Problem when adding salt to md5 hash.


edd12345678

Hi Guys,

 

I wonder if I can call on this forum's help once again.

 

I am trying to add salt to my md5 password hash. However, I think I am getting the syntax slightly wrong, as it is not working properly.

 

It works in the fact that when someone logs in and they have a 1 next to the member type, it will direct them to the teachers page. However, if no values are entered into the log in form and someone clicks log in, it will still direct them to the students page, when I thought it would direct them to log in failed.

 

The code for the log in form is:

//Sanitize the POST values
$login = clean($_POST['login']);
$password = clean($_POST['password']);
$salt = "salt";
$EncryptedPassword=md5($password, $salt);



//Create query
$qry="SELECT * FROM users WHERE username='$login' AND password='$EncryptedPassword'";
$result=mysql_query($qry);

//Check whether the query was successful or not
if($result) {
	if(mysql_num_rows($result) == 1) {
		//Login Successful
		session_regenerate_id();
		$member = mysql_fetch_assoc($result);
		$_SESSION['SESS_MEMBER_ID'] = $member['id'];
		$_SESSION['SESS_FIRST_NAME'] = $member['FirstName'];
		$_SESSION['SESS_LAST_NAME'] = $member['LastName'];
		$_SESSION['SESS_LAST_NAME'] = $member['Member_Type'];
		session_write_close();
}
		//if the member has an id equal to 0 send them to the member page
		if($member['Member_Type'] == 0){
			header("Location: Student-Page.php");
		//if the member has an id equal to 1 send them to the admin page
		} elseif($member['Member_Type'] == 1){
			header("Location: Teachers-Page.php");
		}
		// regardless of the outcome, we need to exit, so it can be done once after both checks
		exit();
	} else {
		//Login failed
		header("location: login-failed.php");
		exit();
	}

 

 

In case you need it, the code for the registration form, where the password is originally salted upon creation, is:

 

<?php
//Start session
session_start();

//Include database connection details
require_once('config.php');

//Connect to mysql server
$link = mysql_connect(DB_HOST, DB_USER ,DB_PASSWORD);


if(!$link) {
	die('Failed to connect to server: ' . mysql_error());
}

//Select database
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
	die("Unable to select database");
}

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
	$str = @trim($str);
	if(get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	return mysql_real_escape_string($str);
}

//Sanitize the POST values
$username = clean($_POST['username']);
$FirstName = clean($_POST['FirstName']);
$LastName = clean($_POST['LastName']);
$Member_Type = clean($_POST['Member_Type']);
$password = clean($_POST['password']);
$Cpassword = clean($_POST['Cpassword']);
$salt = "salt";
$EncryptedPassword = md5($password,$salt);

//Check for duplicate login ID
if($username != '') {
	$qry = "SELECT * FROM users WHERE username='$username'";
	$result = mysql_query($qry);
	if($result) {
		if(mysql_num_rows($result) > 0) {

		}
		@mysql_free_result($result);
	}
	else {
		//die("query failed");
	}
}


//Create INSERT query
$qry = "INSERT INTO users(username, password, FirstName, LastName, Member_Type) 
VALUES('$username','$EncryptedPassword','$FirstName','$LastName','$Member_Type')";
$result = @mysql_query($qry);

//Check whether the query was successful or not
if($result) {
	header("location: register-success.php");
	exit();
}else {
	die("Query Failed");
}
?>

 

If someone could take a look and point me in the right direction, I would be very grateful. Also, if there are any other mistakes, let me know.

 

Thanks in advance.

 

Edd 
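
An added example, not part of the original post: in PHP the second parameter of md5() is the raw-output flag, so md5($password, $salt) never mixes the salt in, and a login check that compares a missing Member_Type loosely against 0 sends an unmatched login to the student page. The sketch below shows the md5() behaviour and a fail-closed login check built on password_hash()/password_verify(); the function names and the sample row are hypothetical.

```php
<?php
// Added example; function names and the sample row are hypothetical.

// md5()'s second parameter is the boolean raw-output flag. A non-empty
// string passed there is coerced to true and is never mixed into the digest,
// so the "salted" value is just the raw 16-byte MD5 of the password.
function saltArgumentIsIgnored(string $password): bool
{
    return md5($password, 'salt') === md5($password, true);
}

// Registration side: password_hash() generates a random per-user salt and
// embeds it, with the algorithm and cost, in the string that gets stored.
function hashForStorage(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login side: returns the page to redirect to, failing closed.
// $row is the fetched user row, or null when no username matched.
function loginTarget(?array $row, string $password): string
{
    if ($password === '' || $row === null
        || !password_verify($password, $row['password'])) {
        return 'login-failed.php';
    }
    // Strict string comparison: a missing or empty value no longer equals 0.
    $type = (string) ($row['Member_Type'] ?? '');
    if ($type === '0') {
        return 'Student-Page.php';
    }
    if ($type === '1') {
        return 'Teachers-Page.php';
    }
    return 'login-failed.php';
}

// Constructed sample row standing in for one record of the users table.
$row = ['password' => hashForStorage('s3cret-sample'), 'Member_Type' => '1'];

var_dump(saltArgumentIsIgnored('s3cret-sample')); // md5 "salt" argument check
var_dump(loginTarget($row, 's3cret-sample'));     // correct password
var_dump(loginTarget($row, 'wrong'));             // wrong password
var_dump(loginTarget(null, ''));                  // empty form, no matching row
```

password_verify() must receive the password exactly as the user typed it, so it should not be passed through an SQL-escaping helper such as clean() first.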
