cloudsurferuk Posted February 7, 2010

Hi, How can I change this so it injects the password as md5?

$sql="INSERT INTO pilots (name, email, password, Age, city, country, vatsim_id, previous_va, previous_hours) VALUES ('$_POST[name]','$_POST[email]', '$_POST[password]','$_POST[Age]','$_POST[city]','$_POST[country]','$_POST[vatsim_id]','$_POST[previous_va]','$_POST[previous_hours]')";
jl5501 Posted February 7, 2010

// md5() must run in PHP and its result be concatenated into the string; inside the quotes it would be stored as the literal text "md5(...)"
$sql="INSERT INTO pilots (name, email, password, Age, city, country, vatsim_id, previous_va, previous_hours) VALUES ('$_POST[name]','$_POST[email]', '".md5($_POST['password'])."','$_POST[Age]','$_POST[city]','$_POST[country]','$_POST[vatsim_id]','$_POST[previous_va]','$_POST[previous_hours]')";
xjake88x Posted February 7, 2010

Hi, You never want to insert post variables directly into your SQL. It leaves it wide open for SQL injection. What happens when someone uses an apostrophe in one of those fields?

$name = addslashes($_POST['name']); //always use addslashes to escape any apostrophe characters
$email = addslashes($_POST['email']);
$password = md5($_POST['password']); //use md5 for password
$Age = intval($_POST['Age']); //use intval if it is supposed to be an integer
$city = addslashes($_POST['city']);
$country = addslashes($_POST['country']);
$vatsim_id = intval($_POST['vatsim_id']); //use intval if it is supposed to be an integer
$previous_va = addslashes($_POST['previous_va']);
$previous_hours = intval($_POST['previous_hours']); //use intval if it is supposed to be an integer

$sql="INSERT INTO pilots (name, email, password, Age, city, country, vatsim_id, previous_va, previous_hours) VALUES ('$name', '$email', '$password', $Age, '$city', '$country', $vatsim_id, '$previous_va', $previous_hours)";
//notice you don't need single quotes around integers in the VALUES() clause.
Mchl Posted February 7, 2010

> //always use addslashes to escape any apostrophe characters

Except if you have access to any better escaping function like mysql_real_escape_string. Also be sure to check the status of magic_quotes_gpc to avoid double escaping.
cloudsurferuk Posted February 7, 2010 (Author)

Thanks for both your replies, yeah it's the ' that I was trying to secure up. As you can tell I am new to PHP and on a VERY steep learning curve. The help at PHP freaks is much appreciated.
cloudsurferuk Posted February 7, 2010 (Author)

Ok so the sign up side is sorted but this code is used to process the login, and I can't get it working.. anything obvious?

$username = $_POST['username'];
$password = md5 $_POST['password'];
$time = time();
$check = $_POST['setcookie'];

$db = mysql_connect($dbHost,$dbUser,$dbPass);
mysql_select_db($dbname,$db);

$query = "SELECT username, password FROM pilots WHERE username = '$username' AND password = 'md5 ($password)'";
$result = mysql_query($query, $db);

if(mysql_num_rows($result)) {
    $_SESSION['loggedin'] = 1;
    if($check) {
        setcookie("fsuk[username]", $username, $time + 3600);
        setcookie("fsuk[password]", $password, $time + 3600);
    }
    header('Location: index.php');
    exit();
} else {
    header('Location: crewlogin.php?error=1');
    exit();
}
?>
Mchl Posted February 7, 2010

Enable error reporting and you'll get an error message telling you where you made a mistake.
merylvingien Posted February 7, 2010

Do you have passwords already stored without the md5 hash? Cause obviously they will no longer work.....
cloudsurferuk Posted February 7, 2010 (Author)

Yeah and I tried converting them to md5 hashes using an md5 hash converter online and changed them in the database.
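Added example (not code from anyone in this thread): the registration insert from xjake88x's reply and the login check from the author's second post, rewritten with PDO prepared statements and password_hash() instead of string escaping plus md5, with a migration branch for the rows the author already converted to bare md5. It assumes a PDO connection $pdo, that session_start() has run, that pilots has an email column usable as the login identifier (the thread's insert has no username column), and it omits the other columns for brevity.

```php
<?php
// Added example, not from the thread. Assumes $pdo (PDO, ERRMODE_EXCEPTION) and session_start().
declare(strict_types=1);

function registerPilot(PDO $pdo, array $post): bool
{
    // Validate and cast inputs explicitly instead of escaping them into the SQL text.
    $name  = trim((string)($post['name'] ?? ''));
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $age   = filter_var($post['Age'] ?? null, FILTER_VALIDATE_INT);
    $pw    = (string)($post['password'] ?? '');
    if ($name === '' || $email === false || $age === false || $pw === '') {
        return false;
    }
    // Salted, deliberately slow hash. md5 is unsalted and fast, so md5'd passwords crack cheaply.
    $hash = password_hash($pw, PASSWORD_DEFAULT);

    // Placeholders keep data out of the SQL string: an apostrophe in $name is just data.
    $stmt = $pdo->prepare(
        'INSERT INTO pilots (name, email, password, Age) VALUES (:name, :email, :password, :age)'
    );
    return $stmt->execute([':name' => $name, ':email' => $email, ':password' => $hash, ':age' => $age]);
}

function loginPilot(PDO $pdo, string $email, string $pw): bool
{
    // Fetch the stored hash and compare in PHP; the password never goes into the WHERE clause.
    $stmt = $pdo->prepare('SELECT password FROM pilots WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $stored = (string)$row['password'];

    // Migration path for rows still holding an unsalted md5 (32 hex chars): accept once, then rehash.
    if (preg_match('/^[a-f0-9]{32}$/i', $stored) === 1 && hash_equals(strtolower($stored), md5($pw))) {
        $upd = $pdo->prepare('UPDATE pilots SET password = :hash WHERE email = :email');
        $upd->execute([':hash' => password_hash($pw, PASSWORD_DEFAULT), ':email' => $email]);
    } elseif (!password_verify($pw, $stored)) {
        return false;
    }

    session_regenerate_id(true);   // fresh session id once the privilege level changes
    $_SESSION['loggedin'] = 1;     // the session, not a cookie, carries the logged-in state
    return true;
}
```

The "remember me" cookies from the original login code are left out on purpose: a cookie holding the password (even hashed) is a reusable credential, so a random per-login token stored server-side is the usual replacement.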