md5 problem in login

[amber.long83]

Problem in my login script. In my script password in md5 hash in the registration. registration is successful and the password is in md5 form in the database table.
But whenever I try to login is not == with md5 password in the database.

Code

<?php
include 'dbconnect.php';

if(!$_POST['submit'])
{
?>

<html>
...
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p>Username&nbsp;:</br>
<input type="text" name="username" maxlength="20">
</p>
<p>Password&nbsp;:</br>
<input type="password" name="password" maxlength="20">
</p>
<p>
<input type="submit" name="submit" value="Submit">
</p>
</form>
...
</html>
<?php
}
else
{
$username = cleanString($_POST['username']);
$password = cleanString($_POST['password']);

if($username && $password)
{
$password = md5($password);
$sql="SELECT id,username FROM `users` WHERE `username`='$username' AND `password`='$password'";
$query=mysql_query($sql) or die(mysql_error());

if(mysql_num_rows($query) > 0)
{
$row = mysql_fetch_assoc($query);
$_SESSION['id'] = $row['id'];
$_SESSION['username'] = $row['username'];


echo "<script type=\"text/javascript\">window.location=\"members_area.php\"</script>";
}
else
{
echo "<script type=\"text/javascript\">
alert(\"Your username or password is incorrect\");
window.location=\"index.php\"</script>";
}
}
else
{
echo "<script type=\"text/javascript\">
alert(\"You need to input your username and password\");
window.location=\"index.php\"</script>";
}
}
?>

Anyone can please help me for correct my problem

Thanks in Advnace

[RussellReal]

$password = cleanString($_POST['password']);

there is NO need to do this.. you're going to MD5 it anyway, that is probably where it is messing up

[silverf0x]

maybe it's better you use stripslashes than cleanstring the password

[phpSiteMinder]

What does the function cleanString do? Its probably altering the posted value, so that its different to the md5 that is stored in the database.

Also check that the md5 in the database is the right md5 for the password. There may have been a problem when registering, if the md5 wasn't generated using the cleanString function.

Also I dislike the use of :
$sql="SELECT id,username FROM `users` WHERE `username`='$username' AND `password`='$password'";
and relying on counting the rows to indicate whether the user can login. If your cleanString functions is not able to remove all sql injection hacks, then someone may be able to gain access to your system.

A better way is to retrieve the password from the database for the username, and compare the passwords in php to determine if the user can log in. Even with no protection from sql injection, this approach will still prevent unathorised access.

[tinaCEO]

Use debugging software to find out error. Rather than putting your own head on it. I recommend HTTP Debugger that is best to use.

[norbertwarne]

Use rectifying software to detect out error. Rather than investing your own head on it. I advocate HTTP Debugger that is better to use.

[damienb]

If I were you I would have used stripslashes() function instead of cleanString().