
Can't login with real password in php

I have a registration form as well as a login form. I've used md5 encryption in my registration form and it's working fine. But when I try to log in with the real password (like 123), it doesn't log me in. On the other hand, when I copy and paste the md5 hash into the password field, it logs me in. Please help me with this! Thank you!

Here is my code:

<?php
    if (isset($_POST['submit'])) {

        $user_name = $_POST['username'];
        $user_email = $_POST['email'];
        $user_pass = $_POST['password'];

        $query = "SELECT * FROM users where Email = '" . $_POST["email"] . "'";
        $result = $obj->run_query($query);

        if ($count = mysqli_num_rows($result) == 0) {

            $query = "INSERT INTO users (Name,Email,Pass) VALUES ('$user_name','$user_email', md5('$user_pass'))";
            $result = $obj->run_query($query);

            echo "<script>alert('You have successfully Registered!')</script>";
            echo "<script>window.open('welcome.php','_self')</script>";

        } else {

            echo "<script>alert('This user email $user_email is already exist!')</script>";
        }
    }

    // login script
    if (isset($_POST['login'])) {

        $name = $_POST['name'];
        $email = $_POST['email'];
        $password = $_POST['pass'];

        $query = "SELECT * FROM users WHERE Email = '$email' AND Pass = '$password'";
        $result = $obj->run_query($query);

        if ($count = mysqli_num_rows($result) > 0) {

            $_SESSION['email'] = $email;
            $_SESSION['name'] = $name;

            echo "<script>window.open('welcome.php','_self')</script>";

        } else {
            echo "<script>alert('Your email or password is incorrect!')</script>";
        }
    }

?>

As stated: you're comparing plain text from the POST array $password = $_POST['pass']; to the MD5 in your table.

That should read as $password = md5($_POST['pass']);

I also stated that you shouldn't go live with this, "ever". If it is a live site, I suggest you put it on hold until you use a safe hashing function that is of "this century".

MD5 is 30+ years old and is no longer considered safe to use now to hash/store passwords with.

Consult the following:

Passwords

Use one of the following:

Other links:

Important sidenote about column length:

If and when you do decide to use password_hash() or crypt, it is important to note that if your present password column's length is anything lower than 60, it will need to be changed to that (or higher). The manual suggests a length of 255.

You will need to ALTER your column's length and start over with a new hash in order for it to take effect. Otherwise, MySQL will fail silently.


Your present code is also open to SQL injection. Use mysqli with prepared statements, or PDO with prepared statements.
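
The registration and login flow rebuilt with password_hash(), password_verify() and prepared statements, as an added example that is not part of the original answer or the asker's code. It assumes PDO with an in-memory SQLite database standing in for the MySQL users table so it runs stand-alone; the function names register_user() and login_user() and the sample accounts are made up for illustration.

```php
<?php
// Added example: register_user()/login_user() are hypothetical names.
// An in-memory SQLite database stands in for the MySQL users table (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Pass is 255 wide, the length the manual suggests for password_hash() output.
$pdo->exec('CREATE TABLE users (Name TEXT, Email TEXT UNIQUE, Pass VARCHAR(255))');

function register_user(PDO $pdo, string $name, string $email, string $pass): bool
{
    // Bound parameters keep user input out of the SQL text.
    $check = $pdo->prepare('SELECT 1 FROM users WHERE Email = ?');
    $check->execute([$email]);
    if ($check->fetchColumn() !== false) {
        return false; // email already registered
    }
    // password_hash() generates a salt and embeds it in the returned string.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $ins = $pdo->prepare('INSERT INTO users (Name, Email, Pass) VALUES (?, ?, ?)');
    return $ins->execute([$name, $email, $hash]);
}

function login_user(PDO $pdo, string $email, string $pass): bool
{
    // Select by email only; the password never appears in the WHERE clause.
    $stmt = $pdo->prepare('SELECT Pass FROM users WHERE Email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    // Salted hashes differ on every call, so compare with password_verify().
    return $hash !== false && password_verify($pass, $hash);
}

// Constructed sample data, including an address containing a quote character,
// which would have broken the string-concatenated queries.
var_dump(register_user($pdo, 'Alice', 'alice@example.com', '123'));
var_dump(register_user($pdo, 'Alice', 'alice@example.com', '456')); // duplicate email
var_dump(register_user($pdo, 'Pat', "o'brien@example.com", 'secret'));

var_dump(login_user($pdo, 'alice@example.com', '123'));    // real password
var_dump(login_user($pdo, 'alice@example.com', 'wrong'));  // wrong password

// Pasting the stored hash into the password field no longer logs in.
$stored = $pdo->query("SELECT Pass FROM users WHERE Email = 'alice@example.com'")
              ->fetchColumn();
var_dump(login_user($pdo, 'alice@example.com', $stored));
```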
