MD5
#1 _*Creative Insanity_*
Posted 15 August 2007 - 09:49 PM
Both on the encrypting and logging in.
I understand (I think) that as a login page you have to do some kind of compare.
But registering form I have no clue whatsoever.
I went as far even as buying one of the lynda.com CDs (never again) and even that was pretty stink on describing or how it works.
Can someone please enlighten me on this md5() so I can get my sucker to work.
ta muchly.
#2
Posted 15 August 2007 - 11:11 PM
So, when registering and making a password, the password is encrypted (for more security use more than one encryption method and use salts and peppers), and stored in the database. When you log in, the user's submitted password is encrypted with the exact same algorithm and scheme, and compared to the database's stored value of the encrypted password submitted at registration.
All simple stuff, and to learn more on encryption, there's tons of tutorials and articles you can find here on P2L, or more in-depth by searching Google.
#3 _*Creative Insanity_*
Posted 16 August 2007 - 02:43 AM
I do understand the logic behind it, but all the tuts I have seen (and that is a lot) all seem to use some kind of variable, but there are no variables in a registration form, well none that I have done in the past anyway.
All they are is just a form and an insert and nothing much more. I have tried such things as:
$password = $_GET['pass']; md5($password);
But alas I think I am getting it wrong.
#4
Posted 16 August 2007 - 02:47 AM
Might try
$password = $_GET['pass']; $password = md5($password);
Then have it insert password into the database after it's been encrypted.
And do the same thing when logging in. Then compare the md5 password they used to login with the password in the database.
#5 _*Creative Insanity_*
Posted 16 August 2007 - 03:03 AM
This is driving me nuts.
#6
Posted 16 August 2007 - 03:38 AM
#7 _*Creative Insanity_*
Posted 16 August 2007 - 01:56 PM
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
    $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
if ((isset($_POST["insert"])) && ($_POST["insert"] == "reg")) {
    $insertSQL = sprintf("INSERT INTO members (name, avatar, pass, cat) VALUES (%s, %s, %s, %s)",
        GetSQLValueString($_POST['name'], "text"),
        GetSQLValueString($_POST['avatar'], "text"),
        GetSQLValueString($_POST['pass'], "text"),
        GetSQLValueString($_POST['name'], "text"));
    mysql_select_db($database_DBcifarewell, $DBcifarewell);
    $Result1 = mysql_query($insertSQL, $DBcifarewell) or die(mysql_error());
}
#8
Posted 16 August 2007 - 04:42 PM
Simply run the password through md5() and whatever encryption method you chose, and use the same method when comparing for login.
#9 _*Creative Insanity_*
Posted 16 August 2007 - 04:47 PM
No matter where I place it I get errors like:
Unknown column 'd41d8cd98f00b204e9800998ecf8427e' in 'field list'
Edited by Creative Insanity, 16 August 2007 - 05:03 PM.
#10
Posted 16 August 2007 - 05:03 PM
Please show us both the registration code, and the login code, both with your attempts at using encryption.
#11 _*Creative Insanity_*
Posted 16 August 2007 - 05:12 PM
But will post my best attempt to date. I just don't understand this stuff at all.
#12
Posted 16 August 2007 - 05:25 PM
You have to use quotes for strings in SQL; complete basics there. Otherwise it assumes it to be a column name or a function of some sort.
sprintf("INSERT INTO members (name, avatar, pass, cat) VALUES ('%s', '%s', '%s', '%s')",
    GetSQLValueString($_POST['name'], "text"),
    GetSQLValueString($_POST['avatar'], "text"),
    GetSQLValueString($_POST['pass'], "text"),
    GetSQLValueString($_POST['name'], "text"));
#13 _*Creative Insanity_*
Posted 16 August 2007 - 05:49 PM
I would consider myself a real novice at php. I have used DW for years and years and now only (in the last 6 months) started to remove parts and change parts of what DW generates. DW code I know is like cracking eggs with a sledge hammer, but to date it has served me well for many years. It is only recently I have dug deeper into the code side and for a guy of my age (retired) it is a real hurdle. But many times I get there with a little push in the right direction.
But this md5 stuff mixing with dw code is a pain in the butt to say the least.
When using them in quotes I get the following error:
Query was empty
Edited by Creative Insanity, 16 August 2007 - 05:54 PM.
#14
Posted 16 August 2007 - 06:05 PM
$password = md5($_POST['pass']);
mysql_query("INSERT INTO `members` (`name`,`avatar`,`pass`,`cat`) VALUES ('$name','$avatar','$password','$cat')") or die(mysql_error());
Obviously when registering, you would also want to make sure the username hasn't already been taken, plus check to make sure the fields have been entered, etc. and security measures.
If you need any help on all this, then feel free to post here or PM me.
#15 _*Creative Insanity_*
Posted 16 August 2007 - 06:16 PM
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
    $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
    $password = md5($_POST['pass']);
    $name = $_POST['name'];
    $avatar = $_POST['avatar'];
    $cat = $_POST['name'];
    mysql_query("INSERT INTO `members` (`name`,`avatar`,`pass`,`cat`) VALUES ('$name','$avatar','$password','$cat')") or die(mysql_error());
}
Next hurdle is login with md5.. but I am sure I can get there with something similar.
#16
Posted 16 August 2007 - 06:23 PM
$user = $_POST['user'];
$pass = md5( $_POST['pass'] );
$query = mysql_query("SELECT * FROM `members` WHERE `username` = '$user'") or die(mysql_error());
$data = mysql_fetch_object($query);
if( $pass == $data->pass ){
    //Correct information, set cookie or sessions or whatever you're using.
}else{
    print 'Incorrect username or password';
}
Edit:
Well I'm gunna have to go now, but if you get any more problems, just post em here and I'm sure demonslay or someone similar will be here to help you soon.
Edited by nitr0x, 16 August 2007 - 06:30 PM.
#17 _*Creative Insanity_*
Posted 16 August 2007 - 06:35 PM
I added the md5 to the $password variable.
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
    $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}
if (isset($_POST['name'])) {
    $loginUsername=$_POST['name'];
    $password= md5($_POST['pass']);
    $MM_fldUserAuthorization = "";
    $MM_redirectLoginSuccess = "members/logged/index.php";
    $MM_redirectLoginFailed = "inc/failed.php";
    $MM_redirecttoReferrer = false;
    mysql_select_db($database_DBcifarewell, $DBcifarewell);
    $LoginRS__query=sprintf("SELECT name, pass FROM members WHERE name=%s AND pass=%s",
        GetSQLValueString($loginUsername, "text"),
        GetSQLValueString($password, "text"));
    $LoginRS = mysql_query($LoginRS__query, $DBcifarewell) or die(mysql_error());
    $loginFoundUser = mysql_num_rows($LoginRS);
    if ($loginFoundUser) {
        $loginStrGroup = "";
        //declare two session variables and assign them
        $_SESSION['MM_Username'] = $loginUsername;
        $_SESSION['MM_UserGroup'] = $loginStrGroup;
        if (isset($_SESSION['PrevUrl']) && false) {
            $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
        }
        header("Location: " . $MM_redirectLoginSuccess );
    } else {
        header("Location: ". $MM_redirectLoginFailed );
    }
}
#18
Posted 16 August 2007 - 06:37 PM
When you submit the login form, the password will be stored in:
$_POST['password']
You'll need to encrypt it, so put it into a variable:
$password = md5($_POST['password']);
Now you need to grab your user's info from the database. I will assume you know how to connect and select a database. When the form is submitted, you need to check if the password provided matches the password in the database, which, might I add, should be encrypted anyway; this should have been done when inserting the user's data into the database after they registered.
if(isset($_POST['submit'])) {
    // mysql_fetch_object() needs a result resource, so run the query first
    $query = mysql_query('SELECT * FROM {TABLE NAME}');
    $row = mysql_fetch_object($query);
    if($row->password == $password) {
        echo('Hooray, your logged in!');
    } else {
        echo('Not logged in!');
    }
}
As I stated, this isn't guaranteed to work, I'm just giving a helping hand. Good luck and hope you sort out your problem.
- Chris
Edited by .CJ, 16 August 2007 - 06:38 PM.
#19 _*Creative Insanity_*
Posted 16 August 2007 - 06:40 PM
#20
Posted 16 August 2007 - 07:30 PM
Goodness, the code Dreamweaver produces is weak, to say the least. And can be quite confusing at times.
This is seriously coding 101. I would like to see the source code for this GetSQLValueString() function, and if it actually enters quote marks on its return.
To nitr0x: using sprintf() is not an 'odd way of inserting'. It is actually the recommended way of executing SQL queries by php.net.
Lol, what is this supposed to accomplish? Because of the 'false' boolean, this will never be executed.
if (isset($_SESSION['PrevUrl']) && false) {
    $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
}
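Added example, not part of the thread or any poster's code: the same register-then-login flow with the salted, slow hash from PHP's password_hash() in place of bare md5(), and prepared statements in place of string-built SQL. The function names, the in-memory SQLite database and the sample accounts are assumptions made so it runs on its own.

```php
<?php
// Added example, not code from the thread. Function names and the table
// layout are assumptions; in-memory SQLite keeps it runnable offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (name TEXT PRIMARY KEY, avatar TEXT, pass TEXT NOT NULL)');

function register_member(PDO $db, string $name, string $avatar, string $pass): bool
{
    // Refuse empty input. md5('') is d41d8cd98f00b204e9800998ecf8427e, the
    // value in the "Unknown column" error above: md5() was fed an empty value.
    if ($name === '' || $pass === '') {
        return false;
    }
    $taken = $db->prepare('SELECT 1 FROM members WHERE name = ?');
    $taken->execute([$name]);
    if ($taken->fetchColumn() !== false) {
        return false; // username already registered
    }
    // password_hash() picks a random salt and a deliberately slow algorithm,
    // so equal passwords no longer produce equal stored values.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    // With placeholders the driver handles quoting, so a value is never
    // parsed as a column name or as SQL.
    $insert = $db->prepare('INSERT INTO members (name, avatar, pass) VALUES (?, ?, ?)');
    return $insert->execute([$name, $avatar, $hash]);
}

function login_member(PDO $db, string $name, string $pass): bool
{
    $stmt = $db->prepare('SELECT pass FROM members WHERE name = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn(); // false when no such user
    // password_verify() reads the salt and algorithm from the stored hash.
    return is_string($stored) && password_verify($pass, $stored);
}

// Constructed sample data.
var_dump(register_member($db, 'alice', 'a.png', 'correct horse')); // new user
var_dump(register_member($db, 'alice', 'b.png', 'other'));         // duplicate name
var_dump(register_member($db, 'bob', 'b.png', ''));                // empty password
var_dump(login_member($db, 'alice', 'correct horse'));             // right password
var_dump(login_member($db, 'alice', 'wrong'));                     // wrong password
var_dump(login_member($db, 'mallory', 'correct horse'));           // unknown user
```

For MySQL only the PDO DSN changes; the `pass` column should be wide enough for the hash (the PHP manual suggests 255 characters).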