Jump to content

Recommended Posts

Hi:

 

I was reading a tutorial about making password protected pages and how to make the more secure by using MD5 to encrypt (I think) the password.

 

But. I'm not sure if I don't understand the concept of what it does, or maybe 'm using it wrong.

 

This is the code I am using:

 

Database Table:

CREATE TABLE `myAdmins` (
  `id` int(4) NOT NULL auto_increment,
  `myUserName` varchar(65) NOT NULL default '',
  `myPassword` varchar(65) NOT NULL default '',
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;

INSERT INTO myAdmins VALUES("1","abc", "123");

 

I was told in the tutorial to develop something like this (I think I'm doing it wrong):

CREATE TABLE `myAdmins` (
  `id` int(4) NOT NULL auto_increment,
  `myUserName` varchar(65) NOT NULL default '',
  `myPassword` varchar(65) NOT NULL default '',
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=2 ;


INSERT INTO `myAdmins` VALUES(1, 'abc', md5('123'));

 

My Login.php page:

<?php

include('../include/myConn.php');

session_start();
session_destroy();

$message="";

$Login=$_POST['Login'];
if($Login){
$myUserName=$_POST['myUserName'];

//$md5_myPassword=md5($_POST['myPassword']); // Encrypt password with md5() function.
$myPassword=$_POST['myPassword'];

//$result=mysql_query("select * from myAdmins where myUserName='$myUserName' and myPassword='$md5_myPassword'");
$result=mysql_query("select * from myAdmins where myUserName='$myUserName' and myPassword='$myPassword'");
if(mysql_num_rows($result)!='0'){
session_register("myUserName");
header("location:a_Home.php");
exit;
}else{
$message="<div class=\"myAdminLoginError\">Incorrect Username or Password</div>";
}
}
?>


<html>
...

</head>

<form id="form1" name="form1" method="post" action="<? echo $PHP_SELF; ?>">

<? echo $message; ?>

User Name: <input name="myUserName" type="text" id="myUserName" size="40" />
<br /><br />
Password: <input name="myPassword" type="password" id="myPassword" size="40" />

<input name="Login" type="submit" id="Login" value="Login" />

</form>

...
</html>

 

Protected Page:

<?
session_start();
if(!session_is_registered("myUserName")){
header("location:Login.php");
}?>

<html>
...
...
</html>

 

I know I need to uncomment the 2 lines of code in Login.php and remove the 2 that I'm currently using, and use the Database Table that has the MD5 code, but whenever I do it will not let me login.

 

The Login.php page (with the Database Table without the MD5 code) works fine.

 

I just wanted to know if this is the right way to use MD5 to make logins even more secure, of if I am totally off on understanding it.

 

Any help or code tweaks would be appreciated.

 

Thanks!

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Link to comment
https://forums.phpfreaks.com/topic/247095-md5-login-trying-to-understand-it/
Share on other sites

Basically here's how it works:

 

You get your password then you use the md5() function to hash it. Then when the user logs in, it matches the hashed password to the one in the database.

 

So if the passwords in the database aren't the md5 hashes of their password then it's not going to work. You should also add a salt to your passwords to make them harder to crack.

You need to use md5 again when your checking your users credentials or they will never find a match.

 

$result=mysql_query("select * from myAdmins where myUserName='$myUserName' and myPassword='MD5($myPassword')");

 

Also, the tutorial your using looks like it's pretty dated. session_register has long been deprecated.

Hi again:

 

1st - so I should set my session code like this:

<?
session_start();

//if(!session_is_registered("myUserName"))

isset($_SESSION[$myUserName]);

{
header("location:Login.php");
}?>

<html>
...
...
</html>

 

Just in that file or in the other file? Wasn't sure about that.

 

MD5 - maybe I need to change the code to what thorpe posted:

$result=mysql_query("select * from myAdmins where myUserName='$myUserName' and myPassword='MD5($myPassword')");

 

The code was definitely scambled in the database.

 

I insert the "myAdmins" table via phpmyAdmin, and then use the Login.php page for the admin area.

 

I just wanted to know if I'm using the MD5 for the right purpose - in other words does this make logging in more secure?

 

What I can't figure out is if I set a password to "123" and when it is insert into mySQL it becomes "asdagdauihdadGFtyda" (or whatever), how a user can type in "123" and be granted access to to site when the password is clearly not"123"??

alright ill explain this using code.. and first off the isset() code you posted needs to be in an if conditional..

 

alright lets say that you store the password as "asdagdauihdadGFtyda" in your database...

when a user types in their password (we will say 123), you will check the md5 hashed version of what they typed in to the database hashed password like so..

 

<?php

$db_password = "asdagdauihdadGFtyda"; //password grabbed from database
$password = $_POST['password']; //user typed password

if($db_password == md5($password)){
     // the password typed matches the $db_password
}else{
     // passwords don't match
}

?>

 

Edit: quick note.. an md5 hash will be 32 characters... the string i chose is simply for example purposes

 

FYI - using the md5 hashing function on a password does not make your code more secure and it does not make logging in more secure. It makes the stored passwords more secure in case someone obtains the contents of your database, because the actual passwords are not stored, the md5 hashed value of the password is what is stored.

 

Password hashing is one of the most basic security considerations that must be made when designing any application that accepts passwords from users. Without hashing, any passwords that are stored in your application's database can be stolen if the database is compromised, and then immediately used to compromise not only your application, but also the accounts of your users on other services, if they do not use unique passwords.

 

By applying a hashing algorithm to your user's passwords before storing them in your database, you make it implausible for any attacker to determine the original password, while still being able to compare the resulting hash to the original password in the future.

 

1st - so I should set my session code like this: ...

 

^^^ You need an exit statement after the header() redirect to prevent the remainder of the code on your 'protected' page from executing. The only thing a header statement does is send a http header to the browser. The php code continues running until it gets to the end of your page or to an exit; statement.

OK, so my "CheckLongin.php" page should look like this:

:
<?
session_start();
isset($_SESSION[$myUserName]);
{
header("location:Login.php");
exit;
}?>

<html>
...
...
</html>

 

??

 

One other thing - how do I do it so the session will timeout after 20 minutes on being inactice?

 

Do I add it to the code listed above?

 

Thanks!

OK, so my "CheckLongin.php" page should look like this:

:
<?
session_start();
isset($_SESSION[$myUserName]);
{
header("location:Login.php");
exit;
}?>

<html>
...
...
</html>

 

??

 

One other thing - how do I do it so the session will timeout after 20 minutes on being inactice?

 

Do I add it to the code listed above?

 

Thanks!

 

read this

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.