alienmojo Posted January 19, 2007

After basically getting my web site done I realized I needed to make it more secure. After looking online I decided that sha1 would be the best way for me to do that, but I'm not sure how to do that. Here is my login script:

[code]
<?php
$db_host="localhost";
$db_user="root";
$db_pass="*****";
$database="realestate";
$IP=$_SERVER["REMOTE_ADDR"];

if (isset($_POST["pass"])) {
    mysql_connect($db_host,$db_user,$db_pass) or die("Unable to connect to database");
    mysql_select_db($database) or die( "Unable to select database");
    $login=htmlentities($_POST["login"], ENT_QUOTES);
    $pass=htmlentities($_POST["pass"], ENT_QUOTES);
    $resultat=mysql_query("SELECT id,pass FROM users WHERE login ='".$login."';");
    if($ligne = mysql_fetch_array ($resultat)) {
        $uid=$ligne["id"];
        // Failed attempts older than 10 minutes are dropped before counting.
        $bantime=time()-600;
        mysql_query("DELETE FROM logins_f WHERE time<$bantime");
        $res3=mysql_query("SELECT count(*) FROM logins_f WHERE (uid='".$uid."' AND IP='".$IP."');");
        if(!($lig3=mysql_fetch_row($res3))) die('Error connecting to the database, please try again');
        if($lig3[0]>=3) echo 'Too many failed attempts, account and IP locked for 10 minutes.<br/>';
        else {
            // Stored password is compared directly with the submitted one.
            if(($ligne['pass']==$pass) && ($ligne['pass']!='')) {
                $_SESSION["uname"] = $login;
                if(isset($_POST["IPsec"])) $_SESSION["IP"]=$IP;
                else $_SESSION["IP"]="no";
            }
            else {
                mysql_query("INSERT INTO logins_f SET uid='".$uid."',time='".time()."',IP='".$IP."'");
                echo 'Wrong password !<br/>';
            }
        }
    }
    else echo 'Wrong login or password.<br/>';
    mysql_close();
}

if (!isset($_SESSION["uname"])) {
    session_destroy();
    echo '<h3>Please log in :</h3><br/>
<form action="" method="post">
 <div>
  <label for="login">Login</label> : <input type="text" name="login" id="login" size="50" value="" /><br/>
  <label for="pass">Password</label> : <input type="password" name="pass" id="pass" size="50" /><br/>
  <input type="checkbox" name="IPsec" id="IPsec" checked="checked" /> <label for="IPsec">Use IP session lock</label><br/>
  <input type="submit" value=" Log in " />
 </div>
</form>';
}
else if(isset($_GET["log"]) && $_GET["log"]=="logout") {
    session_destroy();
    echo 'You are now logged out. <a href="">Click here to log in</a>.<br/>';
    $bug_fix=1;
}
else if($_SESSION["IP"]!="no" && $_SESSION["IP"]!=$IP) {
    // Session was bound to another IP address.
    session_destroy();
    echo 'You have been kicked by the IP security. <a href="'.$_SERVER["PHP_SELF"].'">Click here to log in again</a>.<br/>';
    $bug_fix=1;
}

if (isset($_SESSION["uname"]) && !isset($bug_fix)) {
    echo 'Welcome '.$_SESSION["uname"].' ! <a href="'.$_SERVER["PHP_SELF"].'?log=logout">Click here to log out</a>.<br/>';
}
?>
[/code]

From what I understand I need to add something in here and in the table where I have the password stored; I'm just not sure exactly where or what. If someone can help me with this it would be very helpful.

Link to comment: https://forums.phpfreaks.com/topic/34928-sha1/
pocobueno1388 Posted January 19, 2007

Change this:

[code]
if(($ligne['pass']==$pass) && ($ligne['pass']!='')) {
    $_SESSION["uname"] = $login;
    if(isset($_POST["IPsec"])) $_SESSION["IP"]=$IP;
    else $_SESSION["IP"]="no";
}
[/code]

To this:

[code]
if(($ligne['pass']==sha1($pass)) && ($ligne['pass']!='')) {
    $_SESSION["uname"] = $login;
    if(isset($_POST["IPsec"])) $_SESSION["IP"]=$IP;
    else $_SESSION["IP"]="no";
}
[/code]

Although you need to store the password in the database converted with the sha1() function already. So you need to change your register script to store that for you. Then this login script will test against the password in the database.

EDIT: I have never actually used this myself, but I have read about it. So hopefully I explained that correctly. If I didn't please don't bite my head off xP

Link to comment: https://forums.phpfreaks.com/topic/34928-sha1/#findComment-164725
alienmojo (Author) Posted January 19, 2007

I just think I figured something out. At the time I can't test what you said, but after looking at the code and what u told me I believe that I can do this. Where I had

[code]
$pass=htmlentities($_POST["pass"], ENT_QUOTES);
[/code]

I think I can put

[code]
$pass=htmlentities(sha1($_POST["pass"]), ENT_QUOTES);
[/code]

If anyone has had experience with sha1 can u tell me if this is the right syntax?

Link to comment: https://forums.phpfreaks.com/topic/34928-sha1/#findComment-164736
ShogunWarrior Posted January 20, 2007

sha1 only returns alpha-numeric characters I believe, so html-entitilizing the output is unnecessary.

Link to comment: https://forums.phpfreaks.com/topic/34928-sha1/#findComment-164795
pocobueno1388 Posted January 20, 2007

Shogun is right, that would be pretty pointless if you did that as there will be no HTML in the sha1() password.

Link to comment: https://forums.phpfreaks.com/topic/34928-sha1/#findComment-164832
alienmojo (Author) Posted January 20, 2007

If I want to use sha512 how would I do that?

Link to comment: https://forums.phpfreaks.com/topic/34928-sha1/#findComment-164870
alienmojo (Author) Posted January 20, 2007

I'm not sure, do you have to download a module or something?

Link to comment: https://forums.phpfreaks.com/topic/34928-sha1/#findComment-164904
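Added example, not code from any poster in this thread: it works through pocobueno1388's point that the register script must store the digest the login script compares against, and the open sha512 question. The names `register()`, `check_login()` and the in-memory `$users` array (standing in for the users table) are hypothetical, and it assumes PHP 5.6 or later.

```php
<?php
// Added example. register(), check_login() and $users are hypothetical;
// $users is constructed sample data standing in for the users table.

// Registration: store only a digest, never the plain password.
function register(array &$users, $login, $pass, $scheme) {
    if ($scheme === 'sha1') {
        $users[$login] = sha1($pass);                 // 40 hex characters
    } elseif ($scheme === 'sha512') {
        // hash() is bundled with PHP since 5.1.2, no extra module needed.
        $users[$login] = hash('sha512', $pass);       // 128 hex characters
    } else {
        // Salted, deliberately slow hash built for password storage.
        $users[$login] = password_hash($pass, PASSWORD_DEFAULT);
    }
}

// Login: recompute from the submitted password, compare in constant time.
function check_login(array $users, $login, $pass) {
    if (!isset($users[$login]) || $users[$login] === '') {
        return false;
    }
    $stored = $users[$login];
    $isHex  = ctype_xdigit($stored);
    if ($isHex && strlen($stored) === 40) {
        return hash_equals($stored, sha1($pass));
    }
    if ($isHex && strlen($stored) === 128) {
        return hash_equals($stored, hash('sha512', $pass));
    }
    return password_verify($pass, $stored);
}

$users  = array();
$secret = 'Tom & "Jerry"';   // contains characters htmlentities() rewrites
foreach (array('sha1', 'sha512', 'password_hash') as $scheme) {
    register($users, $scheme, $secret, $scheme);
    printf("%-13s len=%3d ok=%s wrong=%s\n", $scheme, strlen($users[$scheme]),
        var_export(check_login($users, $scheme, $secret), true),
        var_export(check_login($users, $scheme, 'guess'), true));
}

// The two variants in the thread hash different strings: one hashes the
// entity-encoded password, the other the raw one. Whichever is used, the
// register script and the login script must apply the same transform.
$encodedThenHashed = sha1(htmlentities($secret, ENT_QUOTES));
$hashedThenEncoded = htmlentities(sha1($secret), ENT_QUOTES);
var_dump($encodedThenHashed === $hashedThenEncoded);
```

Plain SHA-1 and SHA-512 digests are unsalted and fast to compute, so identical passwords produce identical stored values; `password_hash()` adds a per-password salt and a work factor, which is why it is the usual choice for password storage in current PHP.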
Archived
This topic is now archived and is closed to further replies.