virtuexru Posted March 7, 2007

OK. So I have a website and I recently updated to MySQL V5 from V4. My code for registering users was

```php
$request = "INSERT INTO tbl_auth_user values('$user_id',PASSWORD('$pass'),'$name')";
```

This way, the password would be hashed, and when logging in, I have image verification and pulling the PASSWORD('$pass') = $passwordinput code to check passwords.

But now I have a problem... In MySQL 5, the PASSWORD() function creates a different type of hash, so when logging in, I can no longer use PASSWORD, I need to use OLD_PASSWORD(), so hence my new code:

```php
$request = "INSERT INTO tbl_auth_user values('$user_id',OLD_PASSWORD('$pass'),'$name')";
```

Same for login.

My question is: how would I go about updating the database so that all user passwords are in the new hash format, or should I just create an if/then statement when logging in to check what hash it is? How would I go about doing any of this?

obsidian Posted March 7, 2007

You would have to actually update your database upon each person's login. Besides that, until you were sure that all active users had logged in since your script checking was enabled, you would have to run both checks.

This sort of deprecated function is one of the reasons I like to use an MD5() hash instead.

artacus Posted March 7, 2007

I'm not entirely sure that it makes sense to do this... But first make sure that the field is long enough to store the longer hash. I believe it is 40 characters now, look it up to be sure.

Look it up using:

```sql
AND (user_password = PASSWORD('$pass') OR user_password = OLD_PASSWORD('$pass'))
```

Return the hashed password in your query, and if its length is less than 40, update it using the $pass that the user provided.
virtuexru Posted March 7, 2007 Author Share Posted March 7, 2007 OK. Well I decided to just have old users update their passwords by using a form. I'm going to be using SHA1() to encrypt the passwords now. Can you look at my update form let me know if there are any visible flaws? <? include 'config.php'; include 'opendb.php'; $username = $_POST['txtUserId']; $oldpw = $_POST['OldPassword']; $newpw = $_POST['NEWPW1']; $newpwv = $_POST['NEWPW2']; if (($newpw)!=($newpwv)) { echo "Password doesn't match."; Die(); } $min_length = 6; if(strlen($newpw) < $min_length) { echo "Password not long enough, minimum 6 characters."; Die(); } $sql = "SELECT user_id FROM tbl_auth_user WHERE user_id = '$username' AND user_password = OLD_PASSWORD('$oldpw')"; $result = mysql_query($sql) or die('Query failed. ' . mysql_error()); if (mysql_num_rows($result) == 1) { $newpassword = sha1($password); $query = "UPDATE tbl_auth_user SET user_password = '$newpassword' WHERE user_id = '$username'"; mysql_query($query) or die('Error, query failed'); echo "Update successful"; } else { echo "Old password not correct or username does not exist."; } include 'closedb.php'; ?> Quote Link to comment https://forums.phpfreaks.com/topic/41630-solved-quick-question/#findComment-201769 Share on other sites More sharing options...
virtuexru Posted March 7, 2007 Author Share Posted March 7, 2007 Nevermind, fixed it. <? include 'config.php'; include 'opendb.php'; $username = mysql_real_escape_string($_POST['txtUserId']); $oldpw = mysql_real_escape_string($_POST['OldPassword']); $newpw = mysql_real_escape_string($_POST['NEWPW1']); $newpwv = mysql_real_escape_string($_POST['NEWPW2']); if (($newpw)!=($newpwv)) { echo "Password doesn't match. <a href=\"javascript: history.go(-1)\">Go Back</a>"; Die(); } $min_length = 6; if(strlen($newpw) < $min_length) { echo "Password not long enough, minimum 6 characters. <a href=\"javascript: history.go(-1)\">Go Back</a>"; Die(); } $sql = "SELECT user_id FROM tbl_auth_user WHERE user_id = '$username' AND user_password = OLD_PASSWORD('$oldpw')"; $result = mysql_query($sql) or die('Query failed. ' . mysql_error()); if (mysql_num_rows($result) == 1) { $encpass = sha1($newpw); $query = "UPDATE tbl_auth_user SET user_password = '$encpass' WHERE user_id = '$username'"; mysql_query($query) or die('Error, query failed'); echo "Update successful. <a href=\"http://www.-----.com/\">Home</a>."; } else { echo "Old password not correct or username does not exist. <a href=\"javascript: history.go(-1)\">Go Back</a>"; } include 'closedb.php'; ?> Quote Link to comment https://forums.phpfreaks.com/topic/41630-solved-quick-question/#findComment-202015 Share on other sites More sharing options...