
View Full Version : MD5 problem



hans_cellc
10-17-2012, 03:09 PM
I have the following form:


<form name="form1" method="post" action="login.php">
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr align="center"><td colspan="2" style="font-size: 120%;"><strong>Member Login </strong></td></tr>
<tr><td align="right" width="100">Username:</td><td align="center" width="235"><input name="myusername" type="text" id="myusername" size="20" maxlength="6" /></td></tr>
<tr><td align="right">Password:</td><td align="center"><input name="mypassword" type="password" id="mypassword" size="20" maxlength="6" /></td></tr>
<tr><td>&nbsp</td><td align="center"><input type="submit" name="Submit" value="Log me in"></td></tr>
</table>
</form>

With the following code to check login:


<?PHP
// Initialize session
session_start();

// Import the connect to DB code as required as we need it and cannot continue without it.
require 'connect_db.php';

?>

<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Logging in - 48323934 - ICT 2613</title>
<meta name="Description" content="PHP ICT2613 Exam Assignment. 48323934 - Logging in " />
<meta http-equiv="content-language" content="en-za" />
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<meta name="Author" content="S.J. Fouche, Student number: 48323934" />
<meta name="HandheldFriendly" content="True" />
<!-- Link to the external style sheet (CSS) -->
<link rel="stylesheet" type="text/css" href="my_css.css" />
<!-- Link to the external javascript file -->
<script type="text/javascript" src="my_javascript.js"></script>

</head>

<body>
<!-- Used the include feature for the header and links on all pages -->
<?PHP require "header.txt" ?>

<!-- Setup image -->
<table width="640" height="350" align="center" cellpadding="0" cellspacing="1">
<tr align="center"><td><img src="site_graphics/controls.jpg" alt="Control Background" width="600" height="300" /></td></tr>
</table>

<!-- PHP Coding -->
<?PHP
// Code below will create Code link at the center and bottom of the page
echo("<p style='position:absolute; bottom:5px; left:49%;'><a href='javascript: logincode()'>Code</a></p>")
?>

</body>
</html>

<?PHP

<?PHP
// Initialize session
session_start();

// Import the connect to DB code as required as we need it and cannot continue without it.
require 'connect_db.php';

?>

<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Logging in - 48323934 - ICT 2613</title>
<meta name="Description" content="PHP ICT2613 Exam Assignment. 48323934 - Logging in " />
<meta http-equiv="content-language" content="en-za" />
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<meta name="Author" content="S.J. Fouche, Student number: 48323934" />
<meta name="HandheldFriendly" content="True" />
<!-- Link to the external style sheet (CSS) -->
<link rel="stylesheet" type="text/css" href="my_css.css" />
<!-- Link to the external javascript file -->
<script type="text/javascript" src="my_javascript.js"></script>

</head>

<body>
<!-- Used the include feature for the header and links on all pages -->
<?PHP require "header.txt" ?>

<!-- Setup image -->
<table width="640" height="350" align="center" cellpadding="0" cellspacing="1">
<tr align="center"><td><img src="site_graphics/controls.jpg" alt="Control Background" width="600" height="300" /></td></tr>
</table>

<!-- PHP Coding -->
<?PHP
// Code below will create Code link at the center and bottom of the page
echo("<p style='position:absolute; bottom:5px; left:49%;'><a href='javascript: logincode()'>Code</a></p>")
?>

</body>
</html>

<?PHP

// username and password sent from form
// My username and passwords are case sensitive and are not making use of: strtolower or strtoupper
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
echo $mypassword.'<br />';
// To protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
echo $mypassword.'<br />';
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
echo $mypassword.'<br />';

/* With my research on Google re PHP and passwords I came across this neat little encryption trick for passwords. I have changed my database password varchar to 32 characters
instead of 6 characters as specified to accommodate this feature, as an MD5 hash generates a 32 character hash, which by itself is pretty interesting as well. This is a 128 bit
encryption and therefore should only generate 16 characters, but it makes use of hexadecimal, therefore the 32 characters */
$password_hash = md5($mypassword);
echo $password_hash;


// Table name variable
$tb_name = "tb_user";

// Set the Query within a variable
// I have used SELECT 'id' instead of SELECT * as it speeds up the search especially if you have thousands of users
$query = "SELECT 'id' FROM $tb_name WHERE username='$myusername' AND password='$password_hash'";
$result = mysql_query($query);

// Mysql_num_row is counting table row
$count = mysql_num_rows($result);

// Create a if statement to check if results returned and if not to display an error
// I have created these messages with window.alert and window.confirm just to be snazzy
// I am able to refer back to the index.php on both conditions as there is a conditional to change the menu links if user logged in.
if($count == 1) {
// Register $myusername and redirect to file "securepage.php"
// Set myusername session variable
$_SESSION['myusername'] = $_POST['myusername'];
$username = $_SESSION['myusername'];
echo "(<script type='text/javascript'>
window.alert(\"Welcome $username you are successfully logged in.\")
window.location.href='index.php';
</script>)";
}
else {
// else if incorrect ask user if they wish to register or try again
echo "(<script type='text/javascript'>
if (window.confirm('Username or Password INCORRECT! Press OK to Register a new user or CANCEL to try again.'))
window.location.href='register.php';
else
window.location.href='index.php';
</script>)";
}

?>


// Table name variable
$tb_name = "tb_user";

// Set the Query within a variable
// I have used SELECT 'id' instead of SELECT * as it speeds up the search especially if you have thousands of users
$query = "SELECT 'id' FROM $tb_name WHERE username='$myusername' AND password='$password_hash'";
$result = mysql_query($query);

// Mysql_num_row is counting table row
$count = mysql_num_rows($result);

// Create a if statement to check if results returned and if not to display an error
// I have created these messages with window.alert and window.confirm just to be snazzy
// I am able to refer back to the index.php on both conditions as there is a conditional to change the menu links if user logged in.
if($count == 1) {
// Register $myusername and redirect to file "securepage.php"
// Set myusername session variable
$_SESSION['myusername'] = $_POST['myusername'];
$username = $_SESSION['myusername'];
echo "(<script type='text/javascript'>
window.alert(\"Welcome $username you are successfully logged in.\")
window.location.href='index.php';
</script>)";
}
else {
// else if incorrect ask user if they wish to register or try again
echo "(<script type='text/javascript'>
if (window.confirm('Username or Password INCORRECT! Press OK to Register a new user or CANCEL to try again.'))
window.location.href='register.php';
else
window.location.href='index.php';
</script>)";
}

?>

I have added the echo statement to try and see what is happening, but the password stays right before the md5.
When I echo the $password_hash it adds a ( at the end. I can't understand why.

Am I doing something wrong?

I have tried the code separately as follows and it does not add the (


<?PHP
if (isset($_POST['myusername']) && isset($_POST['mypassword'])) {
// username and password sent from form
// My username and passwords are case sensitive and are not making use of: strtolower or strtoupper
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
echo $mypassword.'<br />';
// To protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
echo $mypassword.'<br />';
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
echo $mypassword.'<br />';

/* With my research on Google re PHP and passwords I came across this neat little encryption trick for passwords. I have changed my database password varchar to 32 characters
instead of 6 characters as specified to accommodate this feature, as an MD5 hash generates a 32 character hash, which by itself is pretty interesting as well. This is a 128 bit
encryption and therefore should only generate 16 characters, but it makes use of hexadecimal, therefore the 32 characters */
$password_hash = md5($mypassword);
echo $password_hash;
}
?>

<form name="form1" method="post" action="password2.php">
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr align="center"><td colspan="2" style="font-size: 120%;"><strong>Member Login </strong></td></tr>
<tr><td align="right" width="100">Username:</td><td align="center" width="235"><input name="myusername" type="text" id="myusername" size="20" maxlength="6" /></td></tr>
<tr><td align="right">Password:</td><td align="center"><input name="mypassword" type="password" id="mypassword" size="20" maxlength="6" /></td></tr>
<tr><td>&nbsp</td><td align="center"><input type="submit" name="Submit" value="Log me in"></td></tr>
</table>
</form>

hans_cellc
10-17-2012, 06:40 PM
OK don't worry got it, the () brackets around the script within PHP caused the problem.

tangoforce
10-17-2012, 07:15 PM
Don't be offended, this code needs to be completely re-written with error reporting turned on.

I've put my comments in your code below.




<?PHP
// Initialize session
session_start();

// Import the connect to DB code as required as we need it and cannot continue without it.
require 'connect_db.php';

?>

<!DOCTYPE html PUBLIC.. etc

<?PHP //PHP opening tag

<?PHP //What the? - Another one? - This code shouldn't work.
// Initialize session
session_start(); //You shouldn't be using this twice especially after html output has begun - This just shows you have error reporting turned off.

// Import the connect to DB code as required as we need it and cannot continue without it.
require 'connect_db.php';

?>

<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Logging in - 48323934 - ICT 2613</title>
<meta name="Description" content="PHP ICT2613 Exam Assignment. 48323934 - Logging in " />
<meta http-equiv="content-language" content="en-za" />
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<meta name="Author" content="S.J. Fouche, Student number: 48323934" />
<meta name="HandheldFriendly" content="True" />
<!-- Link to the external style sheet (CSS) -->
<link rel="stylesheet" type="text/css" href="my_css.css" />
<!-- Link to the external javascript file -->
<script type="text/javascript" src="my_javascript.js"></script>

</head>

<body>
<!-- Used the include feature for the header and links on all pages -->
<?PHP require "header.txt" ?>

<!-- Setup image -->
<table width="640" height="350" align="center" cellpadding="0" cellspacing="1">
<tr align="center"><td><img src="site_graphics/controls.jpg" alt="Control Background" width="600" height="300" /></td></tr>
</table>

<!-- PHP Coding -->
<?PHP
// Code below will create Code link at the center and bottom of the page
echo("<p style='position:absolute; bottom:5px; left:49%;'><a href='javascript: logincode()'>Code</a></p>")
?>

</body>
</html>

<?PHP

// username and password sent from form
// My username and passwords are case sensitive and are not making use of: strtolower or strtoupper
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
echo $mypassword.'<br />';
// To protect MySQL injection
$myusername = stripslashes($myusername); //Don't just use strip slashes
$mypassword = stripslashes($mypassword); //Check for magic quotes first.


I've not checked the rest as it looks like you need to learn the basics about a few things first, such as keeping PHP and HTML separate :thumbsup:

session_start() must be used before ANY output and should only be used once (ok you can use it more than once but only when you really know what you're doing and how it will work behind the scenes etc).

At one point you have TWO <?php opening tags :eek:

hans_cellc
10-17-2012, 08:21 PM
Thanks a mil, I don't know what happened. I think my copy and paste got mixed up; it was only in once.
How should I change the coding for the magic quotes?

Below my code:

config.php

<?PHP

// Initialize session
ob_start();
session_start();

// Create a function to shorten code on other pages to check if SESSION isset
function loggedin() {
if (isset($_SESSION['myusername'])) {
return true;
}
else {
return false;
}
}

?>

connect_db.php

<?PHP
// I am setting all my variables to make it easier to change code at a later stage by just changing the variables
$mysql_host = "localhost";
$mysql_user = "root";
$mysql_passw = "";
$mysql_db = "games";

// Using an if statement with the not inside that if the DB does not exist or could not connect
// it will die with an error message as per the variable, I used the @ sign to silence the normal error message
if (!@mysql_connect($mysql_host, $mysql_user, $mysql_passw) OR !@mysql_select_db($mysql_db)) {
// If no such database found pop up error
echo ("<script type='text/javascript'>
window.alert('Could not connect to Database');
window.location.href = 'index.php';
</script>");
}

?>

header.txt

<h1 style="font-size: 400%; font-family: Forte, Verdana, Arial, Helvetica, sans-serif; color: #000000; margin-top: -7px;" align="center">CONSOLE GAMES FOR SALE</h1>
<h1 style="font-size: 300%; font-family: Forte, Verdana, Arial, Helvetica, sans-serif; color: #FF0000; margin-top: -20px;" align="center">PS2 - PS3 - Wii - X-BOX</h1><br />

<!-- Links -->
<table width="100%" style = "margin-top: -25px;">
<tr align="center"><td ><h3 style = "margin-top: -5px; margin-bottom: 1px;"><a href="http://127.0.0.1/exam/index.php" name="top">Home Page</a> | <a href="http://127.0.0.1/exam/insert.php">Insert</a> |
<a href="http://127.0.0.1/exam/list.php">List</a> | <a href="http://127.0.0.1/exam/source_code.php">Source Codes</a> | <a href="http://127.0.0.1/exam/register.php">Register</a> |
<a href="#" onclick="showDiv()">Login</a></h3></td></tr></table>

<h2 style="color: yellow; font-family: Verdana, Arial, Helvetica, sans-serif;" align="center">Members Only</h2>

<!-- Insert a horizontal line (ruler) -->
<hr /><br />

header_secure.txt

<h1 style="font-size: 400%; font-family: Forte, Verdana, Arial, Helvetica, sans-serif; color: #000000; margin-top: -7px;" align="center">CONSOLE GAMES FOR SALE</h1>
<h1 style="font-size: 300%; font-family: Forte, Verdana, Arial, Helvetica, sans-serif; color: #FF0000; margin-top: -20px;" align="center">PS2 - PS3 - Wii - X-BOX</h1><br />

<!-- Links -->
<table width="100%" style = "margin-top: -25px;">
<tr align="center"><td ><h3 style = "margin-top: -5px; margin-bottom: 1px;"><a href="http://127.0.0.1/exam/index.php" name="top">Home Page</a> |
<a href="http://127.0.0.1/exam/insert.php">Insert</a> | <a href="http://127.0.0.1/exam/list.php">List</a>|
<a href="http://127.0.0.1/exam/source_code.php">Source Codes</a> | Welcome: <strong><?php echo $_SESSION['myusername']; ?></strong> | <a href="logout.php">Logout</a></h3></td></tr></table>

<h2 style="color: yellow; font-family: Verdana, Arial, Helvetica, sans-serif;" align="center">Members Zone</h2>

<!-- Insert a horizontal line (ruler) -->
<hr /><br />

login.php

<?PHP
require "config.php";

// Import the connect to DB code as required as we need it and cannot continue without it.
require "connect_db.php";

?>

<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Logging in - 48323934 - ICT 2613</title>
<meta name="Description" content="PHP ICT2613 Exam Assignment. 48323934 - Logging in " />
<meta http-equiv="content-language" content="en-za" />
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<meta name="Author" content="S.J. Fouche, Student number: 48323934" />
<meta name="HandheldFriendly" content="True" />
<!-- Link to the external style sheet (CSS) -->
<link rel="stylesheet" type="text/css" href="my_css.css" />
<!-- Link to the external javascript file -->
<script type="text/javascript" src="my_javascript.js"></script>

</head>

<body>
<!-- Used the include feature for the header and links on all pages -->
<?PHP require "header.txt" ?>

<!-- Setup image -->
<table width="640" height="350" align="center" cellpadding="0" cellspacing="1">
<tr align="center"><td><img src="site_graphics/controls.jpg" alt="Control Background" width="600" height="300" /></td></tr>
</table>

<!-- PHP Coding -->
<?PHP
// Code below will create Code link at the center and bottom of the page
echo("<p style='position:absolute; bottom:5px; left:49%;'><a href='javascript: logincode()'>Code</a></p>")
?>

</body>
</html>

<?PHP

// username and password sent from form
// My username and passwords are case sensitive and are not making use of: strtolower or strtoupper
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// echo $mypassword.'<br />'; This was my test code
// To protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
// echo $mypassword.'<br />'; This was my test code
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
// echo $mypassword.'<br />'; This was my test code

/* With my research on Google re PHP and passwords I came across this neat little encryption trick for passwords. I have changed my database password varchar to 32 characters
instead of 6 characters as specified to accommodate this feature, as an MD5 hash generates a 32 character hash, which by itself is pretty interesting as well. This is a 128 bit
encryption and therefore should only generate 16 characters, but it makes use of hexadecimal, therefore the 32 characters */
$password_hash = md5($mypassword);
// echo $password_hash; This was my test code


// Table name variable
$tb_name = "tb_user";

// Set the Query within a variable
// I have used SELECT 'id' instead of SELECT * as it speeds up the search especially if you have thousands of users
$query = "SELECT 'id' FROM $tb_name WHERE username='$myusername' AND password='$password_hash'";
$result = mysql_query($query);

// Mysql_num_row is counting table row
$count = mysql_num_rows($result);

// Create a if statement to check if results returned and if not to display an error
// I have created these messages with window.alert and window.confirm just to be snazzy
// I am able to refer back to the index.php on both conditions as there is a conditional to change the menu links if user logged in.
if($count == 1) {
// Register $myusername and redirect to file "securepage.php"
// Set myusername session variable
$_SESSION['myusername'] = $_POST['myusername'];
$username = $_SESSION['myusername'];
echo ("<script type='text/javascript'>
window.alert(\"Welcome $username you are successfully logged in.\")
window.location.href='index.php';
</script>");
}
else {
// else if incorrect ask user if they wish to register or try again
echo ("<script type='text/javascript'>
if (window.confirm('Username or Password INCORRECT! Press OK to Register a new user or CANCEL to try again.'))
window.location.href='register.php';
else
window.location.href='index.php';
</script>");
}

?>
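
Added example (not part of any post in this thread and not the poster's code): a login check for the tb_user table that binds the username through a prepared statement instead of stripslashes()/mysql_real_escape_string(), and replaces each stored MD5 digest with a password_hash() value at that user's next successful login. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL "games" database, the password column is wider than 32 characters, the sample users are constructed, and check_login() is a hypothetical name.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for the
// MySQL "games" database (assumption); with MySQL only the PDO DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password_hash() output is longer than an MD5 hex digest, so the column
// has to be wider than the 32 characters chosen in the thread.
$pdo->exec('CREATE TABLE tb_user (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password VARCHAR(255))');

// Constructed sample rows: one legacy MD5 digest, one already migrated.
$ins = $pdo->prepare('INSERT INTO tb_user (username, password) VALUES (?, ?)');
$ins->execute(['alice', md5('abc123')]);
$ins->execute(['bob', password_hash('s3cret', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: returns the user id on success, null on failure.
 * Legacy MD5 rows are verified once, then rewritten with password_hash().
 */
function check_login(PDO $pdo, string $username, string $password): ?int
{
    // The placeholder keeps user input out of the SQL text. Nothing is
    // escaped or stripped, so the password is hashed exactly as typed.
    $stmt = $pdo->prepare('SELECT id, password FROM tb_user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $stored = $row['password'];
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);

    // hash_equals() compares in constant time; password_verify() reads the
    // algorithm, cost and salt from the stored string itself.
    $ok = $isLegacyMd5
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);
    if (!$ok) {
        return null;
    }
    // Upgrade legacy or outdated hashes while the plaintext is available.
    if ($isLegacyMd5 || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE tb_user SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

var_dump(check_login($pdo, 'alice', 'abc123'));  // legacy row: verified, then upgraded
var_dump(check_login($pdo, 'alice', 'wrong'));   // wrong password
var_dump(check_login($pdo, "o'brien", 'abc123')); // quote in the name is plain data
var_dump(check_login($pdo, 'bob', 's3cret'));    // row already using password_hash()

// After the first successful login the stored value is no longer an MD5 digest.
$hash = $pdo->query("SELECT password FROM tb_user WHERE username = 'alice'")->fetchColumn();
var_dump(strlen($hash) > 32 && password_verify('abc123', $hash));
```

Rows that never log in again keep their MD5 digest, so a real migration also needs a cut-off after which those accounts go through a password reset.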

tangoforce
10-17-2012, 08:46 PM
This is my way of doing it - I only check for gpc magic quotes



if (get_magic_quotes_gpc())
{
foreach($_POST as $Key => $Value)
{
$_POST[$Key] = (is_string($Value)) ? stripslashes($Value) : $Value;
}
}


