I am using PHP and MySQL. I want to know how to send a password hashed using MD5 and how to check against it when the user tries to log in. I tried it, but it's not working properly. If anyone knows how to do it, please provide me the code.
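//Register:
// Site-wide salt appended to every password before hashing.
$the_magical_salt = "everybody_is_obsessed_with_these_days$3^^2)(%=-"; // Even_though_md5_shouldnt_be_used
// $filtered_username is assumed to be escaped already (e.g. mysql_real_escape_string); string values must be quoted in SQL.
mysql_query("insert into users values (NULL,'".$filtered_username."','".md5($password.$the_magical_salt)."');");
//Login:
$res = mysql_query("select password from users where username = '".$filtered_username."'");
$res = mysql_fetch_array($res);
// Strict comparison: with ==, two hashes of the form 0e<digits> are compared as numbers and treated as equal.
if(md5($_POST['password'].$the_magical_salt) === $res[0]) echo "Yeah, you're welcome.";
else echo "Wrong password sugar";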
There's not much to it other than using the md5() function twice.
md5 isn't very well suited to this purpose. Read this article to learn the hows and whys, but the short version is that you should use bcrypt instead. A quick Google shows that PHPass claims to support bcrypt.
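The bcrypt recommendation above, as an added PHP example that is not code from any of the answers: it stores passwords with PHP's built-in password_hash() and, going a step beyond the answers, upgrades rows that still hold the salted md5 of the first answer on the next successful login. The table layout, LEGACY_SALT, BCRYPT_OPTS, the sample accounts and the in-memory SQLite database (standing in for MySQL) are constructed for the illustration.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL users table; schema and accounts are constructed.
const LEGACY_SALT = 'constructed_legacy_salt'; // hypothetical site-wide salt of the old md5 scheme
const BCRYPT_OPTS = ['cost' => 12];            // assumed work factor; tune to your hardware

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

function register(PDO $pdo, string $username, string $password): void
{
    // bcrypt generates a random per-user salt and embeds it, with the cost, in the 60-character hash.
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
    $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)')->execute([$username, $hash]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    $stored = $row['password'];
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // Legacy row: 32 hex characters from md5($password . $salt), compared in constant time.
        $ok = hash_equals($stored, md5($password . LEGACY_SALT));
    } else {
        $ok = password_verify($password, $stored);
    }
    // After a successful login, replace legacy or lower-cost hashes with a fresh bcrypt hash.
    if ($ok && password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $new = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
        $pdo->prepare('UPDATE users SET password = ? WHERE id = ?')->execute([$new, $row['id']]);
    }
    return $ok;
}

register($pdo, 'alice', 'correct horse');
// Constructed legacy account, stored the way the salted-md5 scheme would have stored it.
$pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
    ->execute(['bob', md5('hunter2' . LEGACY_SALT)]);

var_dump(login($pdo, 'alice', 'correct horse'));
var_dump(login($pdo, 'alice', 'wrong'));
var_dump(login($pdo, 'bob', 'hunter2'));
$stored = $pdo->query("SELECT password FROM users WHERE username = 'bob'")->fetchColumn();
var_dump(password_get_info($stored)['algoName']); // bob's row is rewritten by the login above
```

The password column must be wide enough for the bcrypt string (60 characters), so a column sized for 32-character md5 output has to be widened before the upgrade path can write to it.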
Without any more information it's going to be difficult to help you, but what I believe you want is Digest Authentication.
Here is an example (specifically Example #7) from the PHP documentation: http://php.net/manual/en/features.http-auth.php
Note that this type of authentication does not protect against man-in-the-middle attacks. If, for example, someone is sniffing traffic on a victim's network, the attacker could simply replay the request with the digested username/password combination, and your PHP script would happily authenticate the attacker as the victim.