
regarding user passwords


9 replies to this topic

#1 gardan06

gardan06
  • Members
  • Advanced Member
  • 75 posts

Posted 30 August 2006 - 06:47 PM

I'm making a simple module that will register a username and its password. what I want to happen is when the password gets saved into the database, it becomes a random character instead of the real password to avoid hacking problems.

how can I insert the hashed password into mysql and also, how can I call it back to its original password later?

#2 craygo

craygo
  • Staff Alumni
  • Advanced Member
  • 1,973 posts
  • LocationRhode Island

Posted 30 August 2006 - 06:50 PM

store the password as md5 hash

$password = md5($_GET['password']);
$sql = "INSERT INTO table_name SET password = '$password'";

Ray

#3 gardan06

gardan06
  • Members
  • Advanced Member
  • 75 posts

Posted 30 August 2006 - 06:52 PM

thanks ray. one more thing:

when the user logs in, how can I convert the hash back to its original password?

#4 craygo

craygo
  • Staff Alumni
  • Advanced Member
  • 1,973 posts
  • LocationRhode Island

Posted 30 August 2006 - 06:55 PM

You can't. That is why you use the md5 hash. The only thing you can do is compare the passwords. If someone loses their password it can only be reset, NOT retrieved.

Why would you want to convert it back anyway???

Ray

#5 gardan06

gardan06
  • Members
  • Advanced Member
  • 75 posts

Posted 30 August 2006 - 07:31 PM

well, I was thinking when the user logs in, the module checks if the password he typed is the same as the password in the database. I was thinking of 2 things that could compare it:

1) convert the password from the database back to its original characters (which you said I can't, so maybe I'll cross out this option). and:

2) convert the password the user typed to md5 hash and then compare it to the md5-hashed password in the database.

would option #2 be the solution or is there another way to compare the passwords?

#6 craygo

craygo
  • Staff Alumni
  • Advanced Member
  • 1,973 posts
  • LocationRhode Island

Posted 30 August 2006 - 07:52 PM

yes option 2 would be correct.

$username = $_POST['username']; // assign username from form to $username
$password = md5($_POST['password']); // get password from form, convert it and assign to $password
$sql = "SELECT * FROM table_name WHERE username = '$username' AND password = '$password'";
$res = mysql_query($sql) or die(mysql_error());
$num_rows = mysql_num_rows($res);
if ($num_rows > 0) {
    // continue code here
} else {
    echo "NO SOUP FOR YOU";
}

Ray

#7 gardan06

gardan06
  • Members
  • Advanced Member
  • 75 posts

Posted 30 August 2006 - 08:46 PM

thanks

#8 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 30 August 2006 - 11:58 PM

ps: There are no such things as modules in php.

#9 Jenk

Jenk
  • Members
  • Advanced Member
  • 778 posts

Posted 31 August 2006 - 08:17 AM

If a user logs in as
' OR '' = '' --
they needn't bother entering a password.

#10 pmeasham

pmeasham
  • New Members
  • Newbie
  • 6 posts

Posted 31 August 2006 - 08:36 AM

If a user logs in as

' OR '' = '' --
they needn't bother entering a password.


indeed, take a look at:

http://uk2.php.net/m...cape-string.php
Peter Measham
Unique IQ Ltd
www.uniqueiq.co.uk
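
The register-and-compare flow discussed in this thread, as an added example that is not code from any of the posters: it swaps md5() for PHP's password_hash()/password_verify() (salted, deliberately slow) and binds the username as a query parameter, so the login string quoted in posts #9 and #10 is compared as plain data. Assumptions: PDO with the pdo_sqlite driver (an in-memory database so it runs offline; with MySQL only the DSN changes) and a hypothetical users table with hypothetical function names.

```php
<?php
// Added example, not code from the thread. Assumes PDO + pdo_sqlite and a
// hypothetical `users` table; with MySQL only the DSN passed to PDO changes.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    return $db;
}

function register(PDO $db, string $username, string $password): void
{
    // password_hash() generates a random salt and embeds it in its output,
    // so two users with the same password get different stored strings.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    // The username is bound as a parameter, never spliced into the SQL text,
    // so quote characters inside it cannot change the query.
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // no such user
    }
    // Hashes the typed password with the stored salt and compares the result:
    // "option 2" from the thread, with nothing ever converted back.
    return password_verify($password, $hash);
}

$db = openDb();
register($db, 'alice', 'correct horse');        // constructed sample account
var_dump(login($db, 'alice', 'correct horse')); // correct password
var_dump(login($db, 'alice', 'wrong'));         // wrong password
var_dump(login($db, "' OR '' = '' --", 'x'));   // login string quoted in post #9
```

The password check happens in PHP rather than in the WHERE clause because each stored hash carries its own salt, so the row has to be fetched by username first.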



