Armondo
03-24-2007, 07:12 PM
i have been messing around with my little login/user system for a while now...and i have already done various security fixes such as email validation and password confirmation...but i recently realized that i need to encrypt the passwords the user sends in. i tried this: $password = sha1(md5($password)); and it successfully encrypts it! but...er...i have no idea how to un-encrypt it when you login...the script is at: www.flashanims.com
here be me codes
sendit (sends the register data to the db):
<?
//replace username and password with your mysql name and password
$conn = mysql_connect("p41mysql5.secureserver.net","flashanims_db","allnumeric132");
//select the database
$db = mysql_select_db("flashanims_db");
$username = $_POST["username"];
$password = $_POST["password"];
$email = $_POST["email"];
$password2 = $_POST["password2"];
$email2 = $_POST["email2"];
function check_email_address($email) {
// First, we check that there's one @ symbol, and that the lengths are right
if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email)) {
// Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
return false;
}
// Split it into sections to make life easier
$email_array = explode("@", $email);
$local_array = explode(".", $email_array[0]);
for ($i = 0; $i < sizeof($local_array); $i++) {
if (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$", $local_array[$i])) {
return false;
}
}
if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name
$domain_array = explode(".", $email_array[1]);
if (sizeof($domain_array) < 2) {
return false; // Not enough parts to domain
}
for ($i = 0; $i < sizeof($domain_array); $i++) {
if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) {
return false;
}
}
}
return true;
}
if($email != $email2) {
print "your email addresses did not match, please go back and correct them";
exit;
}
if($password != $password2) {
print "your passwords did not match, please go back and correct them";
exit;
}
elseif($password == $password2) {
$password = sha1(md5($password));
}
if(check_email_address($email)) {
//insert the values
$result= MYSQL_QUERY("INSERT INTO users (id, username, password, email)".
"VALUES ('NULL', '$username', '$password', '$email')");
echo "<span>Your name and password have been submitted into our database! <a href=\"/comboard/login.php\">Click Here To Login</a></span>";
} else { echo"<span>oh noes...there was an error be sure to check your email address is valid!</span>"; }
?>
getin.php (login result):
<?php
$conn = mysql_connect("**","***","***");
$db = mysql_select_db("flashanims_db");
$username = $_POST["username"];
$password = $_POST["password"];
$password = sha1(md5($password));
$result = MYSQL_QUERY("SELECT * from users WHERE username='$username'and password='$password'")
or die ("Name and password not found or not matched");
$worked = mysql_fetch_array($result);
$user = $worked[username];
$password = $worked[password];
$email = $worked[email];
if($worked) {
echo "Welcome $user! Your e-mail address is $email! you are now logged in.";
$_SESSION["loggedin_user"] = $user;
$_SESSION["loggedin_user_email"] = $email;
$_SESSION["loggedin"] = "yes";
}
?>
here be me codes
sendit (sends the register data to the db):
<?
//replace username and password with your mysql name and password
$conn = mysql_connect("p41mysql5.secureserver.net","flashanims_db","allnumeric132");
//select the database
$db = mysql_select_db("flashanims_db");
$username = $_POST["username"];
$password = $_POST["password"];
$email = $_POST["email"];
$password2 = $_POST["password2"];
$email2 = $_POST["email2"];
function check_email_address($email) {
// First, we check that there's one @ symbol, and that the lengths are right
if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email)) {
// Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
return false;
}
// Split it into sections to make life easier
$email_array = explode("@", $email);
$local_array = explode(".", $email_array[0]);
for ($i = 0; $i < sizeof($local_array); $i++) {
if (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$", $local_array[$i])) {
return false;
}
}
if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name
$domain_array = explode(".", $email_array[1]);
if (sizeof($domain_array) < 2) {
return false; // Not enough parts to domain
}
for ($i = 0; $i < sizeof($domain_array); $i++) {
if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) {
return false;
}
}
}
return true;
}
if($email != $email2) {
print "your email addresses did not match, please go back and correct them";
exit;
}
if($password != $password2) {
print "your passwords did not match, please go back and correct them";
exit;
}
elseif($password == $password2) {
$password = sha1(md5($password));
}
if(check_email_address($email)) {
//insert the values
$result= MYSQL_QUERY("INSERT INTO users (id, username, password, email)".
"VALUES ('NULL', '$username', '$password', '$email')");
echo "<span>Your name and password have been submitted into our database! <a href=\"/comboard/login.php\">Click Here To Login</a></span>";
} else { echo"<span>oh noes...there was an error be sure to check your email address is valid!</span>"; }
?>
getin.php (login result):
<?php
$conn = mysql_connect("**","***","***");
$db = mysql_select_db("flashanims_db");
$username = $_POST["username"];
$password = $_POST["password"];
$password = sha1(md5($password));
$result = MYSQL_QUERY("SELECT * from users WHERE username='$username'and password='$password'")
or die ("Name and password not found or not matched");
$worked = mysql_fetch_array($result);
$user = $worked[username];
$password = $worked[password];
$email = $worked[email];
if($worked) {
echo "Welcome $user! Your e-mail address is $email! you are now logged in.";
$_SESSION["loggedin_user"] = $user;
$_SESSION["loggedin_user_email"] = $email;
$_SESSION["loggedin"] = "yes";
}
?>