Jump to content


Photo

md5 help..


  • Please log in to reply
12 replies to this topic

#1 flashguy82

flashguy82
  • New Members
  • Pip
  • Newbie
  • 7 posts

Posted 11 August 2006 - 08:44 AM

Hey,

I need some help knowing how to use md5 for my login/sign up page, PHP isn't my thing so any help would be appreciated. Here's my code, i just need to know where and how to use the md5 encryption (although any other comments on security would be v helpfull to ;o) ), need anything else just ask. Thanks for any help in advance.


<?php
// *** Redirect if username exists
$MM_flag="MM_insert";
if (isset($_POST[$MM_flag])) {
  $MM_dupKeyRedirect="userexists.php";
  $loginUsername = $_POST['Username'];
  $LoginRS__query = "SELECT Username FROM users WHERE Username='" . $loginUsername . "'";
  mysql_select_db($database_fitnessdatabase, $fitnessdatabase);
  $LoginRS=mysql_query($LoginRS__query, $fitnessdatabase) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);

  //if there is a row in the database, the username was found - can not add the requested username
  if($loginFoundUser){
    $MM_qsChar = "?";
    //append the username to the redirect page
    if (substr_count($MM_dupKeyRedirect,"?") >=1) $MM_qsChar = "&";
    $MM_dupKeyRedirect = $MM_dupKeyRedirect . $MM_qsChar ."requsername=".$loginUsername;
    header ("Location: $MM_dupKeyRedirect");
    exit;
  }
}

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;   
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO users (Username, Password, FirstName, LastName, EmailAddress, `Admin`, Allowed, UserTypeID) VALUES (%s, %s, %s, %s, %s, %s, %s, %s)",
                      GetSQLValueString($_POST['Username'], "text"),
                      GetSQLValueString($_POST['Password'], "text"),
                      GetSQLValueString($_POST['FirstName'], "text"),
                      GetSQLValueString($_POST['LastName'], "text"),
                      GetSQLValueString($_POST['EmailAddress'], "text"),
                      GetSQLValueString(isset($_POST['Admin']) ? "true" : "", "defined","1","0"),
                      GetSQLValueString(isset($_POST['Allowed']) ? "true" : "", "defined","1","0"),
                      GetSQLValueString($_POST['UserTypeID'], "int"));

  mysql_select_db($database_fitnessdatabase, $fitnessdatabase);
  $Result1 = mysql_query($insertSQL, $fitnessdatabase) or die(mysql_error());
}
$currentPage = $_SERVER["PHP_SELF"];
?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['Username'])) {
  $loginUsername=$_POST['Username'];
  $password=$_POST['Password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "postreview.php";
  $MM_redirectLoginFailed = "loginfailed.php";
  $MM_redirecttoReferrer = true;
  mysql_select_db($database_fitnessdatabase, $fitnessdatabase);
 
  $LoginRS__query=sprintf("SELECT Username, Password, UserID FROM users WHERE Username='%s' AND Password='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password));
 
  $LoginRS = mysql_query($LoginRS__query, $fitnessdatabase) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    $loginStrGroup = "";
   
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;      
    $_SESSION['MM_UserID'] = mysql_result($LoginRS,0,'UserID');
    if (isset($_SESSION['PrevUrl']) && true) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

#2 shocker-z

shocker-z
  • Members
  • PipPipPip
  • Advanced Member
  • 864 posts
  • LocationNottingham

Posted 11 August 2006 - 08:59 AM

basicaly all you need to do is change both

$_POST['Password'];

to

md5($_POST['Password']);

and then that means you insert an md5'd password in and also check if the users password as md5 is equal to the md5 password in the database.

Regards
Liam
www: www.ukchat.ws | irc: irc.ukchat.ws chan: #blufudge

#3 hackerkts

hackerkts
  • Members
  • PipPipPip
  • Advanced Member
  • 593 posts
  • LocationSingapore
  • Age:18

Posted 11 August 2006 - 09:01 AM

You use md5() when you storing the user's password, and in the login script you need to put encrypt it with md5 function when user typed their password.

Example of how you use it,
<?php echo md5("Hello"); ?>


Regards,
hackerkts

To be a coder, you must learn how to think and not to give up so easily.


#4 brown2005

brown2005
  • Members
  • PipPipPip
  • Advanced Member
  • 943 posts

Posted 11 August 2006 - 09:25 AM

should you always use md5() to encrypt passwords?

#5 corbin

corbin
  • Staff Alumni
  • Advanced Member
  • 8,129 posts

Posted 11 August 2006 - 09:28 AM

Its my personal favorite... Theres some other methods but md5 is the most common...
Why doesn't anyone ever say hi, hey, or whad up world?

#6 brown2005

brown2005
  • Members
  • PipPipPip
  • Advanced Member
  • 943 posts

Posted 11 August 2006 - 09:29 AM

cool

#7 radalin

radalin
  • Members
  • PipPipPip
  • Advanced Member
  • 179 posts

Posted 11 August 2006 - 09:35 AM

And also do not trust the user as it will enter always the RIGHT data!
Right the moment your code is open to the sql injection instead of believing that the user will enter right datas verify that they don't. Instead of:

$loginUsername = $_POST['Username'];


use


$loginUsername = mysql_real_escape_string($_POST['Username']);


(I do not exactly remember the function's name but it's something like that.)
Roy Simkes
Yet Another Parkyeri Developer

#8 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 11 August 2006 - 09:38 AM

http://phpsec.org/ar...rd-hashing.html

read up on this please as salt is the best way
Wish i new all about php DAM i will have to learn
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#9 flashguy82

flashguy82
  • New Members
  • Pip
  • Newbie
  • 7 posts

Posted 11 August 2006 - 09:42 AM

Cool, this is really usefull thanks for all the help  :D

#10 brown2005

brown2005
  • Members
  • PipPipPip
  • Advanced Member
  • 943 posts

Posted 11 August 2006 - 09:59 AM

so you are saying dont use md5() but use salt

#11 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 11 August 2006 - 10:11 AM

use them both together read the link.
Wish i new all about php DAM i will have to learn
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#12 brown2005

brown2005
  • Members
  • PipPipPip
  • Advanced Member
  • 943 posts

Posted 11 August 2006 - 10:31 AM

o yeah i see it now so use

<?php

define('SALT_LENGTH', 9);

function generateHash($plainText, $salt = null)
{
    if ($salt === null)
    {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    }
    else
    {
        $salt = substr($salt, 0, SALT_LENGTH);
    }

    return $salt . sha1($salt . $plainText);
}

?>

#13 brown2005

brown2005
  • Members
  • PipPipPip
  • Advanced Member
  • 943 posts

Posted 11 August 2006 - 10:31 AM

wasnt looking properly





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users