I'm currently taking my first steps into coding a PHP register / login page and have hit a snag.
The register page works fine and sends an encrypted password to the database, however when I try to access and decrypt this password on the login page it seems to fail.
The section of code looks like this:
<?php
include("header.php");
// dBase file
include ("dbConfig.php");
if ($_GET["op"] == "login")
{
    if (!$_POST["username"] || !$_POST["password"])
    {
        die("You need to provide a username and password.");
    }
    // Create query
    $q = "SELECT * FROM `member` "
        ."WHERE `username`='".$_POST["username"]."' "
        ."AND `password`=PASSWORD('".$_POST["password"]."') "
        ."LIMIT 1";
    // Run query
    $r = mysql_query($q);
    if ( $obj = @mysql_fetch_object($r) )
    {
        // Login good, create session variables
        $_SESSION["valid_id"] = $obj->id;
        $_SESSION["valid_user"] = $_POST["username"];
        $_SESSION["valid_time"] = time();
        // Redirect to member page
        echo '<META HTTP-EQUIV="Refresh" Content="0; URL=hurrihome.php">';
        exit;
    }
    else
    {
        // Login not successful
        die("Sorry, your username or password was incorrect please <a href=login.php>try again</a> or contact your Team Administrator.");
    }
}
else
{
    //If all went right the Web form appears and users can log in
    echo "<div id=\"login\">";
    echo "<form class=\"login\" action=\"?op=login\" method=\"POST\">";
    echo "<p>Username: <input name=\"username\" size=\"15\"></p>";
    echo "<p>Password: <input type=\"password\" name=\"password\" size=\"8\"></p>";
    echo "<input type=\"submit\" value=\"Login\">";
    echo "</form>";
    echo "</div>";
}
?>
If I use an unencrypted password in the DB and take out the 'PASSWORD' command then this works ok... but I want to get the decryption working!
Could anybody offer any advice?
<snip>
[edited by: dreamcatcher at 7:08 pm (utc) on Jan. 14, 2010]
[edit reason] no urls please, see T.O.S [/edit]
I find that using [''] single quotes makes life easier, as for the password, the error I think lies in the:-
."AND `password`= '".password($_POST['password'])."' LIMIT 1";
You can concatenate the actual password part, no need to concatenate in the password function itself, as this will create errors.
Try echoing the actual passed query to see if the variables populate the query, then carry on from that point.
Good Luck,
MRb
BTW topherknowles & eliza81: Welcome to WebmasterWorld!
mysql password() [dev.mysql.com]
The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA1() instead.
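An added example, not part of the original thread: the same login check with the user input bound as query parameters and the password hashed and verified in PHP with password_hash() / password_verify() instead of a SQL hashing function (MD5() and SHA1() are fast, unsalted hashes and are a poor fit for stored passwords). The `password_hash` column name, the `register()` / `login()` helpers and the in-memory SQLite database standing in for MySQL are assumptions made so the script runs on its own.

```php
<?php
// Added example. Assumed schema: member(id, username, password_hash).
// An in-memory SQLite database stands in for MySQL so this runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE,
    password_hash TEXT
)');

// Registration: hash in PHP, not in SQL. password_hash() generates a
// per-password salt and stores it, with the algorithm, inside the hash string.
function register(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO member (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: look the row up by username only, using a bound parameter,
// then compare the submitted password against the stored hash in PHP.
// Returns the member id on success, null on failure.
function login(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM member WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // For an unknown username, verify against a dummy hash so both
    // paths do a comparable amount of work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row ? $row['password_hash'] : $dummy);

    return ($row && $ok) ? (int) $row['id'] : null;
}

// Constructed sample account and login attempts.
register($db, 'alice', 'correct horse battery staple');

var_dump(login($db, 'alice', 'correct horse battery staple')); // valid credentials
var_dump(login($db, 'alice', 'wrong password'));               // wrong password
var_dump(login($db, "alice' -- ", 'anything'));                // quote in username is bound as data
```

On the login page, a non-null return value is the point at which the `$_SESSION` values would be set; calling `session_regenerate_id(true)` just before that gives the authenticated session a fresh id.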
... I just wanted to get this bit done so I could move onto more interesting stuff ...
Yeah, the basic 'not-so-fun' stuff is really 'not-so-fun', but if you get it right this time you will have a good base for all future projects and it will come in handy and save you all kinds of time in the future ... One of the biggest issues I had when I first started coding was wanting to 'get it done', but after a couple times of going back later and having to re-write an entire system to 'get it done right' I decided right the first time was much more important... It starts to get to be more fun (started for me anyway) when you have the basic knowledge of what you can do and how, because then you can really start using creativity to do different things, or things most people can't do.
Sometimes there are things I leave out of posts because they're 'known' to me and I forget to type them in... For instance the other day I posted a loop that would put 3 cols across in a table, and someone pointed out it wouldn't work if there wasn't an even count, which was true, because I only posted the loop... Outside the loop I usually have if(!preg_match('#</tr>$#',$string)) { $string.='</td></tr>'; } I really didn't even think about it... They wanted a loop. I posted the loop. It's simple because I've done it so many times and I didn't even think about having to explain the closing in a non-even situation. When you get there, it's more fun, because what you're doing when you're not solving (or helping solve) other people's issues here is dreaming stuff up and then making it happen... Then it's fun :)
Of course, I think: How can I make the security on 'blah system' more secure than usual and such a headache for a hacker to deal with they decide to go somewhere else? Is fun...