PHP - Securely Storing Passwords

I have had a load of people who are silly enought to forget their username and or password so wish to add in the option for them to save their details in a cookie, and break my number one rule, never to use them!!!

can anyone suggest how i can do this so it is stored safely like most websites do it.

I came across this amazing (not) blog to allow the user to reset their password.  It basically does: User submits their email to server and requests new password. Server gets their users_id from the DB based on their email, and emails them with a link which contains ?encrypt=md5(1290*3+USERS_ID). When clicked, server retrieves user where md5(90*13+USERS_ID)=$_GET['encrypt'], and display a form.  I think the math is a typo. When the form is submitted, the password is changed. What is the correct way to do this?

Hey all,

I posted a few months ago trying out my first salted password and I utterly failed lol.

This is a small snippet from my current attempt.

Code: (php) [Select]
    $salt = md5(uniqid(rand()));
    $Pass_S = md5($pass.$salt);

This is only the password and salt generation part. I'm sure the salt generation is probably too simple so please feel free to give your thoughts on that part.

Also the salt is stored on the database to be pulled up later for login uses.

Thanks all!

What do I need to do to *safely* capture and store User Passwords in a Registration Form?

There was a thread that I started a few months ago where someone had given a really good response talking about "Salt" and so on, but for the life of me I cannot find that info.

Nonetheless, I need some help getting my head back into this topic!

My Registration Form is complete, and the last thing I need to do is make sure Users enter a "Strong Password" and then I need to store that somewhere, somehow, in the most *secure* manner possible...

Thanks,


Debbie

This is my code it's not working.

$username = $_POST['username'];


        $password = $_POST['password'];
        $encrypt_password = md5($password);

        $email = $_POST['email'];


        $usrsql = "SELECT * FROM $tbl_name WHERE username='$username' AND password='$encrypt_password'";

//--> Below is the INSERT Code

$query = "INSERT INTO `x_users` (username, password, email) VALUES ('$username', '$encrypt_password', '$email')";

        $result = mysql_query($query);

        if($result == 1) {

            print("Thank you, your accout has been created!");
        }

Can anyone tell me why the md5() function is not working?
Edited by Tom8001, 28 November 2014 - 07:49 PM.

I'm incorporating a dynamic salt into my user system, but I'm not sure how to store the salt itself. The password is hashed and added to the database, but wouldn't you need to store the salt as plain text in the database in order to verify the login later?

Also, I've read that using both a dynamic and static salt is good practice. If this is the case, is the static salt simply defined within the PHP? Or is there another method to storing it?

Thanks for the help

I'll start by apologizing for the stupid decision that led to this question.  A few years ago, I created a PHP/Myysql site with a login system and I created a field in the MySQL called "password" and it stored literally the exact password people entered (I know, I know).   The site has proven to have nice traffic potential, so I am going to re-vamp everything, including storing passwords properly (i.e. hashed).   My first question... Is there a way to convert regular text passwords to hashed passwords?  For example, I could create a new field in the "User" table for "hashedpassword" and write a script that takes all the insecure passwords and turns them into hashed passwords.  Then deleted the previous "bad" password field from the database.  This would allow me to do it without the customer every knowing anything changed.    Quick googling appears to support that it IS doable rather easily, with something like...

UPDATE mytable
SET password = MD5(password)

If not, I guess I would have to create a thing where the first time omeone logged in after I put hashing in place, the site would force them to change their password. I'd rather not annoy the visitors if it all possible.   Second question, what is the proper/recommended hashing method to use?   Some people seem to poo-poo MD5.  If you agree, should I use:   MD5 SHA MD5 with a salt SHA with a salt Something else i never heard of   NOTE:  My site is a fantasy sports site, so the data involved is not overly important.  Maybe a salt is overkill?  Or is being overly safe never a bad thing?   Lastly, don't need to address this, but if anyone can explain it like I'm 5 that would be great because i must be missing something... if you can easily turn a regular password into a hashed password, couldn't hackers easily do the reverse, which would render the hashing almost useless?  I get that salting helps, but before salting (i.e. doing ONLY MD5), I don't see how hashing helped that much (if you could reverese figure out the password).  What am I missing?   Thanks! Greg
Edited by galvin, 13 November 2014 - 09:44 AM.

Hey All,

I'm tryin to make a log-in system for multiple usernames and passwords, but I don't really know how many if statements i'd need for it.. I'm also a noob..


Code: [Select]
<?php

session_start();
$users = array("user1" =>"3202", "user2" =>"2002", "user3" =>"1061", "user4"=>"1400", "user5"=>"1001");

if($_REQUEST['username'] == "infs" && $_REQUEST['password'] == "3202"){

$_SESSION['username'] = "user1" ;
$_SESSION['password'] = "3202" ;

$_SESSION['username'] = "user2" ;
$_SESSION['password'] = "2002" ;

$_SESSION['username'] = "user5" ;
$_SESSION['password'] = "1001" ;

$_SESSION['username'] = "user3" ;
$_SESSION['password'] = "1061" ;

$_SESSION['username'] = "user4" ;
$_SESSION['password'] = "1400" ;
header("Location: home.php ");
}else{


 After checking if the matching username and password exist in my array then save them in a session...


What's the best way of doing it?

Hi there I have a problem here, I think I may know what it is but just wanted some guidance on this issue.

I took the logic from a previous help from the people on this forum and here is my landing page:

<?php
// ini_set("display_errors", 1);

// randomly starts a session!

session_name("jeremyBasicLogin");
session_start();

if(isset($_SESSION['username']))  {

// display whatever when the user is logged in:

echo <<<ADDENTRY

<html>
<head>
<title>User is now signed in:<title>
</head>

<body>
<h1>You are now signed in!</h1>
<p>You can do now what you want to do!</p>
</body>
</html>
ADDENTRY;

} else {
// If anything else dont allow access and send back to original page!

header("location: signin.php");

}
?>


This is where the user goes to when they go to this system (not a functional system, ie it doesnt actually do anything its more for my own theory.

As you wont have a session on the first turn to this page it goes to:

signin.php which contains:
<?php
// ini_set("display_errors", 1);

require_once('func.db.connect.php');

if(array_key_exists('submit',$_POST)) {

dbConnect(); // connect to database anyways!

// Do a procedure to log the user in:

// Santize User Inputs
$username = trim(stripslashes(mysql_real_escape_string($_POST['username']))); // cleans up with PHP first!
$password = trim(stripslashes(mysql_real_escape_string(md5($_POST['password'])))); // cleans up with PHP first!

$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysql_query($sql);

if(mysql_num_rows($result) == 1) {

session_name("jeremyBasicLogin");
session_start();
$_SESSION['is_logged_in'] = true;
$_SESSION['username'] = $username;
//print_r($_SESSION);  // debug purposes only!
$_SESSION['time_loggedin'] = time(); // this is adding to the array (have seen the output in the SESSION vars!

// call function to update the time stamp in MySQL?


header("location: index.php");

} else if(mysql_num_rows($result) != 1) {
$message = "You typed the wrong password or Username Please retry!";
}
} else {
$message = "";
}
// displays the login page:
echo <<<LOGIN
<html>
<body>
<h1>Example Login</h1>

<form id="login" name="login" action="{$_SERVER['PHP_SELF']}" method="post">
<label for="username">Username: </label><input type="text" id="username" name="username" value="" /><br>
<label for="password">Password: </label><input type="text" id="password" name="password" value="" /><br>
<input type="submit" id="submit" name="submit" value="Login" />
</form>
LOGIN;
echo "<p>" . $message . "</p>";
echo <<<LOGIN

<p>Please Login to View and Edit Your Entries</p>
<p><a href="register.php">Click Here To Signup</a><p>
</body>
</html>
LOGIN;
?>


This checks through user inputs and hopefully logs them in, when Ive inserted the data into the database itself it works, if I try and login but if a user fills in this form:

signup.php:

<?php
//ini_set("display_errors", 1);

$message ='';

require_once('func.db.connect.php');

if(array_key_exists('submit',$_POST)) {

dbConnect(); // connect to database anyways!

// do some safe protecting of the users variables, apply it to all details!
$username = trim(stripslashes(mysql_real_escape_string($_POST['username']))); // cleans up with PHP first!
$email = trim(stripslashes(mysql_real_escape_string($_POST['email']))); // cleans up with PHP first!
$password = trim(stripslashes(mysql_real_escape_string(md5($_POST['password'])))); // does as above but also encrypts it using the md5 function!
$password2 = trim(stripslashes(mysql_real_escape_string(md5($_POST['password2'])))); // does as above but also encrypts it using the md5 function!

if($username != '' && $email != '' && $password != '' && $password2 != '') {
// do whatever when not = to nothing/empty fields!

if($password === $password2) {
// do database stuff to enter users details

$sql = "INSERT INTO `test`.`users` (`id` ,`username` ,`password`) VALUES ('' , '$username', MD5( '$password' ));";
$result = mysql_query($sql);
if($result) {
$message = 'You may now login by clicking <a href="index.php">here</a>';
}

} else {
// echo out a user message says they got their 2 passwords incorrectly typed:
$message = 'Pleae re enter your password';
}

} else {
// they where obviously where empty
$message = 'You missed out some required fields, please try again';
}

}

echo <<<REGISTER

<html>
<body>
<h1>Register Form</h1>
<p>Please fill in this form to register</p>
<form id="register" name="register" action="{$_SERVER['PHP_SELF']}" method="post">

<table>
<tr>
<td><label for="username">Username: </label></td>
<td><input type="text" id="username" name="username" value="" /></td>
</tr>

<tr>
<td><label for="email">Email: </label></td>
<td><input type="text" id="email" name="email" value="" /></td>
</tr>

<tr>
<td><label for="password">Password: </label></td>
<td><input type="text" id="password" name="password" value="" /></td>
</tr>

<tr>
<td><label for="password">Confirm Password: </label></td>
<td><input type="text" id="password2" name="password2" value="" /></td>
</tr>

<tr>
<td><input type="submit" id="submit" name="submit" value="Register" /></td>
</tr>

<table>

REGISTER;
echo "<p>" . $message . "</p>";
echo <<<REGISTER

</form>
</body>
</html>
REGISTER;
?>


As I said when the user signs up when submitting the above form, it doesnt work, keeps coming up with a different value for the password, so I am about 99% certain its the password, but I have been maticulous about copying in the sanitize function for SQL injections and it just doesnt still work, really puzzled now.

Any helps appreciated,
Jeremy.

Hi,
I am struggling with a form in php. I am trying to add a form by using the include function. I want to include thsi form on all pages so it would be very useful if I can save the current page name somewhere so that I can use to validate the form.

For example, this is the form I am trying to include.

<?php
if(!empty($errors))
{
if(isset($errors['sendError']))
{
echo '<p><strong class="error">There was a problem with our system please contact us directly.</strong></p>';
}
else
{
echo '<p><strong class="error">Please check the form below for errors.</strong></p>';
}
}
?>
<form action="index.php" method="post" id="form1">
<p>
<label><?php if(isset($errors['name'])) { echo '<span class="error">'; } ?>Name<font color="red">*</font>: <?php if(isset($errors['name'])) { echo '</span>'; } ?></label>
<input id="search1" id="complete" type="text" value="<?php echo $form['name']; ?>" name="name" size="60" align="right" style="background:#EEF5A4" />

<label><?php if(isset($errors['company'])) { echo '<span class="error">'; } ?>Company: <?php if(isset($errors['company'])) { echo '</span>'; } ?></label>
<input id="search1" id="complete" type="text" value="<?php echo $form['company']; ?>" name="company" size="60" align="right" />

<label><?php if(isset($errors['phone'])) { echo '<span class="error">'; } ?>Phone Number: <?php if(isset($errors['phone'])) { echo '</span>'; } ?></label>
<input id="search1" id="complete" type="text" value="<?php echo $form['phone']; ?>" name="phone" size="60" align="right" />

<label><?php if(isset($errors['email'])) { echo '<span class="error">'; } ?>Email<font color="red">*</font>: <?php if(isset($errors['email'])) { echo '</span>'; } ?></label>
<input id="search1" id="complete" type="text" value="<?php echo $form['email']; ?>" name="email" size="60" align="right" style="background:#EEF5A4" />

<label><?php if(isset($errors['enquiry'])) { echo '<span class="error">'; } ?>Enquiry: <?php if(isset($errors['enquiry'])) { echo '</span>'; } ?></label>
<textarea id="search1" id="complete" textarea name="enquiry" rows=4 cols=40 value="<?php echo $form['enquiry']; ?>" name="enquiry" size="60" align="right"></textarea>
</p>
<p>
<input type="submit" class="formbutton" value="Submit" />&nbsp;<input type="reset" class="formbutton" value="Reset" />
</p>
<p><font color="red">*</font> Denotes a required field</p>
</form>

Because I am going to use this form on all pages, I would like it to include whatever the filename is rather than index.php in the first line of the form so that when the user clicks submit, it will stay on the same page but validate the form based on the mandatory fields.

I don't know if the question is clear. I would very much appreciate any help at all.

Thank you very much.

Hello all, I'm having some problems with a script ive written which is designed to allow me to send a message to all the users of my site.

the form works fine, the SQL works fine but im having a problem with storing php variables and outputting them in the message.

The form has a field named "allmessage" which is where i'll type my message, I'll type something like

"Hello $Name" and store the text as

$allmessage = $_POST['allmessage'];

example script


//loops through each member
    while ($row=mysql_fetch_array($sql)) 
    {
    
    //sets variables
    $ID=$row['ID'];
    $Name=$row['MemberName'];
    $Email=$row['Email'];
 
    $content_type = 'Content-Type: text/plain; charset="UTF-8"' ;

    mail($Email, $allsubject, $allmessage, $content_type);
    }
//loop ends send us a copy of the mail
mail("me@me.com", $allsubject, $allmessage, $headers );


Now what I want to be outputted in the email is "Hello John" or "Hello Paul"

but what I get is "Hello $Name".

Any ideas?!

Hi, when a user logs out, I want to store the last activity in for the user. I have a db table users:

userID  userName  userPassword lastSession     lastActivity
=====  =======  ==========  ========    =======
1            bob            password         2011-08-09   About.html
2            dre             passwords       2011-09-23   Home.php


here is logout script:
===============
Code: [Select]
<?php
//run this script only if the logout button has been clicked
if(array_key_exists('logout', $_POST)) {
        require("connect.inc");
$username=$_POST["username"];
$updateLastSessionQuery=mysql_query("UPDATE users SET lastSession=NOW() WHERE userName='$username'");

// end session and redirect
//empty the $_SESSION array
    $_SESSION = array();

    session_destroy();
header("Location: xmlShredderLogin.php");  
    exit;
}//END IF for when logout submitted
?>

here is Index.php:
=============
Code: [Select]
<?php
session_start();
if(isset($_SESSION["isAuthenticated"])) {
require("logout.inc.php");
$username=$_POST["username"];
//print $username."<br />";
print '
<html>
<head><title>Home</title></head>
<body>
<form id="logoutForm" name="logoutForm" method="post" action="">
<input name="logout" type="submit" id="logout" value="Log out" />
<input type="hidden" name="usernameHidden" value='; print$username; print '/>
</form>';
mysql_connect("localhost","root");
mysql_select_db("someDB");
$getUserInfoQuery=mysql_query("SELECT lastSession,lastActivity FROM users WHERE userName='$userName'");
$getUserInfo=mysql_fetch_assoc($getUserInfoQuery);
print "Last session: ".$getUserInfo["lastSession"]."<br />";
print "Last activity: ".$getUserInfo["lastActivity"]."<br />";


Let's say the last page the user is on is Index.php, so what do I use to track the last page they are on?? I can't user a form b/c if I have to type in the last activity, that's nonsense! So far I have only figured out how to store the current time in last session (but this doesn't work either).

I just want to track the last page and then have a switch such as:
switch(type)
case 1:
$lastActivity="About.html";
case 2:
$lastActivity="somethingelse.php";


Any help much appreciated!

Alright, the register/login system is fully working with sql injection, BUUUT now I want to store their IP Address. WHOLE new function that I've never dealt with before. So I need some help. Am I doing something wrong?

I have the IPadd in the database as INT(10) and then I went down to another drop down list and hit unsigned.
I feel like I'm doing something wrong with the field in the database..

{
$_SERVER['REMOTE_ADDR'] = $IPadd;
$sql = "INSERT INTO Member (username,createDate,password,firstName,email,IPadd) VALUES ('$username',NOW(),md5('$password'),'$firstName','$email',inet_aton('$IPadd'))";
mysqli_query($cxn,$sql);
$_SESSION['auth']="yes";
$_SESSION['username'] = $username;
header("Location: testing.php");
}

Code: [Select]
<?php $going='';
$name='<span id="name"></span>';
echo "$name";      //results : stevengoh   ---     wanted 
$going=substr($name, 1, 17);
echo "$name";   //results : <span id="going">     ----       don't want
?>
Is it possible to store in php the results of variable id="going" javascript instead of <span id="going"></span>?.

Im making a application but many users can access it at the same time, also the data that needs to be stored into the database in 3 parts firstly the user will enter some details the comany will fill out the reamining details and the user will then accept or decline the companies proposal. The issue im havign will it be easier to just store all of this information into session variables and then save them into the database at the end when all of the details are ready ?

Thank You