MD5


31 replies to this topic

#21 _*Creative Insanity_*

_*Creative Insanity_*
  • Guests

Posted 16 August 2007 - 08:10 PM

Yeah I know about programs writing for you Demonslay, but in the past with some minor additions it has done the trick for me since I started PHP with UltraDev (man that is going back some now).

Anyway.. here is the full login code.

<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
	case "text":
	  $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
	  break;	
	case "long":
	case "int":
	  $theValue = ($theValue != "") ? intval($theValue) : "NULL";
	  break;
	case "double":
	  $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
	  break;
	case "date":
	  $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
	  break;
	case "defined":
	  $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
	  break;
  }
  return $theValue;
}
}

if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
	case "text":
	  $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
	  break;	
	case "long":
	case "int":
	  $theValue = ($theValue != "") ? intval($theValue) : "NULL";
	  break;
	case "double":
	  $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
	  break;
	case "date":
	  $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
	  break;
	case "defined":
	  $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
	  break;
  }
  return $theValue;
}
}

$colname_RSmembers = "-1";
if (isset($_SESSION['MM_Username'])) {
  $colname_RSmembers = $_SESSION['MM_Username'];
}
mysql_select_db($database_DBcifarewell, $DBcifarewell);
$query_RSmembers = sprintf("SELECT * FROM members WHERE cat = %s", GetSQLValueString($colname_RSmembers, "text"));
$RSmembers = mysql_query($query_RSmembers, $DBcifarewell) or die(mysql_error());
$row_RSmembers = mysql_fetch_assoc($RSmembers);
$totalRows_RSmembers = mysql_num_rows($RSmembers);
?><?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['name'])) {
  $loginUsername=$_POST['name'];
  $password= md5($_POST['pass']);
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "members/logged/index.php";
  $MM_redirectLoginFailed = "inc/failed.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_DBcifarewell, $DBcifarewell);
  
  $LoginRS__query=sprintf("SELECT name, pass FROM members WHERE name=%s AND pass=%s",
	GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 
   
  $LoginRS = mysql_query($LoginRS__query, $DBcifarewell) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
	 $loginStrGroup = "";
	
	//declare two session variables and assign them
	$_SESSION['MM_Username'] = $loginUsername;
	$_SESSION['MM_UserGroup'] = $loginStrGroup;		  

	if (isset($_SESSION['PrevUrl']) && false) {
	  $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
	}
	header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
	header("Location: ". $MM_redirectLoginFailed );
  }
}


#22 Demonslay

Demonslay

    P2L Jedi

  • Members
  • PipPipPip
  • 973 posts
  • Gender:Male
  • Location:A strange world where water falls out of the sky... for no reason.
  • Interests:Graphic Design, Coding, Splinter Cell, Cats

Posted 16 August 2007 - 09:26 PM

To me it looks operational.
What is the problem? Are you being directed to the failed login page, or are you getting a blank page?

#23 _*Creative Insanity_*


Posted 16 August 2007 - 10:44 PM

It is going to the failed login page. With what little I know of php I thought it should work also. But nup.

Update:

After looking at all the code and knowing it should work and then Demonslay convinced me of the same I thought it was time to look elsewhere.
So I checked the members table and found I had limited the chars to 30 (yeah I know.. daaa ken) and so changed that field to text and now all works and can login a treat woo hoo!

Ta guys for all the help with this.. very much appreciated.

Edited by Creative Insanity, 16 August 2007 - 10:55 PM.


#24 .CJ

.CJ

    Young Padawan

  • Members
  • Pip
  • 114 posts
  • Gender:Male
  • Location:Leeds, UK

Posted 17 August 2007 - 07:11 AM

Sorry if you consider this 'hijacking' CI.

Are you using Dreamweaver's built-in PHP scripts, which use Recordsets? Or perhaps the add-on called Developer Toolbox?

I agree with Demonslay that writing your own code is so much better and it feels more rewarding, but of course that's only if you know HOW to code, otherwise pre-made code works... it just isn't guaranteed to be 100% safe.

To Demonslay, this is the function...

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
	case "text":
	  $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
	  break;	
	case "long":
	case "int":
	  $theValue = ($theValue != "") ? intval($theValue) : "NULL";
	  break;
	case "double":
	  $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
	  break;
	case "date":
	  $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
	  break;
	case "defined":
	  $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
	  break;
  }
  return $theValue;
}


#25 Demonslay


Posted 17 August 2007 - 11:58 AM

Ya, he posted the code with it for that function. Actually was shown twice for some reason...

Haha, checking the database was my very next thought, that seems to be a very common mistake lately. :)

#26 _*Creative Insanity_*


Posted 17 August 2007 - 01:51 PM

*shrink* I normally make password fields 100 char, what for I made it 30 this time I have no idea.. but found the fault and now the registration works and the login works also. Cool.

CJ please don't mention that Developers Toolbox.
I downloaded the demo of MX Kollection some time back and only used it once and then removed it. Junk in my view.
You use one small feature, like say, upload page.. and it creates another 300 odd files for a feature that requires only one.
Not only that it messes up your layout by inserting its own css file. UGLY!

Then I saw that Developers Tool Box and bought that and found it was only the same junk as that InterACT MX thing and thought.. damn waste of money and have never used it. I have no extensions installed and since buying that DTB I don't think I will ever buy any more.

Edited by Creative Insanity, 17 August 2007 - 03:26 PM.


#27 .CJ


Posted 17 August 2007 - 03:46 PM

> CJ please don't mention that Developers Toolbox.
> I downloaded the demo of MX Kollection some time back and only used it once and then removed it. Junk in my view.
> You use one small feature, like say, upload page.. and it creates another 300 odd files for a feature that requires only one.
> Not only that it messes up your layout by inserting its own css file. UGLY!
>
> Then I saw that Developers Tool Box and bought that and found it was only the same junk as that InterACT MX thing and thought.. damn waste of money and have never used it. I have no extensions installed and since buying that DTB I don't think I will ever buy any more.

lol, hear hear!! I used it once, and never again!

#28 nitr0x

nitr0x

    Young Padawan

  • Members
  • Pip
  • 201 posts

Posted 17 August 2007 - 04:52 PM

I've never used an extension for DW... and CI, instead of using TEXT for the password field, use VARCHAR with the limit of 35, that should keep it safe as well as lowering the space of the database.

#29 _*Creative Insanity_*


Posted 17 August 2007 - 05:02 PM

Yeah good thought nitr0x. Only made it text that time for testing purposes. Now I know it works a treat will limit that size and go back to limited chars.
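
The failure diagnosed in posts #23 and #28, as an added example that is not part of any post: md5() always returns 32 hex characters, so a 30-character column stores a clipped hash that can never match. The sample password is constructed, and silent truncation on INSERT is assumed (MySQL outside strict mode); substr() stands in for the database.

```php
<?php
// Added example: why a 30-character column broke the md5() login in this thread.
// The password is a constructed sample; the widths are the ones the posts discuss.

function storeInColumn(string $value, int $width): string
{
    // Assumption: the server truncates an over-long string on INSERT instead of
    // rejecting it. substr() reproduces that without needing a database.
    return substr($value, 0, $width);
}

function loginMatches(string $password, string $storedHash): bool
{
    // Same comparison the posted query performs: pass = md5(submitted password).
    return hash_equals($storedHash, md5($password));
}

$password = 'correct horse';   // constructed sample
$digest   = md5($password);    // 32 hex characters, whatever the input

foreach ([30, 32, 35] as $width) {
    $stored = storeInColumn($digest, $width);
    printf(
        "VARCHAR(%d): stored %d chars, login %s\n",
        $width,
        strlen($stored),
        loginMatches($password, $stored) ? 'ok' : 'FAILS'
    );
}

// Output lengths that set the minimum column width if the hash function changes.
printf(
    "sha1: %d, sha256: %d, password_hash (bcrypt): %d\n",
    strlen(sha1($password)),
    strlen(hash('sha256', $password)),
    strlen(password_hash($password, PASSWORD_BCRYPT))
);
```

VARCHAR(35) fits md5() but would clip a 40-character sha1() digest; the PHP manual recommends a 255-character column for password_hash() output.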

#30 Ziggy

Ziggy

    Young Padawan

  • Members
  • Pip
  • 14 posts

Posted 22 August 2007 - 07:52 AM

isn't sha better than md5?

#31 _*Creative Insanity_*


Posted 22 August 2007 - 02:44 PM

I personally don't think that sha is better than MD5(). I have my encryption salted as Demonslay suggested and that works a treat, and if one wants to crack that they have to know what salt was used.. pretty hard task I would say, no? hehe

#32 Demonslay


Posted 22 August 2007 - 05:15 PM

Ziggy - do a search on Google. You'll find millions of debates on md5 vs. sha1 vs. every other one-way encryption method out there.

It can get extremely technical, and I can't remember the debates I last read, but I think md5 has usually been viewed as easier to use. I think it really comes down to simple preference. Hell, some sites suggest to use both, such as run the string through md5 and a md5'd salt, then run the whole thing through sha1, lol.

But this topic isn't to be a battle over encryption methods, so let's just end it at that...
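
For readers maintaining a login like the one posted in #21, an added example (not code from any poster) of the same check done with a bound parameter and PHP's password_hash(), which generates a random per-user salt and stores it inside the hash. Table and column names follow the posted query; the in-memory SQLite database, the sample account and the unsalted-md5 legacy format are assumptions.

```php
<?php
// Added example: the thread's members/name/pass login, with a prepared statement
// and an in-place upgrade of legacy md5() rows. Sample data is constructed.

function login(PDO $db, string $name, string $pass): bool
{
    // A bound parameter replaces GetSQLValueString() + sprintf().
    $stmt = $db->prepare('SELECT pass FROM members WHERE name = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;                       // no such user
    }

    // Legacy row: 32 hex chars of unsalted md5(), as in the posted login code.
    $isLegacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $isLegacy
        ? hash_equals($stored, md5($pass))
        : password_verify($pass, $stored);

    // After a successful login, replace legacy or outdated hashes.
    if ($ok && ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $upd = $db->prepare('UPDATE members SET pass = ? WHERE name = ?');
        $upd->execute([password_hash($pass, PASSWORD_DEFAULT), $name]);
    }
    return $ok;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// 255 characters leaves room for future password_hash() algorithms.
$db->exec('CREATE TABLE members (name VARCHAR(50) PRIMARY KEY, pass VARCHAR(255))');
$db->prepare('INSERT INTO members VALUES (?, ?)')
   ->execute(['alice', md5('s3cret-sample')]);    // constructed legacy row

var_dump(login($db, 'alice', 'wrong'));           // wrong password
var_dump(login($db, 'alice', 's3cret-sample'));   // legacy md5 path, triggers the upgrade
var_dump(login($db, 'alice', 's3cret-sample'));   // now checked by password_verify()
echo $db->query("SELECT pass FROM members WHERE name = 'alice'")->fetchColumn(), "\n";
```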



