
MD5 Password Encryption ..

Posted: Sat Sep 20, 2008 1:56 pm
by pavanpuligandla
Hi...
I've encrypted my password and inserted it into the database table, but when I try to retrieve it I'm getting a login failure. I'm herewith posting my source code; kindly go through this and do the needful.
The passwords inserted are being successfully MD5 encrypted, but when I'm matching the password entered in the form with the original MD5 password in the database, I'm unable to log in.

Code:

<?php

//Connect to mysql server
$link = mysql_connect("localhost", "root", "");
if (!$link) {
    die('Failed to connect to server: ' . mysql_error());
}
//Select database
$db = mysql_select_db("trrcollege");
if (!$db) {
    die("Unable to select database");
}

//Sanitize the value received from login field
//to prevent SQL Injection
if (!get_magic_quotes_gpc()) {
    $username = mysql_real_escape_string($_POST['username']);
} else {
    $username = $_POST['username'];
}

$username = $_POST["username"];
$password = md5($_POST["password"]);

//Create query
$query = "SELECT * FROM login WHERE username='" . mysql_real_escape_string($username) . "' AND password='" . md5($_POST['password']) . "'";

//require_once('attempt.log.class.php');
$result = mysql_query($query);
$rows2 = mysql_fetch_array($result);
if ($rows2["password"] == $password && $rows2["username"] == $username) {
    if (mysql_num_rows($result) > 0) {
        //Login Successful
        session_start();
        $start = time();
        $_SESSION['time_start'] = $start;
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;
        $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
        session_register('username');
        session_register('password');
        session_register('time_start');
        session_regenerate_id();
        session_write_close();
        include "session.php";
        include "scsession.php";
        include("class_session.inc.php");
        header("Location: redirect.php");
        exit();
    } else {
        //Login failed
        require_once('attempt.log.class.php');
        session_unset();
        session_destroy();
        header("location: loginfail.htm");
        exit();
    }
} else {
    require_once('attempt.log.class.php');
    session_unset();
    session_destroy();
    header("location: loginfail.htm");
}

?>
Kindly do the needful. Awaiting your reply, guys.

Re: MD5 Password Encryption ..

Posted: Sat Sep 20, 2008 2:47 pm
by jaoudestudios
MD5 is not a secure encryption method!!! It might have been 15 years ago.

Don't know why you have this ...

Code:

if($rows2["password"] == $password && $rows2["username"] == $username )
As no results will return if the above condition is not satisfied as you have it in your SQL query.

Why do you do mysql_real_escape_string on the $username twice? There is no need, the second time you have used it in the mysql query is sufficient.

Try using trim on $username & $password and when you register too. As your data in your database might have spaces at the beginning or end and this could cause a problem.

Re: MD5 Password Encryption ..

Posted: Sat Sep 20, 2008 2:52 pm
by pavanpuligandla
Hi..
That line is to match the entered password with that of the password field of the table. (If I omit that condition then I'm getting an error; I mean the second else is getting executed even though I enter the right credentials.)
And no, there are no spaces, I'm sure.

Re: MD5 Password Encryption ..

Posted: Sat Sep 20, 2008 3:16 pm
by pavanpuligandla
Hi..
Can anyone suggest to me the new way of protecting my passwords?
I'll be thankful if anyone can provide me any working script for those methods.
Many thanks,
Pavan.P

Re: MD5 Password Encryption ..

Posted: Sat Sep 20, 2008 3:41 pm
by jaoudestudios
Take a look at this for encryption, it is suitable for passwords but not for credit cards.
http://www.forum.jaoudestudios.com/view ... ?f=13&t=14

Re: MD5 Password Encryption ..

Posted: Sat Sep 20, 2008 3:59 pm
by arjan.top
@pavanpuligandla:
Look at this: viewtopic.php?f=34&t=62782&start=0
jaoudestudios wrote: Take a look at this for encryption, it is suitable for passwords but not for credit cards.
http://www.forum.jaoudestudios.com/view ... ?f=13&t=14
That's totally wrong.

Re: MD5 Password Encryption ..

Posted: Sat Sep 20, 2008 6:03 pm
by jaoudestudios
It is an old method and using ECB, but simple for beginners.

I will read the link you have provided.
Thanks

Re: MD5 Password Encryption ..

Posted: Sat Sep 20, 2008 6:09 pm
by jaoudestudios
Great article!

Goes into a lot of detail on encryption.

Thanks :)

Re: MD5 Password Encryption ..

Posted: Sun Sep 21, 2008 12:11 am
by pavanpuligandla
Thanks for your reply, boss.
Can you provide me any working code for that? I'm trying on my own using hash functions.
Many thanks,
pavan.p

Re: MD5 Password Encryption ..

Posted: Sun Sep 21, 2008 4:11 am
by arjan.top
jaoudestudios wrote: It is an old method and using ECB, but simple for beginners.

I will read the link you have provided.
Thanks
Two-way encryption for passwords is wrong.

Re: MD5 Password Encryption ..

Posted: Sun Sep 21, 2008 4:38 am
by jaoudestudios
Yes good point!

Re: MD5 Password Encryption ..

Posted: Sun Sep 21, 2008 8:06 am
by pavanpuligandla
@arjan.top,
Can you post the source for encrypting passwords?
Many thanks,
pavan.p

Re: MD5 Password Encryption ..

Posted: Sun Sep 21, 2008 10:47 am
by Mordred
1. Post the registration code, maybe you're not MD5-ing it the same way? Read the article already linked for details on hashing and salting. Print the values from the database and the ones coming from the form, so you can compare them "visually"

2. SQL injection on $_POST['password']
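
Salted one-way hashing with parameterized queries, the two points raised in the replies above, shown as an added example that is not code from any poster. It assumes PHP 5.5+ for `password_hash()`/`password_verify()` and uses an in-memory SQLite database through PDO in place of the thread's MySQL `login` table; the function names `register_user` and `check_login` and the sample accounts are hypothetical.

```php
<?php
// Added example: salted one-way password hashing with prepared statements.
// Assumption: pdo_sqlite is available; SQLite stands in for the MySQL table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The password column must hold the whole hash string; 255 leaves room
// for whatever algorithm PASSWORD_DEFAULT selects in later PHP versions.
$pdo->exec('CREATE TABLE login (
    username VARCHAR(64)  PRIMARY KEY,
    password VARCHAR(255) NOT NULL
)');

function register_user(PDO $pdo, $username, $password)
{
    // password_hash() generates a random salt and embeds it, together with
    // the algorithm and cost, in the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $pdo->prepare('INSERT INTO login (username, password) VALUES (?, ?)');
    $stmt->execute(array($username, $hash));
}

function check_login(PDO $pdo, $username, $password)
{
    // Select by username only; the hash is never compared inside the query.
    $stmt = $pdo->prepare('SELECT password FROM login WHERE username = ?');
    $stmt->execute(array($username));
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }
    // Re-derives the hash with the stored salt and compares in constant time.
    return password_verify($password, $stored);
}

// Constructed sample accounts; the second name contains a quote character.
register_user($pdo, 'pavan', 'correct horse battery');
register_user($pdo, "o'neil", 's3cond-passphrase');

var_dump(check_login($pdo, 'pavan', 'correct horse battery'));
var_dump(check_login($pdo, 'pavan', 'wrong guess'));
var_dump(check_login($pdo, "o'neil", 's3cond-passphrase'));
var_dump(check_login($pdo, 'nobody', 'anything'));
```

Because each stored string carries its own salt, two users with the same password get different values in the table, which a bare `md5()` or `sha1()` call does not provide.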

Re: MD5 Password Encryption ..

Posted: Sun Sep 21, 2008 1:38 pm
by pavanpuligandla
@ mordred.

Username Password Insertion to the table:

Code:

<?php

//Connect to mysql server
$link = mysql_connect("localhost", "root", "");
if (!$link) {
    die('Failed to connect to server: ' . mysql_error());
}
//Select database
$db = mysql_select_db("tge");
if (!$db) {
    die("Unable to select database");
}

$username = $_POST["username"];
$password = $_POST['password'];
$encrypt = sha1($password);

$sql = "INSERT INTO login (username, password) VALUES ('" . $username . "', '" . $encrypt . "')";
mysql_query($sql) or die(mysql_error());
echo $sql;
?>
     
Here I'm using sha1, and when I try to retrieve it during login, I'm getting an error. Below is my logincheck.php code.

Code:

<?php

//Connect to mysql server
$link = mysql_connect("localhost", "root", "");
if (!$link) {
    die('Failed to connect to server: ' . mysql_error());
}
//Select database
$db = mysql_select_db("tge");
if (!$db) {
    die("Unable to select database");
}

$username = $_POST["username"];
$password = $_POST['password'];
$encrypt = sha1($password);

$query = "SELECT * FROM login WHERE username='" . mysql_real_escape_string($username) . "' AND password='" . mysql_real_escape_string($encrypt) . "'";

//require_once('attempt.log.class.php');
$result = mysql_query($query);
$rows2 = mysql_fetch_array($result);
if ($rows2["password"] == $encrypt && $rows2["username"] == $username) {
    if (mysql_num_rows($result) > 0) {
        //Login Successful
        session_start();
        $start = time();
        $_SESSION['time_start'] = $start;
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $encrypt;
        $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
        session_register('username');
        session_register('password');
        session_register('time_start');
        session_regenerate_id();
        session_write_close();
        include "session.php";
        include "scsession.php";
        include("class_session.inc.php");
        header("Location: redirect.php");
        exit();
    } else {
        //Login failed
        require_once('attempt.log.class.php');
        session_unset();
        session_destroy();
        header("location: loginfail.htm");
        exit();
    }
} else {
    require_once('attempt.log.class.php');
    session_unset();
    session_destroy();
    header("location: loginfail.htm");
}

?>
Please help me out, boss.
Many thanks,
pavan.p

Re: MD5 Password Encryption ..

Posted: Sun Sep 21, 2008 2:29 pm
by pavanpuligandla
Hi Mordred,
I've printed the password. Actually, in my database I set the password field's size to 15, but after sha1'ing the password, my table is storing only 15 characters out of 40, so I'm getting a mismatch of passwords. Now I changed my password field to 40 and I'm not getting any errors.
But why is it creating a 40-character-length string only?
Anyhow, thanks Mordred for your valuable suggestions. Awaiting your reply to my query.

string stored in table : 8f283033e9f9f92 (15)
string printed : 8f283033e9f9f92e5d84f48263e1d344fdd4339e (40)
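
On the 40-character question: SHA-1 always produces a 160-bit digest, and each hex character encodes 4 bits, so the hex form is always 40 characters whatever the password length. The following added example (not code from any poster; the function names are hypothetical) automates the visual comparison suggested earlier in the thread, using the two strings from the post above plus constructed variants.

```php
<?php
// Added example: explain why a stored hash differs from the computed one.

// Hex digest length of an algorithm (4 bits per hex character):
// md5 = 128 bits = 32 chars, sha1 = 160 bits = 40 chars.
function hex_digest_length($algo)
{
    return strlen(hash($algo, ''));
}

// Classify the mismatch between the value read from the table and the
// digest computed from the submitted password.
function diagnose_hash_mismatch($stored, $computed)
{
    if ($stored === $computed) {
        return 'match';
    }
    if (trim($stored) === $computed) {
        return 'stored value has leading or trailing whitespace';
    }
    if (strcasecmp($stored, $computed) === 0) {
        return 'same digest, different letter case';
    }
    $len = strlen($stored);
    if ($len > 0 && $len < strlen($computed)
        && strncmp($computed, $stored, $len) === 0) {
        return sprintf('stored value truncated to %d of %d characters; widen the column',
            $len, strlen($computed));
    }
    return 'different digest (other password, algorithm or salt)';
}

// The two strings quoted in the post above.
$stored  = '8f283033e9f9f92';
$printed = '8f283033e9f9f92e5d84f48263e1d344fdd4339e';

foreach (array('md5', 'sha1', 'sha256') as $algo) {
    printf("%-7s hex digest needs %d characters\n", $algo, hex_digest_length($algo));
}
echo diagnose_hash_mismatch($stored, $printed), "\n";
echo diagnose_hash_mismatch($printed . ' ', $printed), "\n"; // constructed: padded copy
echo diagnose_hash_mismatch($printed, $printed), "\n";
```

MySQL cuts an oversized string to the column width with only a warning when strict SQL mode is off; with strict mode enabled the INSERT is rejected, which surfaces this kind of schema mistake at registration time instead of at login.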