Checking Length of MD5 in Change Password Script

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

ravious
Forum Newbie
Posts: 1
Joined: Thu Aug 23, 2012 3:49 pm

Checking Length of MD5 in Change Password Script

Post by ravious »

So I'm trying to write a change password script for the user control panel for my site. My server is storing passwords in the database as unsalted md5 (I know I need to salt them but one step at a time). The script I've modified was originally used for plaintext passwords; I've modified it to md5. The problem I'm having is with the character count check. The script is counting the hash rather than the password and I'm not versed enough in PHP to understand yet where the problem lies. When I remove the character check, it works fine except the script allows null password hashes to be written. Anyone able to lend a noob some advice?

Code:

<?php {
// check the login details of the user and stop execution if not logged in
// (the trailing ';' makes this an empty statement, so nothing is stopped here)
if(!empty($_POST['username']) && !empty($_POST['password']) && !empty($_POST['password2'])) ;

$todo=$_POST['todo'];
// both fields are hashed here, before any validation runs
$password=md5(mysql_real_escape_string($_POST['password']));
$password2=md5(mysql_real_escape_string($_POST['password2']));
/////////////////////////

if(isset($todo) and $todo=="change-password"){
    $password=md5(mysql_real_escape_string($_POST['password']));

    //Setting flags for checking
    $status = "OK";
    $msg="";

    // $password already holds the 32-character MD5 hex string at this point
    if ( strlen($password) < 3 or strlen($password) > 100 ){
        $msg=$msg."Password must be more than 3 char length and maximum 100 char length<BR>";
        $status= "NOTOK";
    }

    if ( $password <> $password2 ){
        $msg=$msg."Both passwords are not matching<BR>";
        $status= "NOTOK";
    }

    if($status<>"OK"){
        echo "$msg<br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
    }else{ // if all validations are passed.
        if(mysql_query("update users set Password='$password' where UserID='$_SESSION[UserID]'")){
            echo "Thanks <br> Your password changed successfully.";
        }else{
            echo "Sorry <br> Failed to change password Contact Site Admin";
        }
    }
} else ?> 

<div id="stylized" class="myform">
<form id="form" method="post" action="account.php?p=settings">
<input type="hidden" name="todo" value="change-password">
<h1>Change Password:</h1>
<p>Enter details below to change your password</p>

<label>New Password
<span class="small"></span>
</label>
<input type="password" name="password" id="password" />

<label>Re-Enter Password
<span class="small"></span>
</label>
<input type="password" name="password2" id="password2" />



<button type="submit">Change Password</button>
<div class="spacer"></div>

</form>

<?php ;


echo "</div>";


   }?>
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Checking Length of MD5 in Change Password Script

Post by requinix »

Don't do the hashing until just before you put it into the SQL query.

Also, don't mysql_real_escape_string() it: the hash will only contain letters and numbers.

Also, salting at this point is trivial. Do it now. Generate a random salt, hash the password with it, and when you save the password also save the salt.
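
The reply's advice as an added example (not part of the original thread, and not either poster's code): the length and match checks run on the submitted plaintext, and hashing happens only just before the query. It swaps the thread's md5-plus-manual-salt for PHP's password_hash(), which generates and stores the random salt itself, and uses a PDO prepared statement; the function names and the SQLite demo table are assumptions.

```php
<?php
// Added example, not code from the thread. validate_new_password() and
// change_password() are hypothetical names; users/Password/UserID are the
// table and column names used in the post.

function validate_new_password(string $password, string $password2): array
{
    $errors = [];
    // Measure what the user typed, not a hash of it (an MD5 hex string is always 32 chars).
    if (strlen($password) < 3 || strlen($password) > 100) {
        $errors[] = 'Password must be 3 to 100 characters long';
    }
    if ($password !== $password2) {
        $errors[] = 'Both passwords are not matching';
    }
    return $errors;
}

function change_password(PDO $pdo, int $userId, string $password, string $password2): array
{
    $errors = validate_new_password($password, $password2);
    if ($errors) {
        return $errors; // nothing is hashed or written for rejected input
    }
    // Hash only now, just before the query. password_hash() generates a random
    // salt and embeds it in its output, so no separate salt column is needed.
    // PASSWORD_DEFAULT is currently bcrypt, which uses only the first 72 bytes.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // A bound parameter replaces mysql_real_escape_string() and string-built SQL.
    $stmt = $pdo->prepare('UPDATE users SET Password = :hash WHERE UserID = :id');
    $stmt->execute([':hash' => $hash, ':id' => $userId]);
    return [];
}

// Constructed demo: an in-memory SQLite table stands in for the site's database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (UserID INTEGER PRIMARY KEY, Password VARCHAR(255))');
$pdo->exec("INSERT INTO users (UserID, Password) VALUES (1, '')");

print_r(change_password($pdo, 1, '', ''));                 // empty password
print_r(change_password($pdo, 1, 'abc123', 'abc124'));       // mismatched pair
print_r(change_password($pdo, 1, 'correct horse', 'correct horse')); // valid pair

$stored = $pdo->query('SELECT Password FROM users WHERE UserID = 1')->fetchColumn();
var_dump(password_verify('correct horse', $stored)); // how the login side checks it
```

The Password column must be wide enough for the full hash string (255 characters leaves room for future algorithms), and the login code has to switch from comparing md5() output to calling password_verify().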