simple, I know, but I'm new!! password help


5 replies to this topic

#1 joshspringsteen

joshspringsteen
  • New Members
  • Newbie
  • 3 posts

Posted 31 August 2006 - 07:43 AM

hi guys

I'm building a registration and login system for my site... I've read about md5, but however I put it in my code I can't seem to get it to work... Is md5 the best out there, or would something stronger be better? Anyway, here is my code --> where do I put in the bit for encrypting the passwords...

===========================

<?php 

include("config.php"); 

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());


// Define post fields into simple variables
$username = $_POST['username'];
$password = $_POST['password'];
$email = $_POST['email'];
$realname = $_POST['realname'];
$location = $_POST['location'];
$usertatts = $_POST['usertatts'];
$usercomments = $_POST['usercomments'];


// Do some error checking on the form posted fields 

if((!$username) || (!$password) || (!$email) || (!$realname)){
    echo 'You did not submit the following required information! <br />';
    if(!$username){
        echo "username is a required field. Please enter it below.<br />";
    }
    if(!$password){
        echo "password is a required field. Please enter it below.<br />";
    }
    if(!$email){
        echo "Email Address is a required field. Please enter it below.<br />";
    }
    if(!$realname){
        echo "realname is a required field. Please enter it below.<br />";
    }
    include 'register.html'; // Show the form again!
    
    exit(); // if the error checking has failed, we'll exit the script!
} 


// Let's do some checking 
 
 $sql_email_check = mysql_query("SELECT email FROM users 
             WHERE email='$email'");
 $sql_username_check = mysql_query("SELECT username FROM users 
             WHERE username='$username'");
 
 $email_check = mysql_num_rows($sql_email_check);
 $username_check = mysql_num_rows($sql_username_check);
 
 if(($email_check > 0) || ($username_check > 0)){
     echo "Please fix the following errors: <br />";
     if($email_check > 0){
         echo "<strong>Your email address has already been used by another member 
         in our database. Please submit a different Email address!<br />";
         unset($email);
     }
     if($username_check > 0){
         echo "The username you have selected has already been used by another member 
          in our database. Please choose a different Username!<br />";
         unset($username);
     }
     include 'register.html'; // Show the form again!
     exit();  // exit the script so that we do not create this account!
 } else {





// insert the data
$insert = mysql_query("insert into $table values ('NULL', '".$_POST['username']."', '".$_POST['password']."', '".$_POST['email']."', '".$_POST['realname']."', '".$_POST['location']."', '".$_POST['usertatts']."', '".$_POST['usercomments']."')")
or die("Could not insert data because ".mysql_error());

// print a success message
echo "Your user account has been created!<br>"; 
echo "Now you can <a href=login.html>log in</a>"; 
}

?>


===========================


thanks guys, marty

#2 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 31 August 2006 - 07:57 AM

Change
$insert = mysql_query("insert into $table values ('NULL', '".$_POST['username']."', '".$_POST['password']."', '".$_POST['email']."', '".$_POST['realname']."', '".$_POST['location']."', '".$_POST['usertatts']."', '".$_POST['usercomments']."')")
to
$insert = mysql_query("insert into $table values ('NULL', '".$_POST['username']."', '".sha1($_POST['password'])."', '".$_POST['email']."', '".$_POST['realname']."', '".$_POST['location']."', '".$_POST['usertatts']."', '".$_POST['usercomments']."')")

If you want to use sha1; otherwise just replace it with md5 or a similar function.

#3 .josh

.josh
  • Staff Alumni
  • .josh
  • 14,871 posts

Posted 31 August 2006 - 08:03 AM

okay first off, what was the point in "Defining post fields into simple variables" if you are gonna directly insert the $_POST vars into your query?  but as for your question, you should do like

$password = md5($_POST['password']);

and use $password in your query string (along with your other vars) and also you should think about sanitizing them first, for security.  Make sure that your password field in your database is at least varchar(32) to hold the encrypted string. 

later on when you retrieve the information, you are going to have to md5 the password again. for instance, when a user goes to login, and you check if he exists in the db based on his username/pw, it will look something like this:

$user = $_POST['user'];
$pw = md5($_POST['password']);
$sql = "select * from table where user = '$user' and password = '$pw'";

also, sha1 is a higher bit encryption, if you wanna look into that function.

#4 Jenk

Jenk
  • Members
  • Advanced Member
  • 778 posts

Posted 31 August 2006 - 08:06 AM

actually, sha1 is the one truly breakable hashing algorithm and use of it is discouraged, even md5 has preference.

but with vulnerabilities like you have in your SQL statements, no hashing algorithm is worth bothering with.

I go to your site and enter the following credentials, what happens?

Username: ' OR '' = '' --
Password: whatever


#5 joshspringsteen

joshspringsteen
  • New Members
  • Newbie
  • 3 posts

Posted 04 September 2006 - 04:56 AM

Jenk - I don't understand what you're trying to say. I tried to log in with those 'credentials' but it doesn't work... it simply states the username is not in the database. Also, could you explain what vulnerabilities are in my SQL statements?

Thanks again!

#6 Jenk

Jenk
  • Members
  • Advanced Member
  • 778 posts

Posted 04 September 2006 - 09:22 AM

an example of how you make your input 'safe'

$username = mysql_real_escape_string($_POST['username']);
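
Added example, not part of any post in this thread: the login query from post #3 run with the input from post #4, next to a prepared-statement version that stores passwords with `password_hash()`. It assumes PHP 7.1+ with the PDO SQLite driver; the in-memory `users` table, its column names and the sample account are constructed here, and SQLite stands in for MySQL so the script runs offline.

```php
<?php
// Constructed in-memory table; md5_pw exists only to run the "before" query.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, md5_pw TEXT, pw_hash TEXT)');

// Registration with placeholders; pw_hash is a salted, slow hash.
function register(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (username, md5_pw, pw_hash) VALUES (?, ?, ?)');
    $stmt->execute([$username, md5($password), password_hash($password, PASSWORD_DEFAULT)]);
}

// "Before": the query shape from post #3, built by string concatenation.
function login_concatenated(PDO $db, string $username, string $password): bool {
    $pw = md5($password);
    $sql = "SELECT * FROM users WHERE username = '$username' AND md5_pw = '$pw'";
    return $db->query($sql)->fetch() !== false;
}

// "After": the placeholder keeps the input as data; the hash is checked in PHP.
function login_prepared(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

register($db, 'marty', 'correct horse');    // constructed sample account

$cases = [
    ['marty', 'correct horse'],              // valid login
    ['marty', 'wrong'],                      // wrong password
    ["' OR '' = '' --", 'whatever'],         // input quoted in post #4
];
foreach ($cases as [$u, $p]) {
    printf("%-18s concatenated=%-5s prepared=%s\n", $u,
        var_export(login_concatenated($db, $u, $p), true),
        var_export(login_prepared($db, $u, $p), true));
}
```

The same `prepare()`/`execute()` calls work against MySQL through PDO's mysql driver; the `mysql_*` functions used in the thread were removed in PHP 7.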




