  1. #1
    Regular Coder

    Encrypted Password

    I'm using this login script, and for the part posted below, it's supposed to change the password they entered into the form to the encrypted password so that it can properly check the DB if it's the correct account. But I guess it's not doing that, because every time I type in my pass it says wrong password.

    PHP Code:
    <?php
    ob_start();

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password") or die("cannot connect");
    mysql_select_db("$db_name") or die("cannot select DB");

    // Define $myusername and $mypassword
    $myusername=$_POST['myusername'];
    $mypassword=$_POST['mypassword'];

    $encrypted_mypassword=md5($mypassword);

    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($myusername);
    $encrypted_mypassword = stripslashes($encrypted_mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $encrypted_mypassword = mysql_real_escape_string($encrypted_mypassword);

    $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and user_password='$encrypted_mypassword'";
    $result=mysql_query($sql);

    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);
    // If result matched $myusername and $mypassword, table row must be 1 row

    if($count==1){
        // Register $myusername, $mypassword and redirect to file "login_success.php"
        session_register("myusername");
        session_register("mypassword");
        header("location:login_success.php");
    }
    else {
        echo "Wrong Username or Password";
    }

    ob_end_flush();
    ?>

  • #2
    God Emperor Fou-Lu
    Where is $tbl defined?
    I assume as well that the insertion had md5 encrypted as well? If so, ensure that the char/varchar column width is at minimum 32 characters, otherwise it will truncate your string to fit the db column.

    session_register shouldn't even work. You need a session_start but on top of that, session_register will only work with register_globals enabled, which has been disabled by default since PHP4.2.1. Instead, use $_SESSION['myusername'] = $myusername;. After any header call where you desire to perform a redirection, exit or die your script. Processing of the remaining code will still happen without it.

    Edit:
    Actually, I don't see any of your configuration information defined; you shouldn't make it past the mysql_select_db call.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
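
Added example (not code from any poster in the thread): the original check rewritten along the lines of the reply above, with `session_start()`, `$_SESSION` and `exit` after the redirect. It assumes PDO with an in-memory SQLite table standing in for the MySQL one, swaps unsalted `md5()` for `password_hash()`/`password_verify()`, and uses bound parameters instead of `mysql_real_escape_string()`; the table name `members`, the user `alice` and both function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: true only when the user exists and the password verifies.
function check_login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the value never becomes part of the SQL text,
    // so no stripslashes()/escaping step can alter it.
    $stmt = $db->prepare('SELECT user_password FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no row matched

    return is_string($hash) && password_verify($password, $hash);
}

// Hypothetical helper: what checklogin.php would do after a successful check.
// Not called in the command-line demo below.
function complete_login(string $username): void
{
    session_start();                       // required before touching $_SESSION
    session_regenerate_id(true);           // fresh session id after authentication
    $_SESSION['myusername'] = $username;   // replaces session_register()
    header('Location: login_success.php');
    exit;                                  // nothing after the redirect may run
}

// Constructed demo data: SQLite in memory stands in for the MySQL table.
// The column is wide enough for password_hash() output, which is longer
// than the 32 characters of an md5() digest.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, user_password VARCHAR(255))');
$ins = $db->prepare('INSERT INTO members (username, user_password) VALUES (?, ?)');
$ins->execute(['alice', password_hash("I'm the best", PASSWORD_DEFAULT)]);

// Correct password, wrong password, and an unknown user name containing a quote.
var_dump(check_login($db, 'alice', "I'm the best"));
var_dump(check_login($db, 'alice', 'wrong'));
var_dump(check_login($db, "o'brien", "I'm the best"));
```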

  • #3
    Regular Coder
    Quote Originally Posted by Fou-Lu View Post
    Where is $tbl defined?
    I assume as well that the insertion had md5 encrypted as well? If so, ensure that the char/varchar column width is at minimum 32 characters, otherwise it will truncate your string to fit the db column.

    session_register shouldn't even work. You need a session_start but on top of that, session_register will only work with register_globals enabled, which has been disabled by default since PHP4.2.1. Instead, use $_SESSION['myusername'] = $myusername;. After any header call where you desire to perform a redirection, exit or die your script. Processing of the remaining code will still happen without it.

    Edit:
    Actually, I don't see any of your configuration information defined; you shouldn't make it past the mysql_select_db call.
    I cut out the connect code, it's easier than blanking out the info.

    Also, the code works when I copy and paste the encrypted password.

  • #4
    God Emperor Fou-Lu
    Quote Originally Posted by Ndogg View Post
    I cut out the connect code, it's easier than blanking out the info.

    Also, the code works when I copy and paste the encrypted password.
    Gotcha, that's fine then.

    When you say the encrypted password, do you mean that you run an md5('yourpassword'); copy that result, and put it into the password field? If so, that would indicate that your data has been encrypted twice through md5 before being stored in the database.

  • #5
    Regular Coder Zangeel
    Just use

    PHP Code:
    $encrypted_mypassword = md5(mysql_real_escape_string($mypassword));
    Why are you using stripslashes? mysql_real_escape_string should work fine against sql injections, and it takes out slashes while mysql_real_escape_string escapes characters.

    And make sure the same method the passwords were inputted with is used to check them.

  • #6
    God Emperor Fou-Lu
    Stripslashes are used to remove quotes from magic_quotes_gpc. You should always check beforehand, otherwise it will compromise some passwords: eg: mypasswordis\\. Oops, the stripslashes will remove the second last \ if magic_quotes are not enabled. I can't wait for PHP6 (magic_quotes_gpc and runtime are both history).

    You won't need either actually. You may want to do it anyways for consistency, but md5 hash will always result in a 128-bit hex string. For that reason you don't need to worry about a string break.

    A point does go on that though, if special characters exist in the password, you must be 100% certain that whatever you did for insertion is happening with the comparison.
    If magic_quotes_gpc is enabled and were not stripslashed before insertion, a password like 'I'm the best' would not match. This is since the insertion would have included the \, and the comparison does not.

  • #7
    Regular Coder
    Quote Originally Posted by Fou-Lu View Post
    Gotcha, that's fine then.

    When you say the encrypted password, do you mean that you run an md5('yourpassword'); copy that result, and put it into the password field? If so, that would indicate that your data has been encrypted twice through md5 before being stored in the database.
    No, I went into the db, copied the encrypted password out of there, then pasted it into the password box.

  • #8
    Senior Coder
    Quote Originally Posted by Ndogg View Post
    No, I went into the db, copied the encrypted password out of there, then pasted it into the password box.
    That would mean that you are double encrypting the submitted password.

  • #9
    God Emperor Fou-Lu
    Are you 100% certain that this is the code that the form is being posted to? It should not work, the DB I assume is already encrypted, and encrypting it again would result in a non-comparison.

    Edit:
    Matt got one in here.
    It's actually the other way around from the looks of it. If it's retrieved from the db and validates against the db, that would indicate that the processing comparison is not encrypting the value. Perhaps this: user_password='$encrypted_mypassword' is actually: user_password='$mypassword'?
    Last edited by Fou-Lu; 07-24-2009 at 05:05 AM.

  • #10
    Regular Coder
    Quote Originally Posted by MattF View Post
    That would mean that you are double encrypting the submitted password.
    Well, I tried posting the real password, and it doesn't work, so that must mean it's not checking for the encrypted password, otherwise when I tried the encrypted password, that wouldn't have worked. So there's something wrong with changing the normal password to the encrypted password.

    EDIT: The form is sending the info to the correct location
    <form name="form1" method="post" action="checklogin.php">
    Last edited by Ndogg; 07-24-2009 at 05:08 AM.

  • #11
    Senior Coder
    First, get rid of those stripslashes lines and do stripslashes removal properly, (only if needed). Put this at the top of that file, under the opening tag:

    Code:
    if (get_magic_quotes_gpc() && isset($_POST))
    {
        $_POST = array_map('stripslashes', $_POST);
    }

  • #12
    God Emperor Fou-Lu
    Quote Originally Posted by MattF View Post
    First, get rid of those stripslashes lines and do stripslashes removal properly, (only if needed). Put this at the top of that file, under the opening tag:

    Code:
    if (get_magic_quotes_gpc() && isset($_POST))
    {
        $_POST = array_map('stripslashes', $_POST);
    }
    I would second this. A localized global stripping is better than the stripslashes one by one simply because of the get_magic_quotes_gpc.
    I'll have to see on my 6-dev if @ will still allow processing. I remember testing this a bit and get_magic_quotes_gpc wasn't deprecated, it's gone. What a pain.

  • #13
    Regular Coder
    This is what I'm at now, is this correct:

    PHP Code:
    <?php
    if (get_magic_quotes_gpc() && isset($_POST))
    {
        $_POST = array_map('stripslashes', $_POST);
    }
    ob_start();
    $host="mysql7.***************"; // Host name
    $username=""; // Mysql username
    $password=""; // Mysql password
    $db_name=""; // Database name
    $tbl_name=""; // Table name

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password") or die("cannot connect");
    mysql_select_db("$db_name") or die("cannot select DB");

    // Define $myusername and $mypassword
    $myusername=$_POST['myusername'];
    $mypassword=$_POST['mypassword'];

    $encrypted_mypassword=md5($mypassword);

    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = mysql_real_escape_string($myusername);
    $encrypted_mypassword = md5(mysql_real_escape_string($mypassword));

    $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and user_password='$encrypted_mypassword'";
    $result=mysql_query($sql);

    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);
    // If result matched $myusername and $mypassword, table row must be 1 row

    if($count==1){
        // Register $myusername, $mypassword and redirect to file "login_success.php"
        session_register("myusername");
        session_register("encrypted_mypassword");
        header("location:login_success.php");
    }
    else {
        echo "Wrong Username or Password";
    }

    ob_end_flush();
    ?>
    Last edited by Fou-Lu; 07-24-2009 at 05:21 AM.

  • #14
    Senior Coder
    Edited: The virtues of viewing a cached page. A five minute time lag.
    Last edited by MattF; 07-24-2009 at 05:32 AM.

  • #15
    Senior Coder
    PHP Code:
    <?php

    if (get_magic_quotes_gpc() && isset($_POST))
    {
        $_POST = array_map('stripslashes', $_POST);
    }

    ob_start();

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password") or die("cannot connect");
    mysql_select_db("$db_name") or die("cannot select DB");

    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = mysql_real_escape_string($_POST['myusername']);
    $encrypted_mypassword = mysql_real_escape_string(md5($_POST['mypassword']));

    $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and user_password='$encrypted_mypassword'";
    $result=mysql_query($sql);

    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);
    // If result matched $myusername and $mypassword, table row must be 1 row

    if($count==1){
        // Register $myusername, $mypassword and redirect to file "login_success.php"
        session_register("myusername");
        session_register("encrypted_mypassword");
        header("location:login_success.php");
    }
    else {
        echo "Wrong Username or Password";
    }

    ob_end_flush();
    ?>
    Btw, you are sure they're using md5 encryption?
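
Added example (not code from any poster): a simulation of how each variant posted in this thread behaves when `magic_quotes_gpc` is on or off, which is the consistency problem posts #5 and #6 describe. It assumes registration stored `md5()` of exactly what the user typed, and uses `addslashes()` as a stand-in for both magic quotes and `mysql_real_escape_string()`; the function names and variant labels are hypothetical.

```php
<?php
declare(strict_types=1);

// addslashes() stands in for magic_quotes_gpc and for mysql_real_escape_string()
// (which needs a live connection); all three backslash-escape quotes and backslashes.
function as_received(string $typed, bool $magicQuotes): string
{
    return $magicQuotes ? addslashes($typed) : $typed;
}

// Hypothetical labels for the variants discussed in the thread. Each closure returns
// the value that ends up compared with the user_password column.
function variants(): array
{
    return [
        '#1  md5(input), then strip+escape digest' =>
            fn(string $in, bool $mq): string => addslashes(stripslashes(md5($in))),
        '#5  md5(escape(input))' =>
            fn(string $in, bool $mq): string => md5(addslashes($in)),
        '#6  unconditional stripslashes, then md5' =>
            fn(string $in, bool $mq): string => md5(stripslashes($in)),
        '#15 strip only if magic quotes, escape(md5)' =>
            fn(string $in, bool $mq): string => addslashes(md5($mq ? stripslashes($in) : $in)),
    ];
}

// Assumption: registration stored md5() of exactly what the user typed.
function login_matches(callable $variant, string $typed, bool $magicQuotes): bool
{
    $stored = md5($typed);
    return hash_equals($stored, $variant(as_received($typed, $magicQuotes), $magicQuotes));
}

// Constructed sample passwords; the last two are the thread's own examples.
$samples = ['letmein', "I'm the best", 'mypasswordis\\\\'];

foreach (variants() as $label => $variant) {
    foreach ($samples as $typed) {
        foreach ([false, true] as $mq) {
            printf("%-45s %-16s magic_quotes=%-3s %s\n", $label, $typed,
                $mq ? 'on' : 'off', login_matches($variant, $typed, $mq) ? 'match' : 'MISMATCH');
        }
    }
}

// A digest is always 32 hex characters, so a copy cut to a narrower column never equals it.
$digest = md5('letmein');
var_dump(strlen($digest), ctype_xdigit($digest), substr($digest, 0, 20) === $digest);
```

Only the last variant matches for every sample in both settings; escaping the digest is a no-op because it contains only hex characters, while escaping or stripping the password before hashing changes the hash.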

