
PHP and MySQL password issue...

Posted: Thu Jun 13, 2002 9:44 am
by BuzzT
I recently tried to use a script that I know works. I have used it before, but I cannot figure out the problem.

When I add passwords to a table for login information, I send them to MySQL through PHP as password('$password'). This encrypts them fine. I can see that when I check the database.

When I try to validate the password later during login using the same method, I can't seem to get in. The exact same script works for me on a friend's server. I have installed PHP4 and MySQL on a Win 2K server. Did I miss a setting or something? How come they can be sent, but not retrieved?

Also, I can't seem to find an mcrypt.dll that will work. It always locks up when PHP tries to access it. How come?

Posted: Fri Jun 14, 2002 2:00 am
by twigletmac
If you've got PHP 4.2 (or installed 4.1.x and used the php.ini-recommended), have you read this?

If the stuff from the above thread doesn't help maybe we could see some code to spot anything else that might be going wrong.

Mac

Posted: Fri Jun 14, 2002 9:26 am
by BuzzT
Here is the part of the code. The first set is from the PHP to add members to the database and encrypt the password (this works fine). The second set is where I try to validate the user. This works only if I did not encrypt the password in the previous set and do not try to retrieve it with password(password). Keep in mind that this works perfectly on a friend's Apache server. Could there be a setting I missed when installing MySQL or PHP on my Win 2k Server box?

-----------start first set (add user)-----------------

$query = "insert into level1_members values ('NULL','".$username."', password('".$password."'),'".$date."','".$email."')";
$result = mysql_query($query);
$check_user = "select * from level1_members where username = '$username' or password = password('$password') ";

if ($result)
{
    echo "User <b>$username</b> with password <b>$password</b> has been inserted into our database on $date"."<br><br>";
    exit;
}
else if ($check_user)
{
    echo "That username and/or password is already in use.";
    exit;
}
else
{
    echo "Unable to insert member into database.";
}


----------start second set (check for user)-------------

// query the database to see if there is a record which matches

$query = "select count(*) from level1_members where
username = '$username' and
password = password('$password')";

$result = mysql_query( $query );
if(!$result)
{
    echo 'Cannot run query.';
    exit;
}

$count = mysql_result( $result, 0, 0 );

$success="schedule.php";
$failure="rejected.php";

if ( $count > 0 )
{
    // visitor's name and password combination are correct
    header("Location: $success");
}
else
{
    // visitor's name and password combination are not correct
    header("Location: $failure");
}

I think...................

Posted: Mon Sep 27, 2004 1:17 am
by JadePhp
$check_user = "select * from level1_members where username = '$username' or password = password('$password') ";

'AND' should come instead of 'OR' in the query.

Posted: Mon Sep 27, 2004 4:22 am
by timvw
http://dev.mysql.com/doc/mysql/en/Encry ... tions.html
Note: The PASSWORD() function is used by the authentication system in MySQL Server, you should not use it in your own applications. For that purpose, use MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your application

Well

Posted: Mon Sep 27, 2004 4:39 am
by JadePhp
timvw wrote: http://dev.mysql.com/doc/mysql/en/Encry ... tions.html
Note: The PASSWORD() function is used by the authentication system in MySQL Server, you should not use it in your own applications. For that purpose, use MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your application

I tried using MD5 and SHA1, but it generates different output from that of the encrypted value stored in the database.

Code:

<?php

$password=md5('noor');
$check_user = "select * from info
where  password = password('$password') ";

//$check_user = "select * from info
//where  password = '$password' ";
echo($check_user);
$link=mysql_connect('localhost','root','triadpass');
mysql_select_db('testdb');
$result= mysql_query($check_user) or die(mysql_error());
while($arrt= mysql_fetch_array($result, MYSQL_ASSOC )){
    print_r( $arrt);
    echo("asdasdas");
}
?>


Still it's not working.

Posted: Mon Sep 27, 2004 4:42 am
by timvw
If you store PASSWORD($input) it is expected to be unequal to MD5($input).

It will only work if you INSERT values as MD5($input) instead of PASSWORD($input).

Thus if you have already a lot of accounts, you may not want to change this.

Hmmmmmmmm

Posted: Mon Sep 27, 2004 4:55 am
by JadePhp
OK, then how can I decrypt it to show it to the user? In this case I have to remember it. And one more thing: then what's the use of the SQL function?
I already knew this way of MD5; I want to implement SQL PASSWORD('');

you don't

Posted: Mon Sep 27, 2004 8:43 am
by phpScott
You don't decrypt it; you get the user (that you now want to beat on) to create a new password.

Posted: Tue Sep 28, 2004 8:29 am
by AGISB
Can you state the password field length and datatype?

For password encrypt I believe it has to be char(16), and for md5 it has to be char(32). If you got different values, that might be a problem of spaces added or the password string getting cut off.
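
An added example, not part of any post in this thread: a Python diagnostic for the mismatches discussed above, namely a value hashed with one function being compared against another, and a stored hash being cut off or space-padded by the column. The function names, the `store` column simulation and the sample password are constructed for illustration; `mysql41_password` assumes the MySQL 4.1+ PASSWORD() format only, and the older 16-character format is not reproduced.

```python
import hashlib

def mysql41_password(pw):
    """PASSWORD() in the MySQL 4.1+ format: '*' + upper-case hex of SHA1(SHA1(pw))."""
    inner = hashlib.sha1(pw.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# Candidate functions a stored value could have been produced with.
HASHERS = {
    "MD5()": lambda pw: hashlib.md5(pw.encode("utf-8")).hexdigest(),
    "SHA1()": lambda pw: hashlib.sha1(pw.encode("utf-8")).hexdigest(),
    "PASSWORD() 4.1+": mysql41_password,
}

def store(value, width):
    """Simulate (assumption) a CHAR(width) column that silently cuts off longer values."""
    return value[:width]

def diagnose(stored, password):
    """Say which function produced `stored` for `password`, and whether it is intact."""
    value = stored.rstrip(" ")  # trailing spaces added by a padded column
    note = " (space-padded)" if value != stored else ""
    for name, fn in HASHERS.items():
        full = fn(password).lower()
        if value.lower() == full:
            return name + ": full match" + note
        # A long-enough proper prefix means the column was too narrow.
        if len(value) >= 8 and full.startswith(value.lower()):
            return "%s: truncated to %d of %d chars" % (name, len(value), len(full))
    return "no match"

if __name__ == "__main__":
    pw = "noor"  # constructed sample password
    md5_hex = HASHERS["MD5()"](pw)
    # Stored with MD5(), column wide enough: login comparison can succeed.
    print(diagnose(store(md5_hex, 32), pw))
    # 41-character PASSWORD() value written into a 16-character column.
    print(diagnose(store(mysql41_password(pw), 16), pw))
    # PASSWORD() applied to an MD5 hex string instead of the password itself.
    print(diagnose(mysql41_password(md5_hex), pw))
```

A "truncated" result means the column has to be widened and the affected passwords set again, since the missing characters cannot be recovered from the stored prefix.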