User and Password not matching DB

Question

I am testing an sql query and I am typing the user and password properly but it's not giving me at match.

Here's the query's output:

SELECT * FROM wp_users where user_login='User' and user_pass='pass'

I can see that I've typed it properly but still returning false.

I know that the password is in md5 in the db.

Do I need to decode the variable in the query? If so how?

I've tried this but it didn't work:

$SQL =   "SELECT * FROM wp_users where user_login='".$username."' and user_pass='".md5($password)."'";

UPDATE:

This is the contaent of md5($password) - 3fc0a7acf087f549ac2b266baf94b8b1

and this is what's in the database: $P$BfzHHqBF88q4RHJsAiVf4m7.ulbgCZ1

They are both supposed to be the same :o/

when you say its returning false, how are you testing this? Have you tried pasting the output of your second query directly into php myadmin or mysql commandline to see what it outputs? — Jon Taylor, Jun 27 '12 at 19:00
The query is right. If it returns 0 results, that means the username or password is wrong. Do just `md5($password)` and compare with what is in the db. — sachleen, Jun 27 '12 at 19:01
Post an example of the hashed password from the database. Obviously you need to use some test account for this, not a real user's password. — Mark Byers, Jun 27 '12 at 19:01
plain `md5()` is a really poor (huge understatement) way to store a password. Might as well store it in plain text (not really but very close). — PeeHaa, Jun 27 '12 at 19:02
Looks like this is a Wordpress installation, in which case the info in [this question](http://stackoverflow.com/q/4750395/185544) and its answers should be helpful. — Wiseguy, Jun 27 '12 at 19:06
If you're getting false from query, can you please tell the output of `mysql_error()`? There maybe some SQL error maybe. — ksg91, Jun 27 '12 at 19:08
There's no errors...the hash md5($password) is different to the one on the database although it should be the same? — Satch3000, Jun 27 '12 at 19:30

score 1 · Answer 1 · answered Jun 27 '12 at 19:32

Simplest thing is to call the Wordpress function wp_hash_password(password). In which case your query would look like:

require_once '/path/to/wp-config.php';  //will load up wordpress, such as if you're doing this from a script
$SQL =   "SELECT * FROM wp_users where user_login='".$username."' and user_pass='".wp_hash_password($password)."'";

Wordpress doesn't use standard MD5, but rather the phpass library, to hash user passwords. So, if you're trying to do this from outside of Wordpress, you then you will need to look into that library. Here's the code that implements the wp_hash_password() method using phpass:

if ( !function_exists('wp_hash_password') ) :
/**
 * Create a hash (encrypt) of a plain text password.
 *
 * For integration with other applications, this function can be overwritten to
 * instead use the other package password checking algorithm.
 *
 * @since 2.5
 * @global object $wp_hasher PHPass object
 * @uses PasswordHash::HashPassword
 *
 * @param string $password Plain text user password to hash
 * @return string The hash string of the password
 */
function wp_hash_password($password) {
    global $wp_hasher;

    if ( empty($wp_hasher) ) {
            require_once( ABSPATH . 'wp-includes/class-phpass.php');
            // By default, use the portable hash from phpass
            $wp_hasher = new PasswordHash(8, TRUE);
    }

    return $wp_hasher->HashPassword($password);
}
endif;

You could presumably get the same content by following the same pattern:

require_once '/path/to/wp-includes/class-phpass.php';
$my_hasher = new PasswordHash(8, TRUE);
$SQL =   "SELECT * FROM wp_users where user_login='".$username."' and user_pass='". $my_hasher->HashPassword($password)."'";

I tried the above and the hashes look very similar but still no match — Satch3000, Jun 27 '12 at 19:47
You may have to look through the wordpress code in your particular version of wordpress for more details — Benjamin Cox, Jun 27 '12 at 19:49

score 0 · Answer 2 · answered Jun 27 '12 at 19:08

0

Are you sure the password's aren't salted before they're being stored in the database? If they are you would need to do something like:

$SQL =   sprintf("SELECT * FROM wp_users where user_login='%s' and user_pass='%s'", $username, md5($salt.$password));

I would also look into mysql_real_escape_string and PDO prepared statements rather than straight mysql

answered Jun 27 '12 at 19:08

Gabriel Baker

1,209
11
21

The about didn't work but you are not far as I'm not getting a straight md5 hash ... it's different. I'm using wordpress version 3.3 – Satch3000 Jun 27 '12 at 19:15

score 0 · Answer 3 · answered Jun 27 '12 at 19:32

it looks like the password in the database is stored with the Crypt function.. look:

$pw="thisismypassword";
echo crypt($pw);    // $1$lmJBSDCp$AcU45N45sUhdglYn28T4X/
echo md5($pw);  //31435008693ce6976f45dedc5532e2c1

try to use crypt in your query. Crypt also uses a "Salt" which is I believe in the wp_config.php file.

score 0 · Answer 4 · answered Jun 27 '12 at 19:58

0

Check the encryption function used in the INSERT/UPDATE wp_users commands. In MySQL there are a bunch of encryption function. Have a look here.

For login purpose, Password(string) is often used.

answered Jun 27 '12 at 19:58

Alberto De Caro

5,147
9
47
73

User and Password not matching DB

4 Answers4