Inserting and retrieving a password

Posted: Mon Nov 29, 2004 10:54 am
by TheOracle
Hi All,

I have a password field to allow a user to log into an admin panel, but I'm having trouble with encryption.

Currently I am adding in the users manually through phpMyAdmin with the following SQL

Code:

-- 'table' stands in for the real table name (form_admin in the query below)
insert into table (username, password)
values ('adminuser', md5('adminuserpwd'));
This obviously adds a hashed value into the table. However, when I try and retrieve it for authentication purposes it won't return any rows. What am I doing wrong?

Code:

// Only the password is checked here: the WHERE clause has no username, and the
// submitted value is concatenated straight into the SQL string.
$passCheck = mysql_query("select password from form_admin where password = md5('".$_POST['password']."')");
if (mysql_num_rows($passCheck) == 0)
{
    $error_msg .= "Your password is invalid";
}
Is there a better way of doing this?

Posted: Mon Nov 29, 2004 11:01 am
by Maugrim_The_Reaper
Place the md5 function into PHP rather than the mysql query - might simplify a few things.

Also check that the stored hash and a generated hash from PHP of the same password are actually matching - may not be an error related to the code at all.

Posted: Mon Nov 29, 2004 11:01 am
by kettle_drum
Well you want to select the password from the database where the username = username, otherwise I could just enter a commonly used password. Just select the password from the database and then compare it outside of the mysql query or include a clause to make it check the username within the query.

I assume that you are inputting the correct password, or else it won't return any results.

Posted: Mon Nov 29, 2004 11:07 am
by TheOracle
Yes I am inputting the correct password, and username. Could you show me how I would compare the password outside of the mysql_query?

Makes sense to select the password where username = username

I have a check that makes sure the username exists in the database, and obviously the 2 would have to match. Is this the best way to do it? Or is there a more commonly used way of checking username and password?

Thanks.

Posted: Mon Nov 29, 2004 11:15 am
by Maugrim_The_Reaper

Code:

<?php
// Hash in PHP first, then match the row on both username and password.
$passwd = md5($_POST['password']);
// Note: $_POST[username] is interpolated into the SQL unescaped here; see the validation note below.
$passCheck = mysql_query("select username from form_admin where password = '$passwd' and username = '$_POST[username]'");
?>
It's also a good idea to run a few validation checks against password/username, e.g. isset(), is_string(), strlen() <= form_passwd_maxlen, etc. It will help prevent anyone from manipulating data or passing an SQL injection...
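
A way of putting the thread's advice together (look the row up by username, compare the password in PHP, validate the input), as an added example rather than code from this thread: it uses PDO with bound parameters instead of mysql_query() string building, and password_hash()/password_verify() in place of md5(). It assumes the same form_admin(username, password) table and uses an in-memory SQLite database with constructed sample data so it runs stand-alone; with MySQL only the PDO DSN changes.

```php
<?php
// Added example (not from the thread). In-memory SQLite via PDO so it runs
// stand-alone; for MySQL only the DSN in the PDO constructor changes.

function createAdmin(PDO $pdo, string $username, string $plaintext): void
{
    // password_hash() (bcrypt by default) instead of md5(): salted and slow by design.
    $hash = password_hash($plaintext, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO form_admin (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// True only if the username exists AND the password matches that row's hash.
function checkLogin(PDO $pdo, $username, $password): bool
{
    // Validate the submitted values before they go anywhere near SQL
    // (the is_string()/strlen() checks suggested above).
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    if ($username === '' || strlen($username) > 64 || strlen($password) > 1024) {
        return false;
    }
    // Look the row up by username only, with a bound parameter (no string building).
    // The password is compared in PHP, so another account that happens to share
    // the same password cannot satisfy the query.
    $stmt = $pdo->prepare('SELECT password FROM form_admin WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password']);
}

// Constructed sample data; in the real admin panel the table already exists.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE form_admin (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
createAdmin($pdo, 'adminuser', 'adminuserpwd');

// Correct credentials, wrong password, unknown user, and a quoted username.
$attempts = [
    ['adminuser', 'adminuserpwd'],
    ['adminuser', 'wrongpwd'],
    ['nobody', 'adminuserpwd'],
    ["x' OR '1'='1", 'adminuserpwd'],
];
foreach ($attempts as [$u, $p]) {
    printf("%-16s => %s\n", $u, var_export(checkLogin($pdo, $u, $p), true));
}
```

Only the first attempt succeeds; the quoted username is passed as data by the bound parameter and simply finds no row.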

Posted: Mon Nov 29, 2004 5:40 pm
by TheOracle
Thanks Maugrim I will try this and let you know how I get on..