authenticating problem when encrypting with md5

         

fatthumb

12:04 am on May 4, 2007 (gmt 0)

10+ Year Member



Ok, so using PHP/MySQL I have successfully made a login page, pages that restrict access to certain user types (all using server behaviors). It works great! Although I've noticed something interesting. The passwords when stored in my MySQL database are in plain language. How can I encrypt them so that no one can see the list of passwords?
Then I found out about md5 encryption. It does the job on the registration page, inserting it in the database, but the problem now is when I try to log in the md5 piece just doesn't work...

here is the code for the login page
Ok I think if I get this sorted out I should be good. I figured out how to encrypt the password, then put in the db. Problem is in authentication. Here's my code for the login page (this was generated by DreamWeaver):

<?php require_once('Connections/RegConnect.php');?>
<?php
// *** Validate request to login to this site.
session_start();

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($accesscheck)) {
    $GLOBALS['PrevUrl'] = $accesscheck;
    session_register('PrevUrl');
}

if (isset($_POST['username'])) {
    $loginUsername=$_POST['username'];
    $password=md5($_POST['password']); // <=== RIGHT HERE?!? this is where it should go?
    $MM_fldUserAuthorization = "access";
    $MM_redirectLoginSuccess = "congrats.php";
    $MM_redirectLoginFailed = "failed.html";
    $MM_redirecttoReferrer = false;
    mysql_select_db($database_RegConnect, $RegConnect);

    $LoginRS__query=sprintf("SELECT username, password, access FROM users WHERE username='%s' AND password='%s'",
        get_magic_quotes_gpc()? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc()? $password : addslashes($password));

    $LoginRS = mysql_query($LoginRS__query, $RegConnect) or die(mysql_error());
    $loginFoundUser = mysql_num_rows($LoginRS);
    if ($loginFoundUser) {

        $loginStrGroup = mysql_result($LoginRS,0,'access');

        //declare two session variables and assign them
        $GLOBALS['MM_Username'] = $loginUsername;
        $GLOBALS['MM_UserGroup'] = $loginStrGroup;

        //register the session variables
        session_register("MM_Username");
        session_register("MM_UserGroup");

        if (isset($_SESSION['PrevUrl']) && false) {
            $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
        }
        header("Location: " . $MM_redirectLoginSuccess );
    }
    else {
        header("Location: ". $MM_redirectLoginFailed );
    }
}
?>

omoutop

7:49 am on May 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Try this one as alternative

$password=$_POST['password']; // submit from form

in your query ...
SELECT * FROM [table] WHERE password=password($password)
INSERT INTO [table] (password) VALUES (password($password))

This works the same

FiRe

10:59 am on May 4, 2007 (gmt 0)

10+ Year Member



Just to clear a few things up...

MD5 is a one-way encryption, this means that there is no decryption code for it (this is what makes it so popular). So when a user registers on your site, you should encrypt their password in md5 and insert that into your database (along with the rest of their details). Then when a user logs in, you simply encrypt the password they have entered in the form, and match it with the encrypted password in the database.

The only problem you will find is if people forget their passwords. The best thing to do in this scenario is to generate a new random password, encrypt it, replace that with their current password in the database, and then mail them the new password. I would do it like this:


$newpass = rand(1000,9999);
$newpass_encrypted = md5($newpass);

mysql_query("UPDATE users SET password='$newpass_encrypted' WHERE email='$email'");

mail($email, "New Password", "Your password has been reset to: $newpass");

Hope that helps :-)
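
An added example, not part of the post above or of any code in this thread: a reset flow that mails a single-use, expiring token drawn from the system CSPRNG and leaves the current password in place until the token is redeemed. The `$store` array (standing in for a `password_resets` table), the function names and `RESET_TTL` are assumptions made for illustration.

```php
<?php
// Added example. $store is a hypothetical stand-in for a password_resets
// table keyed by e-mail address; RESET_TTL is an assumed policy value.
const RESET_TTL = 900; // seconds a reset token stays valid

function issue_reset(array &$store, string $email, int $now): string
{
    // 32 bytes from the OS CSPRNG; rand(1000, 9999) has only 9000 outcomes.
    $token = bin2hex(random_bytes(32));
    // Keep only a hash of the token, so a leaked table cannot be replayed.
    // A fast hash is acceptable here because the token is 256 random bits.
    $store[$email] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + RESET_TTL,
    ];
    return $token; // mailed inside a link; the old password keeps working
}

// Returns the new password hash to write to users.password, or null.
function redeem_reset(array &$store, string $email, string $token,
                      string $newPass, int $now): ?string
{
    $rec = $store[$email] ?? null;
    if ($rec === null || $now > $rec['expires']) {
        unset($store[$email]);          // drop expired records
        return null;
    }
    // hash_equals() compares in constant time.
    if (!hash_equals($rec['hash'], hash('sha256', $token))) {
        return null;
    }
    unset($store[$email]);              // single use
    return password_hash($newPass, PASSWORD_DEFAULT);
}

// Constructed walk-through with a fixed clock: a wrong token, the right
// token, then a replay of the right token after it has been used.
$store = [];
$token = issue_reset($store, 'user@example.com', 1000);
var_dump(redeem_reset($store, 'user@example.com', 'guess', 'n3w pass', 1010) === null);
var_dump(is_string(redeem_reset($store, 'user@example.com', $token, 'n3w pass', 1010)));
var_dump(redeem_reset($store, 'user@example.com', $token, 'n3w pass', 1020) === null);
```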

Kroegen

11:04 am on May 4, 2007 (gmt 0)

10+ Year Member



Hello,

Could you explain this in layman's terms?

Kroegen.

cameraman

5:37 pm on May 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



fatthumb, my guess is that while you were working the bugs out you accidentally encoded the password twice. Write a short script to md5 a form field and echo it to the screen, paste that value into the database record, then see if your posted script starts working.
<?php
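if (isset($_POST['Submit'])) {
    // Show the md5 hash of the submitted value so it can be pasted into the database record.
    echo md5($_POST['password']) . '<br>';
}
?>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>">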
<input type="text" name="password">
<input type="submit" name="Submit" value="Submit">
</form>

"This works the same"

Insofar as it produces a one-way encryption, but the mysql password() function doesn't use the md5 algorithm. It may be stronger but IMHO is less portable, and when they up and changed it in 4.1.1 that's a little scary. I'd rather be the one to decide when I have to rewrite my scripts.

Kroegen, welcome to WebmasterWorld.
md5 is one-way, meaning that something run through it gets mangled up in a way that can't be undone. It's easier to look at if we use very simple math. Say you have a function that divides a number by 11 and returns an integer result. The number 36 then becomes 3. You can't take the 3 and multiply it by 11 to get back to 36. MD5 does that on a much higher level, turning input into a 128 bit value that's broken up into 32 hex digits. You might notice that the divide-by-11 function will return the same result for any number from 33 to 42. MD5 has the same problem, but the same result is only obtained in 2^42 tries.

Using a one-way encryption is good for things like people's passwords because you don't have any need to know what the original word is, and since people tend to use the same password for more than one purpose you do them a disservice by storing it plain text. FiRe pointed out that the disadvantage is that when people forget their passwords, you can't tell them what the password was, so the alternative is to generate a new one and email it. The user could then use that password to log in and change it to something easier to remember.

fatthumb

6:02 pm on May 4, 2007 (gmt 0)

10+ Year Member



Thanks guys,
This forum is really helpful. I found the problem, it was a human error (me being the naive human). The answer was on my table in the database: while my password login form was spitting out a 32-character hash, my table column had a VARCHAR of 10, therefore the values didn't match. All I did was to set the VARCHAR to 32 and problem solved, now we have a match.
Thanks everybody.
I hope my problem-solution helps more people like me.
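
An added example, not code from this thread: the same login check written with `password_hash()` / `password_verify()` and prepared statements, with the password column sized so the stored hash is never cut short the way the VARCHAR(10) column cut the md5 value. It assumes PHP 7.1+ with the pdo_sqlite extension and uses an in-memory database so it runs without a server; the function names and the sample account are constructed.

```php
<?php
// Added example. In-memory SQLite stands in for the thread's MySQL users
// table; the account below is constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// password_hash() output is 60 characters for bcrypt and may grow with
// later algorithms, so the column is 255 wide. A column narrower than the
// hash is the same fault as the VARCHAR(10) described in the thread.
$db->exec('CREATE TABLE users (
    username VARCHAR(64)  PRIMARY KEY,
    password VARCHAR(255) NOT NULL,
    access   VARCHAR(16)  NOT NULL
)');

function register_user(PDO $db, string $user, string $pass, string $access): void
{
    // A per-user random salt and a tunable cost are built into the hash.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password, access) VALUES (?, ?, ?)');
    $stmt->execute([$user, $hash, $access]);
}

// Returns the access level on success, null on failure.
function check_login(PDO $db, string $user, string $pass): ?string
{
    // Look up by username only: the hash cannot be matched in the WHERE
    // clause because every password_hash() call uses a different salt.
    $stmt = $db->prepare('SELECT password, access FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;
    }
    // Upgrade the stored hash when the default algorithm or cost changes.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($pass, PASSWORD_DEFAULT), $user]);
    }
    return $row['access'];
}

register_user($db, 'alice', 'correct horse battery staple', 'admin');
var_dump(check_login($db, 'alice', 'correct horse battery staple'));
var_dump(check_login($db, 'alice', 'wrong guess'));
// Lengths the column has to hold: md5 hex versus the current default hash.
var_dump(strlen(md5('x')), strlen(password_hash('x', PASSWORD_DEFAULT)));
```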

Kroegen

7:20 pm on May 5, 2007 (gmt 0)

10+ Year Member



Thanks Cameraman, that cleared it up for me.

Kroegen.