md5 password encryption not working

[tekrscom]

Please help me... I've really done it... I was looking into encrypting all of the passwords in my users table using md5 which I was reading about and it seemed oh so very easy... so I did this...

require "Connection.php";
function ChangePassword($UserID, $Password_pre)
{
$Password = md5($Password_pre);
mysql_query("UPDATE Users SET Password = '$Password' WHERE UserID = '$UserID'");
}
$sub_query = "SELECT UserID, Password FROM Users WHERE 1";
$sub_results = mysql_query($sub_query);
    while ($row  =  mysql_fetch_array($sub_results)){
    	$UserID = $row['UserID'];
    	$Password = $row['Password'];
        ChangePassword($UserID, $Password);
    }

 

And I changed my login.php script to this…

 $LoginPassword = md5($_POST['Password']);
$query = "SELECT UserID, Username, EmailValidated, PrivacySetting, AccountType FROM Users WHERE Username = '$_POST[username]' AND Password = '$LoginPassword'"; 

 

Now no one can log in and I’m freaking out… someone please tell me that there is a fix for what I have done…

[PFMaBiSmAd]

What is your table definition, specifically for the password column?

[tekrscom]

varchar (15)

 

OMG, now I see what has happened... it shortened the encryption string... there isn't going to be anyway to fix this is there?

[MadTechie]

if your going to catch hell then

try this

$LoginPassword = md5($_POST['Password']);
$LoginPassword = substr($LoginPassword, 0, 15);

 

this should work but only keep it like that until everyone has reset their passwords

 

EDIT: also read up on sql injection and then look at this part of your code

 Username = '$_POST[username]'

 

I'm sure someone will explain why its bad.. but its 7:30am here and i need sleep!

[PFMaBiSmAd]

I recommend restoring your database from a backup and starting over. You should make a new column to hold the md5 values. Populate it with the md5 of the existing passwords. Modify your code to use the new column. Once everything is working, delete the old plain-text password column.

 

If that option is not available, I would truncating the md5($_POST['Password']) value to 15 characters and use that in your query.

[tekrscom]

It just came to me that, just about an hour ago I integrated all of my users into my phpBB3 users table via an external script... when I did that, it encrypted them via md5... If I do a query and update with those md5 passwords, those should work right?

[tekrscom]

This script should work, never worked with two different databases before though...

$a_link = mysql_connect ("localhost", "username", "password") or die ('I cannot connect to the database because: ' . mysql_error());
$UsersDatabase = "database_users";
$ForumDatabase = "database_phpbb3";

function ChangePassword($Username_pre, $Password_pre)
{
mysql_query("UPDATE Users SET Password = '$Password_pre' WHERE Username = '$Username_pre'", $UsersDatabase);
}
$sub_query = "SELECT username, user_password FROM phpbb_users WHERE 1", $ForumDatabase;
$sub_results = mysql_query($sub_query);
    while ($row  =  mysql_fetch_array($sub_results)){
    	$Username = $row['username'];
    	$Password = $row['user_password'];
        ChangePassword($Username, $Password);
    }

[PFMaBiSmAd]

Edit: I recommend proceeding cautiously (make a backup first.)

 

It just came to me that, just about an hour ago I integrated all of my users into my phpBB3 users table via an external script... when I did that, it encrypted them via md5... If I do a query and update with those md5 passwords, those should work right?

 

Yes, you will need to make the password column 32 characters first.

 

If the phpBB3 code is using a salt string, you will need to use that same salt when you add more entries and when you md5() the entered password and put it into the query that checks against the value in the table.

[tekrscom]

I will start research what a salt string is now... but meanwhile... I'm having problems finding a solid answer as to how I can connect both of these queries to 2 different databases, I've tried quite a few different variations, but nada...

[PFMaBiSmAd]

So, do both these databases have the same user/password so that one database connection could be used to access them both?

[tekrscom]

Actually now that you mention it, no, they don't... I have a different sql user for both...

[corbin]

If you could access both databases via the same connection, it would easier/much faster.

 

 

Could you possibly create a user that has access to both databases?

[tekrscom]

I got it to work... all passwords are updated... now I just need to work on this salt...

[tekrscom]

Actually what do you know... it let me in, they're working... the passwords must not be encrypted utilizing the salt... perhaps an option that I didn't have turned on?

[tekrscom]

I know now why it worked without the salt... because I created the users and their passwords and their email from the external script, bypassing the part that must use the salt...

[corbin]

I know now why it worked without the salt... because I created the users and their passwords and their email from the external script, bypassing the part that must use the salt...

 

 

 

Which means that the login script that uses the salt probably doesn't work any more.

[PFMaBiSmAd]

If the phpBB3 code is using a salt string ...

 

I started that statement with a conditional clause. Not a definitive clause. Check if the conditional clause is TRUE before spending a lot of time on this.

[tekrscom]

Sorry, you're right PFMaBiSmAd... didn't notice the "If"... The forum login works as well as the site... everything seems to be peachy...

 

Thank you everyone for your help... I can breathe again...