Jump to content

md5 help..


flashguy82

Recommended Posts

Hey,

I need some help knowing how to use md5 for my login/sign up page, PHP isn't my thing so any help would be appreciated. Here's my code, i just need to know where and how to use the md5 encryption (although any other comments on security would be v helpfull to ;o) ), need anything else just ask. Thanks for any help in advance.


<?php
// *** Redirect if username exists
$MM_flag="MM_insert";
if (isset($_POST[$MM_flag])) {
  $MM_dupKeyRedirect="userexists.php";
  $loginUsername = $_POST['Username'];
  $LoginRS__query = "SELECT Username FROM users WHERE Username='" . $loginUsername . "'";
  mysql_select_db($database_fitnessdatabase, $fitnessdatabase);
  $LoginRS=mysql_query($LoginRS__query, $fitnessdatabase) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);

  //if there is a row in the database, the username was found - can not add the requested username
  if($loginFoundUser){
    $MM_qsChar = "?";
    //append the username to the redirect page
    if (substr_count($MM_dupKeyRedirect,"?") >=1) $MM_qsChar = "&";
    $MM_dupKeyRedirect = $MM_dupKeyRedirect . $MM_qsChar ."requsername=".$loginUsername;
    header ("Location: $MM_dupKeyRedirect");
    exit;
  }
}

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;   
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO users (Username, Password, FirstName, LastName, EmailAddress, `Admin`, Allowed, UserTypeID) VALUES (%s, %s, %s, %s, %s, %s, %s, %s)",
                      GetSQLValueString($_POST['Username'], "text"),
                      GetSQLValueString($_POST['Password'], "text"),
                      GetSQLValueString($_POST['FirstName'], "text"),
                      GetSQLValueString($_POST['LastName'], "text"),
                      GetSQLValueString($_POST['EmailAddress'], "text"),
                      GetSQLValueString(isset($_POST['Admin']) ? "true" : "", "defined","1","0"),
                      GetSQLValueString(isset($_POST['Allowed']) ? "true" : "", "defined","1","0"),
                      GetSQLValueString($_POST['UserTypeID'], "int"));

  mysql_select_db($database_fitnessdatabase, $fitnessdatabase);
  $Result1 = mysql_query($insertSQL, $fitnessdatabase) or die(mysql_error());
}
$currentPage = $_SERVER["PHP_SELF"];
?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['Username'])) {
  $loginUsername=$_POST['Username'];
  $password=$_POST['Password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "postreview.php";
  $MM_redirectLoginFailed = "loginfailed.php";
  $MM_redirecttoReferrer = true;
  mysql_select_db($database_fitnessdatabase, $fitnessdatabase);
 
  $LoginRS__query=sprintf("SELECT Username, Password, UserID FROM users WHERE Username='%s' AND Password='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password));
 
  $LoginRS = mysql_query($LoginRS__query, $fitnessdatabase) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    $loginStrGroup = "";
   
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;      
    $_SESSION['MM_UserID'] = mysql_result($LoginRS,0,'UserID');
    if (isset($_SESSION['PrevUrl']) && true) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>
Link to comment
Share on other sites

And also do not trust the user as it will enter always the RIGHT data!
Right the moment your code is open to the sql injection instead of believing that the user will enter right datas verify that they don't. Instead of:
[code]

$loginUsername = $_POST['Username'];

[/code]

use

[code]

$loginUsername = mysql_real_escape_string($_POST['Username']);

[/code]

(I do not exactly remember the function's name but it's something like that.)
Link to comment
Share on other sites

o yeah i see it now so use

<?php

define('SALT_LENGTH', 9);

function generateHash($plainText, $salt = null)
{
    if ($salt === null)
    {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    }
    else
    {
        $salt = substr($salt, 0, SALT_LENGTH);
    }

    return $salt . sha1($salt . $plainText);
}

?>
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.