leegreaves Posted October 1, 2009

I'm trying to create a login script for my page, using sample code in parts. I've noticed this code checks the password in the usual manner; what I need to do is check it using an md5 checksum. I've pasted the code I've written below. I'm unsure what to do to log in and check the password using an md5 checksum, as passwords on my database are stored using md5. I'm pretty sure the md5 check would happen where the connection to the database occurs and the check for username and password starts, BUT I'm not sure how to insert it so that a password check using md5 occurs. Would be really grateful if someone could help me out.

```php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
<body>
<p>Username: <input type="text" name="Username" id="Username" /></p>
<p>Password: <input type="password" name="Password" id="Password" /></p>
<p>Remember Me: <input type="radio" /></p>
<?php
$host="localhost"; // Host name
$username="tastscou_admin"; // Mysql username
$password="pentium"; // Mysql password
$db_name="tastcou_members"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
</body>
</html>
```

Bricktop Posted October 1, 2009

Hi leegreaves,

Add the following line to your code beneath the `$mypassword = mysql_real_escape_string($mypassword);` line:

```php
$encrypted_password=md5($mypassword);
```

and then modify your MySQL query to be:

```php
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_password'";
```

Hope this helps.

leegreaves Posted October 1, 2009 (Author)

Thanks, I'll do that right now. Also, when I actually try testing it, I enter username and password but when I click the submit button, nothing happens. How can I check that all is good? I'm suspecting that there needs to be something just after where I've put the code for the "submit" button. Do I need to add extra code at that point to tell it to do whatever it needs to do when the button is clicked (for example an "event" such as onclick)? Not sure what I need to do there; I have an idea of what needs to be done but not sure how to interpret that in the script.

Many thanks

Bricktop Posted October 1, 2009

Hi leegreaves,

If you've mixed the above code in with your submit page then you just need:

```html
<form method="post">
```

If the above code is in another page, for example checklogin.php, then your form code needs to be something like:

```html
<form method="post" action="checklogin.php">
```

Hope this helps.

leegreaves Posted October 1, 2009 (Author)

Thanks dude, yer the code is mixed in together...the form and PHP code are both in the same file. Do you think it would be better to put the PHP code in a separate file, then call the code from login? Anyway, here's the code as it is now; I've customised some existing code for a login form to my needs (or so I hope). What I'm gonna do at the moment is do it the way you say in the first example, i.e. mixed up. Does that code need to be inside the PHP section? I'm assuming it has to be and also assume it needs to be at the start of that code.

```php
</style>
</head>
<body>
<p>Username: <input type="text" name="Username" id="Username" /></p>
<p>Password: <input type="password" name="Password" id="Password" /></p>
<p>Remember Me: <input type="radio" />
<input type="submit" name="Submit" id="Submit" value="Submit" />
</p>
<?php
$host="localhost"; // Host name
$username="tastscou_admin"; // Mysql username
$password="pentium"; // Mysql password
$db_name="tastcou_members"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword' .md5$password";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>
</p>
</body>
</html></div>
</div></body>
</html>
```

Bricktop Posted October 1, 2009

Hi leegreaves,

Change your code to below:

```php
<?php
if($_SERVER['REQUEST_METHOD'] == 'POST') {

$host="localhost"; // Host name
$username="tastscou_admin"; // Mysql username
$password="pentium"; // Mysql password
$db_name="tastcou_members"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$encrypted_password=md5($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_password'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
<body>
<form method="post">
<p>Username: <input type="text" name="myusername" id="Username" /></p>
<p>Password: <input type="password" name="mypassword" id="Password" /></p>
<p>Remember Me: <input type="radio" /></p>
<p><input type="submit" name="Login" value="Login"></p>
</form>
</body>
</html>
```

Changes made:

1. Moved the PHP code to the very top of the document.
2. PHP code was missing the ending ?>
3. Added the md5 check to the POST values
4. Added the md5 check to the MySQL Query
5. Added an if statement to check for a POST request
6. Added the missing } on your last else statement
7. Added <form> and </form> elements to your HTML code
8. Added a Login button
9. Renamed the username and password fields to myusername and mypassword

Hope this helps.

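A hardened form of the login check discussed above, as an added example that is not part of the thread: it looks the user up with a PDO prepared statement, still accepts the existing unsalted MD5 rows, and replaces each one with a `password_hash()` value on the next successful login. The in-memory SQLite database, the sample user and a password column wide enough for the new hash are assumptions made so the block runs on its own.

```php
<?php
// Added example, not code from the thread. Assumes the thread's `members`
// table (username, password) with a password column that can hold
// password_hash() output (e.g. VARCHAR(255)).

function verify_login(PDO $db, string $user, string $pass): bool
{
    // Prepared statement: the username is bound, never spliced into the SQL.
    $stmt = $db->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }

    // Legacy row: 32 hex characters is an unsalted MD5 digest, as in the thread.
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        // Constant-time comparison of the stored digest with md5(input).
        if (!hash_equals(strtolower($stored), md5($pass))) {
            return false;
        }
        // Password was correct: swap the MD5 digest for a salted, slow hash.
        $upd = $db->prepare('UPDATE members SET password = ? WHERE username = ?');
        $upd->execute([password_hash($pass, PASSWORD_DEFAULT), $user]);
        return true;
    }

    // Row already migrated: verify against the password_hash() value.
    return password_verify($pass, $stored);
}

// Constructed demo data in an in-memory SQLite database (the thread uses MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO members VALUES (?, ?)')
   ->execute(['alice', md5('constructed-sample-pw')]);

var_dump(verify_login($db, 'alice', 'wrong-guess'));           // wrong password
var_dump(verify_login($db, 'alice', 'constructed-sample-pw')); // legacy MD5 row
$row = $db->query("SELECT password FROM members WHERE username = 'alice'")
          ->fetchColumn();
var_dump(password_get_info($row)['algoName']);                 // stored format after login
var_dump(verify_login($db, 'alice', 'constructed-sample-pw')); // password_verify() path
```
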
leegreaves Posted October 1, 2009 (Author)

Thanks brick, you've been good help here. I'm actually starting to understand this coding a little bit now, even though I've only been playing around with existing scripts for a little over 2 weeks. Yer, I DID notice the myusername and mypassword seemed a little out of sorts; I wondered if things needed renaming but wasn't sure, but obviously it shows that I was on the right track.

Now when I tried it live on the site, it seemed to refresh the page and just stay at the login screen...even though the login screen still shows cos I haven't added code to indicate it to be hidden if someone is logged in, I'm not worried about that at the moment. I'm guessing now that the next step is to put in a session check on each of my pages so I can be sure that it's been successful. I also need to redirect the page to wherever they need; how do I do that? I intend to put that in a separate script which shows whether login was successful or not.

Bricktop Posted October 1, 2009

Hi leegreaves,

Your code should already direct you to login_success.php on a valid login, and echo an error if not. If you want to check that the user is logged in on other pages (i.e. login_success.php) add the following to the very top of the page:

```php
<?php
session_start();
// Not logged in: redirect and stop, so the rest of the page is never sent.
if(!session_is_registered('myusername')){
header("location:login.php");
exit;
}
?>
```

With the above code added to login_success.php (for example) the code will check that the user has logged in, and if not redirect to the login page.

Hope this helps.

leegreaves Posted October 1, 2009 (Author)

Cheers brick, LOL I already knew how to do the session start code cos I have a similar instruction already on how to do that. I noticed though that in the code you put (location:login.php). Now, my login page is on my index page but it's HTML, i.e. index.html. Should I put that as index.php rather than index.html so that it works properly?

Bricktop Posted October 1, 2009

Hi leegreaves,

Yes, always rename any pages that have PHP code inside them to .php or the PHP code will be ignored.

leegreaves Posted October 1, 2009 (Author)

I should have realised that tbh lol

Anyway, when I went to try it out it came up with a "cannot select DB" error, then I realised that in my db_name I'd missed a letter out. So after correcting that it came up with the following error:

```
Warning: session_register() [function.session-register]: Cannot send session cache limiter - headers already sent (output started at /home/tastscou/public_html/index.php:9) in /home/tastscou/public_html/index.php on line 188
```

It has something to do with the `session_register ($myusername);`

Any ideas on this? I like to try and understand the reasoning why these errors occur at times.

Bricktop Posted October 1, 2009

Hi leegreaves,

It's because you are echoing content before the headers are being sent. You must ensure the PHP code is at the very top of your document (as per the code I posted above) and that nothing else is being output before the headers are being sent. Another cause of this is extra whitespaces at the end of lines of code. But that's what's causing the error!

Hope this helps.

leegreaves Posted October 1, 2009 (Author)

So the best thing to do is make sure there are no white spaces in between the lines of code? OK, I'll get on to doing that and hopefully sorting it out. Many thanks Brick.

Bricktop Posted October 1, 2009

Hi leegreaves,

You can have breaks between the lines but sometimes editors add spurious whitespace at the end of lines, e.g. after the ; so make sure there is nothing there on each line, but more importantly make sure nothing is being output before the headers are being sent.