
MD5 password protection


enfys


Have you already encoded your passwords in the database?

 

so when the user signs up.. their password is automatically passed through md5.. i.e. the input box is called password.. you need to catch it before inputting into the db

 

$password=md5($_POST['password']);

 

then when comparing.. all you need to do is... check that the $string they entered is the same as the one in the database...

 

if (md5($string) === $password) {

//run code

}


When the users are added the Insert statement for mysql adds the password as password('$_POST[password]') which I think encrypts it.

 

To verify I'm calling the password as part of an array, assigning it to a variable ($password) and then trying to verify by;

 

if ($_POST['password'] == $password) {

 

//run code

}


Don't store the password in the database without encrypting it. PHP and MySQL don't encode anything unless you tell them to.

 

When you insert the password into the database, make sure you md5() it first. When a user is going to log in with his password, md5() the password he typed in and compare it to what the password is stored as on the server. This way only the user knows his unencrypted password.


But how do you md5 the user's password when they type it in?

You don't at the moment user types it in, you do it afterwards, either at point of control whether the password or md5 representation of it is identical with md5-ed password already stored in user table in database or at the point of insertion of that password into database record.

 

Use input field of type password, md5 input, store it md5-ed into database.

 

At next login, compare md5-ed users input with already md5-ed password stored in users record.

 

Simple, isn't it?

 

You can, of course use SHA1() too.

If you're using MySQL as database server, use MySQL function password() which gives you 12 character representation of string entered as password.

 

This raises a question:

What happens if you have HTML login without any PHP code and you pass input via POST method into a PHP script where you perform authorization? I.e. what happens with entered password that comes into PHP script non-encrypted?

Example:

- in HTML, say login.html:

<input name="passw" type="password" />

- user's input is visible as ******, but still it's very readable string

-HTML form is defined:

<FORM name="form" method="POST" action="verify.php">

 

in verify.php:

 

$pass_entered = md5($_POST['passw']);

 

At that moment input is being encrypted, but what was going on with this input while browser invoked and opened "verify.php", variables made through POST method in HTML should have been passed in some way, although no verify.php?passw weren't used?

Isn't there some kind of security leak where unauthorized person can catch password user entered?

 

Sorry for length of that post?

That's something that's on my mind for some time...

 

Thanks for understanding.


  • 2 years later...

In reply to the post above (QUOTE: MadDogSh @ Apr 2 2004, 02:10 AM):


 

 

Please forgive a silly question but how do you get the md5 password into the mysql database? Do you insert it via a query? I tried adding it directly to the table but that didn't work. I have a script that I am trying to get working. It is an encrypted password login. I have the password being encrypted but it's not getting to the database.

 

Any help would be gratefully received.

 

Vonzie

 

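The flow described in this thread (hash at sign-up, hash and compare at login) together with the INSERT asked about in the last post, as an added example that is not code from any poster. It swaps md5() for PHP's password_hash()/password_verify(), because an unsalted MD5 digest is fast to brute-force, while still accepting rows already stored as MD5. Table, column and function names are hypothetical, and it assumes the pdo_sqlite extension so that it runs offline.

```php
<?php
// Added example, not code from the thread. Table, column and function names
// are hypothetical; SQLite in memory stands in for MySQL (only the DSN differs).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

// Sign-up: hash in PHP, then INSERT the hash through a prepared statement.
function register(PDO $db, string $user, string $password): void
{
    // password_hash() salts per user and is deliberately slow (bcrypt by default).
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: fetch the stored hash, then check the submitted password against it.
function login(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored) !== 1) {
        return password_verify($password, $stored);
    }
    // Legacy row written as md5($password). hash_equals() compares as strings
    // in constant time; == would treat digests like "0e12..." as numbers.
    if (!hash_equals($stored, md5($password))) {
        return false;
    }
    // Correct password: replace the MD5 digest with a salted hash.
    $up = $db->prepare('UPDATE users SET pass_hash = ? WHERE username = ?');
    $up->execute([password_hash($password, PASSWORD_DEFAULT), $user]);
    return true;
}

// Constructed sample data: one new-style account, one legacy MD5 row.
register($db, 'alice', 'correct horse');
$db->prepare('INSERT INTO users VALUES (?, ?)')->execute(['bob', md5('hunter2')]);

var_dump(login($db, 'alice', 'correct horse')); // new-style hash verifies
var_dump(login($db, 'alice', 'wrong'));         // wrong password
var_dump(login($db, 'bob', 'hunter2'));         // legacy MD5 row, upgraded on success
var_dump(login($db, 'bob', 'hunter2'));         // now verified via password_verify()
```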
