[SOLVED] Using MD5

[Dada78]

I have been doing some reading about this and did a search and from what I can take it is as easy as putting MD5 before the password insert. On my code though I am not sure where to put that though.

 

<?php

// here, we check if the form has been submitted, because we need to handle
// redirection before we handle outputting the HTML stuff.

if (isset($_POST['submit']))
{
    if (empty($_POST['email']) || empty($_POST['password']))
    {
        $error = 'Please fill in all fields.';  // here, they have not filled in either the username OR the password.  Set an error.
    }
    else
    {
        // MAKE CONNECTION
        include ('db_connect.php');

        // connect to the mysql server
        $link = mysql_connect($host, $username, $password) or die ("Could not connect to mysql because ".mysql_error());

        // select the database
        mysql_select_db($database) or die ("Could not select database because ".mysql_error());

        $error = "";
        $email = $_POST['email'];
        $pwd = $_POST['password'];

        // check if the email is taken (safe query):
        $query = sprintf("SELECT `email` FROM `users` WHERE `email` = '%s'",
                mysql_real_escape_string($_POST['email']));
        $qry = mysql_query($query) or die ("Could not match data because ".mysql_error());
        $num_rows = mysql_num_rows($qry);
        if ($num_rows < 1)
        {
            // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.
            if(get_magic_quotes_gpc())
            {
                $product_name        = stripslashes($_POST['email']);
                $product_description = stripslashes($_POST['password']);
            }
            else
            {
                $product_name        = $_POST['email'];
                $product_description = $_POST['password'];
            }

        if (!preg_match("/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i",$product_name)||!mail($product_name,"Registration","Something")) $error = "Please use a valid email address";
	else {

            // Make a safe query
            $query = sprintf("INSERT INTO users (`email`, `password`) VALUES ('%s', '%s')",
                    mysql_real_escape_string($email, $link),
                    mysql_real_escape_string($password, $link));
            $result = mysql_query($query, $link);

            // If there is no result, or there was not at least 1 row affected, die...
            if(!$result || mysql_affected_rows() < 1)
            {
                $error = 'Could not insert user because ' . mysql_error();
            }
            else
            {
                // redirect them to the user account page, because we successfully ran the SQL
                // notice how we haven't output ANYTHING to the browser yet- header() works
                header('Location: user.php');
                exit();
            }
        }
    	}
        else
        {
            $error = 'That email is already in use, please select a different one.';
        }

    }

}

// If they've posted but there was an error, kindly show their email address for them again.
if(isset($_POST['email']))
    $email = $_POST['email'];
else
    $email = '';

?>

 

-Thanks

[beansandsausages]

$var = md5($_POST['password']);

 

i think

[Dada78]

From the code in my first post I took this

 

$error = "";
        $email = $_POST['email'];
        $pwd = $_POST['password'];

 

and changed it to this...

 

$error = "";
        $email = $_POST['email'];
        $pwd = md5($_POST['password']);

 

That didn't work. Any other suggestions?

 

-Thanks

 

 

 

[mmarif4u]

I think this:

mysql_real_escape_string($password, $link));

 

should be:

mysql_real_escape_string($pwd, $link));

[Dada78]

I think this:

mysql_real_escape_string($password, $link));

 

should be:

mysql_real_escape_string($pwd, $link));

 

That has nothing to do with the code or converting the password to md5. The code works fine as it is. I am just trying to convert the password to md5 when it inserts it.

[mmarif4u]

ok, may i know where u define $password.

[rajivgonsalves]

this

$query = sprintf("INSERT INTO users (`email`, `password`) VALUES ('%s', '%s')",
                    mysql_real_escape_string($email, $link),
                    mysql_real_escape_string($password, $link));

 

should be

 

$query = sprintf("INSERT INTO users (`email`, `password`) VALUES ('%s', '%s')",
                    mysql_real_escape_string($email, $link),
                    md5(mysql_real_escape_string($password, $link)));

[Dada78]

ok, may i know where u define $password.

 

from the code in my first post.

 

 // select the database
        mysql_select_db($database) or die ("Could not select database because ".mysql_error());

        $error = "";
        $email = $_POST['email'];
        $pwd = $_POST['password'];

        // check if the email is taken (safe query):

 

 

Thank you Rajiv for your help. I had an idea that is where it went just wasn't sure how because of how the insert code was modified.

 

 

[nikefido]

make sure the password row in your database is ready to accept a 40 character long varchar!

[Albright]

That's eight characters too long. MD5 hashes are only 32 characters long.

 

But you should set it to varchar(40) anyway. SHA1 hashes (made using the sha1() function in the same way as the md5() one) are 40 characters long. And unless there's some special reason (intercompatibility with some other system), you should always use the SHA1 algorithm for hashing passwords instead of MD5, as it is more secure.

 

Also, consider using PDO for your database access, as it is more secure and results in more portable code.