Inserting and retrieving a password

TheOracle
Forum Commoner
Posts: 64
Joined: Mon Nov 22, 2004 4:56 am
Location: Bedford, UK

Post by TheOracle »

Hi All,

I have a password field to allow a user to log into an admin panel, but I'm having trouble with encryption.

Currently I am adding in the users manually through phpMyAdmin with the following SQL:

Code:

insert into table (username, password)
values ('adminuser', md5('adminuserpwd'));

This obviously adds a hashed value into the table. However, when I try and retrieve it for authentication purposes it won't return any rows. What am I doing wrong?

Code:

$passCheck = mysql_query("select password from form_admin where password = md5('".$_POST['password']."')");
if(mysql_num_rows($passCheck) == 0)
{
	$error_msg .= "Your password is invalid";
}

Is there a better way of doing this?
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Place the md5 function into PHP rather than the mysql query - might simplify a few things.

Also check that the stored hash and a generated hash from PHP of the same password are actually matching - may not be an error related to the code at all.
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

Well you want to select the password from the database where the username = username, otherwise I could just enter a commonly used password. Just select the password from the database and then compare it outside of the mysql query or include a clause to make it check the username within the query.

I assume that you are inputting the correct password, or else it won't return any results.
TheOracle
Forum Commoner
Posts: 64
Joined: Mon Nov 22, 2004 4:56 am
Location: Bedford, UK

Post by TheOracle »

Yes, I am inputting the correct password, and username. Could you show me how I would compare the password outside of the mysql_query?

Makes sense to select the password where username = username.

I have a check that makes sure the username exists in the database, and obviously the 2 would have to match. Is this the best way to do it? Or is there a more commonly used way of checking username and password?

Thanks.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Code:

<?php
// Hash the submitted password in PHP rather than inside the query
$passwd = md5($_POST['password']);
// Escape the username before it is placed in the SQL string
$username = mysql_real_escape_string($_POST['username']);
$passCheck = mysql_query("select username from form_admin where password = '$passwd' and username = '$username'");
?>

Also a good idea to run a few validation checks against password/username, e.g. isset(), is_string(), strlen() <= form_passwd_maxlen, etc. It will help prevent anyone from manipulating data or passing an SQL injection...
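
The checks discussed in this thread, as an added example that is not part of any forum post: the user is looked up by username with a prepared statement and the password is compared in PHP, using password_hash()/password_verify() in place of md5(). It assumes PHP 7.1+ with the pdo_sqlite extension; the in-memory SQLite table, the length limits and the sample credentials are constructed for illustration.

```php
<?php
// Added example: constructed table and credentials, in-memory SQLite so it runs offline.
const MAX_USERNAME_LEN = 64;   // assumed limit for this example
const MAX_PASSWORD_LEN = 72;   // bcrypt only uses the first 72 bytes of the input

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE form_admin (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Store a salted, deliberately slow hash generated in PHP instead of md5() in the SQL.
function add_admin(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO form_admin (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Fetch the stored hash for one username, then compare outside the query.
function check_login(PDO $db, $username, $password): bool
{
    // Validation suggested in the thread: both values are strings of bounded length.
    if (!is_string($username) || !is_string($password)
        || $username === '' || strlen($username) > MAX_USERNAME_LEN
        || $password === '' || strlen($password) > MAX_PASSWORD_LEN) {
        return false;
    }
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT password FROM form_admin WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();   // false when no such user exists
    return $stored !== false && password_verify($password, $stored);
}

add_admin($db, 'adminuser', 'adminuserpwd');

// Constructed login attempts: correct pair, wrong password, unknown user,
// a quote-laden username, and a non-string password field.
$attempts = [
    ['adminuser', 'adminuserpwd'],
    ['adminuser', 'password'],
    ['nosuchuser', 'adminuserpwd'],
    ["' OR '1'='1", 'adminuserpwd'],
    ['adminuser', ['array', 'input']],
];
foreach ($attempts as [$user, $pass]) {
    $shown = is_string($pass) ? $pass : '(' . gettype($pass) . ')';
    $result = check_login($db, $user, $pass) ? 'accepted' : 'rejected';
    printf("%-14s %-14s %s\n", $user, $shown, $result);
}
```

Because each password_hash() call uses a fresh salt, the stored value cannot be matched with a `WHERE password = ...` clause, which is why the comparison has to happen in PHP after the row is fetched by username.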
TheOracle
Forum Commoner
Posts: 64
Joined: Mon Nov 22, 2004 4:56 am
Location: Bedford, UK

Post by TheOracle »

Thanks Maugrim, I will try this and let you know how I get on.