Hiya, newbie MD5 login question

[rhudson]

I've managed to encrypt the user password when the user registers for the site BUT I can't work out how to make the login work. Here's the code for the login script:

 

<?php

$host="xxxx";

$username="xxxx";

$password="xxxx1";

$db_name="xxxx";

$tbl_name="xxxx";

 

// Connect to server and select databse.

mysql_connect("$host", "$username", "$password")or die("cannot connect");

mysql_select_db("$db_name")or die("cannot select DB");

 

// username and password sent from form

$myusername=$_POST['UID'];

$mypassword=$_POST['password'];

 

// To protect MySQL injection

$myusername = stripslashes($myusername);

$mypassword = stripslashes($mypassword);

$myusername = mysql_real_escape_string($myusername);

$mypassword = mysql_real_escape_string($mypassword);

 

$sql="SELECT * FROM $tbl_name WHERE UID='$myusername' and password='$mypassword'";

$result=mysql_query($sql);

 

// Mysql_num_row is counting table row

$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row

 

if($count==1){

// Register $myusername, $mypassword, set cookie and redirect to file

session_register("UID");

session_register("password");

header("location:resources.php");

}

else {

header("location:loginerror.html");

}

?>

 

Some pointers would be great - Huge thanks in advance.

 

Ryan

 

 

[Nhoj]

$sql="SELECT * FROM $tbl_name WHERE UID='$myusername' and password='$mypassword'";

 

Change the $mypassword part to md5($mypassword):

 

$sql="SELECT * FROM $tbl_name WHERE UID='$myusername' and password='".md5($mypassword)."'";

 

That way when it does the lookup it changes the password to MD5 before scanning, providing the password is stored in the DB as an MD5 string.

 

Edit: Also, should note that you don't need to do

$mypassword = stripslashes($mypassword);

$mypassword = mysql_real_escape_string($mypassword);

 

When you are going to MD5 the password anyway, as MD5 strings don't contain any special characters, therefore an MD5 string will be safe to search the DB without cleaning. In addition, with that, you are disabling the ability to use slashes and some other special characters in a password simply because the password is modified from the original string inputed. To secure it when inserting you would do essentially the same as when you select, which is, md5($mypassword) in the insert statement.

[MFHJoe]

EDIT: Nhoj got there before me

 

It'd be better doing it with the code below. Nhoj's would work well, unless the user happened to have some weird characters in their password - those characters would be taken out by stripslashes() and mysql_real_escape_string() and the user wouldn't be able to login, even though he was using the password he signed up with.

 

I've commented the bits I've changed. The code below should work.

 

<?php
$host="xxxx"; 
$username="xxxx"; 
$password="xxxx1";
$db_name="xxxx";
$tbl_name="xxxx";

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$myusername=$_POST['UID']; 

// Encrypt the line below so it may match what's in the database
$mypassword=md5($_POST['password']);

// To protect MySQL injection
$myusername = stripslashes($myusername);
$myusername = mysql_real_escape_string($myusername);

// $mypassword = stripslashes($mypassword); You don't need to stripslashes, it's already md5() encoded so it's safe
// $mypassword = mysql_real_escape_string($mypassword); Again, no need. It's already md5() so it's safe.

$sql="SELECT * FROM $tbl_name WHERE UID='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword, set cookie and redirect to file
session_register("UID");
session_register("password"); 
header("location:resources.php");
}
else {
header("location:loginerror.html");
}
?>

[vincibleman]

Hello all, and let me first apologize to rhudson for derailing his help atm but my problem seems very similar to his and I just can't seem to edit my code without getting errors.  I believe I have the same problem rhudson has where my login will actually work if a user types in their md5 password instead of their actual password.  If they type in the non-hashed password the login will fail.

I've been trying to insert the snippets you two have mentioned to alter the query to find the md5 version of what the user types in with no success.  I'm using Dreamweaver so the login function has a bit more mess and my php knowledge is novice at best.  If you still have time to help another newb out the code is just below.  Thank you in advance

 

 

 

 

 

<?php require_once('Connections/Homelogin.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}
?><?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "http://www.gungapit.com/wordpress/";
  $MM_redirectLoginFailed = "http://www.gungapit.com/failed.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_Homelogin, $Homelogin);
  
  $LoginRS__query=sprintf("SELECT user_login, user_pass FROM wp_users WHERE user_login=%s AND user_pass=%s",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 
   
  $LoginRS = mysql_query($LoginRS__query, $Homelogin) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";
    
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;	      

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>
<div align="center">
<form name="form1" method="POST" action="<?php echo $loginFormAction; ?>">
<table width="400" border="0" cellspacing="0" cellpadding="3">
<tr>
<td width="100">Username:</td>
<td><input name="username" type="text" id="username"></td>
</tr>
<tr>
<td width="100">Password:</td>
<td><input name="password" type="password" id="password"></td>
</tr>
<tr>
<td width="100"> </td>
<td><input type="submit" name="Submit" value="Submit"></td>
</tr>
</table>
</form>
</div>

[revraz]

Try

 

$password=$_POST['password'];

 

to

 

$password=md5($_POST['password']);

 

[vincibleman]

Thank you for the response revraz.  I've tried what you mentioned both in test view in Dreamweaver and on my live site.  It appears the only thing that changes is that I cant login with my actual password or my hashed password.  My thoughts were that maybe its not a md5 hash but everything i've seen claims that Wordpress(what database im accessing) uses md5.

 

EDIT:I have seen sites mentioning wordpress 2.6 uses something called phpass but i sounds like that's something else entirely.