
Encrypted password


Smackie


Alright, I built my own PHP CMS system and, well, I didn't make the passwords encrypted, and now a friend wants me to make one for him, but he wants the passwords to be encrypted. I can make the passwords encrypted, but my problem is getting the login to use the encrypted password. Please someone help me.

 

Here is the checkuser.php page.

 

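<?php

// Escape the input before it goes into the SQL string (needs the open MySQL connection)
$user_name = mysql_real_escape_string($_POST['user_name']);
$password = mysql_real_escape_string($_POST['password']);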

// }

if ((!$user_name) || (!$password)) {

echo '<center><font class="txt">Please enter ALL of the information!</font></center><br><br>';

include 'login_form.php';

return;

}

$sql = mysql_query("SELECT * FROM users WHERE user_name='$user_name' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if ($login_check > 0) {
while($row = mysql_fetch_array($sql)){
foreach( $row AS $key => $val ){
	$$key = stripslashes( $val );
}

	session_register('userid');
	$_SESSION['userid'] = $userid;
	session_register('user_name');
	$_SESSION['user_name'] = $user_name;
	session_register('email_address');
	$_SESSION['email_address'] = $email_address;
	session_register('msn');
	$_SESSION['msn'] = $msn;
	session_register('aim');
	$_SESSION['aim'] = $aim;
	session_register('yahoo');
	$_SESSION['yahoo'] = $yahoo;
	session_register('show_email');
	$_SESSION['show_email'] = $show_email;
	session_register('show_msn');
	$_SESSION['show_msn'] = $show_msn;
	session_register('show_aim');
	$_SESSION['show_aim'] = $show_aim;
	session_register('show_yahoo');
	$_SESSION['show_yahoo'] = $show_yahoo;
	session_register('about_me');
	$_SESSION['about_me'] = $about_me;
	session_register('special_user');
	$_SESSION['user_level'] = $user_level;
	session_register('last_login');
	$_SESSION['last_login'] = $last_login;

	// No comma before WHERE, otherwise the UPDATE is a syntax error and never runs
	mysql_query("UPDATE users SET last_login=now(), online_time=now() WHERE userid='$userid'");

	header("Location: index.php?pages=members_news");

}

} else {

echo '<center><font class="txt">You could not be logged in, Either the username and password do not match or you have not validated your membership.<br><br>Please try again!<br><br></font></center>';
include 'login_form.php';

}

?>

 

Thank you

 

Smackie

Link to comment
Share on other sites

Use the md5 function.

 

Here's how you insert the user into the DB in the first place:

 

$query = "INSERT INTO `users` (`username`,`password`) VALUES ('$user_name',password('$password'))";
$result =@mysql_query ($query); // Run the query.

 

Then at login time:

 

$query = "SELECT user_id  FROM users WHERE username='$u' AND password=PASSWORD('$p')";
$result = @mysql_query ($query);

Link to comment
Share on other sites

I tried doing the md5($_POST['password']); in the script, still won't work, and yes, the password is in md5 format.

 

Show us your query string please.  It can be tricky.

 

The code I copy-pasted came directly from one of my WORKING scripts.

Link to comment
Share on other sites

sorry haven't slept in a few days lol..

 

$sql = mysql_query("INSERT INTO users (user_name, email_address, msn, aim, yahoo, about_me, password, show_email, show_msn, show_aim, show_yahoo, signup_date, ip)
	VALUES('$user_name', '$email_address', '$msn', '$aim', '$yahoo', '$about_me', '$password', '$show_email', '$show_msn', '$show_aim', '$show_yahoo', now(), '$ip')") or die (mysql_error());

Link to comment
Share on other sites

Try this please, only an example, might work, fingers crossed........

 

Always back your scripts up before testing any users' ideas and suggestions mate....

 

<?php session_start();

// Escape the name before it goes into the SQL string (needs the open MySQL connection)
$user_name = mysql_real_escape_string($_POST['user_name']);

// Test the raw input: md5('') is a non-empty string, so the hash is never empty
if ((!$user_name) || (!$_POST['password'])) {
echo '<center><font class="txt">Please enter ALL of the information!</font></center><br><br>';
include 'login_form.php';
return;
}

$password = md5($_POST['password']);

$sql = mysql_query("SELECT * FROM users WHERE user_name='$user_name' AND password='$password' AND activated='1'");

// A matching row means the name and the stored hash are both correct
if (mysql_num_rows($sql) > 0) {

	$row = mysql_fetch_assoc($sql);

	$_SESSION['userid'] = $row['userid'];
	$_SESSION['user_name'] = $row['user_name'];
	$_SESSION['email_address'] = $row['email_address'];
	$_SESSION['msn'] = $row['msn'];
	$_SESSION['aim'] = $row['aim'];
	$_SESSION['yahoo'] = $row['yahoo'];
	$_SESSION['show_email'] = $row['show_email'];
	$_SESSION['show_msn'] = $row['show_msn'];
	$_SESSION['show_aim'] = $row['show_aim'];
	$_SESSION['show_yahoo'] = $row['show_yahoo'];
	$_SESSION['about_me'] = $row['about_me'];
	$_SESSION['user_level'] = $row['user_level'];
	$_SESSION['last_login'] = $row['last_login'];

	// No comma before WHERE; the column is user_name, as in the SELECT above
	mysql_query("UPDATE users SET last_login=now(), online_time=now() WHERE user_name='$user_name'");

	header("Location: index.php?pages=members_news");

} else {

echo '<center><font class="txt">You could not be logged in, Either the username and password do not match or you have not validated your membership.<br><br>Please try again!<br><br></font></center>';
include 'login_form.php';

}
?>

Link to comment
Share on other sites

Try just using the sha1 or md5 function to encrypt the password outside of the database, and store the hash as is in the db without using any built in password function in sql. Then when it comes to login the password the user enters also needs to be encrypted the same way and if that one and the hash in the database match then it will be correct.

 

P.S. You must also check to see if the character length of the field in which you store the password is big enough to store the entire hash, otherwise part of it will be missing and messes up the comparisons.

Link to comment
Share on other sites

My example for secure passwords....

 

database password int (32) not null

 

<?php
$password="redarrow";

$password=md5(sha1(md5($_POST['password'])));

echo $password;
?>

 

That's not really more secure, you're better off using a salt with sha1 or higher

Link to comment
Share on other sites

Creating a user:

$username = addslashes($_POST['username']);
$key = "thisisakey";
$password = addslashes($_POST['password']);
$enc_pass = md5($password.$key);
$sql = "INSERT INTO `<table>`(`id`, `username`, `password`) VALUES('','{$username}', '{$enc_pass}');";
mysql_query($sql);

 

logging in a user:

$username = addslashes($_POST['username']);
$key = "thisisakey";
$password = addslashes($_POST['password']);
$enc_pass = md5($password.$key);
$sql = "SELECT * FROM users WHERE user_name='{$username}' AND password='{$enc_pass}' AND activated='1';";

Change the code to suit your needs, but if you do it this way, you further encrypt your password with a "key", adding it to the end of their password.

Link to comment
Share on other sites

Yep, jonsjava has it right, but I'd call what he calls a key a 'salt'... Make sure your db field for the password is a varchar(32 or 40), e.g.

md5 is a 32-character hexadecimal

sha1 is 40-character hexadecimal

Someone earlier told you to make it some kinda number I think...

Link to comment
Share on other sites

I got it working :D thanks for the help guys..

btw all I did was do this

 

$password1 = $_POST['password'];
$password = md5($_POST['password']);

Don't ask me why it works and not

 

$password = $_POST['password'];

 

lol but I know I got it working :)

Smackie

Link to comment
Share on other sites
