seany123 Posted November 1, 2008

I don't know if this is the correct section but still... I have a private website that I have been doing some testing on (trying to get better at coding). Can someone explain this...? I have a registration page (this is some of the code):

```php
$insert['username'] = $_POST['username'];
$insert['password'] = sha1($_POST['password']);
$insert['email'] = $_POST['email'];
$insert['registered'] = time();
$insert['last_active'] = time();
$insert['ip'] = $_SERVER['REMOTE_ADDR'];
$query = $db->autoexecute('members', $insert, 'INSERT');
```

Now, because it's private I thought I would play around... so I removed the sha1 (which meant when registering the password wasn't encrypted). But when trying to log in with this new account, it said invalid username / password. Anyone care to explain why it didn't work?

sKunKbad Posted November 1, 2008

You would have to remove the sha1 from where php checks the password in the database too, or it will never match.

BoltZ Posted November 1, 2008

Isn't mysql database password md5 encrypted by default? Just wondering, and I think I am wrong anyway.

sKunKbad Posted November 1, 2008

mysql has a PASSWORD function that does encrypt, but I could never figure it out. I use md5 with a salt and a token.

```php
$salt = 'h$sTbV@45';
$super_password = md5($salt . $clean_login_password);
$fingerprint = $row['timestamp'];
session_regenerate_id();
$_SESSION['user_id'] = $row['user_id'];
$_SESSION['token'] = md5($fingerprint . session_id());
```

seany123 (Author) Posted November 1, 2008

> You would have to remove the sha1 from where php checks the password in the database too, or it will never match.

You mean in the login script. Well, here is the part that logs me in.

```php
<form method="POST" action="index.php">
Username: <input type="text" name="username" value="<?=$_POST['username']?>" />
<br />
Password: <input type="password" name="password" value="<?=$_POST['password']?>" />
<br />
<?php
$query = 'SELECT * FROM ext_general';
$command = mysql_query ($query);
$result = mysql_fetch_array ($command) or die ($db_error);
$debug = $result['debug'];
if ($debug == 1) {
    print "Game Repair! Be Back soon!!";
} else {
?>
<input name="login" type="submit" value="Login!" />
<?
}
?>
```

seany123 (Author) Posted November 9, 2008

Still struggling to understand this... can anyone help me?

xtopolis Posted November 9, 2008

sha1 encrypts your password. If the account was (most likely) created with the password being stored in the database as sha1("yourpassword"), you will never be able to log in if you only send it "yourpassword".

If your password is "cat":

sha1("cat") = 9d989e8d27dc9e0ec3389fc855f142c3d40f0c50

Since you removed sha1() from `$insert['password'] = sha1($_POST['password']);`, it's now just `$_POST['password'];`

`$_POST['password']` will never == `sha1($_POST['password'])`, and therefore you will never find a match in your database.

Yes, you can make `$_POST['password']` == 9d989e8d27dc9e0ec3389fc855f142c3d40f0c50 to log in, but you now know the encrypted password value, not the password.

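The mismatch discussed in this thread, as an added example that is not part of any post: registration and login must apply the same transformation to the password, otherwise the comparison can never succeed. It goes beyond the thread by also showing PHP's built-in `password_hash()` / `password_verify()` pair, which keeps both sides in step; the `$members` array and all function names are hypothetical stand-ins.

```php
<?php
// Added example, not code from the thread. $members is a constructed in-memory
// stand-in for the 'members' table; all function names are hypothetical.

// Registration as first posted: the stored value is sha1() of the password.
function register_sha1(array &$members, string $user, string $pass): void {
    $members[$user] = sha1($pass);
}

// Registration after the edit described in the thread: sha1() removed.
function register_plain(array &$members, string $user, string $pass): void {
    $members[$user] = $pass;
}

// Login check that hashes the submitted password before comparing.
function login_sha1(array $members, string $user, string $pass): bool {
    return isset($members[$user]) && hash_equals($members[$user], sha1($pass));
}

// password_hash() stores algorithm, cost and a random salt inside the hash
// string, so password_verify() always applies the matching transformation.
function register_modern(array &$members, string $user, string $pass): void {
    $members[$user] = password_hash($pass, PASSWORD_DEFAULT);
}

function login_modern(array $members, string $user, string $pass): bool {
    return isset($members[$user]) && password_verify($pass, $members[$user]);
}

$members = [];

register_sha1($members, 'alice', 'cat');   // both sides use sha1()
var_dump(login_sha1($members, 'alice', 'cat'));

register_plain($members, 'bob', 'cat');    // stored "cat" is compared with sha1("cat")
var_dump(login_sha1($members, 'bob', 'cat'));

register_modern($members, 'carol', 'cat'); // hashing and checking are paired by the API
var_dump(login_modern($members, 'carol', 'cat'));
var_dump(login_modern($members, 'carol', 'dog'));
```

Of the three correct-password logins, only the `bob` one fails, which is the situation described in the first post: the account was stored without `sha1()` while the login check still applied it.
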
Archived
This topic is now archived and is closed to further replies.