enfys

MD5 password protection

I have started using the password() function to protect passwords but don't know how to hash the passwords that a user inputs into the form for comparison.

 

Anybody help?


Have you already encoded your passwords in the database?

 

so when the user signs up.. their password is automatically passed through md5.. i.e the input box is called password.. u need to catch it before inputting into the db

 

$password=md5($_POST['password']);

 

then when comparing.. all you need to do is... check that the $string they entered is the same as the one in the database...

 

if(md5($string)==$password){

//run code

}


When the users are added the Insert statement for mysql adds the password as password('$_POST[password]') which I think encrypts it.

 

To verify, I'm calling the password as part of an array, assigning it to a variable ($password) and then trying to verify by:

 

if ($_POST['password'] == $password) {

 

//run code

}


Don't store the password in the database without encrypting it. PHP and MySQL don't encode anything unless you tell them to.

 

When you insert the password into the database, make sure you md5() it first. When a user is going to log in with his password, md5() the password he typed in and compare it to what the password is stored as on the server. This way only the user knows his unencrypted password.


When they log in. At the moment my code reads:

if ($_POST['user'] != $user || $_POST['password'] != $pw) {
    echo "Incorrect user name or password";
} else {
    //run rest of code here...
}

But how do you md5 the user's password when they type it in?

You don't at the moment user types it in, you do it afterwards, either at point of control whether the password or md5 representation of it is identical with md5-ed password already stored in user table in database or at the point of insertion of that password into database record.

 

Use input field of type password, md5 input, store it md5-ed into database.

 

At next login, compare md5-ed users input with already md5-ed password stored in users record.

 

Simple, isn't it?

 

You can, of course use SHA1() too.

If you're using MySQL as database server, use MySQL function password() which gives you 12 character representation of string entered as password.

 

This raises a question:

What happens if you have an HTML login without any PHP code and you pass input via the POST method into a PHP script where you perform authorization? I.e. what happens with the entered password that comes into the PHP script non-encrypted?

Example:

- in HTML, say login.html:

<input name="passw" type="password" />

- user's input is visible as ******, but still it's very readable string

-HTML form is defined:

<FORM name="form" method="POST" action="verify.php">

 

in verify.php:

 

$pass_entered = md5($_POST['passw']);

 

At that moment input is being encrypted, but what was going on with this input while browser invoked and opened "verify.php", variables made through POST method in HTML should have been passed in some way, although no verify.php?passw was used?

Isn't there some kind of security leak where unauthorized person can catch password user entered?

 

Sorry for the length of that post.

That's something that's been on my mind for some time...

 

Thanks for understanding.


Yes, see what you mean!

 

Will have a play around with it. Thanks for your help.


QUOTE (MadDogSh @ Apr 2 2004, 02:10 AM)

You don't at the moment user types it in, you do it afterwards, either at point of control whether the password or md5 representation of it is identical with md5-ed password already stored in user table in database or at the point of insertion of that password into database record.

 

Use input field of type password, md5 input, store it md5-ed into database.

 

At next login, compare md5-ed users input with already md5-ed password stored in users record.

 

Simple, isn't it?

 

You can, of course use SHA1() too.

If you're using MySQL as database server, use MySQL function password() which gives you 12 character representation of string entered as password.

 

This raises a question:

What happens if you have an HTML login without any PHP code and you pass input via the POST method into a PHP script where you perform authorization? I.e. what happens with the entered password that comes into the PHP script non-encrypted?

Example:

- in HTML, say login.html:

<input name="passw" type="password" />

- user's input is visible as ******, but still it's very readable string

-HTML form is defined:

<FORM name="form" method="POST" action="verify.php">

 

in verify.php:

 

$pass_entered = md5($_POST['passw']);

 

At that moment input is being encrypted, but what was going on with this input while browser invoked and opened "verify.php", variables made through POST method in HTML should have been passed in some way, although no verify.php?passw was used?

Isn't there some kind of security leak where unauthorized person can catch password user entered?

 

Sorry for the length of that post.

That's something that's been on my mind for some time...

 

Thanks for understanding.

 

 

Please forgive a silly question but how do you get the md5 password into the mysql database? Do you insert it via a query? I tried adding it directly to the table but that didn't work. I have a script that I am trying to get working. It is an encrypted password login. I have the password being encrypted but it's not getting to the database.

 

Any help would be gratefully received.

 

Vonzie
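
The sign-up and login flow discussed in this thread, as an added example that is not part of any poster's message: the hash is computed in PHP and written with an ordinary parameterised INSERT, shown once with md5() as the thread describes and once with password_hash()/password_verify() (PHP 5.5 or later) as the hardened form. The `users` table, its column names and the function names are assumptions, and in-memory SQLite stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not from the thread. Table, column and function names are
// hypothetical; in-memory SQLite stands in for MySQL so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_md5 TEXT, pw_hash TEXT)');

// Sign-up: hash in PHP, then store the hash with a parameterised INSERT.
function register(PDO $db, string $user, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, pw_md5, pw_hash) VALUES (?, ?, ?)');
    $stmt->execute([
        $user,
        md5($password),                             // thread's approach: unsalted, fast
        password_hash($password, PASSWORD_DEFAULT), // salted, deliberately slow
    ]);
}

// Login as the thread describes it: md5 the input, compare with the stored md5.
function login_md5(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_md5 FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    // hash_equals() is a constant-time string comparison; unlike ==, it never
    // treats two different hex strings as equal numbers.
    return is_string($stored) && hash_equals($stored, md5($password));
}

// Hardened login: password_verify() reads salt and cost from the stored hash.
function login_hardened(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && password_verify($password, $stored);
}

// Constructed sample data: two users who chose the same password.
register($db, 'alice', 'correct horse');
register($db, 'bob', 'correct horse');

var_dump(login_md5($db, 'alice', 'correct horse'));    // correct password
var_dump(login_hardened($db, 'alice', 'wrong guess')); // wrong password

// Compare the two stored rows: the md5 column repeats, the salted column does not.
$rows = $db->query('SELECT pw_md5, pw_hash FROM users')->fetchAll(PDO::FETCH_NUM);
var_dump($rows[0][0] === $rows[1][0], $rows[0][1] === $rows[1][1]);
```

With MySQL only the PDO connection string changes; the INSERT and SELECT statements stay the same.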

 
