PHP login using MySQL data and hashed password

Question

I'm trying to login through PHP using a usernames and passwords from a MySQL database that saves userID, usernames, and hashed_passwords (that I created earlier using a registration form, and the salt for the md5 hash is: 2155).

The problem is I'm not able to get the password to be unencrypted to use it for the login.

And I'm not sure if this is how to code the query to look for username and password from the database based on the user input.

$sql = "SELECT * FROM user where username = '$_POST["username"]' AND password = '$_POST["password"]";
$rows = $conn->query($sql);

        if ($userID > 0){
                    echo "Hello World";
            header("Location: login_success.php");
        }

        else{
                        echo "Unsuccessful";
            header("Location: index.php");
        }

Answer 1

Rather than using MD5 or trying to decrypt the password - as others here have suggested - simply use PHP's native password_hash() function which automatically checks if the password is correct for you.

Encrypt the password like this:

$unencrypted_password = 'secret!'; 
$encrypted_password = password_hash($unencrypted_password,  PASSWORD_DEFAULT);

Then insert into your DB like so:

INSERT INTO users (encrypted_password, username) VALUES ($encrypted_password, $username);

When you want to check if the password is correct, select the password from the database with:

SELECT encrypted_password FROM users WHERE username = $username;

Finally, check that the password is correct by using passoword_verify():

$correct = password_verify($unecnrypted_password, $encrypted_password);
if($correct == true) {
    echo 'correct password!';
} else {
    echo 'password incorrect!';
}

Be careful to protect against SQL-injection, as the above code is vulnerable to it.

Answer 2

If, when you inserted the user record in the table, you used md5 encryption, your SQL would be along the lines of:

$sql = "INSERT INTO `tblUsers` (`username`, `userpassword`) VALUES ('myusernameis', md5('mysecretpass'));";

which means that when you retrieve that record for authentication (login), you would use something like:

$sql = "SELECT * FROM `tblUsers` WHERE `username` = 'myusernameis' AND `userpassword` = md5('mysecretpass') LIMIT 1;";

Answer 3

During insert user password "apple" is encrypted using md5 so out put likes "gjdg$fdfjd" and stored in database ,In login form you are checking "apple" is equal to "gjdg$fdfjd" so you geting validation error to fix this to add the same encryption for user password validation

 $sql = "SELECT * FROM user where username = '$_POST["username"]' AND password = 'md5($_POST["password"])";

but you cannot decrypt MD5 without attempting something like brute force hacking which is extremely resource intensive, not practical, and unethical. So use some encryption and decription functions likes this

function encrypt( $q ) {
    $cryptKey  = 'fdf';
    $qEncoded      = base64_encode( mcrypt_encrypt( MCRYPT_RIJNDAEL_256, md5( $cryptKey ), $q, MCRYPT_MODE_CBC, md5( md5( $cryptKey ) ) ) );
    return( $qEncoded );
}

function decrypt( $q ) {
    $cryptKey  = 'fdf';
    $qDecoded      = rtrim( mcrypt_decrypt( MCRYPT_RIJNDAEL_256, md5( $cryptKey ), base64_decode( $q ), MCRYPT_MODE_CBC, md5( md5( $cryptKey ) ) ), "\0");
    return( $qDecoded );
}

Answer 4

I am chinese phper. your code have some mistakes; where user write password ,your need mad5(password)

 

   $password = mad5($_post['password'])

$user = $_post['user'];
$sql = "select * from user where username = $user ";
$rows = $conn->query($sql);
if($rows['password'] ===$password  )
{
 echo "success";
 header("Location: login_success.php");
}else{
echo "unsuccessful";
header("Location: index.php");
}