md5()
I currently have 546 members in my database. All with unencrypted passwords. The reason for this is because when I first started making the website, I basically was new to PHP. Now that I've got some background I'd like to encrypt their passwords with md5(). Now, if I do this, will they have problems logging in?
Would I have to md5() what they put into the password form to make it match the database, or will it match without me encrypting their form password input?
Also, I have a retrieve password page. How would I send them the correct -- unencrypted -- password?
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
once passed through md5() you cannot decrypt it. md5() is not an encryption.
you have to adjust the size of the field to fit an md5() hash (32 characters), and then run an update across all users that updates each line with the hashed form of their current password:
Code: Select all
UPDATE `user_table` SET `password` = MD5(`password`)
make sure to make a backup of the table before you do this, just in case it screws up.
when someone attempts to log in, you have to hash their supplied password for comparison. Again, you cannot retrieve their password in this manner. You can only issue them a new one.
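The same two steps described in the post above (a one-off update over the existing rows, then hashing the submitted password at login), shown with PHP's password_hash() and password_verify() swapped in for MD5(). This is an added example, not code from the thread; it assumes PHP 5.5 or later with pdo_sqlite, and the table, column size and sample accounts are constructed.

```php
<?php
// Added example, not code from the thread. Table, accounts and passwords are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password_hash() output is longer than an MD5 hex string, so the column is 255, not 32.
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password VARCHAR(255))');
$db->exec("INSERT INTO users VALUES ('alice', 'hunter2'), ('bob', 'letmein')");

// One-off migration. It runs in PHP rather than as a single SQL UPDATE because
// every row gets its own random salt, which is stored inside the hash string.
function migrate_plaintext(PDO $db)
{
    $update = $db->prepare('UPDATE users SET password = :h WHERE username = :u');
    $db->beginTransaction();
    $rows = $db->query('SELECT username, password FROM users')->fetchAll(PDO::FETCH_ASSOC);
    $done = 0;
    foreach ($rows as $row) {
        // Skip rows that already hold a password_hash() value, so a re-run is harmless.
        $info = password_get_info($row['password']);
        if ($info['algo']) {
            continue;
        }
        $update->execute(array(
            ':h' => password_hash($row['password'], PASSWORD_DEFAULT),
            ':u' => $row['username'],
        ));
        $done++;
    }
    $db->commit();
    return $done;
}

// Login check: fetch the stored hash and let password_verify() compare.
function login(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    $hash = $stmt->fetchColumn();
    // password_verify() re-derives the hash using the salt embedded in $hash.
    return $hash !== false && password_verify($password, $hash);
}

var_dump(migrate_plaintext($db));          // number of rows converted
var_dump(migrate_plaintext($db));          // second run converts nothing
var_dump(login($db, 'alice', 'hunter2'));  // correct password
var_dump(login($db, 'alice', 'wrong'));    // wrong password
```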
so by saying hash their password by comparison
take the value of their password form input and md5($formpassword) to compare it to the database hashed password?
What are the disadvantages to not md5()ing the passwords? I'd like to keep it how it is for password retrieval, but, I would like to have security optimized.
...
Well, the logging in part is fine, I've md5() all of the passwords in the database and then did the same to their form password data. It works great. However when I have a new password generated, it generates the new password and sends it to their email, but isn't updating the database. Can anyone tell me why?
Here is my code:
Code: Select all
$sql = "SELECT password, username FROM users WHERE email = '$retrieveemail'";
$query = mysql_query($sql);
$array = mysql_fetch_array($query);
$recipient = $retrieveemail;
$subject = "Your LustedOrBusted Account Password";
$newpassword = rand(0, 99999999);
$newuserpass = md5($newpassword);
$updatepasswordsql = "UPDATE users SET password = '$newuserpass' WHERE username = '".$array['username']."'";
mysql_query($updatepasswordsql) or die(mysql_error());
$email_body = "Hello, ".$array['username']."<BR>\r\n
Here is your account password: <B>$newpassword</B> \r\n
<BR>This can be changed once you login and go to the editprofile section.\r\n
<BR><BR><B>-Lusted Or Busted Staff-</B>";
$additional_headers = "From: staff@lustedorbusted.com\r\n";
$additional_headers .="Content-type: text/html; charset=iso-8859-1\r\n";
if(mail($recipient, $subject, $email_body, $additional_headers)) {
print("Your new password has been sent to <B>$retrieveemail</B>.");
} else {
print('There has been an error. Please try again later.');
} }?>
What do you mean it appears from no where?
$array is fetching the password, username from the query
Code: Select all
$sql = "SELECT password, username FROM users WHERE email = '$retrieveemail'";
$query = mysql_query($sql);
$array = mysql_fetch_array($query);
so it would be in an array(password, username)
then in my script I'm updating WHERE username = '".$array['username']."'";
This is how I do all of my scripts ;/ Maybe it's ass backwards, I dunno.
-
d3ad1ysp0rk
- Forum Donator
- Posts: 1661
- Joined: Mon Oct 20, 2003 8:31 pm
- Location: Maine, USA
okay, after printing out all of the variables I've identified the problem.
When I run the update query to update where username = '".$array['username']."'";
Code: Select all
$sql = "SELECT password, username FROM users WHERE email = '$retrieveemail'";
$query = mysql_query($sql);
$array = mysql_fetch_array($query);
the $array['username'] is not being passed through to the query... any reason why? The $sql is valid when printed out.
you want to say, that array['username'] has a non-null value when you fill it from the mysql query and is null when you stick it into the update-query? that is mysterious...
checked if you use array for something else in between? maybe something like
Code: Select all
if ($arry['username'] = '')....
Here is the full code:
$10 e-bucks for the person who can spot why my UPDATE users query isn't working. 
Code: Select all
<? require 'header.php';
if(isset($_COOKIE['username'])){
$doingsql = "UPDATE users SET doing = 'Requesting Lost Password' WHERE username = '".$_COOKIE['username']."'";
mysql_query($doingsql) or die(mysql_error()); }
if($action == "retrievepassword") {
$checkemailsql = "SELECT email FROM users";
$checkemailquery = mysql_query($checkemailsql);
if(mysql_num_rows($checkemailquery) < 1) { echo "Your email address is invalid or is not the one you used to sign up with."; } ELSE {
$sql = "SELECT password, username FROM users WHERE email = '$retrieveemail'";
$query = mysql_query($sql);
$array = mysql_fetch_array($query); ?>
<table width="90%" cellspacing="0" cellpadding="3" style="border: solid 1px #000000;" align="center">
</tr>
<tr>
<td bgcolor="#CCCCFF" style="border: solid 1px #000000;"><center><B>Retrieve Password</B>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" style="border: solid 1px #000000;" align="center"><?
$recipient = $retrieveemail;
$subject = "Your LustedOrBusted Account Password";
$newpassword = rand(0, 99999999);
$newuserpass = md5($newpassword);
echo "".$array['username']."<BR>";
echo "".$array['password']."<BR>";
$updatepasswordsql = "UPDATE users SET password = '$newuserpass' WHERE username = '".$array['username']."'";
echo $updatepasswordsql;
mysql_query($updatepasswordsql) or die(mysql_error());
$email_body = "Hello, ".$array['username']."<BR>\r\n
Here is your account password: <B>$newpassword</B> \r\n
<BR>This can be changed once you login and go to the editprofile section.\r\n
<BR><BR><B>-Lusted Or Busted Staff-</B>";
$additional_headers = "From: staff@lustedorbusted.com\r\n";
$additional_headers .="Content-type: text/html; charset=iso-8859-1\r\n";
if(mail($recipient, $subject, $email_body, $additional_headers)) {
print("Your new password has been sent to <B>$retrieveemail</B>.");
} else {
print('There has been an error. Please try again later.');
} }?>
</td>
</tr>
</table>
<? } ELSE { ?>
<table width="90%" cellspacing="0" cellpadding="3" style="border: solid 1px #000000;" align="center">
</tr>
<tr>
<td bgcolor="#CCCCFF" style="border: solid 1px #000000;"><center><B>Retrieve Password</B>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" style="border: solid 1px #000000;" align="center">
Enter the email address you used during signup to have a new password sent to you. Once you login with this new password, you may go to your edit profile page and change it to your liking.<BR><BR>
<form action="lostpassword.php" method="post">
<input type="hidden" name="action" value="retrievepassword">
<input type="text" size="20" name="retrieveemail"><BR><BR>
<input type="submit" value="Send My Password">
</td>
</tr>
</table>
<? } require 'footer.php'; ?>
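A reset handler for the flow posted above, as an added example that is not from the thread. It looks the submitted address up with a bound parameter (the posted `SELECT email FROM users` has no WHERE clause, so its row-count check passes for any input), draws the new password from random_bytes() rather than rand(), and reports when the UPDATE matches no row. It assumes PHP 7 or later with pdo_sqlite; the schema and sample row are constructed, and sending the mail is left out.

```php
<?php
// Added example, not code from the thread. Schema and sample row are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, email TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('scott', 'scott@example.com', 'old-hash')");

function reset_password(PDO $db, $email)
{
    // Look up the account for this exact address. The value is bound, not
    // concatenated, so quotes in the form input cannot change the statement.
    $find = $db->prepare('SELECT username FROM users WHERE email = :e');
    $find->execute(array(':e' => $email));
    $username = $find->fetchColumn();
    if ($username === false) {
        return null; // unknown address: nothing to update, nothing to mail
    }

    // 16 hex characters from the OS CSPRNG instead of rand(0, 99999999).
    $new = bin2hex(random_bytes(8));

    $upd = $db->prepare('UPDATE users SET password = :p WHERE username = :u');
    $upd->execute(array(
        ':p' => password_hash($new, PASSWORD_DEFAULT),
        ':u' => $username,
    ));
    // rowCount() turns a silent "0 rows updated" into a visible failure.
    if ($upd->rowCount() !== 1) {
        throw new RuntimeException('password update touched ' . $upd->rowCount() . ' rows');
    }
    // The caller mails 'password' to the address that was looked up.
    return array('username' => $username, 'password' => $new);
}

$ok = reset_password($db, 'scott@example.com');
var_dump($ok['username'], strlen($ok['password']));

// An address containing an apostrophe is handled as data and simply not found.
var_dump(reset_password($db, "o'brien@example.com"));

// The stored value is now a hash of the new password, not the password itself.
$stored = $db->query("SELECT password FROM users WHERE username = 'scott'")->fetchColumn();
var_dump(password_verify($ok['password'], $stored));
```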
1. globals are on, yes
2. echoed $sql = SELECT password, username FROM users WHERE email = 'scott@lustedorbusted.com'
3. No clue what error reporting is ;/