Jump to content

md5 will not work

Reaper0167

By Reaper0167
in PHP Coding Help

 Share

Recommended Posts

Reaper0167 Regular Member

Reaper0167

Posted
Posted

something so easy i can not get to work

here is my register script

<?php

//connection to your database
include ("connection.php");

// connects to server and database
mysql_connect("$host", "$username", "$password") or die("Could not connect.");
mysql_select_db("$db_name") or die("Could not find database");

// define variables from form register form
$username = mysql_real_escape_string($_POST["username"]);
$password = md5($_POST["password"]);
$email = mysql_real_escape_string($_POST["email"]);

// inserting data into your database
$sql = "INSERT INTO $tbl_name(username, password, email)VALUES('$username','$password','$email')";
$res = mysql_query($sql) or die(mysql_error());

if ($_POST['password'] != $_POST['password_conf'])
{
$message = "Passwords must be the same. Please try again.";
header("location: registration.php?error=" . urlencode($message));  
}

// closes your connection
mysql_close();

?>

and here is my login script

<?php

// datbase information
include "connection.php";

// connects to server and database
mysql_connect("$host", "$username", "$password") or die("Could not connect.");
mysql_select_db("$db_name") or die("Could not find database");

// pull username and password from the form
$username = mysql_real_escape_string($_POST['username']);
$password = md5($_POST['password']);

// searching for username and md5password in database
$sql="SELECT * FROM $tbl_name WHERE username ='$username' and password = '$password' LIMIT 1";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

// display log in error or success
if($count==1)
{
session_start();
$_SESSION['auth'] = "yes";
$message = "Welcome $username. You are now logged in.";
header("location: home.php?error=" . urlencode($message));
}
else 
{
$message = "$username is not a registered username. Please register first.";
header("location: index.php?error=" . urlencode($message));
}

?>

Link to comment
Share on other sites
Rushyo Newbie

Rushyo

Posted
Posted

Are you sure the $_POST vars are getting through to the script fine?

 

""it registers the username and the md5 password just fine... i checked my database... but when i go to log in,,, it keeps telling me that i am not registered......how much further could i go with security past md5 once i get the md5 to work?"

 

Quite a long way really, but salting suffices for many purposes. Just add the username to the password being md5'd...

 

eg. md5($password.$username);

Link to comment
Share on other sites
Rushyo Newbie

Rushyo

Posted
Posted

"i set max characters to 50 and everything works now... thanks.... now what else could i do to make the names and passwords more secure??? "

 

MD5 hashes are always 32 characters long.

 

Ideally, you should use SHA256 rather than MD5. They're not hugely different, but the former is certainly more secure. You should create a very long string to use as a key and add that key to the end of all passwords.

 

You should also create something unique for that account (preferably based on as many factors as possible such as time, the user's IP, and other things.. the more random the better) and add that, also hashed, to the database alongside the password.

 

So it'd be like this:

 

<?php

$strLongKey = "uihf4ef...adoijwudn;" //This can be anything, feel free to type it by hammering the keyboard... the longer the better.
$strSalt = sha256(time()); //This just uses the current time... add more variable stuff here to increase entropy!
$strPassword = sha256($strSalt.$_POST['pass'].$strLongKey);

//Do stuff

mysql_query("INSERT INTO users (username, password, salt) VALUES ($strUsername, $strPassword, $strSalt");
?>

 

To login, repeat this procedure but instead of generating a new random salt, get it from the database. The key must be the same each time.

 

Now someone who breaks into your database won't have the key... and someone who breaks into your application won't have the salt.

 

Bearing in mind this is just password salting alone. Password constraints (minimum 8 characters, using a range of characters) is very important as well. To make a secure application requires significant expertise. Most companies will hire a professional to audit and/or certify their systems.

Link to comment
Share on other sites
Mchl Regular Member

Mchl

Posted
Posted

Bearing in mind this is just password salting alone. Password constraints (minimum 8 characters, using a range of characters) is very important as well. To make a secure application requires significant expertise. Most companies will hire a professional to audit and/or certify their systems.

 

And the users will still use post-it notes to stick their passwords to their displays. User is your most vulnerable point in security system, and the one on which you have the least control.

 

$strLongKey = "uihf4ef...adoijwudn;" //This can be anything, feel free to type it by hammering the keyboard... the longer the better.

 

I usually recommend using character that are NOT accessible through keyboard (not by hammering into it by random anyway).

Link to comment
Share on other sites
Rushyo Newbie

Rushyo

Posted
Posted
And the users will still use post-it notes to stick their passwords to their displays. User is your most vulnerable point in security system, and the one on which you have the least control.

 

Eight characters and 'easy to remember' are not mutually exclusive. Regardless... if the user wants to stick their password up, that is generally their problem rather than yours. If the user's password gets stolen because somebody brute forced your website though, they'll tend to hold you responsible for it regardless of the merit of the argument.

 

I usually recommend using character that are NOT accessible through keyboard (not by hammering into it by random anyway).

 

It doesn't make more than a negligible difference in the context it is being suggested.

Link to comment
Share on other sites
Mchl Regular Member

Mchl

Posted
Posted

Eight characters and 'easy to remember' are not mutually exclusive. Regardless... if the user wants to stick their password up, that is generally their problem rather than yours. If the user's password gets stolen because somebody brute forced your website though, they'll tend to hold you responsible for it regardless of the merit of the argument.

 

I will not agree it's only their (users') problem if the password is stolen because of their carelessness. I for one wouldn't like to have imposter in my application. But as I said, there's not much one can do about it (except for those 'change your password regularly' notices)

 

It doesn't make more than a negligible difference in the context it is being suggested.

 

Agree on that, in the method you suggest (get as much data fields into hash as possible). Some people on the other hand stick to salt+password hashes, and then adding some uncommon characters into salt can make difference (not much, but not negligible either). It's always a question on how you can make intruder's job more difficult and on what cost. Using salt with uncommon characters is cheap and can be the thing this one script kiddie does not expect.

Link to comment
Share on other sites
Reaper0167 Regular Member

Reaper0167

Posted
  • Author
Posted

What could be wrong here???? This is what i got. md5 is put before both $_POST....

register script

<?php

//connection to your database
include ("connection.php");

// connects to server and database
mysql_connect("$host", "$username", "$password") or die("Could not connect.");
mysql_select_db("$db_name") or die("Could not find database");

// define variables from form register form
$username = mysql_real_escape_string($_POST["username"]);
$password = md5($_POST["password"]);
$email = mysql_real_escape_string($_POST["email"]);

// inserting data into your database
$sql = "INSERT INTO $tbl_name(username, password, email)VALUES('$username','$password','$email')";
$res = mysql_query($sql) or die(mysql_error());

if ($_POST['password'] != $_POST['password_conf'])
{
$message = "Passwords must be the same. Please try again.";
header("location: registration.php?error=" . urlencode($message));  
}

// closes your connection
mysql_close();

?>

login script

<?php

// datbase information
include "connection.php";

// connects to server and database
mysql_connect("$host", "$username", "$password") or die("Could not connect.");
mysql_select_db("$db_name") or die("Could not find database");

// pull username and password from the form
$username = mysql_real_escape_string($_POST['username']);
$password = md5($_POST['password']);

// searching for username and md5password in database
$sql="SELECT * FROM $tbl_name WHERE username ='$username' and password = '$password' LIMIT 1";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

// display log in error or success
if($count==1)
{
session_start();
$_SESSION['auth'] = "yes";
$message = "Welcome $username. You are now logged in.";
header("location: home.php?error=" . urlencode($message));
}
else 
{
$message = "$username is not a registered username. Please register first.";
header("location: index.php?error=" . urlencode($message));
}

?>

Link to comment
Share on other sites
ratcateme Member

ratcateme

Posted
Posted

looking at that shouldn't one of the first things you do on your reg script be

if ($_POST['password'] != $_POST['password_conf'])

{

$message = "Passwords must be the same. Please try again.";

header("location: registration.php?error=" . urlencode($message)); 

}

rather than leaving it till you have put the info in that database

shouldn't it look more like

<?php

//connection to your database
include ("connection.php");

if ($_POST['password'] != $_POST['password_conf'])
{
$message = "Passwords must be the same. Please try again.";
header("location: registration.php?error=" . urlencode($message));  
exit;
}

// connects to server and database
mysql_connect("$host", "$username", "$password") or die("Could not connect.");
mysql_select_db("$db_name") or die("Could not find database");

// define variables from form register form
$username = mysql_real_escape_string($_POST["username"]);
$password = md5($_POST["password"]);
$email = mysql_real_escape_string($_POST["email"]);

// inserting data into your database
$sql = "INSERT INTO $tbl_name(username, password, email)VALUES('$username','$password','$email')";
$res = mysql_query($sql) or die(mysql_error());

// closes your connection
mysql_close();

You must make sure, that code for generating password hash is the same when storing password to database, and when comparing hashes during login.

have you done that??

change

	$message = "$username is not a registered username. Please register first. MD5 was {$password}";

header("location: index.php?error=" . urlencode($message));/php]

and check it with the password stored in the database.

 

Scott.

 

Link to comment
Share on other sites
Reaper0167 Regular Member

Reaper0167

Posted
  • Author
Posted

with the way that it is set up right now,,,, even if all the fields are filled in and the passwords do not match,, it will not register them until the passwords are the same..... like i was saying at the beginning of this thread,,, all i have to do is take out the md5 and the "()" in that line of code and everything works fine... so somewhere in both scripts with the md5 is where it is going wrong..Could there be something wrong with the way i have my database setup??? i don't think there is but it is worth asking.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.