joshspringsteen Posted August 31, 2006 Share Posted August 31, 2006 hi guysim building a registration and login system for my site...i've read about the md5 but however i put it in my code i cant seem to get it to work...is md5 the best out there, or would something stronger be better...anyway, here is my code --> where do i put in the bit for encrypting the passwords...===========================[code]<?php include("config.php"); // connect to the mysql server$link = mysql_connect($server, $db_user, $db_pass)or die ("Could not connect to mysql because ".mysql_error());// select the databasemysql_select_db($database)or die ("Could not select database because ".mysql_error());// Define post fields into simple variables$username = $_POST['username'];$password = $_POST['password'];$email = $_POST['email'];$realname = $_POST['realname'];$location = $_POST['location'];$usertatts = $_POST['usertatts'];$usercomments = $_POST['usercomments'];// Do some error checking on the form posted fields if((!$username) || (!$password) || (!$email) || (!$realname)){ echo 'You did not submit the following required information! <br />'; if(!$username){ echo "username is a required field. Please enter it below.<br />"; } if(!$password){ echo "password is a required field. Please enter it below.<br />"; } if(!$email){ echo "Email Address is a required field. Please enter it below.<br />"; } if(!$realname){ echo "realname is a required field. Please enter it below.<br />"; } include 'register.html'; // Show the form again! exit(); // if the error checking has failed, we'll exit the script!} // Let's do some checking $sql_email_check = mysql_query("SELECT email FROM users WHERE email='$email'"); $sql_username_check = mysql_query("SELECT username FROM users WHERE username='$username'"); $email_check = mysql_num_rows($sql_email_check); $username_check = mysql_num_rows($sql_username_check); if(($email_check > 0) || ($username_check > 0)){ echo "Please fix the following errors: <br />"; if($email_check > 0){ echo "<strong>Your email address has already been used by another member in our database. Please submit a different Email address!<br />"; unset($email); } if($username_check > 0){ echo "The username you have selected has already been used by another member in our database. Please choose a different Username!<br />"; unset($username); } include 'register.html'; // Show the form again! exit(); // exit the script so that we do not create this account! } else {// insert the data$insert = mysql_query("insert into $table values ('NULL', '".$_POST['username']."', '".$_POST['password']."', '".$_POST['email']."', '".$_POST['realname']."', '".$_POST['location']."', '".$_POST['usertatts']."', '".$_POST['usercomments']."')")or die("Could not insert data because ".mysql_error());// print a success messageecho "Your user account has been created!<br>"; echo "Now you can <a href=login.html>log in</a>"; }?>[/code]===========================thanks guys, marty Quote Link to comment Share on other sites More sharing options...
Daniel0 Posted August 31, 2006 Share Posted August 31, 2006 Change [code]$insert = mysql_query("insert into $table values ('NULL', '".$_POST['username']."', '".$_POST['password']."', '".$_POST['email']."', '".$_POST['realname']."', '".$_POST['location']."', '".$_POST['usertatts']."', '".$_POST['usercomments']."')")[/code] to [code]$insert = mysql_query("insert into $table values ('NULL', '".$_POST['username']."', '".sha1($_POST['password'])."', '".$_POST['email']."', '".$_POST['realname']."', '".$_POST['location']."', '".$_POST['usertatts']."', '".$_POST['usercomments']."')")[/code]If you wan't to use sha1, else just replace it with md5 or a similar function. Quote Link to comment Share on other sites More sharing options...
.josh Posted August 31, 2006 Share Posted August 31, 2006 okay first off, what was the point in "Defining post fields into simple variables" if you are gonna directly insert the $_POST vars into your query? but as for your question, you should do like$password = md5($_POST['password']);and use $password in your query string (along with your other vars) and also you should think about sanitizing them first, for security. Make sure that your password field in your database is at least varchar(32) to hold the encrypted string. later on when you retrieve the information, you are going to have to md5 the password again. for instance, when a user goes to login, and you check if he exists in the db based on his username/pw, it will look something like this:[code]$user = $_POST['user'];$pw = md5($_POST['password']);$sql = "select * from table where user = '$user' and password = '$pw'";[/code]also, sha1 is a higher bit incryption, if you wanna look into that function. Quote Link to comment Share on other sites More sharing options...
Jenk Posted August 31, 2006 Share Posted August 31, 2006 actually, sha1 is the one truly breakable hashing algorithm and use of it is discouraged, even md5 has preference.but with vulnerabilities like you have in your SQL statements, no hashing algoritm is worth bothering with.I go to your site and enter the following credentials, what happens?[code]Username: ' OR '' = '' --Password: whatever[/code] Quote Link to comment Share on other sites More sharing options...
joshspringsteen Posted September 4, 2006 Author Share Posted September 4, 2006 jenk - i dont understand what your tryting to say. I tried to log in with those 'credentials' but it doesnt work...it simply states the username is not in the database/. Also, could you explain what vulnerabilities are in my SQL statements?THanks again! Quote Link to comment Share on other sites More sharing options...
Jenk Posted September 4, 2006 Share Posted September 4, 2006 an example of how you make your input 'safe'[code]$username = mysql_real_escape_string($_POST['username']);[/code] Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.