BrianM Posted June 17, 2008

The values from the input fields won't insert into the database when submitted. The only part of the script that does seem to run is line 29 - header('Location: login.php'); - it just seems to skip everything else when Register is clicked.

Here is my code:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>MPS - Register</title>
    </head>

    <?php

    mysql_connect('localhost', 'brian', '') or die(mysql_error());
    mysql_select_db('mps') or die(mysql_error());

    if (isset($_POST['register'])) {
        if (!$_POST['username'] | !$_POST['password']) {
            print('You must complete all input fields.');
        }

        $valid_username = $_POST['username'];
        $check_one = mysql_query("SELECT username FROM mps_login WHERE username = '$valid_username'") or die(mysql_error());
        $check_two = mysql_num_rows($check_one);

        if ($check_two != 0) {
            print('The username "'.$_POST['username'].'" is not available.');
        }

        $_POST['password'] = md5($_POST['password']);

        $values = "INSERT INTO mps_login (username, password) VALUES ('".$_POST['username']."', '".$_POST['password']."')";
        $register = mysql_query($values);

        header('Location: login.php');
    }

    ?>

    <body>
    <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
    <table>
    <tr>
    <td>Register</td>
    </tr>
    <tr>
    <td>Username:</td>
    <td><input type="text" name="username" /></td>
    </tr>
    <tr>
    <td>Password:</td>
    <td><input type="password" name="password" /></td>
    </tr>
    <tr>
    <td><input type="submit" name="register" value="Register" /></td>
    </tr>
    </table>
    </form>
    </body>
    </html>

Does anyone see why it may not be inserting the values into the database? If anyone would like me to provide the database structure, I'll be more than happy to put it up here.

Link to comment https://forums.phpfreaks.com/topic/110534-values-wont-insert-into-db/

The Little Guy Posted June 17, 2008

    $register = mysql_query($values);

to

    $register = mysql_query($values) or die(mysql_error());

BrianM (Author) Posted June 17, 2008

Alright, I'll try that and see what it spits out. Also, here is the database structure for the table:

    CREATE TABLE mps_login (
        id int(11) auto_increment,
        username varchar(30),
        password varchar(30),
        PRIMARY KEY (id)
    );

BrianM (Author) Posted June 17, 2008

Data too long for column 'password' at row 1 .. that is the error I got. What changes should I make to my table, or code?

Just a thought, I may be wrong, does the md5 hash make the password string too long for the field?

Another update, I just looked up on Wiki about md5 hashing, and it says it turns it into a 32 character string, which would be 2 characters too long for my field. So I suppose a fix to my issue would be to enlarge my password field, and hope all goes well.

The Little Guy Posted June 17, 2008

I wouldn't use MD5, so remove the MD5 line, and use this for your mysql query:

    $values = "INSERT INTO mps_login (username, password) VALUES ('".$_POST['username']."', PASSWORD('".$_POST['password']."'))";

xtopolis Posted June 17, 2008

Your md5($password) is returning a string that is longer than 30 characters. You set a limit of 30 characters in your mysql table. Adjust the table to accommodate more characters in the password column. (Why not just go with 255 since you are hashing the values anyway)?

Also, read your error message because it told you what was wrong before I did.

** I disagree with "The Little Guy". It is considered bad practice to store plain passwords, it comes down to a liability issue. This is up to you whether you want to or not. Everyone has their own opinion. **

The Little Guy Posted June 17, 2008

Actually it is not a plain password, it is a hashed password.

BrianM (Author) Posted June 17, 2008

Thank you for everyone's opinions and help with my problem. What I did was change the type in the username/password fields from 'varchar()' to 'tinytext', so really I used xtopolis' statement as a solution, but before you posted. And yes, I would rather stick with password encryption, heh.

The Little Guy Posted June 17, 2008

All the provided ways have been encrypted, I just used it in the SQL query instead of PHP.

BrianM (Author) Posted June 17, 2008

I've never seen that method of encryption used before, is that a PHP function?

The Little Guy Posted June 17, 2008

No, it is a mysql function.

http://dev.mysql.com/doc/refman/5.0/en/password-hashing.html

xtopolis Posted June 17, 2008

My mistake TLG, I saw the $_POST['something'] and didn't notice it was being reassigned to the $_POST var, thought it was a straight input.

BrianM, you don't need tinytext, varchar(255) will do fine. Md5 actually returns 33 chars.

corbin Posted June 17, 2008

It has a 128 bit hash that can be expressed in a 32 character hexadecimal string....

bluejay002 Posted June 17, 2008

from your discussion about encryption (though it was accidental), something makes me interested: password() vs md5()

i have read this mysql:

"Note: The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA1() instead. Also see RFC 2195, section 2 (Challenge-Response Authentication Mechanism (CRAM)), for more information about handling passwords and authentication securely in your applications."

can i have your opinion? also, do you have other options other than this? i have heard twofish() - the same pipz who created blowfish() - is better than blowfish() but less mature. any other suggested hashing technique?

xtopolis Posted June 17, 2008

If you're asking whether to use MYSQL's PASSWORD() or to use PHP's MD5(), my opinion is this:

Why make MYSQL do the work of a scripting language? Mysql is primarily used to store data. It has additional features which allow it to perform specialized queries and computations, but most people will agree that it is better at storing data than crunching numbers. Also, using PHP or any Server-Side-Language will give you more flexibility in your hashing.

There are plenty of encryption options out there, you can read a wiki on the best ones to use. MD5 is a common simple one used for 'secure' applications. Things that everyday people like you and I probably use because it's secure enough. If you were designing bank software, I strongly doubt you'd use MD5, more likely SHA2 or WHIRLWIND [I think that was the name].

Make your MD5 more secure:

If you have read up on security, you will hear eventually about hackers/crackers using rainbow tables to decrypt MD5 passwords. There is a wiki on this too which was a little beyond me... But the method to beat these rainbow tables was to append/prepend a "salt" to the MD5 string. This means a character/string that you hardcode into your script in order to make your hash data different. Also, you would be careful to do the same to incoming password queries, otherwise they'd always fail.

By adding the 'salt' to the MD5, the password 'cat' no longer has the same hash as the word 'cat' would, essentially because the password is really md5('salt + cat'). You might think it's not really saving anything to add a word to your hash, since they might crack your word, but in reality changing 1 character of an MD5 input changes the hash significantly.

bluejay002 Posted June 17, 2008

from xtopolis: "If you're asking whether to use MYSQL's PASSWORD() or to use PHP's MD5()"

nope... just pure mysql stuff... and yeah, i prefer at storing data. MySQL has MD5(). hey, thanks for the input...

The Little Guy Posted June 17, 2008

You could make an even more secure password like this, then you get the best of all worlds!

    $pass = md5(sha1(base64_encode($_POST['password'])));
    $values = "INSERT INTO mps_login (username, password) VALUES ('".$_POST['username']."', PASSWORD('".$pass."'))";

If you wanted, you could even "salt" it.

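Added example, not code from any poster in this thread: the register/login flow discussed above, with database errors raised instead of ignored, user input bound through placeholders rather than concatenated into the SQL, and passwords stored with PHP's password_hash(), which salts each password randomly instead of using one hardcoded salt. The in-memory SQLite database, the register() and login() function names and the sample credentials are assumptions made so the script runs without a server; it needs PHP 5.5+ with PDO (type declarations as written need PHP 7+).

```php
<?php
declare(strict_types=1);

// SQLite in memory stands in for MySQL (assumption) so this runs offline.
// On MySQL, use a mysql: DSN and keep the password column at VARCHAR(255).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw
$db->exec('CREATE TABLE mps_login (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username VARCHAR(30) NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL
)');

function register(PDO $db, string $username, string $password): string
{
    if ($username === '' || $password === '') {
        return 'You must complete all input fields.';
    }
    // password_hash() picks a random salt per password and embeds it in the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    try {
        // Placeholders keep user input out of the SQL text.
        $stmt = $db->prepare('INSERT INTO mps_login (username, password) VALUES (?, ?)');
        $stmt->execute([$username, $hash]);
    } catch (PDOException $e) {
        // SQLSTATE class 23 is an integrity violation: here, a duplicate username.
        if (strncmp((string) $e->getCode(), '23', 2) === 0) {
            return 'The username is not available.';
        }
        throw $e;
    }
    return 'ok';
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM mps_login WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn(); // false when the user does not exist
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample input, not data from the thread.
var_dump(register($db, 'brian', 'correct horse'));    // new user
var_dump(register($db, 'brian', 'another password')); // duplicate username
var_dump(register($db, "x', 'y') --", 'pw'));          // quotes are stored as literal text
var_dump(login($db, 'brian', 'correct horse'));
var_dump(login($db, 'brian', 'wrong'));
```

The UNIQUE constraint replaces the separate SELECT check from the first post, so two simultaneous registrations cannot both pass the availability test.
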
Archived
This topic is now archived and is closed to further replies.