  1. #1
    New Coder
    Join Date
    Apr 2007
    Posts
    18
    Thanks
    0
    Thanked 0 Times in 0 Posts

    A question about encoding(md5)

    I have a registration form and I use md5 to encode the password.
    The problem is, if I type a password longer than 10 characters, it encodes
    only the first 10 characters.
    Therefore the following password: 1234567890, when it's being encoded, will
    be the same as 123456789012345.

    At first I thought it had something to do with the md5() function,
    but when I encode the password the user has typed, it encodes all of it, so the password doesn't match the one in the database.
    I can just allow a registration with 10 chars max, but I still want to know why it's happening.

    Do you know what I am talking about, or should I post the "register" and "check login" code?

  • #2
    Senior Coder whizard's Avatar
    Join Date
    Jan 2005
    Location
    Philadelphia, PA, USA
    Posts
    1,662
    Thanks
    14
    Thanked 76 Times in 76 Posts
    You should post the code

    Dan
    PHP Tip: If you want to use short tags (<? or <?=$var) then make sure short_open_tag is set to "1". It really helps.

    Don't forget to save everyone time and mark your thread as Resolved :)

    "Also note that it is your responsibility to die() if necessary."

    DON'T USE THE MYSQL_ EXTENSION

  • #3
    New Coder
    Join Date
    Apr 2007
    Posts
    18
    Thanks
    0
    Thanked 0 Times in 0 Posts
    registration

    PHP Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

    <html xmlns="http://www.w3.org/1999/xhtml" >
    <head runat="server">
        <title>Untitled Page</title>
        <link href="StyleSheet.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
            <?php

    include("config/db_config.php");
    ?>
        <div id="MPMain">



        
         <div id="MPLogo">
         <?php
    include("logo.php");
    ?>
        </div>

        

        
        <div id="MPMenu">

    <?php
    include("menu.php");
    ?>


        </div>

            <div id="MPContent">















      <?php

    // Connect and select the database (settings come from config/db_config.php)
    $conn = mysql_connect($host, $dbusername, $dbpassword);
    $db_select = mysql_select_db("$db_name", $conn);
    if (!$db_select) {
        die("Could not select the database: <br />" . mysql_error());
    }

    //This code runs if the form has been submitted
    if (isset($_POST['submit'])) {

    //This makes sure they did not leave any fields blank
    if (!$_POST['username'] || !$_POST['pass'] || !$_POST['pass2']) {
        die('You did not complete all of the required fields');
    }

    // sql injection protection //
    $username = mysql_real_escape_string($_POST['username']);
    $pass = md5($_POST['pass']);
    $pass2 = md5($_POST['pass2']);

    // checks if the username is in use
    $check = mysql_query("SELECT username FROM users WHERE username = '$username'")
        or die(mysql_error());
    $check2 = mysql_num_rows($check);

    //if the name exists it gives an error (the name is escaped before it is echoed back)
    if ($check2 != 0) {
        die('Sorry, the username '.htmlspecialchars($_POST['username']).' is already in use.');
    }

    // this makes sure both passwords entered match
    // (strict comparison, so two hash strings are never compared as numbers)
    if ($pass !== $pass2) {
        die('Your passwords did not match.');
    }

    if (getenv('HTTP_X_FORWARDED_FOR'))
    {
        $ip = getenv('HTTP_X_FORWARDED_FOR');
        if ($ip == '')
        {
            $ip = getenv('REMOTE_ADDR');
        }
    }
    else
    {
        $ip = getenv('REMOTE_ADDR');
    }
    // X-Forwarded-For is sent by the client, so escape it before it goes into the query
    $ip = mysql_real_escape_string($ip);

    $date = date('Y-m-d');
    // now we insert it into the database
    $insert = "INSERT INTO users (username, password, ip, reg_date)
    VALUES ('$username', '$pass', '$ip', '$date')";
    $add_member = mysql_query($insert) or die(mysql_error());
    if ($add_member) {

    ?>


    <h1>Registered</h1>
    <p>Thank you, you have registered - you may now login.</p>



         <?php
         
    }
    }
    else
    {
    ?>


    <form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
    <table border="0">
    <tr><td>Username:</td><td>
    <input type="text" name="username" maxlength="60">
    </td></tr>
    <tr><td>First name:</td><td>
    <input type="text" name="privatename" maxlength="60">
    </td></tr>
    <tr><td>Password:</td><td>
    <input type="password" name="pass" maxlength="10">
    </td></tr>
    <tr><td>Retype Password:</td><td>
    <input type="password" name="pass2" maxlength="10">
    </td></tr>
    <tr><td>Mail: </td><td>
    <input type="text" name="1" maxlength="60">  <font color=red>(must be valid)</font>
    </td></tr>
    <tr><td>Retype Mail:</td><td>
    <input type="text" name="2" maxlength="60">
    </td></tr>
    <tr><td>Gender:</td><td>
    MALE<input type="radio" name="gender" value= "male" maxlength="60">
    FEMALE<input type="radio" name="gender" value="female" maxlength="60">
    </td></tr>
    <tr><th colspan=2><input type="submit" name="submit" value="Register"></th></tr> </table>
    </form>

    <?php
    }
    ?>




        </div>

        
        
        </div>
    </body>
    </html>

    the page which checks if the user\password is correct.

    PHP Code:
    <?php

    include("cgi-bin/db_config.php");
    $conn = mysql_connect($host, $dbusername, $dbpassword);
    $db_select = mysql_select_db("$db_name", $conn);
    if (!$db_select) {
        die("Could not select the database: <br />" . mysql_error());
    }

    //if the login form is submitted
    if (isset($_POST['submit'])) {

    // makes sure they filled it in
    if (!$_POST['username'] || !$_POST['pass']) {
        die('You did not fill in a required field.');
    }

    //sql injection protection
    $testingerror = $_POST['pass'];
    $_POST['pass'] = md5($_POST['pass']);
    $_POST['username'] = mysql_real_escape_string($_POST['username']);
    $username = $_POST['username'];

    // checks it against the database
    $check = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());

    //Gives error if user doesn't exist
    $check2 = mysql_num_rows($check);
    if ($check2 == 0) {
        die('That user does not exist in our database.
    <a href=registration.php>Click Here to Register</a>');
    }
    while ($info = mysql_fetch_array($check))
    {

    //gives error if the password is wrong
    //(debug output: prints the password exactly as the login form sent it)
    if ($_POST['pass'] !== $info['password']) {
        echo $testingerror;
    }
    else
    {

    // if login is ok then we add a cookie
    $hour = time() + 3600;
    setcookie('ID_my_site', $_POST['username'], $hour);
    setcookie('Key_my_site', $_POST['pass'], $hour);
    $date = date('Y-m-d');
    // the username is a string, so it has to be quoted in the query
    $update = "UPDATE users SET last_date='$date' WHERE username='$username'";

    mysql_query($update, $conn);
    //then redirect them to the members area
    header("Location: main.php");
    }
    }
    }
    else
    {
        echo("error 101");
    }

    ?>

    Here's a screenshot where you can see the problem.
    http://img453.imageshack.us/img453/1102/3434dp6.jpg
    I used the same password as the username, but just the last one is correct, since
    it's a 10-char password.

    The problem is with the registration, since when I encode the password the user has typed in the login form, it encodes the whole password (which causes a "wrong password" error).

    It's my first registration\login script, so if you see any other things I should fix, I would like to know.
    Last edited by asmon; 08-08-2007 at 07:27 PM.

  • #4
    Senior Coder
    Join Date
    Apr 2007
    Location
    Quakertown PA USA
    Posts
    1,028
    Thanks
    1
    Thanked 125 Times in 123 Posts
    Code:
    <tr><td>Password:</td><td>
    <input type="password" name="pass" maxlength="10">
    </td></tr>
    <tr><td>Retype Password:</td><td>
    <input type="password" name="pass2" maxlength="10">
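
The mismatch that post #4 points at, reproduced outside the forms and set beside a server-side variant. This is an added example, not code from the thread: the function names and the 8-character minimum are assumptions, and `password_hash()` is swapped in for the thread's `md5()`.

```php
<?php
// Added example, not code from the thread. All function names are hypothetical.

const MIN_LEN = 8;   // assumed policy value
const MAX_LEN = 72;  // bcrypt, the current PASSWORD_DEFAULT, ignores input past 72 bytes

// The thread's behaviour: the browser cuts the registration field at
// maxlength="10" (simulated with substr() on ASCII input), the login field
// has no limit, and each page runs md5() on whatever it receives.
function thread_register_hash(string $typed): string {
    return md5(substr($typed, 0, 10));
}

function thread_login_hash(string $typed): string {
    return md5($typed);
}

// Server-side variant: maxlength is only a browser hint, so the length is
// checked again here and out-of-range input is rejected, never shortened.
function register_hash(string $typed): ?string {
    $len = strlen($typed);
    if ($len < MIN_LEN || $len > MAX_LEN) {
        return null; // caller reports the error to the user
    }
    return password_hash($typed, PASSWORD_DEFAULT); // salted, slow hash
}

function login_ok(string $typed, string $stored): bool {
    return strlen($typed) <= MAX_LEN && password_verify($typed, $stored);
}

$typed = '123456789012345'; // constructed sample: the 15-character value from the first post

// Registration stored the hash of "1234567890", so the full password no
// longer matches at login while its 10-character prefix does.
var_dump(thread_register_hash($typed) === thread_login_hash($typed));
var_dump(thread_register_hash($typed) === thread_login_hash('1234567890'));

// With the server-side variant the full password verifies, the prefix does
// not, and a 73-byte password is refused at registration.
$stored = register_hash($typed);
var_dump(login_ok($typed, $stored));
var_dump(login_ok('1234567890', $stored));
var_dump(register_hash(str_repeat('a', 73)));
```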

