A1SURF.us Posted October 15, 2010

(Main Objective) I need this login class to encrypt the password before it sends it to the database for login verification.

(Alternative Solution) Force a login with just the username and captcha, no password.

This is the original working script:

```php
<?php
session_start();
include "config.php";
global $c;
include "data.php";
global $config;
require('funciones.php');

if ($_POST['username']) {
    // Stop on a wrong captcha; without exit the login would carry on after the redirect header
    if ($_POST['code'] != $_SESSION['string']) {
        header("Location: login.php?error=1");
        exit;
    }

    // Check that the username and password were submitted
    // (uc() is defined in one of the included files, not shown here)
    $username = uc($_POST['username']);
    $password = uc($_POST['password']);

    if ($password == NULL) {
        header("Location: login.php?error=2");
        exit;
    } else {
        $query = mysql_query("SELECT username,password FROM tb_users WHERE username = '$username'") or die(mysql_error());
        if (mysql_num_rows($query) == 0) {
            header("Location: login.php?error=3");
            exit;
        } else {
            $data = mysql_fetch_array($query);
            // The submitted password is compared as-is with the stored value
            if ($data['password'] != $password) {
                header("Location: login.php?error=4");
                exit;
            } else {
                $query = mysql_query("SELECT username,password FROM tb_users WHERE username = '$username'") or die(mysql_error());
                $row = mysql_fetch_array($query);
                $nicke = $row['username'];
                $passe = $row['password'];

                // 90 day cookie
                setcookie("usNick", $nicke, time() + 7776000);
                setcookie("usPass", $passe, time() + 7776000);

                // Record the time and IP address of this login
                $lastlogdate = time();
                $lastip = getRealIP();
                $querybt = "UPDATE tb_users SET lastlogdate='$lastlogdate', lastiplog='$lastip' WHERE username='$nicke'";
                mysql_query($querybt) or die(mysql_error());

                header("Location: members.php");
                // echo "You have been logged in successfully ".$_SESSION['s_username']." and you can access index.php.";
                // echo "<script>location.href='index.php';</script>";
                ?>
                <META HTTP-EQUIV="REFRESH" CONTENT="0;URL=members.php">
                <?php
            }
        }
    }
}
?>

<div class="heading">Login</div><br />

<?php
// Show the message for the error code passed back by the redirect
if ($_GET['error'] == 1) {
    print "<b>Error</b> - Wrong Captcha Code<br /><br/>";
}
if ($_GET['error'] == 2) {
    print "<b>Error</b> - Please supply a password<br /><br/>";
}
if ($_GET['error'] == 3) {
    print "<b>Error</b> - Invalid Username<br><br>";
}
if ($_GET['error'] == 4) {
    print "<b>Error</b> - Invalid Password<br /><br />";
}
?>

<form action="login.php" method="post">
<table>
  <tr>
    <td class="midtext">Username:</td>
    <td><input type="text" name="username" size="25" class="form" autocomplete="off"></td>
  </tr>
  <tr>
    <td class="midtext">Password:</td>
    <td><input type="password" name="password" size="25" class="form" autocomplete="off"></td>
  </tr>
  <tr>
    <td class="midtext" valign="top">Security Code:</td>
    <td class="midtext">
      <img src="image.php" onclick="this.src='image.php?newtime=' + (new Date()).getTime();">(Click to reload)<br />
      <input type="text" name="code" size="17" maxlength="17" autocomplete="off" class="form"></td>
  </tr>
  <tr>
    <td></td>
    <td align="right"><input type="submit" value="Login" name="loginsubmit" class="form"></td>
  </tr>
</table>
</form>
```

Let me know if you need any files...

the182guy Posted October 15, 2010

Is the database located on a different server to the PHP scripts? If it's the same server then there's no need to encrypt it. Why don't you store the password as a hash like md5 (or something stronger, see hash() ), that way even if your server is remote you can hash the password before transmitting it to the database server. Only downside to hashing it is no decryption, however you shouldn't need to decrypt it under normal circumstances.

A1SURF.us Posted October 15, 2010

@the182guy I use a hosting provider and the mysql server is separate from the file server, I think, not too sure. The password is already encrypted inside the database with md5, I think. It's just not sent encrypted with this $query call. When I use this script to login to the database, with the encrypted password, it says the password is wrong. But I know the password is correct because it is also used on another account that I have. So I think somewhere in the $query it needs to say encrypt this password before verify.

Psycho Posted October 15, 2010

If the password is already encrypted (but most likely hashed) you need to know what method was used to encrypt/hash the password. The idea is that you do not store passwords in the database in plain text - otherwise someone who gains access to the database will have access to the passwords. So, you hash the password when you store it and then when the user attempts to authenticate you first hash it then compare that hashed value to the db value.

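The hash-then-compare check described in the post above, as an added example that is not part of the original thread and not PHPizabi's own code. It assumes the `password` column of `tb_users` holds either an unsalted md5 hex digest (what the poster believes the CMS stores) or a `password_hash()` value, and it goes one step further than the thread by upgrading a legacy row on a successful login; `verify_login()` is a hypothetical name and an in-memory SQLite table (needs the pdo_sqlite extension) stands in for the MySQL server.

```php
<?php
// Added example. Assumption: tb_users.password is an unsalted md5 hex digest
// or a password_hash() string. verify_login() is a hypothetical helper name.

function verify_login(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM tb_users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }

    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        // Legacy row: hash the submitted value the same way the stored one
        // was hashed, then compare the two digests in constant time.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        // Correct password: replace the md5 digest with a salted, slow hash.
        $up = $db->prepare('UPDATE tb_users SET password = ? WHERE username = ?');
        $up->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
        return true;
    }

    // Row already upgraded: password_verify() re-hashes with the stored salt.
    return password_verify($password, $stored);
}

// Constructed sample data, not taken from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tb_users (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO tb_users VALUES (?, ?)')->execute(['alice', md5('s3cret')]);

var_dump(verify_login($db, 'alice', 'wrong'));    // wrong password
var_dump(verify_login($db, 'alice', 's3cret'));   // legacy md5 row, upgraded on success
var_dump(verify_login($db, 'alice', 's3cret'));   // same row, now checked by password_verify()
var_dump(verify_login($db, 'nobody', 's3cret'));  // unknown user
```
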
A1SURF.us Posted October 15, 2010

> If the password is already encrypted (but most likely hashed) you need to know what method was used to encrypt/hash the password.

PHPizabi is the CMS script that is encrypting it. I'm looking through its PHP files now. If I knew what to look for then maybe I could find it, but I'm just looking at all php files randomly. I also asked what method is used inside the phpizabi help forum. http://phpizabi.com/forum/showthread.php?p=15245#post15245

naike Posted October 16, 2010

Hashing and encrypting are not the same. Hashing a password is a one way function. That means even if someone got access to your database, the only way of getting those passwords would be by brute forcing them (going through all of those billion possibilities one by one). Encrypting on the other hand works in both ways, you can encrypt a password, then store it and decrypt it to plain text again. So you definitely want to hash your passwords instead of just encrypting them.

A1SURF.us Posted October 16, 2010

My third option is to create a 2nd password table for mysql users. I have a password reset class that can be used as a fancy, make sure their email is legit, security code. So the users can login just by from this password table instead of the hashed or encrypted one: $password2

A1SURF.us Posted October 16, 2010

> My third option is to create a 2nd password table for mysql users. I have a password reset class that can be used as a fancy, make sure their email is legit, security code. So the users can login just by from this password table instead of the hashed or encrypted one: $password2

My entire goal might even be solved by being able to get the cookies inside the login class to turn on and trigger other scripts associated with those cookies. What I'm trying to do is plug a paid to surf script into PHPizabi, without using the modules option. The paid to click script has referral links, user click tracking, and several other classes that need those cookies to trigger, I think. Unless it's last logon and last user IP I think this handles the cookie, but where would I put it inside Izabi??

```php
setcookie("usNick",$nicke,time()+7776000);
setcookie("usPass",$passe,time()+7776000);
$lastlogdate=time();
$lastip = getRealIP();
$querybt = "UPDATE tb_users SET lastlogdate='$lastlogdate', lastiplog='$lastip' WHERE username='$nicke'";
mysql_query($querybt) or die(mysql_error());
```