azonicds2 Posted September 12, 2008

Hi guys, I've been helped here before with success so thought I'd return and get your expertise once more. OK, so I'm new(ish) to PHP and know how to make simple logins but with no security. I'm trying my best to learn MD5 and salting but having no luck. Here's my code at the moment for my login script:

    <?php include ('connection.php') ?>
    <?php
    session_start();
    error_reporting(E_ALL);

    $appUsername = $_POST["loginusername"];
    $appPassword = $_POST["loginpassword"];

    $query = "SELECT * FROM admin WHERE username='$appUsername' AND password='$appPassword'";
    $result = mysql_query ($query, $connection);

    if (mysql_num_rows($result) > 0) {
        $_SESSION["authenticatedUser"] = $appUsername;
        header("Location: loggedon.php");
    } else {
        $_SESSION["message"] = "Unable To Login As $appUsername";
        header("Location: admin.php");
    }
    ?>

Then this is the script that's currently setting the session on the admin page:

    <?php
    session_start();
    if (!isset($_SESSION["authenticatedUser"])) {
        $_SESSION["message"] = "Please Login As Admin";
        header("Location: index.php");
    } else {
    ?>

This works fine and simply compares the username and password to the ones I have predefined in a database. I want it predefined as it's an admin section, not a user area for multiple users, so there's no registering involved. How do I go about making this secure?? Thanks a lot in advance.

Dan
ratcateme Posted September 12, 2008

If you want to secure your passwords with MD5 and a salt, this is the function I use:

    function hash_pass($pass){
        $salt="THIS IS A SALT";
        return md5($pass.$salt);
    }

Then change your code to something like this:

    $appPassword = hash_pass($_POST["loginpassword"]);

And when you register a user you need to put the password through the same function so it comes out as an MD5 hash.

Scott.
azonicds2 Posted September 12, 2008 (Author)

Right, I kind of get you. I changed my code to now:

    <?php include ('connection.php') ?>
    <?php
    session_start();
    error_reporting(E_ALL);

    function hash_pass($pass){
        $salt="blabla";
        return md5($pass.$salt);
    }

    $appUsername = $_POST["loginusername"];
    $appPassword = hash_pass($_POST["loginpassword"]);

    $query = "SELECT * FROM admin WHERE username='$appUsername' AND password='$appPassword'";
    $result = mysql_query ($query, $connection);

    if (mysql_num_rows($result) > 0) {
        $_SESSION["authenticatedUser"] = $appUsername;
        header("Location: loggedon.php");
    } else {
        $_SESSION["message"] = "Unable To Login As $appUsername";
        header("Location: admin.php");
    }
    ?>

But this now makes the password incorrect when I try to login. Remember I'm using a predefined password in the database. There's no registering involved, so I'm not first inserting a password into the database and then trying to login with those details. I'm sorry, I'm not great at understanding this... You get what I mean?

Dan
peranha Posted September 12, 2008

> But this now makes the password incorrect when I try to login. Remember I'm using a predefined password in the database. There's no registering involved, so I'm not first inserting a password into the database and then trying to login with those details. I'm sorry, I'm not great at understanding this... You get what I mean? Dan

You will need to change the password in the database to the hashed one. If you echo out the hash, that is what it has now become, and you will need to copy that to the database in order to login.
ratcateme Posted September 12, 2008

Yea, just make a random page like this to set your password:

    function hash_pass($pass){
        $salt="blabla"; //must be the same as all your other files
        return md5($pass.$salt);
    }

    $user = "username";
    $pass = "pasword";
    $pass = hash_pass($pass);

    $query = "INSERT INTO `admin`(`username`,`password`) VALUES ('{$user}','{$pass}')";
    $result = mysql_query ($query, $connection);

Scott.
azonicds2 Posted September 12, 2008 (Author)

That's brilliant, thanks a lot both of you, specially Scott, hehe. I'll give it a try now, however just curious, what did you mean by:

    $salt="blabla"; //must be the same as all your other files

Thanks

Dan
ratcateme Posted September 12, 2008

You need to make sure that the salt is the same every time you use it. I would recommend making a functions file and including it on all your pages; then you have the same salt on all your pages.

Scott.
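A shared functions file along the lines Scott describes, written out as an added example (this is not code from the thread; the file name `functions.php`, `verify_pass`, `make_password` and `check_password` are my additions). Besides the thread's `hash_pass`, it shows the constant-time comparison a login should use, and PHP's built-in `password_hash`/`password_verify` (PHP 5.5+), which replace a single site-wide salt with a random per-password salt and a deliberately slow algorithm, so two accounts with the same password get different stored values and precomputed MD5 tables are useless against it.

```php
<?php
// functions.php (added example). Include this from every page so the
// salt and the hashing routine are defined in exactly one place.

// The scheme from the thread: one site-wide salt appended before MD5.
// Every page that stores or checks a password must include THIS file;
// if the salt differs anywhere, stored and submitted hashes never match.
function hash_pass($pass) {
    $salt = "blabla"; // example value; change it, but keep it identical everywhere
    return md5($pass . $salt);
}

// Compare a submitted password against the stored hash.
// hash_equals() (PHP 5.6+) runs in constant time, so the comparison does
// not leak how many leading characters of the hash matched.
function verify_pass($submitted, $stored_hash) {
    return hash_equals($stored_hash, hash_pass($submitted));
}

// Recommended replacement: password_hash() generates a random per-password
// salt and uses bcrypt (slow by design). Salt, cost and hash are stored in
// one 60-character string, so no site-wide salt and no separate salt column
// are needed. The PHP manual advises a VARCHAR(255) column for this value.
function make_password($pass) {
    return password_hash($pass, PASSWORD_DEFAULT);
}

function check_password($submitted, $stored) {
    return password_verify($submitted, $stored);
}

// Self-check when run directly from the command line:  php functions.php
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $stored = hash_pass("mypass");                 // constructed sample password
    var_dump(strlen($stored) === 32);              // an MD5 hex digest is always 32 chars
    var_dump(verify_pass("mypass", $stored));      // bool(true)
    var_dump(verify_pass("wrongpass", $stored));   // bool(false)

    $h1 = make_password("mypass");
    $h2 = make_password("mypass");
    var_dump($h1 !== $h2);                         // bool(true): different salts, different hashes
    var_dump(check_password("mypass", $h1));       // bool(true): both still verify
    var_dump(check_password("mypass", $h2));       // bool(true)
}
```

If the thread's `hash_pass` scheme is kept, note that the salt is the same for every account, so it only defeats generic rainbow tables; it does nothing against guessing attempts aimed at this one site, which is what the slow, per-password `password_hash` is for.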
azonicds2 Posted September 12, 2008 (Author)

Right, I've just made a random page with the following:

    <?php include ('connection.php') ?>
    <?php
    function hash_pass($pass){
        $salt="blabla"; //must be the same as all your other files
        return md5($pass.$salt);
    }

    $user = "dan";
    $pass = "mypass";
    $pass = hash_pass($pass);

    $query = "INSERT INTO `admin`(`username`,`password`) VALUES ('{$user}','{$pass}')";
    $result = mysql_query ($query, $connection);
    ?>

So that executes fine and inserts. Now I try to login with the username: dan and the password: mypass and it doesn't allow. Is there something else I'm doing wrong here?

Thanks

Dan
azonicds2 Posted September 12, 2008 (Author)

Right, I've tried all sorts. Here's all the sections of code I have:

The page that inserts the admin username and password into the database:

    <?php include ('connection.php') ?>
    <?php
    function hash_pass($pass){
        $salt="blabla"; //must be the same as all your other files
        return md5($pass.$salt);
    }

    $user = "dan";
    $pass = "mypass";
    $pass = hash_pass($pass);

    $query = "INSERT INTO `admin`(`username`,`password`) VALUES ('{$user}','{$pass}')";
    $result = mysql_query ($query, $connection);
    ?>

Login Action Page:

    <?php include ('connection.php') ?>
    <?php
    session_start();
    error_reporting(E_ALL);

    function hash_pass($pass){
        $salt="blabla";
        return md5($pass.$salt);
    }

    $appUsername = $_POST["loginusername"];
    $appPassword = hash_pass($_POST["loginpassword"]);

    $query = "SELECT * FROM admin WHERE username='$appUsername' AND password='$appPassword'";
    $result = mysql_query ($query, $connection);

    if (mysql_num_rows($result) > 0) {
        $_SESSION["authenticatedUser"] = $appUsername;
        header("Location: loggedon.php");
    } else {
        $_SESSION["message"] = "Unable To Login As $appUsername";
        header("Location: admin.php");
    }
    ?>

The admin logged on page:

    <?php
    session_start();
    if (!isset($_SESSION["authenticatedUser"])) {
        $_SESSION["message"] = "Please Login As Admin";
        header("Location: index.php");
    } else {
    ?>
    CONTENT
    <?php } ?>

That's what I've got, so then when I try to login with the following:

Username: dan
Password: mypass

It doesn't accept it and spits out the message "Unable To Login As dan", as I set it to if the username and password didn't match that in the database.

HELP PLEASE!! 2 beers for the person that can fix this lol

Thanks a lot

Dan
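Since the original question was how to make this login secure, here is the login action page rewritten the way a reviewer would want it, as an added example rather than code from the thread. It assumes `connection.php` creates a mysqli object in `$connection` (the thread's code uses the old `mysql_*` functions, which have no prepared statements) and that `admin.password` holds the 32-character value produced by `hash_pass`. The username is sent as a bound parameter instead of being pasted into the SQL string, the hash is compared in PHP in constant time, the session id is regenerated on login, and the script exits after each redirect.

```php
<?php
// login.php (added example, not the thread's code)
// Assumption: connection.php does something like
//   $connection = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
session_start();
require 'connection.php';

function hash_pass($pass) {
    $salt = "blabla"; // must match the salt used when the admin row was inserted
    return md5($pass . $salt);
}

$appUsername = isset($_POST["loginusername"]) ? $_POST["loginusername"] : '';
$appPassword = isset($_POST["loginpassword"]) ? $_POST["loginpassword"] : '';

// 1. Fetch only the stored hash, with a prepared statement. The username is
//    bound as data, so a quote or other SQL syntax typed into the form is
//    treated as part of the value and cannot change the query.
$stmt = $connection->prepare("SELECT password FROM admin WHERE username = ? LIMIT 1");
$stmt->bind_param("s", $appUsername);
$stmt->execute();
$stmt->bind_result($storedHash);
$found = $stmt->fetch();
$stmt->close();

// 2. Compare in PHP, not in the WHERE clause. hash_equals() (PHP 5.6+) takes
//    the same time whether the first or the last character differs.
$ok = false;
if ($found) {
    $ok = hash_equals($storedHash, hash_pass($appPassword));
}

if ($ok) {
    // 3. Replace the session id on successful login so an id handed to the
    //    browser before authentication does not become the admin session.
    session_regenerate_id(true);
    $_SESSION["authenticatedUser"] = $appUsername;
    header("Location: loggedon.php");
} else {
    // Same message for unknown user and wrong password, and the submitted
    // username is not copied into the message where a page might echo it.
    $_SESSION["message"] = "Unable To Login";
    header("Location: admin.php");
}
// 4. Stop after a redirect header; PHP keeps executing otherwise, and anything
//    below this point would still run and be sent to the client.
exit;
```

The admin page check from the thread should end the same way: after `header("Location: index.php");` add `exit;` so the protected part of the page is never reached when no session exists.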
Mchl Posted September 12, 2008

There are a few things you could check. First, do an echo of hash_pass("mypass") and compare it with the hash stored in your database. You can also try echoing it when getting POST data:

    echo $appPassword = hash_pass($_POST["loginpassword"]);

If it returns a different hash than expected, then there might be some whitespace appended to your password.
azonicds2 Posted September 12, 2008 (Author)

OK, I'll try that. Sorry to sound dumb, but how exactly should I execute this:

    echo $appPassword = hash_pass($_POST["loginpassword"]);

?? Just on any random page?

Thanks

Dan
Mchl Posted September 12, 2008

No. Just replace

    $appPassword = hash_pass($_POST["loginpassword"]);

with

    echo $appPassword = hash_pass($_POST["loginpassword"]);

in your login.php. Remember to remove echo after you're finished with checking.
azonicds2 Posted September 12, 2008 (Author)

OK, what I've done is created a page called hashtest.php and made the login form action go to that page. The page contains:

    <?php
    function hash_pass($pass){
        $salt="blabla";
        return md5($pass.$salt);
    }
    echo $appPassword = hash_pass($_POST["loginpassword"]);
    ?>

This echos:

    75f3b2ada058ffeae1fbb01a14181d40

Yet in the database it is only:

    75f3b2ada058ffeae1fb

Now I've had a brain wave: is this all because I've limited the password field in the database to 20 letters!! lol?
Mchl Posted September 12, 2008

It is. MD5 is always 32 letters long.
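The truncated column is easy to detect before it costs an afternoon, and the same check catches the whitespace case Mchl mentioned earlier. The script below is an added example, not code from the thread; it assumes `connection.php` creates a mysqli object in `$connection` and that `admin.password` is meant to hold `md5()` output, which is 32 hexadecimal characters regardless of how long the input password was.

```php
<?php
// checkhash.php (added example). Run once after setting up the admin table.
// Assumption: connection.php creates a mysqli object in $connection.
require 'connection.php';

define('MD5_HEX_LEN', 32);

// 1. Column width. With MySQL's default (non-strict) mode a VARCHAR(20)
//    column silently keeps the first 20 characters of a 32-character hash,
//    so the value computed at login can never equal the stored one.
$res = $connection->query("SHOW COLUMNS FROM admin LIKE 'password'");
$col = $res->fetch_assoc();
// Type looks like "varchar(20)" or "char(32)"; pull the number out.
if (preg_match('/\((\d+)\)/', $col['Type'], $m) && (int)$m[1] < MD5_HEX_LEN) {
    echo "password column is {$col['Type']}; it needs at least CHAR(" . MD5_HEX_LEN . ")\n";
    echo "fix: ALTER TABLE admin MODIFY password CHAR(" . MD5_HEX_LEN . ") NOT NULL;\n";
    echo "then re-run the insert page: truncated hashes cannot be recovered\n";
}

// 2. Stored values. Anything that is not exactly 32 lowercase hex characters
//    was truncated, stored in plain text, never hashed, or picked up
//    trailing whitespace on the way in.
$stmt = $connection->prepare("SELECT username, password FROM admin");
$stmt->execute();
$stmt->bind_result($user, $hash);
while ($stmt->fetch()) {
    if (!preg_match('/^[0-9a-f]{32}$/', $hash)) {
        echo "user '$user': stored value is " . strlen($hash)
           . " chars, not a 32-char MD5 hex digest\n";
    }
}
$stmt->close();

// 3. Sanity check on the hashing side: the digest length never depends on
//    the password length, so a long admin password is not the problem.
function hash_pass($pass) {
    $salt = "blabla"; // must match the salt used everywhere else
    return md5($pass . $salt);
}
echo "hash_pass('mypass') is " . strlen(hash_pass("mypass")) . " chars\n";   // 32
echo "hash_pass(str_repeat('x', 200)) is " . strlen(hash_pass(str_repeat('x', 200))) . " chars\n"; // 32
```

If the column is later switched to `password_hash()` output, the same check applies with a different shape: that value is 60 characters for bcrypt and the PHP manual recommends a VARCHAR(255) column so future algorithms also fit.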
azonicds2 Posted September 12, 2008 (Author)

Fixed!! Brilliant!! Thanks so much, just needed that push. You guys are great on here! Really appreciate that, thx mate.

Dan