[SOLVED] logging in to accounts using hashed passwords


thedecline

I'm coding a log-in page for the user account system of a library system I'm working on.

The only problem I'm having with it is verifying the password.

 

The password is in the database, encrypted with an md5 hash function.

When I retrieve it to compare it to the password entered on the form, the hashed password never matches the hashed one from the database.

 

Any idea how to hash the password on login so that it will be the same output as when it was hashed on registration?

Or am I approaching this from entirely the wrong angle?

Any ideas welcome.


 

include("connection.php"); //Connects to database

$result = mysql_query("SELECT * FROM users
	WHERE username='$username'");

while($row = mysql_fetch_array($result)){
	$DBpassword=$row['password'];
}

/*	encrypts the password to allow comparison */
/*	to the encrypted password in the database */
$passwordHash=md5($password);
//$passwordHash = sha1($password);

$result = mysql_query("SELECT * FROM user WHERE username = '$username' AND password = '$passwordHash'");
//echo ($result);
//testing
echo("<b>encrypted password on database:</b> ".$result."<br .>");
echo("<b>encrypted password just entered:</b> ".$passwordHash."<br .>");
//end testing
if ($result == "0")
{
	echo("<p>Incorrect Password.</p>");
	return False;
}
else
{
	return True;
}

The table accepts a 32-character string and md5 returns a 32-character string. As you can see above, I am hashing the entered password before comparing it to the password in the database.


<?
include("connection.php"); //Connects to database

$result = mysql_query("SELECT * FROM users
	WHERE username='$username'");

while($row = mysql_fetch_array($result)){
	$DBpassword=$row['password'];
}

/*	encrypts the password to allow comparison */
/*	to the encrypted password in the database */
$passwordHash=md5($DBpassword);
//$passwordHash = sha1($password);

$result = mysql_query("SELECT * FROM user WHERE username = '$username' AND password = '$passwordHash'");
//echo ($result);
//testing
echo("<b>encrypted password on database:</b> ".$result."<br .>");
echo("<b>encrypted password just entered:</b> ".$passwordHash."<br .>");
//end testing
if ($result == "0")
{
	echo("<p>Incorrect Password.</p>");
	return False;
}
else
{
	return True;
}

You had done this:

	$DBpassword=$row['password'];
}

/*	encrypts the password to allow comparison */
/*	to the encrypted password in the database */
$passwordHash=md5($password);

When you should have done this:

	$DBpassword=$row['password'];
}

/*	encrypts the password to allow comparison */
/*	to the encrypted password in the database */
$passwordHash=md5($DBpassword);


Here is a login system I've done a few days ago, have a look:

 

<?php

// Build the lookup: username plus the MD5 of the submitted password
$mysql_login_query="SELECT * FROM users WHERE username ='$userdet_username' AND password = '".md5($userdet_password)."'";
if ($mysql_login_result =mysql_query($mysql_login_query))
{
	$loginarray=mysql_fetch_array($mysql_login_result);
	if(mysql_num_rows($mysql_login_result) ==1)
	{
		if($loginarray['confirmed']=="yes")
		{
			// Copy the account row into the session
			$_SESSION['logedin']=TRUE;
			$_SESSION['username'] = $loginarray['username'];
			$_SESSION['userid'] = $loginarray['id'];
			$_SESSION['datejoined'] = $loginarray['datejoined'];
			$_SESSION['nicname'] = $loginarray['nicname'];
			$_SESSION['email'] = $loginarray['email'];
			$_SESSION['theme'] = $loginarray['theme'];
			$_SESSION['lastonline'] = $loginarray['lastonline'];
			$_SESSION['fname'] = $loginarray['fname'];
			$_SESSION['sname'] = $loginarray['sname'];
			$_SESSION['accesslvl'] = $loginarray['accesslvl'];
			$_SESSION['hidemail'] = $loginarray['hidemail'];

			echo "loged in correct";
		}else{
			// Account exists but is not confirmed yet
			header("Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) .
			"/login.php?username=".$userdet_username."&error=notconfirmed");
		}
	}else{
		// No row matched the username/password pair
		header("Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) .
		"/login.php?username=".$userdet_username."&error=wrongdetails");
	}
} // end of the mysql_query() check

?>

 

I removed some of the things you don't need, as I'd rather keep the code to myself.


Login.html

<form method="POST" action="p_login.php" id="Login">
		<tr class="browse_rows_heading">
			<td>
				Username:
			</td>
			<td>
				<input type="text" name="username">
			</td>
		</tr>
		<tr class="browse_rows_heading">
			<td>
				Password:
			</td>
			<td>
				<input type="password" name="password">
			</td>
		</tr>
		<tr class="browse_rows_heading">
			<td>
				<input type="submit" value="Submit">
			</td>
		</tr>
		</form>
		</td></tr></table>

p_login.php

<?php
/* ****************************
DB INFO
**************************** */
/* ################################################################################### */
/* 	Query to validate user                                                             */
/* ################################################################################### */
$username = addslashes($_POST["username"]);
$password = addslashes($_POST["password"]);
$enc_pass = md5($password);
$sql = "SELECT * FROM `users_{$list_name}`
	where 
	`uname` = '{$username}' 
	and 
	`password` = '{$enc_pass}' 
	limit 1;";


$result = @mysql_query($sql);
$validate = @mysql_num_rows($result);
/* ################################################################################### */
/* 	END Query to validate user                                                         */
/* ################################################################################### */
if ($validate > 0){
//login the user
}
else{
//don't
}

 

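A login check of the kind discussed in this thread, as an added example that is not code from any poster: it swaps md5() for PHP's password_hash()/password_verify(), uses PDO prepared statements instead of string-built queries, and upgrades existing MD5 rows on their next successful login. The in-memory SQLite database, the `users` schema and the sample accounts are assumptions made so the script runs on its own.

```php
<?php
// Added example; schema, accounts and passwords are constructed sample data.
$db = new PDO('sqlite::memory:'); // assumption: the pdo_sqlite extension is available
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password_hash() output is longer than MD5's 32 characters: widen the column.
$db->exec('CREATE TABLE users (username VARCHAR(64) PRIMARY KEY, password VARCHAR(255))');

function store_hash(PDO $db, string $username, string $hash): void
{
    // Bound parameters: user input never becomes part of the SQL text.
    $db->prepare('REPLACE INTO users (username, password) VALUES (?, ?)')
       ->execute([$username, $hash]);
}

function register_user(PDO $db, string $username, string $password): void
{
    store_hash($db, $username, password_hash($password, PASSWORD_DEFAULT));
}

function verify_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }
    // Legacy row from the old scheme: a bare 32-hex-character MD5 digest.
    $legacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $legacy ? hash_equals($stored, md5($password))
                  : password_verify($password, $stored);
    // On success, upgrade legacy or outdated hashes while the plaintext is at hand.
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        register_user($db, $username, $password);
    }
    return $ok;
}

register_user($db, 'alice', 'correct horse');
store_hash($db, 'bob', md5('old-style secret')); // simulated legacy MD5 row

var_dump(verify_login($db, 'alice', 'correct horse'));
var_dump(verify_login($db, 'alice', 'wrong guess'));
var_dump(verify_login($db, 'bob', 'old-style secret')); // checked as MD5, then upgraded
var_dump(verify_login($db, 'bob', 'old-style secret')); // checked via password_verify()
```

The stored value is fetched by username and compared in PHP, so registration and login go through the same hashing routine and the salt embedded in each hash is reused automatically.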

I solved this a few hours ago; it was entirely down to my own stupid fault.

:-[

I don't even want to point it out here for fear of backlash at how stupid it is.

 

However, I have learned a lot about login systems that I can now implement. Thanks a lot.

 

Do I have to PM a mod to set this as solved, or just rename the thread?
