hashing the password using md5

Question

i want to hash the registered password in the database using MD5 and the same thing when login but the problem is that in the register process the password get hashed but in the login the system work as this is incorrect password

register.php

 //ADD MD5 hash to the password 
       $db_pass=md5($pass1);
//************Insert all the user's input to the database**************************//
$query = mysql_query("INSERT INTO user(user_name, first_name, last_name, governorate,
 district, village, birth_date, email_address, specialization, password, 
 registered_date)VALUES('$username', '$firstname', '$lastname', '$governorate',
 '$district', '$village', '$bdate', '$email', '$specialization', '$db_pass', 
 now())") or die("could not insert data");  

login.php

$pass = md5($pass);

$sql=mysql_query( "SELECT user_id, email_address, first_name, user_name FROM user 
WHERE email_address='$email'
AND password='$pass'LIMIT 1") or die("error in user table");

Answer 1

You shouldn't be using MD5. It is insecure and it is waaaaay too fast for you to be using it for the purpose of password hashing (look at the Wiki page for Brute-force attacks if you don't understand why using a fast password hashing algorithm is a bad idea). You should look into using something like Bcrypt .

You can use Bcrypt via the crypt function .

$userPassword = 'testpassword';
$hashed = crypt($userPassword, '$2a$15$usesomesillystringforsalt$');
echo $hashed;

As somebody mentioned above, ircmaxell has a pretty good library available on github. The library is forwards-compatible with the password_hash function, which will be available in PHP 5.5 (currently in BETA).

Answer 2

Are you sure that $pass1 and $pass are same!! Just check that, both are same before hashing.

As MD5 is insecure use sha256/sha512 with salts or use phpass for generating strong hashes (phpass is used by WordPress for generating password hashes).