Jump to content

[SOLVED] Admin Login With MD5 and Salt


azonicds2

Recommended Posts

Hi guys,

 

Ive been helped here before with success so thought id return and get your expertise once more,

 

Ok so im new(ish) to php and know how to make simple logins but with no security.

 

Im trying my best to learn Md5 and Salting but having no luck.

 

Heres my code at the moment for my login script:

 

<?php
include ('connection.php')	 
?>
<?php
session_start();
error_reporting(E_ALL);

$appUsername = $_POST["loginusername"];
$appPassword = $_POST["loginpassword"];

$query = "SELECT * FROM admin WHERE username='$appUsername' AND  password='$appPassword'";

$result = mysql_query ($query, $connection);

if (mysql_num_rows($result) > 0) { 
$_SESSION["authenticatedUser"] = $appUsername;
header("Location: loggedon.php");
} 
else
{
$_SESSION["message"] = "Unable To Login As $appUsername";
header("Location: admin.php");
}
?>

 

Then this is the script on thats currently setting the session on the admin page:

 

<?php
session_start();
if (!isset($_SESSION["authenticatedUser"]))
{
$_SESSION["message"] = "Please Login As Admin";
header("Location: index.php");
}
else
{ 
?>

 

This works fine and simply compares the username and pass to that i have predefined in a database. I want it pre defined as the its an admin section, not a user area for multiple users so theres no registering involved.

 

How do i go about making this secure??

 

Thanks alot in advance.

 

Dan

Link to comment
https://forums.phpfreaks.com/topic/123915-solved-admin-login-with-md5-and-salt/
Share on other sites

if you want to secure your passwords with md5 and a salt this is the function i use

function hash_pass($pass){
    $salt="THIS IS A SALT";
    return md5($pass.$salt);
}

then change your code to something like this

$appPassword = hash_pass($_POST["loginpassword"]);

and when you register a user you need to put the password through the same function so it comes out as a md5 hash

 

Scott.

Right, i kind of get you.

 

I changed my code to now:

 

<?php
include ('connection.php')	 
?>
<?php
session_start();
error_reporting(E_ALL);

function hash_pass($pass){
    $salt="blabla";
    return md5($pass.$salt);
}

$appUsername = $_POST["loginusername"];
$appPassword = hash_pass($_POST["loginpassword"]);

$query = "SELECT * FROM admin WHERE username='$appUsername' AND  password='$appPassword'";

$result = mysql_query ($query, $connection);

if (mysql_num_rows($result) > 0) { 
$_SESSION["authenticatedUser"] = $appUsername;
header("Location: loggedon.php");
} 
else
{
$_SESSION["message"] = "Unable To Login As $appUsername";
header("Location: admin.php");
}
?>

 

But this now makes the password incorrect when i try to login.

 

Remember im using a predefined password in the database. theres no registering involved so im not first inserting a password to the database then trying to login with those details.

 

Im sorry im not great at understanding this...

 

You get what i mean?

 

Dan

But this now makes the password incorrect when i try to login.

 

Remember im using a predefined password in the database. theres no registering involved so im not first inserting a password to the database then trying to login with those details.

 

Im sorry im not great at understanding this...

 

You get what i mean?

 

Dan

 

You will need to change the password in the database to the hashed one.  if you echo out the hash, that is what it now has become, and you will need to copy that to the database in order to login.

yea just make a random page like this to set your password

function hash_pass($pass){
    $salt="blabla"; //must be the same as all your other files
    return md5($pass.$salt);
}
$user = "username";
$pass = "pasword";
$pass = hash_pass($pass);
$query = "INSERT INTO `admin`(`username`,`password`) VALUES ('{$user}','{$pass}')";

$result = mysql_query ($query, $connection);

 

Scott.

Right, ive just made random page with the following:

 

<?php
include ('connection.php')
?>
<?php
function hash_pass($pass){
    $salt="blabla"; //must be the same as all your other files
    return md5($pass.$salt);
}
$user = "dan";
$pass = "mypass";
$pass = hash_pass($pass);
$query = "INSERT INTO `admin`(`username`,`password`) VALUES ('{$user}','{$pass}')";

$result = mysql_query ($query, $connection);

?>

 

So that executes fine and inserts. Now i try to login with the username: dan and the password: mypass and it doesn't allow. Is there something else im doing wrong here?

 

Thanks

 

Dan

 

 

Right ive tried all sorts,

 

heres all the sections of code i have:

 

The page that inserts the admin username and password into the database:

<?php
include ('connection.php')
?>
<?php
function hash_pass($pass){
    $salt="blabla"; //must be the same as all your other files
    return md5($pass.$salt);
}
$user = "dan";
$pass = "mypass";
$pass = hash_pass($pass);
$query = "INSERT INTO `admin`(`username`,`password`) VALUES ('{$user}','{$pass}')";

$result = mysql_query ($query, $connection);

?>

 

 

Login Action Page:

<?php
include ('connection.php')	 
?>
<?php
session_start();
error_reporting(E_ALL);

function hash_pass($pass){
    $salt="blabla";
    return md5($pass.$salt);
}

$appUsername = $_POST["loginusername"];
$appPassword = hash_pass($_POST["loginpassword"]);

$query = "SELECT * FROM admin WHERE username='$appUsername' AND  password='$appPassword'";

$result = mysql_query ($query, $connection);

if (mysql_num_rows($result) > 0) { 
$_SESSION["authenticatedUser"] = $appUsername;
header("Location: loggedon.php");
} 
else
{
$_SESSION["message"] = "Unable To Login As $appUsername";
header("Location: admin.php");
}
?>

 

 

The admin logged on page:

<?php
session_start();
if (!isset($_SESSION["authenticatedUser"]))
{
$_SESSION["message"] = "Please Login As Admin";
header("Location: index.php");
}
else
{ 
?>
CONTENT
<?php  
} 
?>

 

 

Thats what ive got, so then when i try to login with the following:

 

Username: dan

Password: mypass

 

It doesn't accept it and spits out the message "*Unable To Login As dan" as i set it to if the username and password didn't match that in the database.

 

HELP PLEASE!! :) 2 Beers for the person that can fix this :) lol

 

Thanks alot

 

Dan

There are afew things you could check.

First, do echo of hash_pass("mypass") and compare it with the hash stored in your database.

You can also try echoing it when getting POST data

echo $appPassword = hash_pass($_POST["loginpassword"]);

 

If it returns different hash than expected, then there might be some whitespace appended to your password.

Ok what ive done is created a page called hashtest.php and made the login form action to that page:

 

the page contains:

<?php 
function hash_pass($pass){
    $salt="blabla";
    return md5($pass.$salt);
}
echo $appPassword = hash_pass($_POST["loginpassword"]);?>

 

This echos: 75f3b2ada058ffeae1fbb01a14181d40

 

Yet in the database it is only: 75f3b2ada058ffeae1fb

 

Now ive had a brain wave, is this all because ive limited the password field in the database to 20 letters!! lol?

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.