登录不适用于未散列的密码，只有散列的密码

Question

my login on my website doesn't work with regular password only the hashed passwords, how can I fix it

    <?
include '../../engine/config.php';
//Ïðîâåðÿåì àâòîðèçàöèþ,åñëè âñå õîðîøî,ïóñêàåì
if(empty($_COOKIE["pass"]) || $_COOKIE["pass"]=="")
{
    header("Location: login.php");
}
else
{
    $per = explode(":", $_COOKIE["pass"]);
    $pass_md5 = $per[0];
    $login = $per[1];
    $search = mysql_query("SELECT * From ".$account['table']." WHERE ".$account['name']."='$login'");
    $user = mysql_fetch_array($search);
    if($pass_md5 != md5(md5($user["".$account['pass'].""])))
    {
        setcookie("pass", "", 0, "/");
        header("Location: login.php");
    }
}
//?>

Answer 1

There are quite a number of problems with your code, which could affect you (security wise):

• MD5 is very insecure, and running even 10 nested md5() calls doesn't guarantee security.

You can rewrite your code as follows:

include '../../engine/config.php';

if (empty($_COOKIE['pass']) || $_COOKIE['pass'] == '') {
    header("Location: login.php");
} else {
    $per = explode(":", $_COOKIE['pass'])
    $password = $per[0];
    $login = $per[1];

    $search = mysql_query("SELECT * FROM " . $account['table'] . " WHERE " . $account['name'] . " = '$login' LIMIT 1"); // Included an option LIMIT 1 to end the query and speed it up

    $user = mysql_fetch_array($search);
    if (!password_verify($password, $user[$account['pass']])) {
        setcookie("pass", "", 0, "/");
        header("Location: login.php");
    }
}

// You don't really need the closing bracket, unless you are going to write HTML code