Jump to content

Recommended Posts

As a relative PHP/Mysql newbie I'm finding it very difficult making sense of basic encryption and I'm similarly finding it difficult to locate a site which is simple enough to help me.

 

If I use one of the following to create the encrypted phrase:

 

$pw = crypt(md5($phrase))

or

$pw = crypt($phrase)

 

then write $pw to the appropriate database field.

 

This is OK so far and I can see the encrypted phrase exists in the appropriate col/row in my database.

 

The problem then arises if I try and compare that encrypted phrase with the posted data from a login form. When I encrypt the new posted phrase it produces a different encryption to the one stored in the db even though I have used the same phrase.

 

Help!! Please!!

 

 

 

Link to comment
https://forums.phpfreaks.com/topic/38801-encryption-frustrations/
Share on other sites

Hi Jese,

 

The code (for which $pword and 'pass' are identical words):

 

$pw = crypt($pword);

$sql = "INSERT INTO main (password) values ('$pw')";

$result = mysql_query($sql, $conn) or die(mysql_error());

 

This works and adds an encrypted form of $pword into the database.

 

The problem then arises when I use posted data from my login form:

 

$sql = "SELECT password FROM main WHERE account = 'timlondon'";

$result = mysql_query($sql, $conn) or die(mysql_error());

$pw = mysql_fetch_array($result);

$pass = strip_tags(substr($_POST['pass'],0,12));

$enpass = crypt($pass);

 

At this point if I echo both $enpass and $pw I get 2 differing strings of the encrypted phrase:

 

cd13b6a6af66fb774faa589a9d18f906 - that's $pw from the database

72256f8971aefb19f327aa7c08503149 - thats $pass from the form.

 

How can I compare these to get a pos or neg result for the login?

 

if ($pw == $pass)... doesn't work because they are differing strings.

 

Are you sure $pword has a value before you encrypt it?

 

Also : $sql = "INSERT INTO main (password) values ('$pw')";

 

Will set all of the passwords equal to that.

 

You want to get the username and password from the registration form, then encrypt the password and insert them at the same time. Then when they login, encrypt the password they supply and do a select WHERE username=username and password= enycrptyed password.

Sorry I meant INSERT...WHERE account='timlondon'

 

Yes $pw is encrypted from $pword which is "rainbow" and pass from the login form is also "rainbow".

 

I am encrypting the password and inserting it with the username at the same time.

 

I'm not sure I understand the basic concept.

 

Should the encryption for the same word "rainbow" produce two differing strings as is happening????

 

By using echo prior to the "if" I can see that the posted variable from the login page is different to the one stored in the databse for the same word.

Your password in the database is the salt to verify the form input!

 

// insert

 

$pass = crypt ( 'test' );

mysql_query ( "INSERT INTO main (account, password) VALUES ('timlondon', '" . $pass . "');" );

 

// test the password

 

// the form input unencrypted

$pass = $_POST['pass'] // IE: test

// encrypt the form input

$cpass = crypt ( $pass );

// select the password from the database (based on the username)

$sql = "SELECT password FROM main WHERE account = 'timlondon'";
$result = mysql_query ( "SELECT password FROM main WHERE account = 'timlondon';" );
$row = mysql_fetch_assoc ( $result );

// now compare the encrypted form input to what is in the database

if ( $cpass == crypt ( $pass, $row['password'] ) )
{
echo 'valid user';
}
else
{
echo 'username and or password not correct!';
}

 

 

 

The following is what I use in my php script for registering people:

$mdpwd = md5($password);

$sql = mysql_query("INSERT INTO users (username, name, password, email, signup_date)

       VALUES('$username', '$name', '$mdpwd', '$email', now())") or die (mysql_error());

 

And this is what I use in my script that checks the login information from the login page:

// Conver to simple variables

$username = $_POST['username'];

$password = $_POST['password'];

 

if((!$username) || (!$password)){

   echo "Please enter ALL of the information! <br />";

   include 'login_form.html';

   exit();

}

 

// Convert password to md5 hash

$password = md5($password);

 

// check if the user info validates the db

$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'");

$login_check = mysql_num_rows($sql);

if($login_check > 0){

   while($row = mysql_fetch_array($sql)){

   foreach( $row AS $key => $val ){

       $$key = stripslashes( $val );

   }

 

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.