
md5()

Posted: Sat Feb 12, 2005 1:11 pm
by s.dot
I currently have 546 members in my database. All with unencrypted passwords. The reason for this is because when I first started making the website, I basically was new to PHP. Now that I've got some background I'd like to encrypt their passwords with md5(). Now, if I do this, will they have problems logging in?

Would I have to md5() what they put into the password form to make it match the database, or will it match without me encrypting their form password input?

Also, I have a retrieve password page. How would I send them the correct -- unencrypted -- password?

Posted: Sat Feb 12, 2005 1:21 pm
by feyd
once passed through md5() you cannot decrypt it. md5() is not an encryption.

you have to adjust the size of the field to fit an md5() hash (32 characters), and then run an update across all users that updates each line with the hashed form of their current password:

Code:

UPDATE `user_table` SET `password` = MD5(`password`)

make sure to make a backup of the table before you do this, just in case it screws up.

when someone attempts to log in, you have to hash their supplied password for comparison. Again, you cannot retrieve their password in this manner. You can only issue them a new one.
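
An added example, not part of the original posts: the same migrate-then-compare procedure done with PHP's password_hash() and password_verify() (PHP 5.5+) in place of MD5(), because a per-user salted hash cannot be produced by a single SQL UPDATE. It assumes PDO with in-memory SQLite and PHP 7+; the sample rows and function names are constructed.

```php
<?php
// Added example, not code from the thread. Sample rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password_hash() output is longer than MD5's 32 hex characters; 255 leaves headroom.
$db->exec("CREATE TABLE users (username VARCHAR(32) PRIMARY KEY, password VARCHAR(255))");
$db->exec("INSERT INTO users VALUES ('alice', 'hunter2'), ('bob', 'letmein')");

// One-off migration: replace every plaintext value with a per-user salted hash.
function migrate_plaintext(PDO $db): int
{
    $rows = $db->query("SELECT username, password FROM users")->fetchAll(PDO::FETCH_ASSOC);
    $upd  = $db->prepare("UPDATE users SET password = :h WHERE username = :u");
    $done = 0;
    $db->beginTransaction();   // commit once, after every row has been converted
    foreach ($rows as $row) {
        // Already a password_hash() value: skip, so a re-run cannot double-hash.
        if (!empty(password_get_info($row['password'])['algo'])) {
            continue;
        }
        $upd->execute([':h' => password_hash($row['password'], PASSWORD_DEFAULT),
                       ':u' => $row['username']]);
        $done++;
    }
    $db->commit();
    return $done;
}

// Login: compare the submitted value against the stored hash.
function check_login(PDO $db, string $username, string $supplied): bool
{
    $st = $db->prepare("SELECT password FROM users WHERE username = :u");
    $st->execute([':u' => $username]);
    $stored = $st->fetchColumn();
    // password_verify() re-derives the hash using the salt embedded in $stored.
    return is_string($stored) && password_verify($supplied, $stored);
}

var_dump(migrate_plaintext($db));                // first run converts the plaintext rows
var_dump(migrate_plaintext($db));                // re-run, to show the skip check
var_dump(check_login($db, 'alice', 'hunter2'));  // correct password
var_dump(check_login($db, 'alice', 'wrong'));    // wrong password
```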

Posted: Sat Feb 12, 2005 1:26 pm
by s.dot
so by saying hash their password by comparison
take the value of their password form input and md5($formpassword) to compare it to the database hashed password?

What are the disadvantages to not md5()ing the passwords? I'd like to keep it how it is for password retrieval, but, I would like to have security optimized.

Posted: Sat Feb 12, 2005 1:30 pm
by feyd
I'd suggest new (temporary) password over retrieval. Where they have to enter this password, then immediately set a new one. Passwords should generally be stored in a nonreversible form. For your and their protection.

...
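
An added example, not part of the original posts, of the temporary-password flow suggested above: the value comes from random_bytes(), only its hash is stored, it expires, and redeeming it requires setting a new password. The temp_hash and temp_expires columns, the function names and the sample account are assumptions; it needs PHP 7.1+ with PDO SQLite.

```php
<?php
// Added example, not code from the thread. Schema and sample row are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, email TEXT UNIQUE, password TEXT,
           temp_hash TEXT, temp_expires INTEGER)");
$db->prepare("INSERT INTO users (username, email, password) VALUES (?, ?, ?)")
   ->execute(['alice', 'alice@example.test', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Issue a temporary password. Returns it for e-mailing, or null if no account matches.
function issue_temp_password(PDO $db, string $email, int $ttl = 900): ?string
{
    $temp = bin2hex(random_bytes(8));   // 64 bits from the OS CSPRNG
    $st = $db->prepare("UPDATE users SET temp_hash = :h, temp_expires = :e WHERE email = :m");
    $st->execute([':h' => password_hash($temp, PASSWORD_DEFAULT),
                  ':e' => time() + $ttl, ':m' => $email]);
    // rowCount() says whether the UPDATE matched a row; only send mail if it did.
    return $st->rowCount() === 1 ? $temp : null;
}

// Redeem: the temporary password is single-use, time-limited, and is exchanged for a new one.
function redeem_temp_password(PDO $db, string $email, string $temp, string $new): bool
{
    $st = $db->prepare("SELECT temp_hash, temp_expires FROM users WHERE email = :m");
    $st->execute([':m' => $email]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['temp_hash'] === null || (int) $row['temp_expires'] < time()
        || !password_verify($temp, $row['temp_hash'])) {
        return false;
    }
    $up = $db->prepare("UPDATE users SET password = :p, temp_hash = NULL, temp_expires = NULL
                        WHERE email = :m");
    $up->execute([':p' => password_hash($new, PASSWORD_DEFAULT), ':m' => $email]);
    return true;
}

$temp = issue_temp_password($db, 'alice@example.test');
var_dump(issue_temp_password($db, 'nobody@example.test'));                           // unknown address
var_dump(redeem_temp_password($db, 'alice@example.test', $temp, 'n3w-passphrase'));  // first use
var_dump(redeem_temp_password($db, 'alice@example.test', $temp, 'again'));           // replay of the same value
```

The stored password stays valid until the temporary one is redeemed, so a reset requested by someone who only knows the address does not lock the account owner out.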

Posted: Sat Feb 12, 2005 2:01 pm
by s.dot
Well, the logging in part is fine, I've md5() all of the passwords in the database and then did the same to their form password data. It works great. However when I have a new password generated, it generates the new password and sends it to their email, but isn't updating the database. Can anyone tell me why?

Here is my code:

Code:

$sql = "SELECT password, username FROM users WHERE email = '$retrieveemail'";
$query = mysql_query($sql);
$array = mysql_fetch_array($query);

$recipient = $retrieveemail;
$subject = "Your LustedOrBusted Account Password";
$newpassword = rand(0, 99999999);
$newuserpass = md5($newpassword);
$updatepasswordsql = "UPDATE users SET password = '$newuserpass' WHERE username = '".$array['username']."'";
mysql_query($updatepasswordsql) or die(mysql_error());

$email_body = "Hello, ".$array['username']."<BR>\r\n
Here is your account password:  <B>$newpassword</B> \r\n
<BR>This can be changed once you login and go to the editprofile section.\r\n
<BR><BR><B>-Lusted Or Busted Staff-</B>";
$additional_headers = "From: staff@lustedorbusted.com\r\n";
$additional_headers .="Content-type: text/html; charset=iso-8859-1\r\n";
if(mail($recipient, $subject, $email_body, $additional_headers)) {
     print("Your new password has been sent to <B>$retrieveemail</B>.");
    } else {
       print('There has been an error.  Please try again later.');
    } }?>

Posted: Sat Feb 12, 2005 2:22 pm
by jonemo
maybe you should check if the given mail address exists or not and throw an error if not. why?

if i come to the bustedorlusted page and enter one of my thousands of mail addresses i get a password to this address even if i am not registered.

...

Posted: Sat Feb 12, 2005 2:35 pm
by s.dot
No, I have a check to see if the email exists in the database. I just did not include it in my post because I only posted the problem.

Posted: Sat Feb 12, 2005 2:40 pm
by feyd
$array looks like it appears from nowhere.

...

Posted: Sat Feb 12, 2005 3:01 pm
by s.dot
What do you mean it appears from nowhere?

Code:

$sql = "SELECT password, username FROM users WHERE email = '$retrieveemail'";
$query = mysql_query($sql);
$array = mysql_fetch_array($query);

$array is fetching the password, username from the query
so it would be in an array(password, username)

then in my script I'm updating WHERE username = '".$array['username']."'";

This is how I do all of my scripts ;/ Maybe it's ass backwards, I dunno.

Posted: Sat Feb 12, 2005 3:05 pm
by d3ad1ysp0rk
Have you tried printing out a bunch of the variables?

Posted: Sat Feb 12, 2005 3:37 pm
by s.dot
okay, after printing out all of the variables I've identified the problem.

Code:

$sql = "SELECT password, username FROM users WHERE email = '$retrieveemail'";
$query = mysql_query($sql);
$array = mysql_fetch_array($query);

When I run the update query to update where username = '".$array['username']."'";

the $array['username'] is not being passed through to the query... any reason why? The $sql is valid when printed out.

Posted: Sat Feb 12, 2005 5:32 pm
by jonemo
you want to say, that $array['username'] has a non-null value when you fill it from the mysql query and is null when you stick it into the update-query? that is mysterious...

checked if you use array for something else in between? maybe something like

Code:

if ($arry['username'] = '')

....

Posted: Sat Feb 12, 2005 6:43 pm
by s.dot
Here is the full code:

Code:

<? require 'header.php';

if(isset($_COOKIE['username'])){
	$doingsql = "UPDATE users SET doing = 'Requesting Lost Password' WHERE username = '".$_COOKIE['username']."'";
	mysql_query($doingsql) or die(mysql_error()); }

if($action == "retrievepassword") {
$checkemailsql = "SELECT email FROM users";
$checkemailquery = mysql_query($checkemailsql);
if(mysql_num_rows($checkemailquery) < 1) { echo "Your email address is invalid or is not the one you used to sign up with."; } ELSE {
$sql = "SELECT password, username FROM users WHERE email = '$retrieveemail'";
$query = mysql_query($sql);
$array = mysql_fetch_array($query); ?>
						<table width="90%" cellspacing="0" cellpadding="3" style="border: solid 1px #000000;" align="center">
							</tr>
							<tr>
								<td bgcolor="#CCCCFF" style="border: solid 1px #000000;"><center><B>Retrieve Password</B>
								</td>
							</tr>
							<tr>
								<td bgcolor="#FFFFFF" style="border: solid 1px #000000;" align="center"><?
	$recipient = $retrieveemail;
	$subject = "Your LustedOrBusted Account Password";
	$newpassword = rand(0, 99999999);
	$newuserpass = md5($newpassword);
	echo "".$array['username']."<BR>";
	echo "".$array['password']."<BR>";
	$updatepasswordsql = "UPDATE users SET password = '$newuserpass' WHERE username = '".$array['username']."'";
	echo $updatepasswordsql;
	mysql_query($updatepasswordsql) or die(mysql_error());
	$email_body = "Hello, ".$array['username']."<BR>\r\n
Here is your account password:  <B>$newpassword</B> \r\n
<BR>This can be changed once you login and go to the editprofile section.\r\n
<BR><BR><B>-Lusted Or Busted Staff-</B>";
	$additional_headers = "From: staff@lustedorbusted.com\r\n";
	$additional_headers .="Content-type: text/html; charset=iso-8859-1\r\n";
	if(mail($recipient, $subject, $email_body, $additional_headers)) {
       print("Your new password has been sent to <B>$retrieveemail</B>.");
    } else {
       print('There has been an error.  Please try again later.');
    } }?>
								</td>
							</tr>
						</table>

<? } ELSE { ?>
						<table width="90%" cellspacing="0" cellpadding="3" style="border: solid 1px #000000;" align="center">
							</tr>
							<tr>
								<td bgcolor="#CCCCFF" style="border: solid 1px #000000;"><center><B>Retrieve Password</B>
								</td>
							</tr>
							<tr>
								<td bgcolor="#FFFFFF" style="border: solid 1px #000000;" align="center">
								Enter the email address you used during signup to have a new password sent to you.  Once you login with this new password, you may go to your edit profile page and change it to your liking.<BR><BR>
								<form action="lostpassword.php" method="post">
								<input type="hidden" name="action" value="retrievepassword">
								<input type="text" size="20" name="retrieveemail"><BR><BR>
								<input type="submit" value="Send My Password">
								</td>
							</tr>
						</table>
<? } require 'footer.php'; ?>

$10 e-bucks for the person who can spot why my UPDATE users query isn't working. :)

Posted: Sat Feb 12, 2005 8:00 pm
by feyd
  1. register_globals are on, yes?
  2. echoing out $sql shows what?
  3. your error_reporting level is at?

..

Posted: Sun Feb 13, 2005 12:11 am
by s.dot
1. globals are on, yes
2. echoed $sql = SELECT password, username FROM users WHERE email = 'scott@lustedorbusted.com'

3. No clue what error reporting is ;/