
It says "The specified email address or password was incorrect." I used this code to insert my password in the database:

UPDATE author SET password = MD5('pass') WHERE id = 1  

I am using PHP 5.4.3. Everything is fine, but why is it not working? Please help.

This is my code:

    <?php

    function userIsLoggedIn()
    {
        // Handle a login form submission
        if (isset($_POST['action']) and $_POST['action'] == 'login')
        {
            if (!isset($_POST['email']) or $_POST['email'] == '' or
                !isset($_POST['password']) or $_POST['password'] == '')
            {
                $GLOBALS['loginError'] = 'Please fill in both fields';
                return FALSE;
            }

            // Append the salt 'ijdb' to the submitted password before hashing
            $password = md5($_POST['password'] . 'ijdb');

            if (databaseContainsAuthor($_POST['email'], $password))
            {
                session_start();
                $_SESSION['loggedIn'] = TRUE;
                $_SESSION['email'] = $_POST['email'];
                $_SESSION['password'] = $password;
                return TRUE;
            }
            else
            {
                session_start();
                unset($_SESSION['loggedIn']);
                unset($_SESSION['email']);
                unset($_SESSION['password']);
                $GLOBALS['loginError'] =
                    'The specified email address or password was incorrect.';
                return FALSE;
            }
        }

        // Handle a logout request
        if (isset($_POST['action']) and $_POST['action'] == 'logout')
        {
            session_start();
            unset($_SESSION['loggedIn']);
            unset($_SESSION['email']);
            unset($_SESSION['password']);
            header('Location: ' . $_POST['goto']);
            exit();
        }

        // No form submitted: re-check the credentials held in the session
        session_start();
        if (isset($_SESSION['loggedIn']))
        {
            return databaseContainsAuthor($_SESSION['email'], $_SESSION['password']);
        }
    }

    // Returns TRUE when an author row matches the given email and (already hashed) password
    function databaseContainsAuthor($email, $password)
    {
        include 'db.inc.php';

        try
        {
            $sql = 'SELECT COUNT(*) FROM author
                WHERE email = :email AND password = :password';
            $s = $pdo->prepare($sql);
            $s->bindValue(':email', $email);
            $s->bindValue(':password', $password);
            $s->execute();
        }
        catch (PDOException $e)
        {
            $error = 'Error searching for author.';
            include 'error.html.php';
            exit();
        }

        $row = $s->fetch();

        if ($row[0] > 0)
        {
            return TRUE;
        }
        else
        {
            return FALSE;
        }
    }

    // Returns TRUE when the logged-in author has the given role id
    function userHasRole($role)
    {
        include 'db.inc.php';

        try
        {
            $sql = "SELECT COUNT(*) FROM author
                INNER JOIN authorrole ON author.id = authorid
                INNER JOIN role ON roleid = role.id
                WHERE email = :email AND role.id = :roleId";
            $s = $pdo->prepare($sql);
            $s->bindValue(':email', $_SESSION['email']);
            $s->bindValue(':roleId', $role);
            $s->execute();
        }
        catch (PDOException $e)
        {
            $error = 'Error searching for author roles.';
            include 'error.html.php';
            exit();
        }

        $row = $s->fetch();

        if ($row[0] > 0)
        {
            return TRUE;
        }
        else
        {
            return FALSE;
        }
    }
Crunch Much
    Stop using this book now, it's dangerously dated. –  Oct 05 '14 at 20:27
  • above, and any errors? – bear Oct 05 '14 at 20:28
  • 1
    You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Oct 05 '14 at 20:28
  • At least it uses PDO, but MD5 and no salt? –  Oct 05 '14 at 20:29
  • 1
    It looks like your PHP code adds a salt `$password = md5($_POST['password'] . 'ijdb');` but when you hashed the password in the database it had no salt: `UPDATE author SET password = MD5('pass') WHERE id = 1` (the salt is `'ijdb'`) – Michael Berkowski Oct 05 '14 at 20:32
  • 1
    I have honestly never read a single PHP/MySQL book; they are out of date before they go to print. The interweb has a tutorial or two (million). –  Oct 05 '14 at 20:34
  • @NeelIon No one book can or should teach everything. This one correctly uses PDO for database interaction, but MD5 has been considered insecure for many years. The password hashing docs Quentin linked above are a good place to begin learning a better way. Also [the answers to this question](http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) – Michael Berkowski Oct 05 '14 at 20:34
  • @NeelIon I cannot recommend a PHP or SQL book, as I have not read one in almost 10 years. I have learned best incrementally through experience. – Michael Berkowski Oct 05 '14 at 20:37
  • I think you have a hash mismatch due to that `ijdb` string. If you hash it in the database adding that salt as `UPDATE author SET password = MD5('passijdb')`, do the hashes match? – Michael Berkowski Oct 05 '14 at 20:39
  • @MichaelBerkowski OK, I am checking the hashes. – Crunch Much Oct 05 '14 at 20:44
  • @NeelIon: there are various tutorials in the [sidebar here](http://www.reddit.com/r/phphelp). Also I've been working on a tutorial that should help too - see my profile. – halfer Oct 05 '14 at 20:44
  • @NeelIon We don't see the code you use to save passwords in PHP, but you have to add on the salt at the time you save it in the database, like with `UPDATE author SET password = MD5(CONCAT($the_password, 'ijdb'))`. If you start working toward modern bcrypt hashing using the question I linked earlier, secure salting will be done automatically and you needn't worry much about it. – Michael Berkowski Oct 05 '14 at 21:12

1 Answer

To make the existing code work:

The main issue with your password checking code as you have it above is a mismatch between the MD5 hashes as stored in the database and as passed in PHP code to check for password verification.

In your table, you have stored the bare password MD5-hashed, with no salt string:

UPDATE author SET password = MD5('pass') WHERE id = 1  

But when validating the input password in PHP code, you are appending a salt string 'ijdb':

    // This appends the salt 'ijdb' to the input password before hashing
    $password = md5($_POST['password'] . 'ijdb');

To correct this in its existing state, you would need to add the same salt into the database to rehash the password. Doing this alone requires no modification to the existing PHP code (where $the_password is the admin password you're storing and testing):

    -- keep the WHERE clause so only the one author row is rehashed
    UPDATE author SET password = MD5(CONCAT($the_password, 'ijdb')) WHERE id = 1

Improve hashing rather than stick with MD5:

As was mentioned in the comments above, MD5 has for several years been considered inadequate and insecure for password hashing, and a 4-character salt is far too short to be very effective. Starting with PHP 5.5, and with a special compatibility library developed for 5.3+, PHP supports bcrypt for vastly improved password hashing.

Please review "How do I use bcrypt for password hashing in PHP" for excellent answers on how to begin using password_hash() and password_verify().

Additionally, intrepid and skilled members of the PHP community have assembled PHP The Right Way, which has a section on password hashing. In general, that website is excellent and I recommend reviewing it as you progress in learning PHP.

Michael Berkowski
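The following is an added example, not code from the book, the asker, or the answer above. It ties the two points together: it verifies a row stored the way the asker's PHP expects (md5 of password plus the 'ijdb' salt, which is why the bare MD5('pass') row never matched), and on a successful login it replaces that legacy hash with a password_hash() bcrypt hash as the answer recommends, so existing users are migrated transparently. It assumes PHP 7.1 or later with the pdo_sqlite extension, uses an in-memory SQLite database so it runs stand-alone, and constructs its single author row inline; the function names (openExampleDb, authenticate, storeNewHash, loginSession) are the example's own.

```php
<?php
// Added example: legacy salted-MD5 verification with upgrade to password_hash().
// Runs stand-alone against an in-memory SQLite database (assumes pdo_sqlite).

const LEGACY_SALT = 'ijdb'; // the salt the asker's login code appends before md5()

function openExampleDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE author (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)');
    // Constructed row, stored as md5(password . salt): the form the asker's PHP code
    // checks for, and what the question's MD5('pass') row was missing.
    $stmt = $pdo->prepare('INSERT INTO author (email, password) VALUES (:email, :password)');
    $stmt->execute([':email' => 'admin@example.com', ':password' => md5('pass' . LEGACY_SALT)]);
    return $pdo;
}

function isLegacyMd5Hash(string $stored): bool
{
    // A legacy row holds 32 lowercase hex characters; password_hash() output begins with "$2y$".
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

function storeNewHash(PDO $pdo, int $id, string $password): void
{
    // The WHERE clause matters: without it every author row would be overwritten.
    $stmt = $pdo->prepare('UPDATE author SET password = :password WHERE id = :id');
    $stmt->execute([':password' => password_hash($password, PASSWORD_DEFAULT), ':id' => $id]);
}

// Returns the author id on success, or null when the email or password is wrong.
function authenticate(PDO $pdo, string $email, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM author WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Spend one hash verification anyway so an unknown email takes about as long as a bad password.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return null;
    }

    if (isLegacyMd5Hash($row['password'])) {
        // hash_equals() compares in constant time and avoids the loose "0e..." == comparison pitfall.
        if (!hash_equals($row['password'], md5($password . LEGACY_SALT))) {
            return null;
        }
        // The plaintext is in hand only during login, so upgrade the row to bcrypt now.
        storeNewHash($pdo, (int) $row['id'], $password);
        return (int) $row['id'];
    }

    if (!password_verify($password, $row['password'])) {
        return null;
    }
    // Rehash if the stored hash was made with a weaker algorithm or cost than the current default.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        storeNewHash($pdo, (int) $row['id'], $password);
    }
    return (int) $row['id'];
}

// Session handling: keep only the author id; the password and its hash never go into the session.
function loginSession(int $authorId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // fresh session id at login, against session fixation
    $_SESSION['authorId'] = $authorId;
}

// Demonstration: wrong password, then the legacy path (row gets upgraded), then the bcrypt path.
$pdo = openExampleDb();
var_dump(authenticate($pdo, 'admin@example.com', 'wrong'));
var_dump(authenticate($pdo, 'admin@example.com', 'pass'));
$stored = $pdo->query('SELECT password FROM author WHERE id = 1')->fetchColumn();
var_dump(strpos($stored, '$2y$') === 0);
var_dump(authenticate($pdo, 'admin@example.com', 'pass'));
```

The legacy branch exists only for the migration window; once every row has been rehashed it can be deleted, and the 'ijdb' constant with it. Compared with the asker's code, the session stores just the author id rather than the email and password hash, so a leaked session file does not also leak credential material, and the password is only ever compared through hash_equals() or password_verify().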