
Thread: MD5 problem

  1. #1

    MD5 problem

    I have the following form:

    Code:
    <form name="form1" method="post" action="login.php">
    <table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
    <tr align="center"><td colspan="2" style="font-size: 120%;"><strong>Member Login </strong></td></tr>
    <tr><td align="right" width="100">Username:</td><td align="center" width="235"><input name="myusername" type="text" id="myusername" size="20" maxlength="6" /></td></tr>
    <tr><td align="right">Password:</td><td align="center"><input name="mypassword" type="password" id="mypassword" size="20" maxlength="6" /></td></tr>
    <tr><td>&nbsp</td><td align="center"><input type="submit" name="Submit" value="Log me in"></td></tr>
    </table>
    </form>
    With the following code to check login:

    Code:
    <?PHP
    // Initialize session
    session_start();
     
    // Import the connect to DB code as required as we need it and can not continue with out it.
    require 'connect_db.php';
    
    ?>
    
    <!DOCTYPE html PUBLIC
    "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <title>Logging in - 48323934 - ICT 2613</title>
    <meta name="Description" content="PHP ICT2613 Exam Assignment. 48323934 - Logging in " />
    <meta http-equiv="content-language" content="en-za" />
    <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
    <meta name="Author" content="S.J. Fouche, Student number: 48323934" />
    <meta name="HandheldFriendly" content="True" />
    <!-- Link to the external style sheet (CSS) -->
    <link rel="stylesheet" type="text/css" href="my_css.css" />
    <!-- Link to the external javascript file -->
    <script type="text/javascript" src="my_javascript.js"></script>
    
    </head>
    
    <body>
    <!-- Used the include feature for the header and links on all pages -->
    <?PHP require "header.txt" ?>
    
    <!-- Setup image -->
    <table width="640" height="350" align="center" cellpadding="0" cellspacing="1">
    <tr align="center"><td><img src="site_graphics/controls.jpg" alt="Control Background" width="600" height="300" /></td></tr>
    </table>
    
    <!-- PHP Coding -->
    <?PHP
    // Code below will create Code link at the center and bottom of the page
    echo("<p style='position:absolute; bottom:5px; left:49%;'><a href='javascript: logincode()'>Code</a></p>")
    ?> 
    
    </body>
    </html>
    
    <?PHP
    
    <?PHP
    // Initialize session
    session_start();
     
    // Import the connect to DB code as required as we need it and can not continue with out it.
    require 'connect_db.php';
    
    ?>
    
    <!DOCTYPE html PUBLIC
    "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <title>Logging in - 48323934 - ICT 2613</title>
    <meta name="Description" content="PHP ICT2613 Exam Assignment. 48323934 - Logging in " />
    <meta http-equiv="content-language" content="en-za" />
    <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
    <meta name="Author" content="S.J. Fouche, Student number: 48323934" />
    <meta name="HandheldFriendly" content="True" />
    <!-- Link to the external style sheet (CSS) -->
    <link rel="stylesheet" type="text/css" href="my_css.css" />
    <!-- Link to the external javascript file -->
    <script type="text/javascript" src="my_javascript.js"></script>
    
    </head>
    
    <body>
    <!-- Used the include feature for the header and links on all pages -->
    <?PHP require "header.txt" ?>
    
    <!-- Setup image -->
    <table width="640" height="350" align="center" cellpadding="0" cellspacing="1">
    <tr align="center"><td><img src="site_graphics/controls.jpg" alt="Control Background" width="600" height="300" /></td></tr>
    </table>
    
    <!-- PHP Coding -->
    <?PHP
    // Code below will create Code link at the center and bottom of the page
    echo("<p style='position:absolute; bottom:5px; left:49%;'><a href='javascript: logincode()'>Code</a></p>")
    ?> 
    
    </body>
    </html>
    
    <?PHP
    
    // username and password sent from form 
    // My username and passwords are case sensitive and are not making use of: strtolower or strtoupper
    $myusername=$_POST['myusername']; 
    $mypassword=$_POST['mypassword'];
    echo $mypassword.'<br />';
    // To protect MySQL injection
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    echo $mypassword.'<br />';
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);
    echo $mypassword.'<br />';
    
    /* With my research on google re PHP and passwords I came across this neat little encryption trick for passwords, I have changed my database password varchar to 32 characters
    instead of 6 characters as specified to accommodate this feature as a MD5 hash generates a 32 character hash which by itself is pretty interesting as well. this is a 128 bit
    encryption and therefore should only generate 16 characters but it makes use of hexadecimal therefore the 32 characters */
    $password_hash = md5($mypassword);
    echo $password_hash;
    	
    
    // Table name variable
    $tb_name = "tb_user";
    
    // Set the Query within a variable
    // I have used SELECT 'id' instead of SELECT * as it speeds up the search especially if you have thousands of users
    $query = "SELECT 'id' FROM $tb_name WHERE username='$myusername' AND password='$password_hash'";
    $result = mysql_query($query);
    
    // Mysql_num_row is counting table row
    $count = mysql_num_rows($result);
    
    // Create a if statement to check if results returned and if not to display an error
    // I have created these messages with window.alert and window.confirm just to be snazzy
    // I am able to refer back to the index.php on both conditions as there is a conditional to change the menu links if user logged in.
    if($count == 1) {
    	// Register $myusername and redirect to file "securepage.php"
     	// Set myusername session variable
    	$_SESSION['myusername'] = $_POST['myusername'];
    	$username =  $_SESSION['myusername'];
    	echo "(<script type='text/javascript'>
        window.alert(\"Welcome $username you are successfully logged in.\")
        window.location.href='index.php'; 
        </script>)";
     	}
    else {
    	// else if incorrect ask user if they wish to register or try again
    	echo "(<script type='text/javascript'>	
        if (window.confirm('Username or Password INCORRECT!                                                               Press OK to Register a new user or CANCEL to try again.')) 
    		window.location.href='register.php'; 
    	else
    		window.location.href='index.php';
        </script>)";
     }
     
    ?>
    	
    
    // Table name variable
    $tb_name = "tb_user";
    
    // Set the Query within a variable
    // I have used SELECT 'id' instead of SELECT * as it speeds up the search especially if you have thousands of users
    $query = "SELECT 'id' FROM $tb_name WHERE username='$myusername' AND password='$password_hash'";
    $result = mysql_query($query);
    
    // Mysql_num_row is counting table row
    $count = mysql_num_rows($result);
    
    // Create a if statement to check if results returned and if not to display an error
    // I have created these messages with window.alert and window.confirm just to be snazzy
    // I am able to refer back to the index.php on both conditions as there is a conditional to change the menu links if user logged in.
    if($count == 1) {
    	// Register $myusername and redirect to file "securepage.php"
     	// Set myusername session variable
    	$_SESSION['myusername'] = $_POST['myusername'];
    	$username =  $_SESSION['myusername'];
    	echo "(<script type='text/javascript'>
        window.alert(\"Welcome $username you are successfully logged in.\")
        window.location.href='index.php'; 
        </script>)";
     	}
    else {
    	// else if incorrect ask user if they wish to register or try again
    	echo "(<script type='text/javascript'>	
        if (window.confirm('Username or Password INCORRECT!                                                               Press OK to Register a new user or CANCEL to try again.')) 
    		window.location.href='register.php'; 
    	else
    		window.location.href='index.php';
        </script>)";
     }
     
    ?>
    I have added the echo statement to try and see what is happening but the password stays right before the md5.
    When I echo the $password_hash it adds a ( at the end; I can't understand why.

    Am I doing something wrong?

    I have tried the code separately as follows and it does not add the (

    Code:
    <?PHP
    if (isset($_POST['myusername']) && isset($_POST['mypassword'])) {
    // username and password sent from form 
    // My username and passwords are case sensitive and are not making use of: strtolower or strtoupper
    $myusername=$_POST['myusername']; 
    $mypassword=$_POST['mypassword'];
    echo $mypassword.'<br />';
    // To protect MySQL injection
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    echo $mypassword.'<br />';
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);
    echo $mypassword.'<br />';
    
    /* With my research on google re PHP and passwords I came across this neat little encryption trick for passwords, I have changed my database password varchar to 32 characters
    instead of 6 characters as specified to accommodate this feature as a MD5 hash generates a 32 character hash which by itself is pretty interesting as well. this is a 128 bit
    encryption and therefore should only generate 16 characters but it makes use of hexadecimal therefore the 32 characters */
    $password_hash = md5($mypassword);
    echo $password_hash;
    	}
    ?>
    
    <form name="form1" method="post" action="password2.php">
    <table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
    <tr align="center"><td colspan="2" style="font-size: 120%;"><strong>Member Login </strong></td></tr>
    <tr><td align="right" width="100">Username:</td><td align="center" width="235"><input name="myusername" type="text" id="myusername" size="20" maxlength="6" /></td></tr>
    <tr><td align="right">Password:</td><td align="center"><input name="mypassword" type="password" id="mypassword" size="20" maxlength="6" /></td></tr>
    <tr><td>&nbsp</td><td align="center"><input type="submit" name="Submit" value="Log me in"></td></tr>
    </table>
    </form>
    Last edited by hans_cellc; 10-17-2012 at 02:37 PM.

  • #2
    OK don't worry got it, the () brackets around the script within PHP caused the problem.

  • #3
    Don't be offended, this code needs to be completely re-written with error reporting turned on.

    I've put my comments in your code below.

    Quote Originally Posted by hans_cellc View Post
    PHP Code:
    <?PHP
    // Initialize session
    session_start();
     
    // Import the connect to DB code as required as we need it and can not continue with out it.
    require 'connect_db.php';

    ?>

    <!DOCTYPE html PUBLIC.. etc

    <?PHP //PHP opening tag

    <?PHP //What the? - Another one? - This code shouldn't work.
    // Initialize session
    session_start(); //You shouldn't be using this twice especially after html output has begun - This just shows you have error reporting turned off.
     
    // Import the connect to DB code as required as we need it and can not continue with out it.
    require 'connect_db.php';

    ?>

    <!DOCTYPE html PUBLIC
    "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <title>Logging in - 48323934 - ICT 2613</title>
    <meta name="Description" content="PHP ICT2613 Exam Assignment. 48323934 - Logging in " />
    <meta http-equiv="content-language" content="en-za" />
    <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
    <meta name="Author" content="S.J. Fouche, Student number: 48323934" />
    <meta name="HandheldFriendly" content="True" />
    <!-- Link to the external style sheet (CSS) -->
    <link rel="stylesheet" type="text/css" href="my_css.css" />
    <!-- Link to the external javascript file -->
    <script type="text/javascript" src="my_javascript.js"></script>

    </head>

    <body>
    <!-- Used the include feature for the header and links on all pages -->
    <?PHP require "header.txt" ?>

    <!-- Setup image -->
    <table width="640" height="350" align="center" cellpadding="0" cellspacing="1">
    <tr align="center"><td><img src="site_graphics/controls.jpg" alt="Control Background" width="600" height="300" /></td></tr>
    </table>

    <!-- PHP Coding -->
    <?PHP
    // Code below will create Code link at the center and bottom of the page
    echo("<p style='position:absolute; bottom:5px; left:49%;'><a href='javascript: logincode()'>Code</a></p>")
    ?> 

    </body>
    </html>

    <?PHP

    // username and password sent from form 
    // My username and passwords are case sensitive and are not making use of: strtolower or strtoupper
    $myusername=$_POST['myusername']; 
    $mypassword=$_POST['mypassword'];
    echo $mypassword.'<br />';
    // To protect MySQL injection
    $myusername = stripslashes($myusername); //Don't just use strip slashes 
    $mypassword = stripslashes($mypassword); //Check for magic quotes first.

    I've not checked the rest as it looks like you need to learn the basics about a few things first such as keeping php and html separate.

    session_start() must be used before ANY output and should only be used once (ok you can use it more than once but only when you really know what you're doing and how it will work behind the scenes etc).

    At one point you have TWO <?php opening tags
    Last edited by tangoforce; 10-17-2012 at 06:29 PM.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • Users who have thanked tangoforce for this post:

    hans_cellc (10-17-2012)

  • #4
    Thanks a mil, I don't know what happened. I think my copy and paste got mixed up; it was only in once.
    How should I change the coding for the magic quotes?

    Below my code:

    config.php
    Code:
    <?PHP
    
    // Initialize session
    ob_start();
    session_start();
    
    // Create a function to shorten code on other pages to check if SESSION isset
    function loggedin() {
    	if (isset($_SESSION['myusername'])) {
    		return true;
    		}
    	else {
    		return false;
    		}
    }
    		
    ?>
    connect_db.php
    Code:
    <?PHP
    // I am setting all my variables to make it easier to change code at a later stage by just changing the variables
    $mysql_host = "localhost";
    $mysql_user = "root";
    $mysql_passw = "";
    $mysql_db = "games";
    
    // Using an if statement with the not inside that if the DB does not exist or could not connect
    // it will die with an error message as per the variable, I used the @ sign to silence the normal error message
    if (!@mysql_connect($mysql_host, $mysql_user, $mysql_passw) OR !@mysql_select_db($mysql_db)) {
    	// If no such database found pop up error
    	echo ("<script type='text/javascript'>	
        window.alert('Could not connect to Database');
    	window.location.href = 'index.php'; 
        </script>");
    	}
    
    ?>
    header.txt
    Code:
    <h1 style="font-size: 400%; font-family: Forte, Verdana, Arial, Helvetica, sans-serif; color: #000000; margin-top: -7px;" align="center">CONSOLE GAMES FOR SALE</h1>
    <h1 style="font-size: 300%; font-family: Forte, Verdana, Arial, Helvetica, sans-serif; color: #FF0000; margin-top: -20px;" align="center">PS2 - PS3 - Wii - X-BOX</h1><br />
    
    <!-- Links -->
    <table width="100%" style = "margin-top: -25px;">
    <tr align="center"><td ><h3 style = "margin-top: -5px; margin-bottom: 1px;"><a href="http://127.0.0.1/exam/index.php" name="top">Home Page</a> | <a href="http://127.0.0.1/exam/insert.php">Insert</a> | 
    <a href="http://127.0.0.1/exam/list.php">List</a> | <a href="http://127.0.0.1/exam/source_code.php">Source Codes</a> | <a href="http://127.0.0.1/exam/register.php">Register</a> | 
    <a href="#" onclick="showDiv()">Login</a></h3></td></tr></table>
    
    <h2 style="color: yellow; font-family: Verdana, Arial, Helvetica, sans-serif;" align="center">Members Only</h2>
    
    <!-- Insert a horizontal line (ruler) -->
    <hr /><br />
    header_secure.txt
    Code:
    <h1 style="font-size: 400%; font-family: Forte, Verdana, Arial, Helvetica, sans-serif; color: #000000; margin-top: -7px;" align="center">CONSOLE GAMES FOR SALE</h1>
    <h1 style="font-size: 300%; font-family: Forte, Verdana, Arial, Helvetica, sans-serif; color: #FF0000; margin-top: -20px;" align="center">PS2 - PS3 - Wii - X-BOX</h1><br />
    
    <!-- Links -->
    <table width="100%" style = "margin-top: -25px;">
    <tr align="center"><td ><h3 style = "margin-top: -5px; margin-bottom: 1px;"><a href="http://127.0.0.1/exam/index.php" name="top">Home Page</a> | 
    <a href="http://127.0.0.1/exam/insert.php">Insert</a> | <a href="http://127.0.0.1/exam/list.php">List</a>| 
    <a href="http://127.0.0.1/exam/source_code.php">Source Codes</a> | Welcome: <strong><?php echo $_SESSION['myusername']; ?></strong> | <a href="logout.php">Logout</a></h3></td></tr></table>
    
    <h2 style="color: yellow; font-family: Verdana, Arial, Helvetica, sans-serif;" align="center">Members Zone</h2>
    
    <!-- Insert a horizontal line (ruler) -->
    <hr /><br />
    login.php
    Code:
    <?PHP
    require "config.php";
     
    // Import the connect to DB code as required as we need it and can not continue with out it.
    require "connect_db.php";
    
    ?>
    
    <!DOCTYPE html PUBLIC
    "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <title>Logging in - 48323934 - ICT 2613</title>
    <meta name="Description" content="PHP ICT2613 Exam Assignment. 48323934 - Logging in " />
    <meta http-equiv="content-language" content="en-za" />
    <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
    <meta name="Author" content="S.J. Fouche, Student number: 48323934" />
    <meta name="HandheldFriendly" content="True" />
    <!-- Link to the external style sheet (CSS) -->
    <link rel="stylesheet" type="text/css" href="my_css.css" />
    <!-- Link to the external javascript file -->
    <script type="text/javascript" src="my_javascript.js"></script>
    
    </head>
    
    <body>
    <!-- Used the include feature for the header and links on all pages -->
    <?PHP require "header.txt" ?>
    
    <!-- Setup image -->
    <table width="640" height="350" align="center" cellpadding="0" cellspacing="1">
    <tr align="center"><td><img src="site_graphics/controls.jpg" alt="Control Background" width="600" height="300" /></td></tr>
    </table>
    
    <!-- PHP Coding -->
    <?PHP
    // Code below will create Code link at the center and bottom of the page
    echo("<p style='position:absolute; bottom:5px; left:49%;'><a href='javascript: logincode()'>Code</a></p>")
    ?> 
    
    </body>
    </html>
    
    <?PHP
    
    // username and password sent from form 
    // My username and passwords are case sensitive and are not making use of: strtolower or strtoupper
    $myusername=$_POST['myusername']; 
    $mypassword=$_POST['mypassword'];
    // echo $mypassword.'<br />';	This was my test code
    // To protect MySQL injection
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    // echo $mypassword.'<br />';	This was my test code
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);
    // echo $mypassword.'<br />';	This was my test code
    
    /* With my research on google re PHP and passwords I came across this neat little encryption trick for passwords, I have changed my database password varchar to 32 characters
    instead of 6 characters as specified to accommodate this feature as a MD5 hash generates a 32 character hash which by itself is pretty interesting as well. this is a 128 bit
    encryption and therefore should only generate 16 characters but it makes use of hexadecimal therefore the 32 characters */
    $password_hash = md5($mypassword);
    // echo $password_hash;			This was my test code
    	
    
    // Table name variable
    $tb_name = "tb_user";
    
    // Set the Query within a variable
    // I have used SELECT 'id' instead of SELECT * as it speeds up the search especially if you have thousands of users
    $query = "SELECT 'id' FROM $tb_name WHERE username='$myusername' AND password='$password_hash'";
    $result = mysql_query($query);
    
    // Mysql_num_row is counting table row
    $count = mysql_num_rows($result);
    
    // Create a if statement to check if results returned and if not to display an error
    // I have created these messages with window.alert and window.confirm just to be snazzy
    // I am able to refer back to the index.php on both conditions as there is a conditional to change the menu links if user logged in.
    if($count == 1) {
    	// Register $myusername and redirect to file "securepage.php"
     	// Set myusername session variable
    	$_SESSION['myusername'] = $_POST['myusername'];
    	$username =  $_SESSION['myusername'];
    	echo ("<script type='text/javascript'>
        window.alert(\"Welcome $username you are successfully logged in.\")
        window.location.href='index.php'; 
        </script>");
     	}
    else {
    	// else if incorrect ask user if they wish to register or try again
    	echo ("<script type='text/javascript'>	
        if (window.confirm('Username or Password INCORRECT!                                                               Press OK to Register a new user or CANCEL to try again.')) 
    		window.location.href='register.php'; 
    	else
    		window.location.href='index.php';
        </script>");
     }
     
    ?>

  • #5
    This is my way of doing it - I only check for gpc magic quotes

    PHP Code:
    if (get_magic_quotes_gpc())
       {
       foreach($_POST as $Key => $Value)
          {
          $_POST[$Key] = (is_string($Value)) ? stripslashes($Value) : $Value;
          }
       }

  • Users who have thanked tangoforce for this post:

    hans_cellc (10-17-2012)
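
An added example, not code from any poster in this thread: the thread's login check rewritten with a PDO prepared statement and password_hash()/password_verify(), upgrading rows that still hold the 32-character MD5 digest on the next successful login. It assumes PHP 7 or later with pdo_sqlite; the in-memory tb_user table, the sample users and the function name check_login are constructed for illustration.

```php
<?php
// Added example, not the thread's code. Assumes PHP >= 7.0 with pdo_sqlite;
// the in-memory database and the user rows below are constructed sample data.
declare(strict_types=1);

/**
 * Check a login against tb_user using a prepared statement.
 * Rows still holding a 32-character MD5 hex digest (the thread's scheme)
 * are upgraded to password_hash() on the first successful login.
 */
function check_login(PDO $db, string $username, string $password): bool
{
    // Placeholders keep user input out of the SQL text, so no stripslashes()
    // or escaping is needed and the password is hashed exactly as typed.
    // (Magic quotes were removed in PHP 5.4, get_magic_quotes_gpc() in 8.0.)
    $stmt = $db->prepare('SELECT id, password FROM tb_user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    $stored = $row['password'];
    $isLegacyMd5 = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;

    if ($isLegacyMd5) {
        // Old rows were written as md5(escaped password). For passwords with
        // quotes or backslashes the escaped form differs, so those accounts
        // fail this comparison and need a password reset.
        $ok = hash_equals($stored, md5($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return false;
    }

    // Replace legacy or outdated hashes while the plaintext is available.
    if ($isLegacyMd5 || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE tb_user SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

// --- Constructed demo data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password is VARCHAR(255): password_hash() output does not fit in 32 chars.
$db->exec('CREATE TABLE tb_user (
    id INTEGER PRIMARY KEY,
    username VARCHAR(6) UNIQUE,
    password VARCHAR(255))');
$ins = $db->prepare('INSERT INTO tb_user (username, password) VALUES (?, ?)');
$ins->execute(['alice', md5('abc123')]);                               // legacy MD5 row
$ins->execute(["o'neil", password_hash('s3cret', PASSWORD_DEFAULT)]);  // modern row

var_dump(check_login($db, 'alice', 'abc123'));   // legacy row: verified, then rehashed
var_dump(check_login($db, "o'neil", 's3cret'));  // quote in the username is plain data
var_dump(check_login($db, 'alice', 'wrong'));    // wrong password is rejected

// Confirm that alice's row was upgraded away from the MD5 digest.
$hash = $db->query("SELECT password FROM tb_user WHERE username = 'alice'")->fetchColumn();
var_dump(password_verify('abc123', $hash));
```

In a real login page, call session_regenerate_id(true) after check_login() succeeds and before setting $_SESSION['myusername'].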

