rocknbil
msg:4395602 | 4:32 pm on Dec 8, 2011 (gmt 0) |
What happens when you do this?
// Get the database password to match, then
echo "Entered $password, database $db_password";
exit;
Do they match? I suspect not?
View the source in case any characters are hidden by the browser. I suspect addcslashes but that's a wild guess.
|
eelixduppy
msg:4395605 | 4:35 pm on Dec 8, 2011 (gmt 0) |
>> addcslashes
This would be the first thing I removed to make things consistent.
How are you comparing the two hashes in the login process? You should be hashing what they type in and comparing it to the hash stored in the database.
|
Gilead
msg:4395607 | 4:46 pm on Dec 8, 2011 (gmt 0) |
Unless I did something completely nuts, I added this piece to the login just as it checks the admin table.
$row = mysql_fetch_array($result);
$dbpassword=$row['password'];
echo "Entered Password";
echo $mypassword;
echo '<br />';
echo "Database password";
echo $dbpassword;
the dbpassword is blank!
In phpmyadmin, the password appears in a 40 character string of number and letters.
Do I need to encrypt the input so it matches the one in the database?
|
Gilead
msg:4395627 | 5:03 pm on Dec 8, 2011 (gmt 0) |
If I do encrypt it, it works just fine as long as the password has already been encrypted. However not all users, admins included have logged in initially to reset their own passwords. How can I get around this?
|
eelixduppy
msg:4395629 | 5:13 pm on Dec 8, 2011 (gmt 0) |
>> Do I need to encrypt the input so it matches the one in the database?
Yes.
>> How can I get around this?
If you are storing their passwords as plain text, you can do an update on that field with the new hash. The difficulty here being how to differentiate between an already hashed password and one that still needs to be hashed.
|
brotherhood of LAN
msg:4395630 | 5:15 pm on Dec 8, 2011 (gmt 0) |
Encrypt the passwords as soon as they get into the database.
For existing ones, if your SHA1 method has a fixed length, you can update all the password rows that don't have that length (make a backup first if you try it)
UPDATE table SET password = SHA1(password) WHERE LENGTH(password) != 40
This assumes that anyone with an unencrypted password does not have a password with a 40 character length, or it'll remain unencrypted.
|
Gilead
msg:4395638 | 5:25 pm on Dec 8, 2011 (gmt 0) |
I'm really confused now.
The temp password that sent to the user/admin is md5 limited to 8. I wanted something easy for anyone with a temp password.
My problem comes once they login. What is the best way to check for both the full encrypted password and the 8char temp password?
2 database queries? or can I somehow combine them? or doesn't seem to work.
...WHERE member_login='$myusername' and member_password='$mypassword' or '$mytemppassword'";
|
|
