enfys Posted March 31, 2004

I have started using the password() function to protect passwords but don't know how to hash the passwords that a user inputs into the form for comparison. Anybody help?

richtom80 Posted March 31, 2004

Have you already encoded your passwords in the database? So when the user signs up, their password is automatically passed through md5, i.e. the input box is called password. You need to catch it before inputting into the db:

    $password = md5($_POST['password']);

Then when comparing, all you need to do is check that the $string they entered is the same as the one in the database:

    // Strict comparison: == would type-juggle hash strings that look numeric ("0e...").
    if (md5($string) === $password) {
        // run code
    }

enfys Posted March 31, 2004

When the users are added, the INSERT statement for MySQL adds the password as password('$_POST[password]'), which I think encrypts it. To verify, I'm calling the password as part of an array, assigning it to a variable ($password) and then trying to verify by:

    if ($_POST['password'] == $password) {
        // run code
    }

barffyman Posted March 31, 2004

Don't store the password in the database without encrypting it. PHP and MySQL don't encode anything unless you tell them to. When you insert the password into the database, make sure you md5() it first. When a user is going to log in with his password, md5() the password he typed in and compare it to what the password is stored as on the server. This way only the user knows his unencrypted password.

enfys Posted April 1, 2004

But how do you md5 the user's password when they type it in?

symchicken Posted April 1, 2004

Type it in where? In the login or the original registration?

enfys Posted April 1, 2004

When they log in. At the moment my code reads:

    if ($_POST['user'] != $user || $_POST['password'] != $pw) {
        echo "Inncorrect user name or password";
    } else {
        // run rest of code here...
    }

MadDogSh Posted April 1, 2004

> But how do you md5 the user's password when they type it in?

You don't at the moment the user types it in; you do it afterwards, either at the point of checking whether the password, or the md5 representation of it, is identical with the md5-ed password already stored in the user table in the database, or at the point of insertion of that password into the database record.

Use an input field of type password, md5 the input, and store it md5-ed in the database. At the next login, compare the md5-ed user's input with the already md5-ed password stored in the user's record. Simple, isn't it? You can, of course, use SHA1() too. If you're using MySQL as the database server, use the MySQL function password(), which gives you a 12 character representation of the string entered as password.

This raises a question: what happens if you have an HTML login without any PHP code and you pass the input via the POST method into a PHP script where you perform authorization? I.e. what happens with the entered password that comes into the PHP script non-encrypted?

Example:
- In HTML, say login.html: <input name="passw" type="password" />
- The user's input is visible as ******, but it's still a very readable string.
- The HTML form is defined: <FORM name="form" method="POST" action="verify.php">
- In verify.php: $pass_entered = md5($_POST['passw']);

At that moment the input is being encrypted, but what was going on with this input while the browser invoked and opened "verify.php"? Variables made through the POST method in HTML should have been passed in some way, although no verify.php?passw was used. Isn't there some kind of security leak where an unauthorized person can catch the password the user entered?

Sorry for the length of that post. That's something that's been on my mind for some time... Thanks for understanding.

enfys Posted April 1, 2004

Yes, see what you mean! Will have a play around with it. Thanks for your help.

99naa Posted April 7, 2006

QUOTE(MadDogSh @ Apr 2 2004, 02:10 AM)

> You don't at the moment the user types it in; you do it afterwards, either at the point of checking whether the password, or the md5 representation of it, is identical with the md5-ed password already stored in the user table in the database, or at the point of insertion of that password into the database record.
>
> Use an input field of type password, md5 the input, and store it md5-ed in the database. At the next login, compare the md5-ed user's input with the already md5-ed password stored in the user's record. Simple, isn't it? You can, of course, use SHA1() too. If you're using MySQL as the database server, use the MySQL function password(), which gives you a 12 character representation of the string entered as password.
>
> This raises a question: what happens if you have an HTML login without any PHP code and you pass the input via the POST method into a PHP script where you perform authorization? I.e. what happens with the entered password that comes into the PHP script non-encrypted?
>
> Example:
> - In HTML, say login.html: <input name="passw" type="password" />
> - The user's input is visible as ******, but it's still a very readable string.
> - The HTML form is defined: <FORM name="form" method="POST" action="verify.php">
> - In verify.php: $pass_entered = md5($_POST['passw']);
>
> At that moment the input is being encrypted, but what was going on with this input while the browser invoked and opened "verify.php"? Variables made through the POST method in HTML should have been passed in some way, although no verify.php?passw was used. Isn't there some kind of security leak where an unauthorized person can catch the password the user entered?
>
> Sorry for the length of that post. That's something that's been on my mind for some time... Thanks for understanding.

Please forgive a silly question, but how do you get the md5 password into the MySQL database?

Do you insert it via a query? I tried adding it directly to the table but that didn't work. I have a script that I am trying to get working. It is an encrypted password login. I have the password being encrypted but it's not getting to the database. Any help would be gratefully received.

Vonzie

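The flow this thread describes (hash at registration, store the hash with a query, hash and compare at login), as an added example that is not any poster's code. It swaps md5() for PHP's password_hash()/password_verify(), which add a per-password salt, and upgrades rows that still hold a bare md5() digest; SQLite via PDO stands in for MySQL, and the table, column and function names are assumptions.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with in-memory
// SQLite stands in for MySQL; table, column and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

// Store a hash for a user with a parameterised query (insert or overwrite).
function store_hash(PDO $db, string $user, string $hash): void
{
    $stmt = $db->prepare('REPLACE INTO users (user, pw_hash) VALUES (?, ?)');
    $stmt->execute([$user, $hash]);
}

// Registration: password_hash() picks a random salt and embeds it in the result.
function register(PDO $db, string $user, string $password): void
{
    store_hash($db, $user, password_hash($password, PASSWORD_DEFAULT));
}

// Login: fetch the stored hash for the user and check the submitted password.
function login(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user gets the same answer as a wrong password
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy row holding a bare md5() digest, as stored in the thread.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        register($db, $user, $password); // upgrade the row on successful login
        return true;
    }
    return password_verify($password, $stored);
}

// Constructed sample data standing in for $_POST values.
register($db, 'alice', 'correct horse battery staple');
store_hash($db, 'bob', md5('hunter2')); // legacy account created the md5() way
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong guess'));
var_dump(login($db, 'bob', 'hunter2'));
$row = $db->query("SELECT pw_hash FROM users WHERE user = 'bob'")->fetchColumn();
var_dump(password_get_info($row)['algoName']); // algorithm of bob's row after login
```

The hash column must be wide enough for the password_hash() output; the PHP manual recommends 255 characters for PASSWORD_DEFAULT.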