Search the Community
Showing results for tags 'passwords'.
-
I'm curious to get opinions on using strip_tags() for fields that will be encrypted in a database. I often see websites that say "choose a password that contains X certain characters but not Z other characters." And I got curious. Let's say there's a registration form where a new user creates a username and password, and the server will store the password as ... sha1( $user_entered_value ) ... or some other sort of hashed/encrypted string. In this case, why would it ever matter that a user had entered <div> or some other such text in their password? The password will only ever be hashed into something before it is matched... so why would you bother stripping tags? Why bother preventing any "special" characters? Thoughts?
-
I followed this YouTube tutorial on how to make a registration page with a username and password. Also a login page that checks your credentials against the database and logs you in. After you are logged in, it starts a session. That's where it stopped. I want to do two things. I want to display on the site if you are logged in or if you are visiting as a guest. And my site's main purpose is photo uploading. So I would like to have under each uploaded photo the username of who uploaded it, or guest if they were not registered. I really am clueless on where to go from here. So if anyone could even point me in the right direction that would be great. I am teaching myself to program and am totally new to sessions, users etc.

Here is the config.php file

<?php
// Connect to the local MySQL server and select the "login" database.
// The mysql_* extension used throughout was removed in PHP 7.
$sql = mysql_connect("localhost","root","") or die(mysql_error());
$select_db = mysql_select_db("login", $sql);
?>

The register.php file

<?php
include ('config.php');

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $username = mysql_real_escape_string($_POST['username']);
    // Test the raw password: md5() of an empty string is never empty.
    $raw_password = isset($_POST['password']) ? $_POST['password'] : '';

    if (empty($username)) {
        echo("You have to fill in an username!");
    } elseif ($raw_password === '') {
        echo ("You have to fill in a password!");
    } else {
        // md5() is a fast, unsalted hash; password_hash()/password_verify()
        // are PHP's built-in functions for storing passwords.
        $password = mysql_real_escape_string(md5($raw_password));

        // Refuse the registration if the username already exists.
        $query = mysql_query("SELECT * FROM users WHERE username = '$username'");
        $rows = mysql_num_rows($query);
        if ($rows > 0) {
            die("Username taken!");
        } else {
            $user_input = mysql_query("INSERT INTO users (username, password) VALUES ('$username','$password')");
            echo("Succesfuly Registered!");
        }
    }
}
?>
<html>
<head>
<title>Register</title>
</head>
<body>
<form action="register.php" method="post">
Username: <input type="text" name="username" /><br/>
Password: <input type="password" name="password"/><br/>
<input type="submit" value="Register!"/>
</form>
</body>
</html>

and the login.php file

<?php
include ("config.php");
// Start the session before any output so the session cookie header can be sent.
session_start();

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string(md5($_POST['password']));

    // A matching row means the username and password hash are both correct.
    $query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
    $query_rows = mysql_num_rows($query);
    if($query_rows > 0) {
        echo ("Succesfull Login!");
        $_SESSION['login'] = "1";
    } else {
        echo ("Username and/or password incorrect");
    }
}
?>
<html>
<head>
<title>Login</title>
</head>
<body>
<form action="login.php" method="post">
Username: <input type="text" name="username" /><br/>
Password: <input type="password" name="password"/><br/>
<input type="submit" value="Login!"/>
</form>
</body>
</html>
-
Hi there, I wondered if there was anyone out there who could help me with a problem. I designed a PHP site, plain code and all, a number of years ago and it's worked great. Recently though I've been informed by my hosting company 1&1 that it would need to be updated from MySQL4 to 5 and I've spent the last fortnight trying to get things to work. The export and import into MySQL5 have all gone fine but on trying to login to the site the password would not authenticate. Changing the passwd column from 16 to 41 does not work and the site only works if one requests a new password and the login then works fine - with the 41 character passwd column that is. Now this wouldn't pose a problem but there are now 20,000+ users and getting them all to request a new password would be tricky to say the least. I've tried everything - well everything apart from the correct thing - and I'm running out of patience. 1&1 are not replying to my mails and it's all going a bit wonky, I'm working evenings on this after a full day at work and this has now lasted a fortnight and I would love to see my daughter again. Any suggestions would be really welcome and I must apologise if I've posted this in the wrong forum but I'm steadily going a bit insane :-) If I could get them to set old_password to true on the server I think this would work but I get the feeling they can't do this on a non server hosted version. Please help.....