dizzleboi1 Posted March 14, 2008

I have just set up my login form and found that the way the password is encrypted when users sign up affects how it is when they try to log on, meaning they can only log on if they copy the encrypted password from the database instead of just being able to use their own, which is bad. Here is my register source, register.php:

    <?php
    error_reporting(E_ALL);
    include_once "functions.php";
    connect();

    if(!isset($_POST['submit'])){
        // No submission yet: show the registration form.
        echo "<table border=\"0\" cellspacing=\"3\" cellpadding=\"3\">\n";
        echo "<form method=\"post\" action=\"register.php\">\n";
        echo "<tr><td colspan=\"2\" align=\"center\">Registration Form</td></tr>\n";
        echo "<tr><td>Username</td><td><input type=\"text\" name=\"username\"></td></tr>\n";
        echo "<tr><td>Password</td><td><input type=\"password\" name=\"password\"></td></tr>\n";
        echo "<tr><td>Confirm</td><td><input type= \"password\" name=\"passconf\"></td></tr>\n";
        echo "<tr><td>E-Mail</td><td><input type=\"text\" name=\"email\"></td></tr>\n";
        echo "<tr><td>Name</td><td><input type=\"text\" name=\"name\"></td></tr>\n";
        echo "<tr><td>AIM Address</td><td><input type=\"text\" name=\"aim\"></td></tr>\n";
        echo "<tr><td colspan=\"2\" align=\"center\"><input type=\"submit\" name=\"submit\" value=\"Register\"></td></tr>\n";
        echo "</form></table>\n";
    }else {
        // protect() comes from functions.php (not shown in this post).
        $username = protect($_POST['username']);
        $password = protect($_POST['password']);
        $confirm = protect($_POST['passconf']);
        $email = protect($_POST['email']);
        $name = protect($_POST['name']);
        $aim = protect($_POST['aim']);

        $errors = array();

        if(!$username){
            $errors[] = "Username is not defined!";
        }
        if(!$password){
            $errors[] = "Password is not defined!";
        }
        // Only ask for the confirmation when a password was actually given.
        if($password){
            if(!$confirm){
                $errors[] = "Confirmation password is not defined!";
            }
        }
        if(!$email){
            $errors[] = "Email is not defined!";
        }
        if(!$name){
            $errors[] = "Name is not defined!";
        }
        if(!$aim){
            $errors[] = "AIM Screename is not defined!";
        }

        if($username){
            if(!ctype_alnum($username)){
                $errors[] = "Username can only contain numbers and letters!";
            }
        }
        $range = range(1,31);
        if(!in_array(strlen($username),$range)){
            $errors[] = "Username must be between 1 and 32 characters!";
        }
        if($password && $confirm){
            if ($password != $confirm){
                $errors[] = "Passwords do not match!";
            }
        }
        if($email){
            // Pattern repaired so that it requires the name@server.tld shape the message asks for.
            $checkemail = "/^[a-z0-9]+([_\\.-][a-z0-9]+)*@([a-z0-9]+([\.-][a-z0-9]+)*)+\\.[a-z]{2,}$/i";
            if(!preg_match($checkemail, $email)){
                $errors[] = "E-mail is not valid, must be name@server.tld";
            }
        }
        if($name){
            $range2 = range(1,64);
            if(!in_array(strlen($name),$range2)){
                $errors[] = "Your name must be between 3 to and characters!";
            }
        }
        if($aim){
            $range3 = range(3,16);
            if(!in_array(strlen($aim),$range3)){
                $errors[] = "Your AIM screename must be between 3 and 16 charecters!";
            }
        }

        // Uniqueness checks against existing rows.
        if($username){
            $sql = "SELECT * FROM `users` WHERE `username`='{$username}'";
            $res = mysql_query($sql) or die(mysql_error());
            if(mysql_num_rows($res) > 0) {
                $errors[] = "The username you supplied is already in use!";
            }
        }
        if($email){
            $sql2 = "SELECT * FROM `users` WHERE `email`='{$email}'";
            $res2 = mysql_query($sql2) or die(mysql_error());
            if(mysql_num_rows($res2) > 0){
                $errors[] = "The email you supplied is already in use of another user!";
            }
        }
        if($aim){
            $sql3 = "SELECT * FROM `users` WHERE `aim`='{$aim}'";
            $res3 = mysql_query($sql3) or die(mysql_error());
            if(mysql_num_rows($res3) > 0){
                $errors[] = "The AIM screename you supplied is already in use of another user!";
            }
        }

        if(count($errors) > 0){
            foreach($errors AS $error){
                echo $error . "<br>\n";
            }
        }else {
            // The password is stored as its md5 hash, not as typed.
            $sql4 = "INSERT INTO `users` (`username`,`password`,`email`,`name`,`aim`) VALUES ('$username','".md5($password)."','$email','$name','$aim');";
            $res4 = mysql_query($sql4) or die(mysql_error());
            echo "You have sucessfully registered!</br> Username:<b>{$username}</b></br> Password:<b>{$password}</b></br> E-mail:<b>{$email}</b></br> AIM:<b>{$aim}</b></br> Name:<b>{$name}</b></br>";
        }
    }
    ?>

I think the main part is the .md5. How do I make it in a way so I can encrypt the password but still be able to use a password I created?

peranha Posted March 14, 2008

On your login page all you have to do is md5 the password, and it will check the database field for the md5 string.

dizzleboi1 Posted March 14, 2008

Would this be the right formula?

    $sql = "SELECT id FROM users WHERE Username='$_POST[username]' AND Password='".md5($password)."''$_POST[password]'";
    $result = mysql_query($sql);

lordfrikk Posted March 14, 2008

    <?php
    // Quote both values in the query and escape the username before it is used.
    $sql = sprintf(
        "select id from users where Username = '%s' and Password = '%s'",
        mysql_real_escape_string($_POST['username']),
        md5($_POST['password'])
    );
    $result = mysql_query($sql);
    ?>

conker87 Posted March 14, 2008

You could, of course, make your own function for added security. Ex:

    <?php
    function myEncryption($string) {
        $string = md5($string);
        $string = sha1($string);
        $string = sha1($string);
        $string = md5($string);
        return $string;
    }
    ?>

This will md5, then sha, and sha that, then md5 it again.

haku Posted March 14, 2008

We were talking about this in a different thread yesterday or the day before - some people seemed to think that actually lowers your security.

conker87 Posted March 14, 2008

How would that be the case? Neither md5 nor sha1 can be decoded, so there is no way of finding the string anyway. How about adding both encryptions?

    <?php
    function myEncryption($string) {
        $string = md5($string) . sha1($string);
        $string = md5($string); // or sha1, depends on your personal preference.
        return $string;
    }
    ?>

haku Posted March 14, 2008

sha1 can be decoded - kind of. It's been cracked, but it needs a crazy supercomputer. Anyways, here's the thread:

http://www.phpfreaks.com/forums/index.php/topic,186872.0.html

Skip down towards the end of the first page, that's where the talk starts.

conker87 Posted March 14, 2008

> sha1 can be decoded - kind of. It's been cracked, but it needs a crazy supercomputer. Anyways, here's the thread:
> http://www.phpfreaks.com/forums/index.php/topic,186872.0.html
> Skip down towards the end of the first page, that's where the talk starts.

Thanks, saves having two threads for arguing :)

dizzleboi1 Posted March 14, 2008

So basically, can someone EXPLAIN how I can make it protected but not mess up the way people log in?
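
The flow peranha describes, as an added example that is not code from any poster in this thread: the password is hashed once at registration, and at login the typed password is checked against the stored hash, so users keep typing their own password. It swaps the thread's md5() for PHP's password_hash()/password_verify() (PHP 5.5+) and uses PDO prepared statements on an in-memory SQLite database; the table layout and the function names register_user and login_user are assumptions.

```php
<?php
// Added example: table layout and function names are hypothetical.
// Assumes PHP 5.5+ with the pdo_sqlite extension; the in-memory database keeps it self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

function register_user(PDO $db, $username, $password) {
    // Hash once at sign-up; the stored string embeds the algorithm, cost and a random salt.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute(array($username, $hash));
}

function login_user(PDO $db, $username, $password) {
    // Look the row up by username only, then check the typed password against the stored hash.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    // Upgrade the stored hash transparently when the default algorithm or cost changes.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute(array(password_hash($password, PASSWORD_DEFAULT), $row['id']));
    }
    return (int) $row['id'];
}

// Constructed sample accounts: two users who picked the same password.
register_user($db, 'alice', 'correct horse');
register_user($db, 'bob', 'correct horse');

// Login with the password as the user typed it, then with a wrong one.
var_dump(login_user($db, 'alice', 'correct horse'));
var_dump(login_user($db, 'alice', 'wrong guess'));

// Compare what the database holds for the two accounts with what plain md5() would hold.
$stored = $db->query('SELECT password FROM users ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored[0] === $stored[1]);
var_dump(md5('correct horse') === md5('correct horse'));
```

The last two lines show the practical difference from an unsalted md5() column: equal passwords produce equal md5 strings, while each password_hash() value carries its own salt.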