Help with encryption; not working

anivad
Forum Commoner
Posts: 80
Joined: Thu Apr 09, 2009 11:16 pm

Post by anivad »

I created a users database and set the registration form to encrypt all passwords with md5. It enters the database encrypted, but for some reason you can't log in even though I encrypt the inputted passwords.

Everything worked fine until I did the encrypting, so the basic system is functional. As a last resort I won't encrypt passwords at all; I doubt anyone would be interested in hacking my site. Or do spambots prowl the Internet looking to steal passwords?

Code (registration):

<?php

include 'common.php';

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    // Undo magic-quotes escaping if the server applies it
    if (get_magic_quotes_gpc()) {
        $uname = stripslashes($_POST['username']);
        $email = stripslashes($_POST['email']);
    }
    else {
        $uname = $_POST['username'];
        $email = $_POST['email'];
    }

    if ($uname == '' or $email == '') {
        error('One or both required fields were left blank. Please fill them in and try again.');
    }
    else {

        // connect to database
        include 'db.php';

        // Escape user input before it is used in any query
        $uname = mysql_real_escape_string($uname);
        $email = mysql_real_escape_string($email);

        $sql = "SELECT COUNT(*) FROM logintest WHERE uname = '$uname'";
        $result = mysql_query($sql) or die (mysql_error());
        if (!$result) {
            error('A database error occured in processing your submission.');
        }
        if (@mysql_result($result, 0, 0) > 0) {
            error('Username already taken');
        }
        else {
            // Random six-character password; only its md5 hash is stored
            $newpass = substr(md5(time()), 0, 6);
            $pword = md5($newpass);

            // CURDATE() is left unquoted so MySQL evaluates it as a function
            $sql = "INSERT INTO logintest SET uname='$uname', pword='$pword', email='$email', regdate=CURDATE()";
            $result = mysql_query($sql) or die (mysql_error());
            if (!$result) {
                error('A database error occured during submission');
            }
            else {
                mysql_close($db_handle);
                // Redirect only after the insert has succeeded
                session_start();
                $_SESSION['reg'] = "1";
                header("Location: registered.php");
                exit;
            }
        }
    }
}

?>
 
Login code

<?PHP

$errorMessage = "Error logging on.  Check that you are registered, and that your username and password are correct.";

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $uname = $_POST['username'];
    $pword = $_POST['password'];

    // Database connect
    $dbuser = "myuser";
    $dbpass = "mypassword";
    $database = "database";
    $server = "localhost";

    $db_handle = mysql_connect($server, $dbuser, $dbpass);
    $db_found = mysql_select_db($database, $db_handle);

    if ($db_found) {
        // Hash the submitted password the same way registration did
        $pword = md5($pword);
        // Escape the username before it goes into the query
        $uname = mysql_real_escape_string($uname);

        $SQL = "SELECT * FROM logintest WHERE uname = '$uname' AND pword = '$pword'";
        $result = mysql_query($SQL) or die (mysql_error());
        $num_rows = mysql_num_rows($result);

        // result checking
        if ($result) {
            if ($num_rows > 0) {
                session_start();
                $_SESSION['login'] = "1";
                $_SESSION['uname'] = "$uname";
                header ("Location: loginsuccess.php");
            }
            else {
                session_start();
                $_SESSION['login'] = "";
                print $errorMessage;
            }
        }

        mysql_close($db_handle);
    }
}

?>

Thanks!
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Post by Apollo »

What do you mean by 'the inputted password'? Not substr(md5(time()),0,6)?
anivad
Forum Commoner
Posts: 80
Joined: Thu Apr 09, 2009 11:16 pm

Post by anivad »

I use substr(md5(time()),0,6) to generate a random password - that's $newpass, and then I encrypt that and store md5($newpass) into the database and e-mail $newpass to the user.

So inputted password would be $newpass = what they type into the login form under the password field.

Then the login.php page encrypts that -> md5($_POST['password']) and compares it with the value stored earlier in the database. For some reason they don't match.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Post by Apollo »

Ah ok, I just checked because I didn't see $newpass actually being emailed in your code here.

Well to sort this out, simply compare to check which part is going wrong. Is the correct md5 stored in your database? If you perform the "login query" yourself from e.g. phpMyAdmin, does it work there?
anivad
Forum Commoner
Posts: 80
Joined: Thu Apr 09, 2009 11:16 pm

Post by anivad »

Not working in phpMyAdmin:

SELECT * FROM `logintest` WHERE `uname`='username' AND pword = 'md5(80dc42)'

Returns null.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Post by Apollo »

Note that MD5 (in a query) is an SQL function, so put it outside quotes, otherwise you're literally comparing pword to the string 'md5(80dc42)' :)

Instead, try:

SELECT * FROM `logintest` WHERE `uname`='username' AND pword = MD5('80dc42')
anivad
Forum Commoner
Posts: 80
Joined: Thu Apr 09, 2009 11:16 pm

Post by anivad »

Tried that; still doesn't work, gave null result. :?
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Post by Apollo »

What hash is in your database? (look with phpMyAdmin)

Should be '36901b67b525419d57e1e0696d1ea27f' (=md5('80dc42')).
anivad
Forum Commoner
Posts: 80
Joined: Thu Apr 09, 2009 11:16 pm

Post by anivad »

All right! Problem solved. I'd set the length limit for the password at 16, so the end of the encrypted string got cut off. Fixed that, and it all works now. :D

Thanks!

One more unrelated problem - any idea why this doesn't execute?

<?PHP

session_start();

if (!(isset($_SESSION['login']) && $_SESSION['login'] != '')) {
    print "<b><a href='loginpage.htm'>Login</a></b> | <b><a href='register.htm'>Register</a></b>";
}
else {
    // Braces are needed around a quoted array key inside a double-quoted string
    print "Logged in as user <b>{$_SESSION['uname']}</b> | <b><a href='logout.php'>Logout</a></b>";
}
?>

I'm trying to get the login and register links to work when the user isn't logged in, and the second part to appear when the user is.

Instead I get:

Login | Register"; } else { print "Logged in as user $_SESSION['uname'] | Logout"; } ?>

printed on that area of the page.

I'm able to redirect people based on login status by header ("Location: loginpage.htm") so that part of the code's not the problem.
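
The failure diagnosed in this thread, as an added example that is not part of the original posts: an MD5 hex digest is 32 characters, so a 16-character column keeps only half of it and the login comparison cannot succeed. The helper names (store, md5_login, schemes_too_long) are hypothetical, the column is simulated with substr(), the corrected width of 32 is an assumption, and the password_hash() lines go beyond the thread to show the same truncation on a bcrypt hash.

```php
<?php
// Added example with constructed values; no database is needed.
// store() simulates a CHAR/VARCHAR(n) column with MySQL strict mode off,
// where a value longer than the column is cut to fit.
function store(string $value, int $columnLength): string
{
    return substr($value, 0, $columnLength);
}

// Login check as in the thread: hash the submitted password and compare.
function md5_login(string $submitted, string $stored): bool
{
    return hash_equals($stored, md5($submitted));
}

// Names of hash formats whose output is longer than the column.
function schemes_too_long(int $columnLength): array
{
    $lengths = [
        'md5'    => strlen(md5('x')),
        'sha256' => strlen(hash('sha256', 'x')),
        'bcrypt' => strlen(password_hash('x', PASSWORD_BCRYPT)),
    ];
    return array_keys(array_filter($lengths, fn($len) => $len > $columnLength));
}

$newpass = '80dc42';          // password value quoted in the thread
$full = md5($newpass);

printf("full hash   (%d chars): %s\n", strlen($full), $full);
printf("in CHAR(16) (%d chars): %s\n", strlen(store($full, 16)), store($full, 16));

// Column as first defined (16) versus a column wide enough for MD5 (32, assumed)
var_dump(md5_login($newpass, store($full, 16)));
var_dump(md5_login($newpass, store($full, 32)));

// Beyond the thread: password_hash() output is cut the same way
$bcrypt = password_hash($newpass, PASSWORD_BCRYPT);
var_dump(password_verify($newpass, store($bcrypt, 32)));
var_dump(password_verify($newpass, store($bcrypt, 255)));

print_r(schemes_too_long(16));
print_r(schemes_too_long(32));
```
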
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Post by Apollo »

I don't see any direct typos in there, try breaking it down in parts, e.g.

$bla = (!(isset($_SESSION['login']) && $_SESSION['login'] != ''));

die( $bla ? "yes" : "no" );

If that works as expected, replace the die with your previous code:

if ($bla)
{
    print "<b><a href='loginpage.htm'>Login</a></b> | <b><a href='register.htm'>Register</a></b>";
}
else {
    print "Logged in as user <b>{$_SESSION['uname']}</b> | <b><a href='logout.php'>Logout</a></b>";
}

If that doesn't work as expected, replace the printed strings with "yes" and "no" and see if you have any strange chars somewhere (such as an accidental ? instead of ")
anivad
Forum Commoner
Posts: 80
Joined: Thu Apr 09, 2009 11:16 pm

Post by anivad »

EDIT: Never mind; worked that out. I'd saved it as a htm file, but when I included the php code in an include file it worked fine. Thanks for the help!