Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I have added a hash to my user registration form. The script works fine and the password is hashed in my mysql db.
I am now testing the login page and trying to log in but seem to have problems. I have an html form below this php which is exited to if the user is not recognized (see below).
When I log in, with a user that has md5 hashing, it exits the script and just displays the html form. There are no errors and no other echoes. Just the html form.
[syntax="php"]
error_reporting(E_ALL);
ini_set('display_errors', true);
if ( isset($_POST['loginid'], $password)) {
    $link = dbconnect();
    mysql_select_db("jobs4alltrades", $link) or die(mysql_error());
    $pass = $_POST['password'];
    $loginid = mysql_real_escape_string($_POST['loginid'], $link) or die(mysql_error());
    $password = mysql_real_escape_string(hash('md5', $pass,TRUE), $link) or die(mysql_error());
    $query = "SELECT * FROM members WHERE LOWER(loginid)='" . strtolower($loginid) . "' AND `password`='$password'";
    $result = mysql_query($query, $link) or die(mysql_error());
    if (mysql_num_rows($result) >0) {
        $_SESSION['loginid'] = $_POST['loginid'];
        echo '<h1>Welcome ', $_POST['loginid'], "</h1>\n",
            '<br><a href="sessiontest.php">click here</a>';
        exit;
    }
    else{
        echo "<h1>Sorry</h1><p>There is no match on our records. Please try again or register as a new user.</p>\n";
    }
}
[/syntax]
Thanks
Last edited by toby_c500 on Fri May 25, 2007 11:44 am, edited 1 time in total.
Hashing functions internally form a binary string of bits that compose the result. Often the result is then converted to a more manageable form such as a hexadecimal string. The database needs them to be encoded the same at any rate. Whether it's using md5() or hash() doesn't overly matter. The spot where you run into trouble is that hash() is a very new function to PHP, md5() is not.
[syntax="php"]
error_reporting(E_ALL);
ini_set('display_errors', true);
if ( isset($_POST['loginid'], $password)) {
    $link = dbconnect();
    mysql_select_db("jobs4alltrades", $link) or die(mysql_error());
    $pass = $_POST['password'];
    $loginid = mysql_real_escape_string($_POST['loginid'], $link) or die(mysql_error());
    $password = mysql_real_escape_string(md5($pass), $link) or die(mysql_error());
    $query = "SELECT * FROM members WHERE LOWER(loginid)='" . strtolower($loginid) . "' AND `password`='$password'";
    $result = mysql_query($query, $link) or die(mysql_error());
    if (mysql_num_rows($result) >0) {
        $_SESSION['loginid'] = $_POST['loginid'];
        echo '<h1>Welcome ', $_POST['loginid'], "</h1>\n",
            '<br><a href="sessiontest.php">click here</a>';
        exit;
    }
    else{
        echo "<h1>Sorry</h1><p>There is no match on our records. Please try again or register as a new user.</p>\n";
    }
}
[/syntax]
[syntax="php"]
error_reporting(E_ALL);
ini_set('display_errors', true);
if ( isset($_POST['loginid'], $_POST['password'])) {
    $link = dbconnect();
    mysql_select_db("jobs4alltrades", $link) or die(mysql_error());
    $pass = $_POST['password'];
    $loginid = mysql_real_escape_string($_POST['loginid'], $link) or die(mysql_error());
    $password = mysql_real_escape_string(md5($pass), $link) or die(mysql_error());
    $query = "SELECT * FROM members WHERE LOWER(loginid)='" . strtolower($loginid) . "' AND `password`='$password'";
    $result = mysql_query($query, $link) or die(mysql_error());
    if (mysql_num_rows($result) >0) {
        $_SESSION['loginid'] = $_POST['loginid'];
        echo '<h1>Welcome ', $_POST['loginid'], "</h1>\n",
            '<br><a href="sessiontest.php">click here</a>';
        exit;
    }
    else{
        echo "<h1>Sorry</h1><p>There is no match on our records. Please try again or register as a new user.</p>\n";
    }
}
[/syntax]
[syntax="php"]
error_reporting(E_ALL);
ini_set('display_errors', true);
if ( isset($_POST['loginid'], $_POST['password'])) {
    $link = dbconnect();
    mysql_select_db("jobs4alltrades", $link) or die(mysql_error());
    $loginid = mysql_real_escape_string($_POST['loginid'], $link) or die(mysql_error());
    $password = mysql_real_escape_string(md5($_POST['password']), $link) or die(mysql_error());
    $query = "SELECT * FROM members WHERE LOWER(loginid)='" . strtolower($loginid) . "' AND `password`='$password'";
    $result = mysql_query($query, $link) or die(mysql_error());
    if (mysql_num_rows($result) >0) {
        $_SESSION['loginid'] = $_POST['loginid'];
        echo '<h1>Welcome ', $_POST['loginid'], "</h1>\n",
            '<br><a href="sessiontest.php">click here</a>';
        exit;
    }
    else{
        echo "<h1>Sorry</h1><p>There is no match on our records. Please try again or register as a new user.</p>\n";
    }
}
[/syntax]
Hi Feyd, Thanks again for sticking with me and giving me this help. I have been playing around with phpMyAdmin and got this. I hope it is what you need:
[syntax="sql"]
CREATE TABLE `members` (
  `loginid` varchar(20) collate latin1_bin NOT NULL,
  `password` varchar(20) collate latin1_bin NOT NULL,
  `firstname` varchar(50) collate latin1_bin NOT NULL,
  `surname` varchar(50) collate latin1_bin NOT NULL,
  `email` varchar(50) collate latin1_bin NOT NULL,
  `trade` varchar(50) collate latin1_bin NOT NULL,
  `address1` varchar(50) collate latin1_bin NOT NULL,
  `address2` varchar(50) collate latin1_bin NOT NULL,
  `address3` varchar(50) collate latin1_bin default 'no info supplied',
  `address4` varchar(50) collate latin1_bin default 'no info supplied',
  `postzip` varchar(50) collate latin1_bin default 'no info supplied',
  `country` varchar(50) collate latin1_bin NOT NULL,
  `yearsexp` varchar(50) collate latin1_bin default 'no info supplied',
  `about` varchar(255) collate latin1_bin NOT NULL,
  `other` varchar(255) collate latin1_bin default NULL,
  PRIMARY KEY (`loginid`),
  KEY `firstname` (`firstname`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_bin
[/syntax]
I must admit, the limited time I have to learn web development has been mainly concentrated on PHP not MySQL.
Woo Hoo! That has sorted it. Thanks Everah. The varchar was set to 20 and the hash was too long to fit in so cut off short. The query couldn't match it.
That's great. Thank you guys.
BTW, when you hash something, is there a rule as to how long the hash will be in relation to the password? ie: 1 letter in a string = 5 char in a hash.
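The two mismatches in this thread, reproduced as an added example that is not code from any poster: a raw-binary digest compared against a hex one, and a 32-character MD5 hex digest cut to 20 characters by the `varchar(20)` column. `store_in_varchar()` and the sample password are assumptions made for the demonstration (PHP 7 or later); the loops at the end show that digest length is set by the algorithm and encoding, not by the input length.

```php
<?php
// Hypothetical stand-in for the members.password column: models MySQL
// cutting a value down to the column width, as happened in the thread.
function store_in_varchar(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// Length of a digest for a given algorithm and encoding (raw bytes or hex).
// The input is the empty string on purpose: the length does not depend on it.
function digest_length(string $algo, bool $raw): int
{
    return strlen(hash($algo, '', $raw));
}

// True when the digest computed at login equals the value read back
// from the column. $raw selects raw-binary (true) or hex (false) output.
function login_matches(string $stored, string $password, bool $raw): bool
{
    return hash_equals($stored, hash('md5', $password, $raw));
}

$password = 'correct horse'; // constructed sample input

// Registration stores md5() output (32 hex characters).
$stored20 = store_in_varchar(md5($password), 20); // column from the thread
$stored32 = store_in_varchar(md5($password), 32); // column wide enough

echo "varchar(20), hex digest at login: ";
var_dump(login_matches($stored20, $password, false));
echo "char(32), hex digest at login:    ";
var_dump(login_matches($stored32, $password, false));
echo "char(32), raw digest at login:    ";
var_dump(login_matches($stored32, $password, true));

// Same algorithm, very different input sizes, identical digest sizes.
foreach (['a', str_repeat('a', 1000)] as $input) {
    printf("%4d-byte input -> %d hex chars, %d raw bytes\n",
        strlen($input), strlen(md5($input)), strlen(hash('md5', $input, true)));
}

// Column width needed per algorithm, for hex and raw storage.
foreach (['md5', 'sha1', 'sha256'] as $algo) {
    printf("%-6s hex=%d raw=%d\n",
        $algo, digest_length($algo, false), digest_length($algo, true));
}
```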