Encoding

Posted: Sat Mar 06, 2010 9:22 pm
by php_user13
This is my first entry. It took a while to find out how to post a query, so I apologise if I've used the wrong section. I'm fairly new to PHP, but not a total beginner.

I am using the standalone phpdev423 and trying to work with encrypted passwords.
I have constructed a form and can enter and store the password in a database, and I can display the password thus stored. I can encrypt the password using the crypt() function. That was the easy part. What I can't do is compare a password login with the previously stored password. Anyone who knows the crypt function is aware the salt changes; as a result, the encrypted password from a login does not match a previously encrypted password stored on the database. I don't know how to capture the salt and store that, or how to define the salt to control the encryption.

Can someone explain in simple terms how I can get around this problem?

Re: Encoding

Posted: Sat Mar 06, 2010 10:05 pm
by jraede
Just use md5() instead of crypt(), it is irreversible and always encrypts strings the same way, so you can compare the md5() versions of the password and they would also be the same.

Re: Encoding

Posted: Sat Mar 06, 2010 10:30 pm
by php_user13
Thanks for that
I'd tried encode, crypt_blowfish and various other crypt_***, and mcrypt and most functions had come back as invalid. It looks like md5 will work. Didn't find that one in my searches. Much appreciated.

Re: Encoding

Posted: Sat Mar 06, 2010 11:54 pm
by php_user13
I thought the problem was solved, and indeed I can now encode consistently using md5() thanks to some assistance. However, I cannot remember how to (if I knew) extract the password from the stored database to insert into the comparing (if) statement to compare the entered and stored (encrypted) values. I can display the value via the SELECT statement, but not act on it.
e.g. I'm trying to set up access to a webpage thus... if the stored value (e.g. 'psword') = entered value (e.g. $_POST["psword"]) then {allow entry to a webpage}.
Can anyone advise?
:roll:

Re: Encoding

Posted: Sun Mar 07, 2010 12:48 am
by jraede

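<?php
$password = ''; // placeholder: set this to the md5 encoded password stored in the database
// Strict comparison (===) so the two hex strings are compared as strings, not as numbers
if (md5($_POST['password']) === $password) {
    // passwords match, take them to their account page, or whatever you want to do
}
else {
    echo "Wrong password.";
    exit();
}
?>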
Is this what you're looking for?

Re: Encoding

Posted: Sun Mar 07, 2010 1:37 am
by jraede
Since you re-posted this question in another thread, I'm assuming this isn't working for you. What are you having trouble with exactly?

Re: Encoding

Posted: Sun Mar 07, 2010 2:57 am
by php_user13
I tried referencing the stored data by its name, but I couldn't access it.

I stored the original values via a Registration form
$query = "INSERT INTO Members (usrname, psword, encode, .....)
VALUES ($_POST[usrname], $_POST[psword], '$encPass1', .....)";
where psword is the actual password and
$encPass1 = md5($_POST["psword"]); e.g. md5(secret) in this case
This worked

I then created a login form and entered the same values
usrname = fjohnson and psword = secret

when I try to assign the stored password to a value e.g.
$value = psword; // e.g. stored value on database
I get $value = psword;
rather than $value = secret;
i.e. I'm not accessing the stored value (e.g. secret) only repeating the string 'psword'
(e.g. the response above using the variable 'Password' did not work)

I want to allow access to a webpage when the login password matches the stored password
i.e. the equivalent of
If (entered password) == (stored password) then (go to webpage via provided link);

I can display the values e.g.
$value1 = $_POST["usrname"];
$value2b = md5($_POST["psword"]);
$query = "SELECT * FROM Members WHERE usrname='$value1' AND encode='$value2b'";

But I can't use the stored values in a comparison expression.

Does that clarify the problem or further confuse?
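
For the crypt() salt question in the first post and the login comparison asked about in the later ones, here is an added example; it is not code from any poster in this thread. It assumes PHP 7 or later with the pdo_sqlite extension. The Members, usrname and encode names come from the posts, while the function names, the in-memory SQLite database and the sample account are constructed for illustration.

```php
<?php
// Added example, not code from the thread. The in-memory database and the
// sample account below are constructed so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Members (usrname TEXT PRIMARY KEY, encode TEXT NOT NULL)');

// Registration: store only the hash, never the plain password.
// password_hash() generates a random salt and embeds it, together with the
// algorithm and cost, in the string it returns.
function register(PDO $db, string $user, string $password): void
{
    $stmt = $db->prepare('INSERT INTO Members (usrname, encode) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($password, PASSWORD_BCRYPT)]);
}

// Login: fetch the stored hash by user name with a prepared statement, then
// let password_verify() re-hash the submitted password using the salt that
// is embedded in the stored hash.
function login(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT encode FROM Members WHERE usrname = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();      // false when the user does not exist
    return $stored !== false && password_verify($password, $stored);
}

// The same check spelled out with crypt(): passing the stored hash as the
// salt argument makes crypt() reuse the salt embedded in it, so the result
// matches the stored value only when the password is the same.
function verify_with_crypt(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

register($db, 'fjohnson', 'secret');                 // constructed account
var_dump(login($db, 'fjohnson', 'secret'));          // correct password
var_dump(login($db, 'fjohnson', 'Secret'));          // wrong password
var_dump(login($db, 'nobody', 'secret'));            // unknown user

$stored = $db->query("SELECT encode FROM Members WHERE usrname = 'fjohnson'")
             ->fetchColumn();
var_dump(verify_with_crypt('secret', $stored));      // crypt() with stored salt
```

The stored hash is read into a PHP variable with fetchColumn() and compared there, rather than being matched inside the WHERE clause, which is what makes a per-user random salt workable.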