...

View Full Version : A question about encoding(md5)



asmon
08-08-2007, 06:32 PM
I have a registration form and i use md5 to encode the password.
the problem is, if i type a password longer than 10 characters, it encodes
only the first 10 characters.
therefore the following password: 1234567890 when it's being encoded will
be the same as 123456789012345

at first i thought it has something to do with the md5() function
but when i encode the password the user has typed, it encodes all of it so the passwords doesn't match the one in the database.
i can just allow a registration with 10 chars max but i still want to know why it's happening.

do you know what i am talking about or should i post the "register" and "check login" code?

whizard
08-08-2007, 06:54 PM
You should post the code

Dan

asmon
08-08-2007, 07:22 PM
registration



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Untitled Page</title>
<link href="StyleSheet.css" rel="stylesheet" type="text/css" />
</head>
<body>
<?php

include("config/db_config.php");
?>
<div id="MPMain">




<div id="MPLogo">
<?php
include("logo.php");
?>
</div>




<div id="MPMenu">

<?php
include("menu.php");
?>


</div>

<div id="MPContent">















<?php


$conn = mysql_connect ($host, $dbusername, $dbpassword);
$db_select = mysql_select_db("$db_name",$conn);
if (!$db_select){
die ("Could not select the database: <br />". mysql_error());
}


//This code runs if the form has been submitted
if (isset($_POST['submit'])) {

//This makes sure they did not leave any fields blank
if (!$_POST['username'] | !$_POST['pass'] | !$_POST['pass2'] ) {
die('You did not complete all of the required fields');
}





// sql injection protection //
$username = mysql_real_escape_string($_POST['username']);
$pass = md5($_POST['pass']);
$pass2 = md5($_POST['pass2']);


// checks if the username is in use
$check = mysql_query("SELECT username FROM users WHERE username = '$username'")

or die(mysql_error());
$check2 = mysql_num_rows($check);




//if the name exists it gives an error
if ($check2 != 0) {
die('Sorry, the username '.$_POST['username'].' is already in use.');
}


// this makes sure both passwords entered match
if ($pass != $pass2) {
die('Your passwords did not match.');
}


if (getenv('HTTP_X_FORWARDED_FOR'))
{
$ip = getenv('HTTP_X_FORWARDED_FOR');
if ($ip == '')
{
$ip = getenv('REMOTE_ADDR');
}
}
else
{
$ip = getenv('REMOTE_ADDR');
}





$date = DATE('Y-m-d');
// now we insert it into the database
if($insert = "INSERT INTO users (username, password, ip, reg_date)
VALUES ('$username', '$pass' ,'$ip', '$date')" )
$add_member = mysql_query($insert);
{



?>


<h1>Registered</h1>
<p>Thank you, you have registered - you may now login</a>.</p>



<?php
}
}
else
{
?>


<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<table border="0">
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="60">
</td></tr>
<tr><td>First name:</td><td>
<input type="text" name="privatename" maxlength="60">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="pass" maxlength="10">
</td></tr>
<tr><td>Retype Password:</td><td>
<input type="password" name="pass2" maxlength="10">
</td></tr>
<tr><td>Mail: </td><td>
<input type="text" name="1" maxlength="60"> <font color=red>(must be valid)</font>
</td></tr>
<tr><td>Retpy Mail:</td><td>
<input type="text" name="2" maxlength="60">
</td></tr>
<tr><td>Gender:</td><td>
MALE<input type="radio" name="gender" value= "male" maxlength="60">
FEMALE<input type="radio" name="gender" value="female" maxlength="60">
</td></tr>
<tr><th colspan=2><input type="submit" name="submit" value="Register"></th></tr> </table>
</form>

<?php
}
?>




</div>



</div>
</body>
</html>


the page which checks if the user\password is correct.


<?php



include("cgi-bin/db_config.php");
$conn = mysql_connect ($host, $dbusername, $dbpassword);
$db_select = mysql_select_db("$db_name",$conn);
if (!$db_select){
die ("Could not select the database: <br />". mysql_error());
}

//if the login form is submitted
if (isset($_POST['submit'])) {

// makes sure they filled it in
if(!$_POST['username'] | !$_POST['pass']) {
die('You did not fill in a required field.');
}

//sql injection protection
$testingerror= $_POST['pass'];
$_POST['pass'] = md5($_POST['pass']);
$_POST['username'] = mysql_real_escape_string($_POST['username']);
$username = $_POST['username'];
// checks it against the database
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());

//Gives error if user dosen't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
die('That user does not exist in our database.
<a href=registration.php>Click Here to Register</a>');
}
while($info = mysql_fetch_array( $check ))
{



//gives error if the password is wrong
if ($_POST['pass'] != $info['password']) {
echo $testingerror;
}

else
{

// if login is ok then we add a cookie

$hour = time() + 3600;
setcookie(ID_my_site, $_POST['username'], $hour);
setcookie(Key_my_site, $_POST['pass'], $hour);
$date = DATE('Y-m-d');
$update = "UPDATE users SET last_date='$date' WHERE username=$username";

mysql_query($update, $conn);
//then redirect them to the members area
header("Location: main.php");
}
}
}
else
{
echo("error 101");
}

?>


here's a screen shot where you can see the problem.
http://img453.imageshack.us/img453/1102/3434dp6.jpg
i used the same password as the username but just the last one is correct since
it's a 10 chars password.

the problem is with the registration since when i encode the password the user has typed in the login form, it encodes the whole password (what causes a "wrong password" error)

it's my first registration\login script so if you see any other things i should fix, i would like to know.

PappaJohn
08-08-2007, 08:09 PM
<tr><td>Password:</td><td>
<input type="password" name="pass" maxlength="10">
</td></tr>
<tr><td>Retype Password:</td><td>
<input type="password" name="pass2" maxlength="10">



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum