tekrscom Posted August 23, 2009 Share Posted August 23, 2009 Please help me... I've really done it... I was looking into encrypting all of the passwords in my users table using md5 which I was reading about and it seemed oh so very easy... so I did this... require "Connection.php"; function ChangePassword($UserID, $Password_pre) { $Password = md5($Password_pre); mysql_query("UPDATE Users SET Password = '$Password' WHERE UserID = '$UserID'"); } $sub_query = "SELECT UserID, Password FROM Users WHERE 1"; $sub_results = mysql_query($sub_query); while ($row = mysql_fetch_array($sub_results)){ $UserID = $row['UserID']; $Password = $row['Password']; ChangePassword($UserID, $Password); } And I changed my login.php script to this… $LoginPassword = md5($_POST['Password']); $query = "SELECT UserID, Username, EmailValidated, PrivacySetting, AccountType FROM Users WHERE Username = '$_POST[username]' AND Password = '$LoginPassword'"; Now no one can log in and I’m freaking out… someone please tell me that there is a fix for what I have done… Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted August 23, 2009 Share Posted August 23, 2009 What is your table definition, specifically for the password column? Quote Link to comment Share on other sites More sharing options...
tekrscom Posted August 23, 2009 Author Share Posted August 23, 2009 varchar (15) OMG, now I see what has happened... it shortened the encryption string... there isn't going to be anyway to fix this is there? Quote Link to comment Share on other sites More sharing options...
MadTechie Posted August 23, 2009 Share Posted August 23, 2009 if your going to catch hell then try this $LoginPassword = md5($_POST['Password']); $LoginPassword = substr($LoginPassword, 0, 15); this should work but only keep it like that until everyone has reset their passwords EDIT: also read up on sql injection and then look at this part of your code Username = '$_POST[username]' I'm sure someone will explain why its bad.. but its 7:30am here and i need sleep! Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted August 23, 2009 Share Posted August 23, 2009 I recommend restoring your database from a backup and starting over. You should make a new column to hold the md5 values. Populate it with the md5 of the existing passwords. Modify your code to use the new column. Once everything is working, delete the old plain-text password column. If that option is not available, I would truncating the md5($_POST['Password']) value to 15 characters and use that in your query. Quote Link to comment Share on other sites More sharing options...
tekrscom Posted August 23, 2009 Author Share Posted August 23, 2009 It just came to me that, just about an hour ago I integrated all of my users into my phpBB3 users table via an external script... when I did that, it encrypted them via md5... If I do a query and update with those md5 passwords, those should work right? Quote Link to comment Share on other sites More sharing options...
tekrscom Posted August 23, 2009 Author Share Posted August 23, 2009 This script should work, never worked with two different databases before though... $a_link = mysql_connect ("localhost", "username", "password") or die ('I cannot connect to the database because: ' . mysql_error()); $UsersDatabase = "database_users"; $ForumDatabase = "database_phpbb3"; function ChangePassword($Username_pre, $Password_pre) { mysql_query("UPDATE Users SET Password = '$Password_pre' WHERE Username = '$Username_pre'", $UsersDatabase); } $sub_query = "SELECT username, user_password FROM phpbb_users WHERE 1", $ForumDatabase; $sub_results = mysql_query($sub_query); while ($row = mysql_fetch_array($sub_results)){ $Username = $row['username']; $Password = $row['user_password']; ChangePassword($Username, $Password); } Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted August 23, 2009 Share Posted August 23, 2009 Edit: I recommend proceeding cautiously (make a backup first.) It just came to me that, just about an hour ago I integrated all of my users into my phpBB3 users table via an external script... when I did that, it encrypted them via md5... If I do a query and update with those md5 passwords, those should work right? Yes, you will need to make the password column 32 characters first. If the phpBB3 code is using a salt string, you will need to use that same salt when you add more entries and when you md5() the entered password and put it into the query that checks against the value in the table. Quote Link to comment Share on other sites More sharing options...
tekrscom Posted August 23, 2009 Author Share Posted August 23, 2009 I will start research what a salt string is now... but meanwhile... I'm having problems finding a solid answer as to how I can connect both of these queries to 2 different databases, I've tried quite a few different variations, but nada... Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted August 23, 2009 Share Posted August 23, 2009 So, do both these databases have the same user/password so that one database connection could be used to access them both? Quote Link to comment Share on other sites More sharing options...
tekrscom Posted August 23, 2009 Author Share Posted August 23, 2009 Actually now that you mention it, no, they don't... I have a different sql user for both... Quote Link to comment Share on other sites More sharing options...
corbin Posted August 23, 2009 Share Posted August 23, 2009 If you could access both databases via the same connection, it would easier/much faster. Could you possibly create a user that has access to both databases? Quote Link to comment Share on other sites More sharing options...
tekrscom Posted August 23, 2009 Author Share Posted August 23, 2009 I got it to work... all passwords are updated... now I just need to work on this salt... Quote Link to comment Share on other sites More sharing options...
tekrscom Posted August 23, 2009 Author Share Posted August 23, 2009 Actually what do you know... it let me in, they're working... the passwords must not be encrypted utilizing the salt... perhaps an option that I didn't have turned on? Quote Link to comment Share on other sites More sharing options...
tekrscom Posted August 23, 2009 Author Share Posted August 23, 2009 I know now why it worked without the salt... because I created the users and their passwords and their email from the external script, bypassing the part that must use the salt... Quote Link to comment Share on other sites More sharing options...
corbin Posted August 23, 2009 Share Posted August 23, 2009 I know now why it worked without the salt... because I created the users and their passwords and their email from the external script, bypassing the part that must use the salt... Which means that the login script that uses the salt probably doesn't work any more. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted August 23, 2009 Share Posted August 23, 2009 If the phpBB3 code is using a salt string ... I started that statement with a conditional clause. Not a definitive clause. Check if the conditional clause is TRUE before spending a lot of time on this. Quote Link to comment Share on other sites More sharing options...
tekrscom Posted August 23, 2009 Author Share Posted August 23, 2009 Sorry, you're right PFMaBiSmAd... didn't notice the "If"... The forum login works as well as the site... everything seems to be peachy... Thank you everyone for your help... I can breathe again... Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.