bytesize Posted October 28, 2010

I would like to add md5 encryption into the create and login functions but I'm having difficulties with the process.

user.php - create user and login functions

```php
<?php
function create_user($params)
{
    db_connect_posts();

    $query = sprintf("INSERT INTO users SET
                        users.screen_name = '%s',
                        users.user_email = '%s',
                        users.user_pwd = '%s',
                        users.image = '%s',
                        created_at = NOW()"
        ,
        mysql_real_escape_string($params['screen_name']),
        mysql_real_escape_string($params['user_email']),
        mysql_real_escape_string($params['user_pwd']),
        mysql_real_escape_string($params['image'])
    );

    $result = mysql_query($query);
    if (!$result) {
        return false;
    } else {
        return true;
    }
}

function login($username, $password)
{
    db_connect_posts();

    $query = sprintf("SELECT * FROM users
                        WHERE user_email = '%s' AND user_pwd = '%s'"
        ,
        mysql_real_escape_string($username),
        mysql_real_escape_string($password)
    );

    $result = mysql_query($query);
    $number_of_posts = mysql_num_rows($result);
    if ($number_of_posts == 0) {
        return false;
    }

    $row = mysql_fetch_array($result);
    $_SESSION['user'] = $row;
    return true;
}
?>
```

Register form:

```html
<form action="<?php echo '/'.APP_ROOT.'/'; ?>sessions/signup" method="post">
  <fieldset>
    <legend>Register</legend>
    <div>
      <label>Screen Name</label>
      <input name="user[screen_name]" size="40" type="text" />
    </div>
    <div>
      <label>E-mail</label>
      <input name="user[user_email]" size="40" type="text" />
    </div>
    <div>
      <label>Password</label>
      <input name="user[user_pwd]" size="40" type="password" />
    </div>
    <div>
      <label>Image</label>
      <input name="user[image]" size="40" type="text" />
    </div>
    <input type="submit" name="Register" value="Register" />
  </fieldset>
</form>
```

Login form:

```html
<form action="<?php echo '/'.APP_ROOT.'/'; ?>sessions/login_user" method="post">
  <fieldset>
    <legend>Login</legend>
    <div>
      <label>E-mail</label>
      <input name="user[user_email]" size="40" type="text" />
    </div>
    <div>
      <label>Password</label>
      <input name="user[user_pwd]" size="40" type="password" />
    </div>
    <input type="submit" value="Login" />
  </fieldset>
</form>
```

revraz Posted October 28, 2010

MD5 is a hash and not encryption. Where are you trying to use it? You need to store the MD5 password when you write it to the DB, then compare an MD5 password to the stored value in the DB.

bytesize (Author) Posted October 28, 2010

I want to add it to the user_pwd field in the database in both functions.

sharal Posted October 28, 2010

```php
<?php
function create_user($params)
{
    db_connect_posts();

    $query = sprintf("INSERT INTO users SET
                        users.screen_name = '%s',
                        users.user_email = '%s',
                        users.user_pwd = '%s',
                        users.image = '%s',
                        created_at = NOW()"
        ,
        mysql_real_escape_string($params['screen_name']),
        mysql_real_escape_string($params['user_email']),
        mysql_real_escape_string(md5($params['user_pwd'])),
        /* The md5 function wrapping around the password string hashes the
           password with the md5 algorithm. The string "hello world" will always
           produce the same hash value, hence you can compare the inserted hashed
           password when you log your users in by hashing the password from the
           login form before comparing with the password that is already in
           the database. */
        mysql_real_escape_string($params['image'])
    );

    $result = mysql_query($query);
    if (!$result) {
        return false;
    } else {
        return true;
    }
}

function login($username, $password)
{
    db_connect_posts();

    $query = sprintf("SELECT * FROM users
                        WHERE user_email = '%s' AND user_pwd = '%s'"
        ,
        mysql_real_escape_string($username),
        // hashing the password again before comparing.
        mysql_real_escape_string(md5($password))
    );

    $result = mysql_query($query);
    $number_of_posts = mysql_num_rows($result);
    if ($number_of_posts == 0) {
        return false;
    }

    $row = mysql_fetch_array($result);
    $_SESSION['user'] = $row;
    return true;
}
?>
```

Andy-H Posted October 28, 2010

> I would like to add md5 encryption into the create and login functions but I'm having difficulties with the process.

user.php - create user and login functions

```php
<?php
function create_user($params)
{
    db_connect_posts();

    $query = sprintf("INSERT INTO users VALUES (
                        users.screen_name = '%s',
                        users.user_email = '%s',
                        users.user_pwd = '%s',
                        users.image = '%s',
                        created_at = NOW()
                      )"
        ,
        mysql_real_escape_string($params['screen_name']),
        mysql_real_escape_string($params['user_email']),
        md5($params['user_pwd']), // doesn't require escaping as md5 hashes to
                                  // alphanumeric chars
        mysql_real_escape_string($params['image'])
    ); // not sure if your insert syntax was correct???

    $result = mysql_query($query);
    if (!$result) {
        return false;
    } else {
        return true;
    }
}

function login($username, $password)
{
    db_connect_posts();

    $query = sprintf("SELECT * FROM users
                        WHERE user_email = '%s' AND user_pwd = '%s'"
        ,
        mysql_real_escape_string($username),
        md5($password) // need to compare as md5 hashed too.
    );

    $result = mysql_query($query);
    $number_of_posts = mysql_num_rows($result);
    if ($number_of_posts == 0) {
        return false;
    }

    $row = mysql_fetch_array($result);
    /* mysql_fetch_row / mysql_fetch_assoc is faster as it only fetches one set
       of values, alternatively use MYSQL_NUM/MYSQL_ASSOC flags with fetch array */
    $_SESSION['user'] = $row;
    return true;
}
?>
```

Register form:

```html
<form action="<?php echo '/'.APP_ROOT.'/'; ?>sessions/signup" method="post">
  <fieldset>
    <legend>Register</legend>
    <div>
      <label>Screen Name</label>
      <input name="user[screen_name]" size="40" type="text" />
    </div>
    <div>
      <label>E-mail</label>
      <input name="user[user_email]" size="40" type="text" />
    </div>
    <div>
      <label>Password</label>
      <input name="user[user_pwd]" size="40" type="password" />
    </div>
    <div>
      <label>Image</label>
      <input name="user[image]" size="40" type="text" />
    </div>
    <input type="submit" name="Register" value="Register" />
  </fieldset>
</form>
```

Login form:

```html
<form action="<?php echo '/'.APP_ROOT.'/'; ?>sessions/login_user" method="post">
  <fieldset>
    <legend>Login</legend>
    <div>
      <label>E-mail</label>
      <input name="user[user_email]" size="40" type="text" />
    </div>
    <div>
      <label>Password</label>
      <input name="user[user_pwd]" size="40" type="password" />
    </div>
    <input type="submit" value="Login" />
  </fieldset>
</form>
```

bytesize (Author) Posted October 28, 2010

Thank you! It works with the escape removed. Are you saying the INSERT should use VALUES instead of SET? I'm using SET and it seems to work.

Andy-H Posted October 28, 2010

If it works leave it as is, I wasn't sure but it must be valid syntax.

revraz Posted October 29, 2010

Yes, you can use either, Values is just more common.
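
An added example, not part of any post in this thread: the same `create_user()` / `login()` pair using PHP's built-in `password_hash()` / `password_verify()` (salted and deliberately slow) with bound parameters instead of unsalted `md5()`, and with rows written by the `md5()` version upgraded at their next successful login. The PDO handle, the in-memory SQLite database and the two sample accounts are assumptions made so the script runs stand-alone; `login()` here returns the row rather than writing `$_SESSION`.

```php
<?php
// Added example; table columns follow the thread, everything else is constructed.
function create_user(PDO $db, array $params): bool
{
    $stmt = $db->prepare('INSERT INTO users (screen_name, user_email, user_pwd, image, created_at)
                          VALUES (?, ?, ?, ?, CURRENT_TIMESTAMP)');
    return $stmt->execute([
        $params['screen_name'],
        $params['user_email'],
        password_hash($params['user_pwd'], PASSWORD_DEFAULT), // random salt is embedded in the result
        $params['image'],
    ]);
}

function login(PDO $db, string $email, string $password)
{
    // Fetch by e-mail only: a salted hash cannot be matched in the WHERE clause.
    $stmt = $db->prepare('SELECT * FROM users WHERE user_email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $stored = $row['user_pwd'];
    // A 32-character hex value is a row written by the md5() version of the code.
    $legacy = strlen($stored) === 32 && ctype_xdigit($stored);
    $ok = $legacy ? hash_equals($stored, md5($password)) : password_verify($password, $stored);
    if (!$ok) {
        return false;
    }
    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        // Upgrade the stored hash while the plaintext is in hand.
        $db->prepare('UPDATE users SET user_pwd = ? WHERE user_email = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $email]);
    }
    unset($row['user_pwd']); // keep the hash out of the session data
    return $row;
}

// Constructed demo: one new account and one legacy md5() row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (screen_name TEXT, user_email TEXT, user_pwd TEXT, image TEXT, created_at TEXT)');
create_user($db, ['screen_name' => 'new', 'user_email' => 'new@example.test', 'user_pwd' => 'pw-one', 'image' => '']);
$db->prepare('INSERT INTO users VALUES (?, ?, ?, ?, CURRENT_TIMESTAMP)')->execute(['old', 'old@example.test', md5('pw-two'), '']);
var_dump(login($db, 'new@example.test', 'pw-one') !== false);
var_dump(login($db, 'old@example.test', 'pw-two') !== false);
var_dump(login($db, 'old@example.test', 'wrong'));
var_dump(strlen($db->query("SELECT user_pwd FROM users WHERE user_email = 'old@example.test'")->fetchColumn()));
```

The `user_pwd` column must be wide enough for the new hashes; the PHP manual recommends 255 characters so that future `PASSWORD_DEFAULT` algorithms fit.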