How can i login in?
Posted: Tue Aug 12, 2008 11:10 pm
by zplits
Hi everyone, good day. I've run through some tutorials on the internet and found a good encryption tutorial. I have this code:
Code:
<?php
//start session
session_start();
//include mysql_connection.php to connect to the database
require_once("mysql_connection.php");
if(!isset($_SESSION['user'])){
header("location:index.php");
}
// Define $myusername and $mypassword
$newLoginName=$_POST['newLoginName'];
$newFirstName=$_POST['newFirstName'];
$newLastName=$_POST['newLastName'];
$newEmailAdd=$_POST['newEmailAdd'];
//form processing
$newPassWord = $_POST['newPassWord'];
$newPassWord = mysql_real_escape_string($newPassWord);
// Generate a random salt
$salt = substr(md5(uniqid(rand(), true)), 0, 5);
// Hash password
$secure_password = md5($salt . md5($newPassWord));
// update data in mysql database
$sql="UPDATE $tbl_name SET loginName = '$newLoginName', passWord = '$secure_password', firstName = '$newFirstName', lastName='$newLastName', emailAdd='$newEmailAdd'";
$result=mysql_query($sql);
// if successfully updated.
if($result){
$updateSuccess = "<b>SUCCESS</b>: Your account has been updated.";
}
else {
$updateError = "<b>ERROR</b>: Server is busy. Please try again later.";
}
?>
That script is for my page that updates the user information. After I successfully updated my password, I logged out and tried to log in, but it gives me an error.
Here is the checklogin.php code for my login:
Code:
<?php
//start session
session_start();
//include mysql_connection.php to connect to the database
require_once("mysql_connection.php");
// Define $myusername and $mypassword
$myusername=$_POST['username'];
$mypassword=$_POST['password'];
// To protect MySQL injection
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT id, firstName, lastName FROM $tbl_name WHERE loginName='$myusername' and passWord='$mypassword'";
$result=mysql_query($sql);
//code to check for errors
if (!$result) {
echo "Could not successfully run query ($sql) from DB: " . mysql_error();
exit;
}
$count=mysql_num_rows($result);
if ($count==1) {
$data = mysql_fetch_assoc($result);
$_SESSION['user'] = array('id' => $data['id'], 'realName'=>$data['firstName'] . ' ' . $data['lastName']);
header("location:main.php");
exit();
}
else {
$error = "<b>ERROR</b>: Invalid Username / Password";
}
?>
Please please help me. I don't know how to get the hashed password in the database so that I can log in.
Really need your help.
Thanks in advance.
Re: How can i login in?
Posted: Wed Aug 13, 2008 1:18 am
by desmi
Your problem is that you first insert an md5 hash into the database, then you try to select the normal non-hashed password.
Code:
// Hash password
$secure_password = md5($salt . md5($newPassWord)); // first you convert it to md5
// update data in mysql database
$sql="UPDATE $tbl_name SET loginName = '$newLoginName', passWord = '$secure_password', firstName = '$newFirstName', lastName='$newLastName', emailAdd='$newEmailAdd'"; // here you insert/update that md5 hash
$result=mysql_query($sql);
Code:
$sql="SELECT id, firstName, lastName FROM $tbl_name WHERE loginName='$myusername' and passWord='$mypassword'"; //Here you try to check only non secured password
So you need to convert that second password to md5 with the same $salt before trying to do the query.
Please ask for more information if it didn't help.

Re: How can i login in?
Posted: Wed Aug 13, 2008 1:36 am
by zplits
Thanks for the response.
Yes, when I update my user info, the password encryption works well. But the thing is, I can't decrypt the code so that I can log in.
How am I able to do that, sir? Please help me.
Re: How can i login in?
Posted: Wed Aug 13, 2008 3:32 am
by desmi
You need to md5 that login password too:
Code:
// Define $myusername and $mypassword
$myusername=$_POST['username'];
$mypassword=$_POST['password'];
// To protect MySQL injection
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT id, firstName, lastName FROM $tbl_name WHERE loginName='$myusername' and passWord='$mypassword'";
$result=mysql_query($sql);
Here you submit your login form password and try to select with it from the database. What you should do is md5 it like you do when you update it, because when you update it in the database, what you really put there is that md5 hash, e.g. 'sajkh5u6sd777g9d9'.
And you try to compare the password you type, e.g. 'password', to that hash 'sajkh5u6sd777g9d9'.
So what you need to do is, put this same code in that checklogin page, just the same way you do on that first page.
Code:
// Generate a random salt
$salt = substr(md5(uniqid(rand(), true)), 0, 5);
// Hash password
$myPassword = md5($salt . md5($myPassword));
Re: How can i login in?
Posted: Wed Aug 13, 2008 3:55 am
by zplits
Yes sir, I have copy-pasted it into my checklogin.php,
but my problem is here:
Code:
// Generate a random salt
$salt = substr(sha1(uniqid(rand(), true)), 0, 5);
// Hash password
$secure_password = sha1($salt . sha1($mypassword));
$sql="SELECT id, firstName, lastName FROM $tbl_name WHERE loginName='$myusername' and passWord='$secure_password'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if ($count==1) {
$data = mysql_fetch_assoc($result);
$_SESSION['user'] = array('id' => $data['id'], 'realName'=>$data['firstName'] . ' ' . $data['lastName']);
header("location:main.php");
exit();
}
else {
$error = "<b>ERROR</b>: Invalid Username / Password";
}
Is that code okay?
Re: How can i login in?
Posted: Wed Aug 13, 2008 4:00 am
by onion2k
zplits wrote: Is that code okay?
No. You're using a random number in your salt value. Unless you manage to generate the same random number again you'll never be able to match the password when the user logs in.
Re: How can i login in?
Posted: Wed Aug 13, 2008 4:04 am
by zplits
Okay. Can you tell me how to do it right? What salt value should I put?
Re: How can i login in?
Posted: Wed Aug 13, 2008 4:42 am
by onion2k
Desmi has explained that already.
Re: How can i login in?
Posted: Wed Aug 13, 2008 4:54 am
by zplits
@onion2k
I'm using sha1. If you want to help, please help. If you don't, I'm not forcing you to. It seems like you don't understand. I'm new to PHP; that's why I joined this forum, so that I can learn more. I know you're far more knowledgeable than me.
I'm asking because I don't know. I'm not that stupid. If I knew, I wouldn't ask.
Re: How can i login in?
Posted: Wed Aug 13, 2008 5:00 am
by onion2k
Desmi has explained how it should work. What you need to do is think about what he's said and implement it in PHP. Don't just come back immediately and ask for someone else to write the code for you. If people do that you'll never learn and progress. We don't do it to be mean. By not posting the complete solution here we are helping you more.
Re: How can i login in?
Posted: Wed Aug 13, 2008 5:06 am
by zplits
Yes sir, I get what you mean. But please consider: I'm honestly new to PHP. I have tried that code and it doesn't work. I have also changed my $salt value.
Here is the complete code of my checklogin.php:
Code:
<?php
//start session
session_start();
//include mysql_connection.php to connect to the database
require_once("mysql_connection.php");
// Define $myusername and $mypassword
$myusername=$_POST['username'];
$mypassword=$_POST['password'];
// To protect MySQL injection
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
// Generate a random salt
$salt = "7e217131";
// Hash password
//$secure_password = sha1($salt . sha1($mypassword));
$secure_password = sha1($mypassword.$salt);
$sql="SELECT id, firstName, lastName FROM $tbl_name WHERE loginName='$myusername' and passWord='$secure_password'";
$result=mysql_query($sql);
//code to check for errors
if (!$result) {
echo "Could not successfully run query ($sql) from DB: " . mysql_error();
exit;
}
$count=mysql_num_rows($result);
if ($count==1) {
$data = mysql_fetch_assoc($result);
$_SESSION['user'] = array('id' => $data['id'], 'realName'=>$data['firstName'] . ' ' . $data['lastName']);
header("location:main.php");
exit();
}
else {
$error = "<b>ERROR</b>: Invalid Username / Password";
}
mysql_close();
?>
And here's the code for my update.php:
Code:
<?php
//start session
session_start();
//include mysql_connection.php to connect to the database
require_once("mysql_connection.php");
if(!isset($_SESSION['user'])){
header("location:index.php");
}
// Define $myusername and $mypassword
$newLoginName=$_POST['newLoginName'];
$newFirstName=$_POST['newFirstName'];
$newLastName=$_POST['newLastName'];
$newEmailAdd=$_POST['newEmailAdd'];
//form processing
$mypassword = $_POST['newPassWord'];
$mypassword = mysql_real_escape_string($newPassWord);
// Generate a random salt
$salt = "7e217131";
// Hash password
//$secure_password = sha1($salt . sha1($newPassWord));
$secure_password = sha1($mypassword.$salt);
// update data in mysql database
$sql="UPDATE $tbl_name SET loginName = '$newLoginName', passWord = '$secure_password', firstName = '$newFirstName', lastName='$newLastName', emailAdd='$newEmailAdd'";
$result=mysql_query($sql);
// if successfully updated.
if($result){
$updateSuccess = "<b>SUCCESS</b>: Your account has been updated.";
$sql="SELECT * FROM $tbl_name";
$result = mysql_query($sql);
$row=mysql_fetch_array($result);
$dusername=$row['loginName'];
$dpassword=$row['passWord'];
$dfirstName=$row['firstName'];
$dlastName=$row['lastName'];
$demailAdd=$row['emailAdd'];
}
else {
$updateError = "<b>ERROR</b>: Invalid Username / Password";
}
?>
I'm sorry. I really don't know. I hope you'll help me.
Re: How can i login in?
Posted: Wed Aug 13, 2008 5:12 am
by onion2k
Right. The first thing to do is check what the SQL you're using is set to. Add "echo $sql;" after each bit of SQL code so it's printed in your HTML page. Copy and paste it into your MySQL client (phpMyAdmin for example) and see if it works there. If it doesn't, look at the error returned and see if you can work out why it isn't working.
One problem I can see is in your update script...
Code:
$sql="UPDATE $tbl_name SET loginName = '$newLoginName', passWord = '$secure_password', firstName = '$newFirstName', lastName='$newLastName', emailAdd='$newEmailAdd'";
There's no WHERE clause in that SQL so when it's run it'll update every record in the table.
Re: How can i login in?
Posted: Wed Aug 13, 2008 5:30 am
by zplits
Sir, I have tried what you advised.
I put echo $sql, and it returned "SELECT id, firstName, lastName FROM users WHERE loginName='admin' and passWord='1234' "....
Then I copied and pasted it into phpMyAdmin under the SQL tab and executed it. And it displays this message: "MySQL returned an empty result set (i.e. zero rows). (Query took 0.0013 sec)"
What do you mean when you said this, sir?
One problem I can see is in your update script...
$sql="UPDATE $tbl_name SET loginName = '$newLoginName', passWord = '$secure_password', firstName = '$newFirstName', lastName='$newLastName', emailAdd='$newEmailAdd'";
There's no WHERE clause in that SQL so when it's run it'll update every record in the table.
I don't get it. Should I insert WHERE or not? If I should, where should I put it?
Re: How can i login in?
Posted: Wed Aug 13, 2008 6:12 am
by desmi
OK, you should read some basics about MySQL queries, and about md5 hashes.
Like onion2k said, it's better for you to learn it by yourself than for me to create working code for you here, but here are some basics:
When you create your md5 hash, since you're just learning, use:
Code:
<?php
$password = md5($password);
No need to try any unique salts or even self-generated salts.
And when you update your database, the query should be:
Code:
$sql = "UPDATE table SET row = '$value', .... WHERE id = '$id'";
You need to tell the database WHAT you want to update; that WHERE id = '$id' could be e.g. WHERE username = '$username' or whatever you want.
Re: How can i login in?
Posted: Wed Aug 13, 2008 8:14 am
by zplits
Okay. Is it okay if I use sha1? Is there such a thing as sha512 or sha256?
I know how $pass = sha1($_POST['password']); works and I know how to put it in the database. My problem is how I can decrypt it. What code shall I use?
Please help
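
The point the replies make, as an added example that is not part of the thread: a hash is never decrypted; login fetches the row by name and re-checks the submitted password against the stored hash, and the UPDATE carries a WHERE clause. It uses PHP's password_hash()/password_verify() (which keep the random salt inside the stored string) in place of the thread's md5/sha1 calls, and PDO with an in-memory SQLite table in place of the thread's MySQL connection; the sample rows and password are constructed.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// posts; the SQLite in-memory database and the two accounts are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, loginName TEXT UNIQUE,
           passWord TEXT, firstName TEXT, lastName TEXT)');
$db->exec("INSERT INTO users (loginName, firstName, lastName)
           VALUES ('admin', 'Ada', 'Admin'), ('guest', 'Gus', 'Guest')");

// Update ONE account: the WHERE clause limits the change to that id.
function set_password(PDO $db, int $id, string $plain): void
{
    // password_hash() picks a random salt and embeds it in the returned
    // string, so the salt is stored together with the hash.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE users SET passWord = :hash WHERE id = :id');
    $stmt->execute([':hash' => $hash, ':id' => $id]);
}

// Login: select by name only, then verify in PHP. Nothing is decrypted.
function check_login(PDO $db, string $name, string $plain): ?array
{
    $stmt = $db->prepare('SELECT id, firstName, lastName, passWord
                          FROM users WHERE loginName = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() re-hashes $plain with the salt read from the stored
    // string and compares the result in constant time.
    if ($row === false || $row['passWord'] === null
        || !password_verify($plain, $row['passWord'])) {
        return null;
    }
    return ['id' => (int) $row['id'],
            'realName' => $row['firstName'] . ' ' . $row['lastName']];
}

set_password($db, 1, 'correct horse');                  // constructed password
var_dump(check_login($db, 'admin', 'correct horse'));   // matching account
var_dump(check_login($db, 'admin', 'wrong'));           // wrong password
var_dump(check_login($db, 'guest', 'correct horse'));   // row the UPDATE did not touch
```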