Login in code will just login with md5 encrypted p

I've created a login + register site. The register page works fine, login too except that when I have to write in my password I have to write in the encrypted version, the md5... I've done in register page so that their password gets encrypted. How can I make in login page so that they dont need to write their md5 password, just their normal one?

The register.php looks like:

<?

$reg = @$_POST['reg'];
//declaring variables to prevent errors
$fn = ""; //First Name
$ln = ""; //Last Name
$un = ""; //Username
$em = ""; //Email
$em2 = ""; //Email 2
$pswd = ""; //Password
$pswd2 = ""; // Password 2
$d = ""; // Sign up Date
$u_check = ""; // Check if username exists
//registration form
$fn = strip_tags(@$_POST['fname']);
$ln = strip_tags(@$_POST['lname']);
$un = strip_tags(@$_POST['username']);
$em = strip_tags(@$_POST['email']);
$em2 = strip_tags(@$_POST['email2']);
$pswd = strip_tags(@$_POST['password']);
$pswd2 = strip_tags(@$_POST['password2']);
$d = date("Y-m-d"); // Year - Month - Day

if ($reg) {
if ($em==$em2) {
// Check if user already exists
$u_check = mysql_query("SELECT username FROM users WHERE username='$un'");
// Count the amount of rows where username = $un
$check = mysql_num_rows($u_check);
if ($check == 0) {
//check all of the fields have been filed in
if ($fn&&$ln&&$un&&$em&&$em2&&$pswd&&$pswd2) {
// check that passwords match
if ($pswd==$pswd2) {
// check the maximum length of username/first name/last name does not exceed 25   characters
if (strlen($un)>25||strlen($fn)>25||strlen($ln)>25) {
echo "The maximum limit for username/first name/last name is 25 characters!";
}
else
{
// check the maximum length of password does not exceed 25 characters and is not less   than 5 characters
if (strlen($pswd)>30||strlen($pswd)<5) {
echo "Your password must be between 5 and 30 characters long!";
}
else
{
//encrypt password and password 2 using md5 before sending to database
$pswd = md5($pswd);
$pswd2 = md5($pswd2);
$query = mysql_query("INSERT INTO users VALUES       ('','$un','$fn','$ln','$em','$pswd','$d','0')");
die("<h2>Welcome to InstaWord!</h2>Login to your account to get started ...");
}
}
}
else {
echo "Your passwords don't match!";
}
}
else
{
echo "Please fill in all of the fields";
}
}
else
{
echo "Username already taken ...";
}
}
else {
echo "Your E-mails don't match!";
}
}
?>
<table class="homepageTable">
   <tr>
       <td width="60%" valign="top">
        <h2>Share your texts!</h2>
        <img src="img/animation.gif" width="930">
       </td>
       <td width="40%" valign="top">
        <h2>Sign up</h2>
       <form action="#" method="post">
       <input type="text" size="25" name="fname" placeholder="First Name" value="<? echo   $fn; ?>">
       <input type="text" size="25" name="lname" placeholder="Last Name" value="<? echo $ln; ?>">
       <input type="text" size="25" name="username" placeholder="Username" value="<?   echo $un; ?>">
       <input type="text" size="25" name="email" placeholder="Email" value="<? echo $em; ?>">
       <input type="text" size="25" name="email2" placeholder="Repeat Email" value="<? echo $em2; ?>">
       <input type="password" size="25" name="password" placeholder="Password">
       <input type="password" size="25" name="password2" placeholder="Repeat Password">  <br />
       <input type="submit" name="reg" value="Sign Up!">
       </form>
       </td>
      </tr>
     </table>
   </body>
 </html>

And the login.php looks like this:

    <?php

session_start();


//This displays your login form

function index(){


echo "<form action='?act=login' method='post'>" 

."Username: <input type='text' name='username' size='30'><br>"

."Password: <input type='password' name='password' size='30'><br>"

."<input type='submit' value='Login'>"

."</form>"; 


}


//This function will find and checks if your data is correct

function login(){


//Collect your info from login form

$username = $_REQUEST['username'];

$password = $_REQUEST['password'];



//Connecting to database

$connect = mysql_connect("myserver", "username", "password");

if(!$connect){

die(mysql_error());

}


//Selecting database

$select_db = mysql_select_db("database_name", $connect);

if(!$select_db){

die(mysql_error());

}


//Find if entered data is correct


$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");

$row = mysql_fetch_array($result);

$id = $row['id'];


$select_user = mysql_query("SELECT * FROM users WHERE id='$id'");

$row2 = mysql_fetch_array($select_user);

$user = $row2['username'];


if($username != $user){

die("Username is wrong!");

}



$pass_check = mysql_query("SELECT * FROM users WHERE username='$username' AND id='$id'");

$row3 = mysql_fetch_array($pass_check);

$email = $row3['email'];

$select_pass = mysql_query("SELECT * FROM users WHERE username='$username' AND id='$id' AND email='$email'");

$row4 = mysql_fetch_array($select_pass);

$real_password = $row4['password'];


if($password != $real_password){

die("Your password is wrong!");

}




//Now if everything is correct let's finish his/her/its login


session_register("username", $username);

session_register("password", $password);


echo "Welcome, ".$username." please continue on our <a href=index.php>Index</a>";





}


switch($act){


default;

index();

break;


case "login";

login();

break;


}

?>

Please help me fix this...

回答1:

You are not using md5 to check while login....

Use $password = md5($_REQUEST['password']); In your login function().

This will take the normal password and check it with encrypted version in database and then will successfully log the user in.

Hope this helps.

回答2:

You should not apply a strip_tags() to the $_POST['password'], just feed the incoming value to the password hashing function.

To protect your user's passwords, you need to do better than md5 hash the passwords. You need

a better hashing algorithm: BCrypt hash
add a random salt value

The good news is that you can just use a drop-in library and use that: PHPass

require('PasswordHash.php');

$pwdHasher = new PasswordHash(8, FALSE);

// $hash is what you would store in your database
$hash = $pwdHasher->HashPassword( $_POST['password'] );

// $hash would be the $hashed stored in your database for this user
$checked = $pwdHasher->CheckPassword($_POST['password'], $hash);
if ($checked) {
    echo 'password correct';
} else {
    echo 'wrong credentials';
}

回答3:

Encrypt the input password with md5() when you pass the details into sql query while checking correct login details.

$password_encrypt = md5($password);
$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password_encrypt '");