md5()

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

md5()

Post by s.dot »

I currently have 546 members in my database. All with unencrypted passwords. The reason for this is because when I first started making the website, I basically was new to PHP. Now that I've got some background I'd like to encrypt their passwords with md5(). Now, if I do this, will they have problems logging in?

Would I have to md5() what they put into the password form to make it match the database, or will it match without me encrypting their form password input?

Also, I have a retrieve password page. How would I send them the correct -- unencrypted -- password?
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

once passed through md5() you cannot decrypt it. md5() is not an encryption.

you have to adjust the size of the field to fit an md5() hash (32 characters), and then run an update across all users that updates each line with the hashed form of their current password:

Code: Select all

UPDATE `user_table` SET `password` = MD5(`password`)
make sure to make a backup of the table before you do this, just in case it screws up.

when someone attempts to log in, you have to hash their supplied password for comparison. Again, you cannot retrieve their password in this manor. You can only issue them a new one.
User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

so by saying hash their password by comparison
take the value of their password form imput and md5($formpassword) to compare it to the database hashed password?

What are the disadvantages to not md5()ing the passwords? I'd like to keep it how it is for password retrieval, but, I would like to have security optimized.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I'd suggest new (temporary) password over retrieval. Where they have to enter this password, then immediately change set a new one. Passwords should generally be stored in a nonreversible form. For your and their protection.
User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

...

Post by s.dot »

Well, the loggin in part is fine, I've md5() all of the passwords in the database and then did the same to their form password data. It works great. However when I have a new password generated, it generates the new password and sends it to their email, but isn't updating the database. Can anyone tell me why?

Here is my code:

Code: Select all

$sql = "SELECT password, username FROM users WHERE email = '$retrieveemail'";
$query = mysql_query($sql);
$array = mysql_fetch_array($query);

$recipient = $retrieveemail;
$subject = "Your LustedOrBusted Account Password";
$newpassword = rand(0, 99999999);
$newuserpass = md5($newpassword);
$updatepasswordsql = "UPDATE users SET password = '$newuserpass' WHERE username = '".$arrayї'username']."'";
mysql_query($updatepasswordsql) or die(mysql_error());

$email_body = "Hello, ".$array&#1111;'username']."<BR>\r\n
Here is your account password:  <B>$newpassword</B> \r\n
<BR>This can be changed once you login and go to the editprofile section.\r\n
<BR><BR><B>-Lusted Or Busted Staff-</B>";
$additional_headers = "From: staff@lustedorbusted.com\r\n";
$additional_headers .="Content-type: text/html; charset=iso-8859-1\r\n";
if(mail($recipient, $subject, $email_body, $additional_headers)) &#123;
     print("Your new password has been sent to <B>$retrieveemail</B>.");
    &#125; else &#123;
       print('There has been an error.  Please try again later.');
    &#125; &#125;?>
jonemo
Forum Commoner
Posts: 28
Joined: Wed Feb 09, 2005 1:32 pm
Location: london, uk

Post by jonemo »

maybe you should check if the given mailaddy is existing or not and throw an error if not. why?

if i come to the bustedorlusted page and enter one of my thousands of mailadresse i get a password to this adress even if i am not registred.
User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

...

Post by s.dot »

No, I have a check to see if the email exists in the database. I just did not include it in my post because I only posted the problem.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

$array looks like it appears from no where.
User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

...

Post by s.dot »

What do you mean it appears from no where?

Code: Select all

$sql = "SELECT password, username FROM users WHERE email = '$retrieveemail'"; 
$query = mysql_query($sql); 
$array = mysql_fetch_array($query);
$array is fetching the password, username from the query
so it would be in an array(password, username)

then in my script I'm updating WHERE username = '".$array['username']."'";

This is how I do all of my scripts ;/ Maybe it's ass backwards, I dunno.
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

Have you tried printing out a bunch of the variables?
User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

okay, after printing out all of the variables I've identified the problem.

Code: Select all

$sql = "SELECT password, username FROM users WHERE email = '$retrieveemail'";
$query = mysql_query($sql);
$array = mysql_fetch_array($query);
When I run the update query to update where username = '".$array['username']."'";

the $array['username'] is not being passed through to the query... any reason why? The $sql is valid when printed out.
jonemo
Forum Commoner
Posts: 28
Joined: Wed Feb 09, 2005 1:32 pm
Location: london, uk

Post by jonemo »

you want to say, that array['username'] has a non-null value when you fill it from the mysql query and ist null when you stick it into the update-query? that is mysterious...

checked if you use array for something else in between? maybe something like

Code: Select all

if ($arry&#1111;'username'] = '')
User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

....

Post by s.dot »

Here is the full code"

Code: Select all

<? require 'header.php';

if(isset($_COOKIE&#1111;'username']))&#123;
	$doingsql = "UPDATE users SET doing = 'Requesting Lost Password' WHERE username = '".$_COOKIE&#1111;'username']."'";
	mysql_query($doingsql) or die(mysql_error()); &#125;

if($action == "retrievepassword") &#123; 
$checkemailsql = "SELECT email FROM users";
$checkemailquery = mysql_query($checkemailsql);
if(mysql_num_rows($checkemailquery) < 1) &#123; echo "Your email address is invalid or is not the one you used to sign up with."; &#125; ELSE &#123;
$sql = "SELECT password, username FROM users WHERE email = '$retrieveemail'";
$query = mysql_query($sql);
$array = mysql_fetch_array($query); ?>
						<table width="90%" cellspacing="0" cellpadding="3" style="border: solid 1px #000000;" align="center">
							</tr>
							<tr>
								<td bgcolor="#CCCCFF" style="border: solid 1px #000000;"><center><B>Retrieve Password</B>
								</td>
							</tr>
							<tr>
								<td bgcolor="#FFFFFF" style="border: solid 1px #000000;" align="center"><?
	$recipient = $retrieveemail;
	$subject = "Your LustedOrBusted Account Password";
	$newpassword = rand(0, 99999999);
	$newuserpass = md5($newpassword);
	echo "".$array&#1111;'username']."<BR>";
	echo "".$array&#1111;'password']."<BR>";
	$updatepasswordsql = "UPDATE users SET password = '$newuserpass' WHERE username = '".$array&#1111;'username']."'";
	echo $updatepasswordsql;
	mysql_query($updatepasswordsql) or die(mysql_error());
	$email_body = "Hello, ".$array&#1111;'username']."<BR>\r\n
Here is your account password:  <B>$newpassword</B> \r\n
<BR>This can be changed once you login and go to the editprofile section.\r\n
<BR><BR><B>-Lusted Or Busted Staff-</B>";
	$additional_headers = "From: staff@lustedorbusted.com\r\n";
	$additional_headers .="Content-type: text/html; charset=iso-8859-1\r\n";
	if(mail($recipient, $subject, $email_body, $additional_headers)) &#123;
       print("Your new password has been sent to <B>$retrieveemail</B>.");
    &#125; else &#123;
       print('There has been an error.  Please try again later.');
    &#125; &#125;?>
								</td>
							</tr>
						</table>

<? &#125; ELSE &#123; ?>
						<table width="90%" cellspacing="0" cellpadding="3" style="border: solid 1px #000000;" align="center">
							</tr>
							<tr>
								<td bgcolor="#CCCCFF" style="border: solid 1px #000000;"><center><B>Retrieve Password</B>
								</td>
							</tr>
							<tr>
								<td bgcolor="#FFFFFF" style="border: solid 1px #000000;" align="center">
								Enter the email address you used during signup to have a new password sent to you.  Once you login with this new password, you may go to your edit profile page and change it to your liking.<BR><BR>
								<form action="lostpassword.php" method="post">
								<input type="hidden" name="action" value="retrievepassword">
								<input type="text" size="20" name="retrieveemail"><BR><BR>
								<input type="submit" value="Send My Password">
								</td>
							</tr>
						</table>
<? &#125; require 'footer.php'; ?>
$10 e-bucks for the person who can spot why my UPDATE users query isn't working. :)
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

  1. register_globals are on, yes?
  2. echoing out $sql shows what?
  3. your error_reporting level is at?
User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

..

Post by s.dot »

1. globals are on, yes
2. echoed $sql = SELECT password, username FROM users WHERE email = 'scott@lustedorbusted.com'

3. No clue what error reproting is ;/
Post Reply