Page 2 of 2
Re: How can i login in?
Posted: Wed Aug 13, 2008 8:23 am
by desmi
Why do you have to decrypt it? It's not too safe..
And to be honest, i think md5 is just fine, you dont have to go to sha crypting, well, atleast i think that with your current skills, you are not coding anything that needs stronger protection than md5 gives.
I dont think hashes can even be decrypted, not sure about that tho..
Re: How can i login in?
Posted: Wed Aug 13, 2008 8:35 am
by zplits
sir what's wrong with my code? I tried md5(), still can't get it done
kindly check it please:
checklogin.php
Code: Select all
<?php
//start session
session_start();
//include mysql_connection.php to connect to the database
require_once("mysql_connection.php");
// Define $myusername and $mypassword
$myusername=$_POST['username'];
$mypassword=$_POST['password'];
// To protect MySQL injection
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
// encrypt password
$encrypted_mypassword=md5($mypassword);
$sql="SELECT id, firstName, lastName FROM $tbl_name WHERE loginName='$myusername' and passWord='$encrypted_mypassword'";
$result=mysql_query($sql);
echo $sql;
//code to check for errors
/*
if (!$result) {
echo "Could not successfully run query ($sql) from DB: " . mysql_error();
exit;
}
*/
$count=mysql_num_rows($result);
if ($count==1) {
$data = mysql_fetch_assoc($result);
$_SESSION['user'] = array('id' => $data['id'], 'realName'=>$data['firstName'] . ' ' . $data['lastName']);
header("location:main.php");
exit();
}
else {
$error = "<b>ERROR</b>: Invalid Username / Password";
}
mysql_close();
?>
here is the code for
update.php
Code: Select all
<?php
//start session
session_start();
//include mysql_connection.php to connect to the database
require_once("mysql_connection.php");
if(!isset($_SESSION['user'])){
header("location:index.php");
}
else{
// Define $myusername and $mypassword
$newLoginName=$_POST['newLoginName'];
$newFirstName=$_POST['newFirstName'];
$newLastName=$_POST['newLastName'];
$newEmailAdd=$_POST['newEmailAdd'];
//form processing
$mypassword = $_POST['newPassWord'];
$mypassword = mysql_real_escape_string($newPassWord);
// encrypt password
$encrypted_mypassword=md5($mypassword);
// update data in mysql database
$sql="UPDATE $tbl_name SET loginName = '$newLoginName', passWord = '$encrypted_mypassword', firstName = '$newFirstName', lastName='$newLastName', emailAdd='$newEmailAdd'";
$result=mysql_query($sql);
//echo $sql;
}
// if successfully updated.
if($result){
$updateSuccess = "<b>SUCCESS</b>: Your account has been updated.";
$sql="SELECT * FROM $tbl_name";
$result = mysql_query($sql);
$row=mysql_fetch_array($result);
$dusername=$row['loginName'];
$dpassword=$row['passWord'];
$dfirstName=$row['firstName'];
$dlastName=$row['lastName'];
$demailAdd=$row['emailAdd'];
}
else {
$updateError = "<b>ERROR</b>: Invalid Username / Password";
}
?>
Re: How can i login in?
Posted: Wed Aug 13, 2008 8:36 am
by Stryks
The hashing mechanism you use in storing passwords isn't that critical. The reason being that (hopefully) the end user never has access to the hash value stored in the database, so they don't have a basis for breaking the code.
There is a lot of hype blowing around about md5 and sha being 'broken', and for some uses this is true. But this in not one of them. A person hunting for a collision needs to know the end hash, and without it they need to try to brute force your authentication system by banging away with random passwords. That is easily overcome by making a 5 failed attempt lockout for 15 - 30 minutes.
Regardless, you're going to want to compare the hashed password in your database with the hashed password your user submitted (hence the reason why a random salt wont work - you will not be able to replicate it).
Just to clarify for you, once you hash that password, it cannot be un-hashed. It becomes a hash representation of the password. The only way to get the original password back would be to hash combinations of characters until you find a combination that makes the same hash value.
So you hash your password and store it into the database, and then on logon, you'll need to hash the user supplied password using the same method you used when you hashed it the first time, and use that as the password value when you pull from the database.
Hope that helps
Re: How can i login in?
Posted: Wed Aug 13, 2008 8:40 am
by Stryks
The password you have in the database has been stored as an md5 hash I assume? It's not plain text in there?
Re: How can i login in?
Posted: Wed Aug 13, 2008 8:43 am
by zplits
Hello sir Stryks. Thank God your here. I know sir. But I can't get it to work. I've check my database tables and it's value. the password field is hashed. But when i tried to login, and provide the correct username and password that i have set in update.php it won't let me in.
Hope you understand. Did you check the code above? I have posted the checklogin.php and update.php. Is there anything wrong with it?
Re: How can i login in?
Posted: Wed Aug 13, 2008 8:45 am
by desmi
Seems fine to me, except:
Code: Select all
//form processing
$mypassword = $_POST['newPassWord'];
$mypassword = mysql_real_escape_string($newPassWord);
// encrypt password
$encrypted_mypassword=md5($mypassword);
// update data in mysql database
$sql="UPDATE $tbl_name SET loginName = '$newLoginName', passWord = '$encrypted_mypassword', firstName = $newFirstName', lastName='$newLastName', emailAdd='$newEmailAdd'";
$result=mysql_query($sql);
//echo $sql;
You have 2 mistakes here,
1. update.php page
Code: Select all
$mypassword = $_POST['newPassWord'];
$mypassword = mysql_real_escape_string($newPassWord); // I cant find $newPassWord variable on this page
2. You're still missing WHERE from your UPDATE query.. Please read some tutorials to get it clear..
Re: How can i login in?
Posted: Wed Aug 13, 2008 8:49 am
by desmi
Oh and one more thing im not sure of, maybe someone could lighten it up:
Is this even possible:
Code: Select all
$password = 'pass';
$password = mysql_real_escape_string($password);
$password = md($password);
and if it is, should it be in different order?
Code: Select all
$password = 'pass';
$password = md($password);
$password = mysql_real_escape_string($password);
I hope someone can answer this ;P
Re: How can i login in?
Posted: Wed Aug 13, 2008 8:54 am
by zplits
thanks desmi. Finally i got i working. The only problem there is the $mypassword = mysql_real_escape_string($newPassWord); I'm so sorry. I forgot to change $newPassWord to $mypassword.
wait up sir desmi. Ahmmmm. Where should i use WHERE? do i still have to use it? it still updates my password without WHERE.
Thanks a lot sir. thanks a lot. I'm so thankful. Thank you very much.
Re: How can i login in?
Posted: Wed Aug 13, 2008 8:55 am
by Stryks
desmi has pretty much covered everything I think.
To help you with the query aspect, what you will be wanting to update is records WHERE the id is the same as the user id that is stored in the session.
Now you just need to look up the correct mySQL format for UPDATE queries.
Re: How can i login in?
Posted: Wed Aug 13, 2008 8:55 am
by Stryks
Also, try adding a second user with a different password. You'll see why the where clause is important.

Re: How can i login in?
Posted: Wed Aug 13, 2008 8:57 am
by zplits
There is only one user for this system sir. Thanks for a lot for the help and info.
Re: How can i login in?
Posted: Wed Aug 13, 2008 8:57 am
by onion2k
zplits wrote:i know how $pass = sha1($_POST['password']); works and i know how to put it in the database. My problem is how can i decrypt it. what code shall i use?
It sounds like you don't know how sha1() works. It's not encryption. It's hashing. You can't decrypt it. That's impossible. You need to compare the user's password when they log in with the hash stored in the database, so you'll need to get the password, hash it, and then compare that in your sql, eg:
Code: Select all
$password_hash = sha1($_POST['password']);
$sql = "SELECT * FROM `users` WHERE `username`='$username' AND `password`='$password_hash'";
Re: How can i login in?
Posted: Wed Aug 13, 2008 9:01 am
by zplits
yes onion2k. I'm sorry for what i have said. My fault. I know sha1 and md5 aren't encryption. They're hashes.
I'm sorry for that.