This topic is now archived and is closed to further replies.

flashguy82

md5 help..

Hey,

I need some help knowing how to use md5 for my login/sign-up page. PHP isn't my thing, so any help would be appreciated. Here's my code; I just need to know where and how to use the md5 encryption (although any other comments on security would be very helpful too ;o) ). If you need anything else, just ask. Thanks for any help in advance.


[code]
<?php
// *** Redirect if username exists
$MM_flag="MM_insert";
if (isset($_POST[$MM_flag])) {
  $MM_dupKeyRedirect="userexists.php";
  $loginUsername = $_POST['Username'];
  $LoginRS__query = "SELECT Username FROM users WHERE Username='" . $loginUsername . "'";
  mysql_select_db($database_fitnessdatabase, $fitnessdatabase);
  $LoginRS=mysql_query($LoginRS__query, $fitnessdatabase) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);

  //if there is a row in the database, the username was found - can not add the requested username
  if($loginFoundUser){
    $MM_qsChar = "?";
    //append the username to the redirect page
    if (substr_count($MM_dupKeyRedirect,"?") >=1) $MM_qsChar = "&";
    $MM_dupKeyRedirect = $MM_dupKeyRedirect . $MM_qsChar ."requsername=".$loginUsername;
    header ("Location: $MM_dupKeyRedirect");
    exit;
  }
}

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO users (Username, Password, FirstName, LastName, EmailAddress, `Admin`, Allowed, UserTypeID) VALUES (%s, %s, %s, %s, %s, %s, %s, %s)",
                      GetSQLValueString($_POST['Username'], "text"),
                      GetSQLValueString($_POST['Password'], "text"),
                      GetSQLValueString($_POST['FirstName'], "text"),
                      GetSQLValueString($_POST['LastName'], "text"),
                      GetSQLValueString($_POST['EmailAddress'], "text"),
                      GetSQLValueString(isset($_POST['Admin']) ? "true" : "", "defined","1","0"),
                      GetSQLValueString(isset($_POST['Allowed']) ? "true" : "", "defined","1","0"),
                      GetSQLValueString($_POST['UserTypeID'], "int"));

  mysql_select_db($database_fitnessdatabase, $fitnessdatabase);
  $Result1 = mysql_query($insertSQL, $fitnessdatabase) or die(mysql_error());
}
$currentPage = $_SERVER["PHP_SELF"];
?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['Username'])) {
  $loginUsername=$_POST['Username'];
  $password=$_POST['Password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "postreview.php";
  $MM_redirectLoginFailed = "loginfailed.php";
  $MM_redirecttoReferrer = true;
  mysql_select_db($database_fitnessdatabase, $fitnessdatabase);

  $LoginRS__query=sprintf("SELECT Username, Password, UserID FROM users WHERE Username='%s' AND Password='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password));

  $LoginRS = mysql_query($LoginRS__query, $fitnessdatabase) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    $loginStrGroup = "";

    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;
    $_SESSION['MM_UserID'] = mysql_result($LoginRS,0,'UserID');
    if (isset($_SESSION['PrevUrl']) && true) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>
[/code]

Basically all you need to do is change both

[code]
$_POST['Password'];
[/code]

to

[code]
md5($_POST['Password']);
[/code]

And then that means you insert an md5'd password and also check if the user's password as md5 is equal to the md5 password in the database.

Regards
Liam

You use md5() when you are storing the user's password, and in the login script you need to encrypt it with the md5 function when the user types their password.

Example of how you use it,
[code]
<?php echo md5("Hello"); ?>
[/code]

It's my personal favorite... There are some other methods, but md5 is the most common...

And also, do not trust the user to always enter the RIGHT data!
Right now your code is open to SQL injection. Instead of believing that the user will enter the right data, verify that they don't. Instead of:
[code]

$loginUsername = $_POST['Username'];

[/code]

use

[code]

$loginUsername = mysql_real_escape_string($_POST['Username']);

[/code]

(I do not exactly remember the function's name but it's something like that.)

http://phpsec.org/articles/2005/password-hashing.html

Read up on this, please, as salt is the best way.

Oh yeah, I see it now, so use

[code]
<?php

define('SALT_LENGTH', 9);

function generateHash($plainText, $salt = null)
{
    if ($salt === null)
    {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    }
    else
    {
        $salt = substr($salt, 0, SALT_LENGTH);
    }

    return $salt . sha1($salt . $plainText);
}

?>
[/code]
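
The replies above raise two separate needs for the original script: storing a salted hash instead of the plain password, and keeping user input out of the SQL text. The following is an added example, not code from any poster in this thread: it swaps in PHP's built-in password_hash()/password_verify() and PDO prepared statements for the md5()/salted SHA-1 and escaping functions discussed above, and it assumes PHP 7.1 or later with the pdo_sqlite extension; the in-memory table and the sample credentials are constructed.

```php
<?php
// Added example: the in-memory SQLite table and the sample credentials are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    UserID   INTEGER PRIMARY KEY AUTOINCREMENT,
    Username TEXT NOT NULL UNIQUE,
    Password TEXT NOT NULL)');

function registerUser(PDO $pdo, string $username, string $password): bool
{
    // password_hash() picks a random salt and embeds it, with the algorithm
    // and cost, in the string it returns, so one column stores everything.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    try {
        // Placeholders keep user input out of the SQL text entirely.
        $stmt = $pdo->prepare('INSERT INTO users (Username, Password) VALUES (?, ?)');
        $stmt->execute([$username, $hash]);
        return true;
    } catch (PDOException $e) {
        if ($e->getCode() == 23000) {   // integrity violation: username taken
            return false;
        }
        throw $e;
    }
}

function checkLogin(PDO $pdo, string $username, string $password): ?int
{
    // Select by username only; the submitted password never reaches the query.
    $stmt = $pdo->prepare('SELECT UserID, Password FROM users WHERE Username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() re-hashes with the stored salt and compares in constant time.
    if ($row === false || !password_verify($password, $row['Password'])) {
        return null;
    }
    return (int) $row['UserID'];
}

var_dump(registerUser($pdo, 'alice', 'correct horse battery staple')); // new account
var_dump(registerUser($pdo, 'alice', 'something else'));               // duplicate name
var_dump(checkLogin($pdo, 'alice', 'correct horse battery staple'));   // right password
var_dump(checkLogin($pdo, 'alice', 'wrong guess'));                    // wrong password
var_dump(checkLogin($pdo, "alice' OR '1'='1", 'x'));                   // quotes are just data
```

When porting this to a MySQL users table, make the Password column wide enough for future algorithms; the PHP manual recommends 255 characters for password_hash() output with PASSWORD_DEFAULT.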
