flashguy82 Posted August 11, 2006 Share Posted August 11, 2006 Hey,I need some help knowing how to use md5 for my login/sign up page, PHP isn't my thing so any help would be appreciated. Here's my code, i just need to know where and how to use the md5 encryption (although any other comments on security would be v helpfull to ;o) ), need anything else just ask. Thanks for any help in advance. <?php// *** Redirect if username exists$MM_flag="MM_insert";if (isset($_POST[$MM_flag])) { $MM_dupKeyRedirect="userexists.php"; $loginUsername = $_POST['Username']; $LoginRS__query = "SELECT Username FROM users WHERE Username='" . $loginUsername . "'"; mysql_select_db($database_fitnessdatabase, $fitnessdatabase); $LoginRS=mysql_query($LoginRS__query, $fitnessdatabase) or die(mysql_error()); $loginFoundUser = mysql_num_rows($LoginRS); //if there is a row in the database, the username was found - can not add the requested username if($loginFoundUser){ $MM_qsChar = "?"; //append the username to the redirect page if (substr_count($MM_dupKeyRedirect,"?") >=1) $MM_qsChar = "&"; $MM_dupKeyRedirect = $MM_dupKeyRedirect . $MM_qsChar ."requsername=".$loginUsername; header ("Location: $MM_dupKeyRedirect"); exit; }}function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") { $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue; switch ($theType) { case "text": $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL"; break; case "long": case "int": $theValue = ($theValue != "") ? intval($theValue) : "NULL"; break; case "double": $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL"; break; case "date": $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL"; break; case "defined": $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue; break; } return $theValue;}$editFormAction = $_SERVER['PHP_SELF'];if (isset($_SERVER['QUERY_STRING'])) { $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);}if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) { $insertSQL = sprintf("INSERT INTO users (Username, Password, FirstName, LastName, EmailAddress, `Admin`, Allowed, UserTypeID) VALUES (%s, %s, %s, %s, %s, %s, %s, %s)", GetSQLValueString($_POST['Username'], "text"), GetSQLValueString($_POST['Password'], "text"), GetSQLValueString($_POST['FirstName'], "text"), GetSQLValueString($_POST['LastName'], "text"), GetSQLValueString($_POST['EmailAddress'], "text"), GetSQLValueString(isset($_POST['Admin']) ? "true" : "", "defined","1","0"), GetSQLValueString(isset($_POST['Allowed']) ? "true" : "", "defined","1","0"), GetSQLValueString($_POST['UserTypeID'], "int")); mysql_select_db($database_fitnessdatabase, $fitnessdatabase); $Result1 = mysql_query($insertSQL, $fitnessdatabase) or die(mysql_error());}$currentPage = $_SERVER["PHP_SELF"];?><?php// *** Validate request to login to this site.if (!isset($_SESSION)) { session_start();}$loginFormAction = $_SERVER['PHP_SELF'];if (isset($_GET['accesscheck'])) { $_SESSION['PrevUrl'] = $_GET['accesscheck'];}if (isset($_POST['Username'])) { $loginUsername=$_POST['Username']; $password=$_POST['Password']; $MM_fldUserAuthorization = ""; $MM_redirectLoginSuccess = "postreview.php"; $MM_redirectLoginFailed = "loginfailed.php"; $MM_redirecttoReferrer = true; mysql_select_db($database_fitnessdatabase, $fitnessdatabase); $LoginRS__query=sprintf("SELECT Username, Password, UserID FROM users WHERE Username='%s' AND Password='%s'", get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); $LoginRS = mysql_query($LoginRS__query, $fitnessdatabase) or die(mysql_error()); $loginFoundUser = mysql_num_rows($LoginRS); if ($loginFoundUser) { $loginStrGroup = ""; //declare two session variables and assign them $_SESSION['MM_Username'] = $loginUsername; $_SESSION['MM_UserGroup'] = $loginStrGroup; $_SESSION['MM_UserID'] = mysql_result($LoginRS,0,'UserID'); if (isset($_SESSION['PrevUrl']) && true) { $MM_redirectLoginSuccess = $_SESSION['PrevUrl']; } header("Location: " . $MM_redirectLoginSuccess ); } else { header("Location: ". $MM_redirectLoginFailed ); }}?> Quote Link to comment Share on other sites More sharing options...
shocker-z Posted August 11, 2006 Share Posted August 11, 2006 basicaly all you need to do is change both$_POST['Password'];tomd5($_POST['Password']);and then that means you insert an md5'd password in and also check if the users password as md5 is equal to the md5 password in the database.RegardsLiam Quote Link to comment Share on other sites More sharing options...
hackerkts Posted August 11, 2006 Share Posted August 11, 2006 You use md5() when you storing the user's password, and in the login script you need to put encrypt it with md5 function when user typed their password.Example of how you use it,[code]<?php echo md5("Hello"); ?>[/code] Quote Link to comment Share on other sites More sharing options...
brown2005 Posted August 11, 2006 Share Posted August 11, 2006 should you always use md5() to encrypt passwords? Quote Link to comment Share on other sites More sharing options...
corbin Posted August 11, 2006 Share Posted August 11, 2006 Its my personal favorite... Theres some other methods but md5 is the most common... Quote Link to comment Share on other sites More sharing options...
brown2005 Posted August 11, 2006 Share Posted August 11, 2006 cool Quote Link to comment Share on other sites More sharing options...
radalin Posted August 11, 2006 Share Posted August 11, 2006 And also do not trust the user as it will enter always the RIGHT data! Right the moment your code is open to the sql injection instead of believing that the user will enter right datas verify that they don't. Instead of:[code]$loginUsername = $_POST['Username'];[/code]use[code]$loginUsername = mysql_real_escape_string($_POST['Username']);[/code](I do not exactly remember the function's name but it's something like that.) Quote Link to comment Share on other sites More sharing options...
redarrow Posted August 11, 2006 Share Posted August 11, 2006 http://phpsec.org/articles/2005/password-hashing.htmlread up on this please as salt is the best way Quote Link to comment Share on other sites More sharing options...
flashguy82 Posted August 11, 2006 Author Share Posted August 11, 2006 Cool, this is really usefull thanks for all the help :D Quote Link to comment Share on other sites More sharing options...
brown2005 Posted August 11, 2006 Share Posted August 11, 2006 so you are saying dont use md5() but use salt Quote Link to comment Share on other sites More sharing options...
redarrow Posted August 11, 2006 Share Posted August 11, 2006 use them both together read the link. Quote Link to comment Share on other sites More sharing options...
brown2005 Posted August 11, 2006 Share Posted August 11, 2006 o yeah i see it now so use<?phpdefine('SALT_LENGTH', 9);function generateHash($plainText, $salt = null){ if ($salt === null) { $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH); } else { $salt = substr($salt, 0, SALT_LENGTH); } return $salt . sha1($salt . $plainText);}?> Quote Link to comment Share on other sites More sharing options...
brown2005 Posted August 11, 2006 Share Posted August 11, 2006 wasnt looking properly Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.