Logging in

Hello, I’m trying to make a login script for my website but it’s not reading the passwords correctly.

A sample of the register.php

```php
$Pass = mysql_real_escape_string($_POST['password'], $Link);
$Pass = StrToLower(Trim($Pass));

$Salt = "0x" . md5($Login.$Pass);
MySQL_Query("call adduser('{$Login}', {$Salt},
```

And here’s my login.php

```php
<?php
session_start();
require("common.php");

$submitted_name = '';

function hash_pass($passwd){
    $salt="0x.";
    return md5($passwd.$salt);
}

if(!empty($_POST))
{
    $query = " SELECT id, name, passwd FROM users WHERE name = :name ";
    $query_params = array(
        ':name' => $_POST['name']
    );

    try
    {
        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
    }
    catch(PDOException $ex)
    {
        die("Failed to run query: " . $ex->getMessage());
    }

    $login_ok = false;
    $row = $stmt->fetch();
    if($row)
    {
        $check_passwd == md5($passwd . $salt);
        for($round = 0; $round < 65536; $round++)
        if($check_passwd = md5($salt['passwd']))
        {
            $login_ok = true;
        }
    }

    if($login_ok)
    {
        unset($row['passwd']);
        $_SESSION['user'] = $row;
        header("Location: usercp.php");
        die("Redirecting to: usercp.php");
    }
    else
    {
        print("Login Failed.");
        $submitted_name = htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');
    }
}
?>
```

When I login, I can use any password.

However, if I change;

$check_passwd == md5($passwd . $salt);

to;

$check_passwd === md5($passwd . $salt);

It says “Login Failed” even with the correct information…

I’m kinda noobie with PHP, any help is appreciated, thank you! :slight_smile:

First of all, don’t use md5 for password hashing. I would recommend using a password library: https://github.com/ircmaxell/password_compat/blob/master/lib/password.php I recommend this one. Why reinvent the wheel? People who write these libraries really know what they are doing, especially the link I gave you.

Also, don’t trim or escape your password variable; leave it in its pure form. For one, you are using PDO parameter variables, and two, you can unset the password when you are done storing or validating.

As for == versus ===: the double equal just checks to see if they are equal; the === has to match exactly, or a true match. And I would guess $check_passwd == md5($passwd . $salt); is just giving you a false true, for it really isn’t an if statement, and I’m guessing that it might just be treating it like a function call. To put it simply, that statement isn’t doing anything. ;D
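The login check rebuilt on the password_hash() / password_verify() functions that the library linked above provides (they are built into PHP 5.5 and later), as an added example that is not part of either post. The in-memory SQLite database and the function names register_user() and check_login() are assumptions made so the script runs on its own; the table columns follow the query in login.php.

```php
<?php
// Added example: register_user() and check_login() are hypothetical names.
// An in-memory SQLite database (assumption) stands in for the real one;
// the table mirrors the id, name, passwd columns queried in login.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, passwd TEXT)');

function register_user(PDO $db, $name, $password)
{
    // Store the password exactly as typed: no trim, no strtolower, no escaping.
    // password_hash() generates a random salt and embeds it in the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (name, passwd) VALUES (:name, :passwd)');
    $stmt->execute(array(':name' => $name, ':passwd' => $hash));
}

function check_login(PDO $db, $name, $password)
{
    $stmt = $db->prepare('SELECT id, name, passwd FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The boolean returned by password_verify() must drive the branch.
    // A bare comparison statement, or an assignment inside if(), does not.
    if ($row === false || !password_verify($password, $row['passwd'])) {
        return null;            // unknown user or wrong password
    }
    unset($row['passwd']);      // never carry the hash into the session
    return $row;
}

// Constructed sample data.
register_user($db, 'alice', 'Correct Horse 42');
var_dump(check_login($db, 'alice', 'Correct Horse 42') !== null); // right password
var_dump(check_login($db, 'alice', 'correct horse 42') !== null); // case differs
var_dump(check_login($db, 'alice', 'anything') !== null);         // wrong password
var_dump(check_login($db, 'bob', 'anything') !== null);           // unknown user
```

In login.php, the row returned by check_login() would be what goes into $_SESSION['user'] before the redirect to usercp.php.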
