MD5

[eaglelegend]

I know its not something I should shout out about, but I need MD5 for my login/register and cookies scripts, however, I dont know how to install it, and really I'd rather not throw all the info here with database info etc. to affect, but, my hosting people provide no php help unfortunately.

[BlueSkyIS]

your php install doesn't include the md5() function???

[eaglelegend]

No, the guy whose I bought it off, as everyone knows, as I told them, he sold it to me with no help or anything, it was only because people have notified me about these issues I have had to well... try but not successfully understand how to put it in!

[wildteen88]

WHat! You are making no sense. md5() is a core PHP function. Are you trying to implement md5 passwords in your existing script as currently your not using any type of encryption.

 

Also what do you mean by:

No, the guy whose I bought it off, as everyone knows, as I told them,

What did you buy? The PHP script?

[eaglelegend]

I bought most of the script, I have repaired, and gtot help from most of your guys.

right I need to have the passwords etc. that are stored in the datbases encrypted, so if anyone accesses them, they cannot get any login details, as I currently dont have that like that :/

[BlueSkyIS]

so a script like this errors and nothing else?

 

<?php
echo md5("hello world");
?>

[eaglelegend]

it has no md5 tags :/ thats why I need help installing it on ther and FAST!

[wildteen88]

If you post parts of your script which logs users in then we maybe able to help you.

 

In order for your existing passwords in your database to become md5 encrypted you'll have to do this with a MySQL query.

[bilis_money]

it has no md5 tags :/ thats why I need help installing it on ther and FAST!

 

do you mean, recreate the codes?

 

and not installing right?

 

post the codes that you want us to fix please.

 

[eaglelegend]

Login.php

 

<?php
include("header.php");

$username = $_POST['username'];
$password = $_POST['password'];

if($username && $password) {
$check = mysql_num_rows(mysql_query("SELECT * FROM `members` WHERE `username`=\"$username\" AND `password`=\"$password\""));

if($check == 1) {
 	if(setcookie("ELv2",$username,time()+(3600*24))) {
 	 	Header("Location: index.php");
 	}
 	else {
 	 	print "Cant set cookie";
 	}
}
else {
 	print "Sorry, username/password mismatch!";
}

}
else {
?>
<h2>Login</h2><p>
<form action="login.php" method="post">
Username<br>
<input type="text" name="username" class="text_box" size="20" value="Username" title="Please enter the Username you registered here with." alt="Please enter the Username you registered here with."><p>
Password<br>
<input type="password" name="password" class="text_box" size="20" value="password" title="Please enter the Password you registered here with." alt="Please enter the Password you registered here with."><p>
<input type="submit" class="text_box" value=" Login " title="Click here to log in." alt="Click here to log in."></form>
<? 
}

include("footer.php");
?>

 

Register.php

<?php
include("header.php");
?>
<?php
$username = $_POST['username'];
$password = $_POST['password'];
$password_confirm = $_POST['password_confirm'];
$email = $_POST['email'];

if($username && $password && $password_confirm && $email) {

$siteurl = preg_replace( "/[^a-zA-Z0-9s]/", "", $siteurl );

$check_user = mysql_num_rows(mysql_query("SELECT * FROM `members` WHERE `username`=\"$username\""));
$check_site = mysql_num_rows(mysql_query("SELECT * FROM `members` WHERE `url`=\"$siteurl\""));

if($check_user == 0) {

 	if($password == $password_confirm) {
 	 	$newpass = $password;
 	 	$date = date("m/d/y");

		$sql = mysql_query("SELECT * FROM `sites` WHERE `url`='$Z'");
		while($r = mysql_fetch_array($sql)) {
		 	$money = $r["money"];
		 	$points = $r["points"];
		}

		$insert = mysql_query("INSERT INTO `members` (`admin`, `date`, `username`, `password`, `email`, `points`, `money`) VALUES('0', '$date', \"$username\", \"$newpass\", \"$email\", '$points', '$money')"); 

		if($insert) {


			print "<h2>Congratulations!</h2><p>
			You are now a registered member of this site!<p>
			Username: $username<br>
			Password: $password<p>
			You can login using the form to the right!";
		}
		else {
		 	print mysql_error();
		}
	}
	else {
	 	print "<p>Passwords do not match!</p>";
	}
}
else {
 	if($check_user > 0) {
 		print "<p>That username already exists!</p>"; 
 	}
}
}
else {
?>
<h2>Register</h2><p>

<img src="http://www.eaglelegend.com/images/pets/Quadra.png" title="Mr. Helpya" alt="Mr. Helpya">

<form action="register.php" method="post">
Hello. My name is Mr. Helpya and as it is says in my name, I am here to help you! As you 
play throughout the game, you will see me bringing up help or tooltips as they are 
otherwise known. Even though I am to busy to see every user on the site, you will still be
able to get the tooltips from me personally!.<br><br>

Here is an example of my work, put your mouse over my picture above here... do you see the little
box come up with my name? thats how it works, just put your mouse over any image, function or
form fields and I will tell you what it is for!.<br><br>

So, you want to register eh?, OK, the register form is another example of what I just taught 
you!, again put your mouse over the fields before you write to find out what you have to put there!
please, whatever you write, do not enter any personal info on your username, as it is viewed
by hundreds every day, and you wouldnt walk down town handing out your personal info would you?
and what would your parents think? not to happy, I should think, so...<br><br>

Please ask your parents about joining up with us, by registering we are assuming you have had 
your parents consent.<p>
<b>Username:</b> <br>
<input type="text" name="username" class="text_box" size="25" title="You need a username, it will be publically seen all over the site. 
NO personal info." alt="You need a username, it will be publically seen all over the site. 
NO personal info."><br>
<b>Password</b> <br>
<input type="password" name="password" class="text_box" size="25" title="You need a password
that you can remember but others cannot guess." alt="You need a password
that you can remember but others cannot guess."><p>
<b>Password Confirm</b><br>
<input type="password" name="password_confirm" class="text_box" size="25" title="Please enter
the password you just written above here, again." alt="Please enter
the password you just written above here, again."><p>
<b>Email</b><br>
<input type="text" name="email" class="text_box" size="30" title="Please enter your email address. 
We rarely email. Please talk to your parents first." alt="Please enter your email address. 
We rarely email. Please talk to your parents first."><p>
<input type="submit" value="Register" class="text_box" alt="Click here to register your new account!" title="Click here to register your new account!"></form> 
<?php
}
include("footer.php");
?>

 

I think there maybe more, but thats all I can think I can provide right now :/

 

ALSO, how do I query the mysql about that?

[wildteen88]

In login.php change

$password = $_POST['password'];

to

$password = md5($_POST['password']);

 

In register.php change

$newpass = $password;

to

$newpass = md5($password);

 

Before running the following script, I advise you to backup your existing database first.

 

Now you'll need to run the following script ONLY ONCE in order for existing members logins to work:

include 'header.php';

while(list($username, $password) = mysql_fetch_assoc(mysql_query('SELECT username, password FROM members'))
{
    mysql_query('UPDATE members SET password='.md5($password).' WHERE username="'.$username.'"');
}

echo 'Passwords reset. DELETE THIS SCRIPT NOW DONOT RERUN.';

Do not run the above script more than once otherwise you'll break existing password.s

[eaglelegend]

ok, that script you game me, is there any special name I need for it?

[wildteen88]

No. Just create new php file call it md5passwords.php and add the above code to it. Upload to your website where your other PHP scripts are and go to yoursirte.com/md5passwords.php

 

Nothing will be outputted so don't refresh the page or anything. Now delete the file from your site. Existing passwords should still work.

[eaglelegend]

ok this shown include 'header.php'; while(list($username, $password) = mysql_fetch_assoc(mysql_query('SELECT username, password FROM members')) { mysql_query('UPDATE members SET password='.md5($password).' WHERE username="'.$username.'"'); }

 

should I put <?php CODE ?> in it?

[wildteen88]

Yeah sorry. Forgot to include the php tags 

 

Corrected code:

<?php

include 'header.php';

while(list($username, $password) = mysql_fetch_assoc(mysql_query('SELECT username, password FROM members'))
{
    mysql_query('UPDATE members SET password='.md5($password).' WHERE username="'.$username.'"');
}

echo 'Passwords reset. DELETE THIS SCRIPT NOW DONOT RERUN.';

?>

[eaglelegend]

ok did that sure, but now I get this :/

 

Parse error: syntax error, unexpected '{' in /misc/39/000/171/334/2/user/web/eaglelegend.com/md5.php on line 6

 

Thanks btw for hellping out! heh, I didnt think people would be so kind, but justgo to my site and abuse the security holes :/ heh I dont know what half of them are, people keep saying I have security holes, they never say what!

[wildteen88]

Missed of a closing parenthesis on line 6, corrected code

<?php

include 'header.php';

while(list($username, $password) = mysql_fetch_row(mysql_query('SELECT username, password FROM members')))
{
    mysql_query('UPDATE members SET password='.md5($password).' WHERE username="'.$username.'"');
}

echo 'Passwords reset. DELETE THIS SCRIPT NOW DONOT RERUN.';

?>

[eaglelegend]

PROBLEM LOADING PAGE

 

The connection was reset

 

The connection to the server was reset while the page was loading.

 

    * The site could be temporarily unavailable or too busy. Try again in a few

          moments.

 

    *  If you are unable to load any pages, check your computer's network

          connection.

 

    *  If your computer or network is protected by a firewall or proxy, make sure

          that Firefox is permitted to access the Web.

 

 

 

 

     

 

 

      EDIT: I checked the database and it hasent encryped any of the passwords :/

[wildteen88]

Do you have many passwords in your database? It shouldn't cause too much of problem.

[eaglelegend]

hehe, approaching 100!

[wildteen88]

Umm. That shouldn't be much of an issue with that script I provided.

[eaglelegend]

well it keeps going like I just said :/ is there any way I can query itin the actual database area that I can query on etc.?

[GingerRobot]

Wouldn't it be easier to just run the query:

 

UPDATE `members` SET `password`=md5(`password`)

 

Again, as wildteen has emphasized, make sure you back up your data and run this query only once.

[eaglelegend]

Thanks ginger- I thought of that yes, but, I wasnt sure if I couldnt for some reason heh. thanks guys!

[GingerRobot]

Before you finalise that, however, you might wish to consider adding a salt to your passwords to increase the security of the hash (i.e. prevent the use of rainbow tables).

 

Basically, you add a string before/after/in the middle or a combination to the user's password before it is hashed. This makes a reverse lookup chart useless.