|
PHP - How To Add Sha1 Hash Password To Login Page
Hi guys I have a script which i've been playing around with thanks to Spiderwell: http://www.phpfreaks.com/forums/index.php?action=profile;u=35078
I have sort of merged it with another 'member managment' script which is working great. Now i can't seem to correctly create a login page to pass the hashed password using (sha1). Now all i want to do is verify the username and the (hashed) password according to the database and allow the user in. The script i am using to check login works fine without a hashed password in the database. But ideally i'd like to use a hashed form of password. Can somebody show me what change i need to make in this script below in order to pass a sha1 hashed password? I'm guessing it's a really small change from the examples i've seen online, but i just cant seem to get mine to work. :| Your help would be much appreciated. Login Page PHP: Code: [Select] <form name="login" method="post" action="check_login.php3"> <p><strong>Secured Area User Log-in</strong></p> <p>Username: <input name="bioname" type="text" id="bioname"></p> <p>Password: <input name="biopass" type="password" id="biopass"></p> <p> </p> <p><input type="submit" name="Submit" value="Login"></p> </form> Check Login Processor (which is the file i that needs the sha1 added somewhere i think) Code: [Select] <?php require_once('config.php3'); // Connect to the server and select the database. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db")or die("Unable to select database"); // $loginusername = false; $loginpassword = false; $err = false; // default error message is empty // The username and password sent from login.php //the isset() basically means if its there get it, otherwise dont bother if (isset($_POST['bioname'])) $loginusername=$_POST['bioname']; if (isset($_POST['biopass']))$loginpassword=$_POST['biopass']; // if either isnt filled in, tell the user, a very basic bit of validation if (!$loginusername || !$loginpassword) $err = "please complete the form"; if (!$err) //if no error continue { //The following bit of coding protects from MySQL injection attacks $loginusername = stripslashes($loginusername); $loginpassword = stripslashes($loginpassword); $loginusername = mysql_real_escape_string($loginusername); $loginpassword = mysql_real_escape_string($loginpassword); //you could add other things like check for text only blah blah $sql="SELECT * FROM $tbl WHERE bioname='$loginusername' and biopass='$loginpassword'"; $result=mysql_query($sql); // Count how many results were pulled from the table $count=mysql_num_rows($result); // If the result equals 1, continue if($count==1) { session_start(); $_SESSION['user'] = $loginusername; // store session data //please see I have used a session variable that is generic not specific, otherwise you will have to make this page different for every user //that would be a pain in the ass, you don't need to have user1 or user2, its the value stored that relevant, not what the variable name is header("Location: {$loginusername}/index.php3"); } else { $err = "Wrong Username or Password"; } }// end login if statement if ($err) // show error message if there is one { echo $err; echo "<br>Please go back in your browser and try again"; } ?> The secure page: Code: [Select] <?php session_start(); $mypath = $_SERVER["REQUEST_URI"]; //echo $mypath; // for debugging //now we have the path lets see if the username is in that path, i.e. test2 is inside /something/test2/index.php //use the built in strpos() function, which returns position of the last occurance of the string you are looking for inside another string. //http://php.net/manual/en/function.strrpos.php if(strpos($mypath,"/".$_SESSION['user']."/"))//on testing it failed initially as username test is found in path /test2/ so i added the slashes to stop that. so /test/ doesnt get found in /test2/ { echo "congratulations you are the right person in the right place"; } else { session_destroy(); //kill the session, naughty person trying to come here header("Location: ../login.php3"); die();// stop page executing any further } ?> <html> <body> </body> </html> Thanks and i look forward to your replies. Similar TutorialsHi, I am limbo with this one. What I have makes sense to me, but I know I'm missing something or doing something wrong I have been able to hash passwords with salt by new people registering to my site by doing this: if(!$error) { $alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890"; $rand = str_shuffle($alpha); $salt = substr($rand,0,40); $hashed_password = sha1($salt . $_POST['password']); $query = "INSERT INTO `cysticUsers` ( `FirstName`, `LastName`, `Email`, `Password`, `salt`, `RelationshipToCF`, `State`, `Gender`, `Birthday`, `Status` )VALUES( '" . mysql_real_escape_string($_POST['firstName']) . "', '" . mysql_real_escape_string($_POST['lastName']) . "', '" . mysql_real_escape_string($_POST['email']) . "', '" . $hashed_password . "', '" . $salt . "', '" . mysql_real_escape_string($_POST['RelationToCF']) . "', '" . mysql_real_escape_string($_POST['State']) . "', '" . mysql_real_escape_string($_POST['sex']) . "', '" . mysql_real_escape_string($_POST['DateOfBirth_Year'] . "-" . $_POST['DateOfBirth_Month'] . "-" . $_POST['DateOfBirth_Day']) . "', 'pending' )"; mysql_query($query, $connection); I have been able to to update EXISTING users passwords by doing this: $query = "SELECT * FROM `cysticUsers`"; $request = mysql_query($query,$connection); while($result = mysql_fetch_array($request)) { $alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890"; $rand = str_shuffle($alpha); $salt = substr($rand,0,40); $hashed_password = sha1($salt . $result['Password']); $user = $result['id']; $query2 = "UPDATE `cysticUsers` SET `salt` = '$salt' WHERE `id` = '$user'"; $request2 = mysql_query($query2,$connection) or die(mysql_error()); $query3 = "UPDATE `cysticUsers` SET `encrypted_passwords` = '$hashed_password' WHERE `id` = '$user'"; $request3 = mysql_query($query3,$connection) or die(mysql_error()); } Now, I want to be able to SIGN BACK IN with the existing password and I am failing miserably by doing this: $query = "SELECT `salt`,`id`,`email`,`password` FROM `cysticUsers` WHERE `Email` = '" . $email . "' AND `Password` = '" . $password . "' && `Status` = 'active' LIMIT 1"; $request = mysql_query($query,$connection) or die(mysql_error()); $email = mysql_real_escape_string($_POST['email']); $password = mysql_real_escape_string($_POST['password']); if(@mysql_num_rows($request)) { $row = mysql_fetch_assoc($request); if (sha1($row['salt'] . $_POST['password']) === $row['Password']) { $_SESSION['CLIFE']['AUTH'] = true; $_SESSION['CLIFE']['ID'] = $result['id']; // UPDATE LAST ACTIVITY FOR USER $query = "UPDATE `cysticUsers` SET `LastActivity` = '" . date("Y-m-d") . " " . date("g:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1"; mysql_query($query,$connection); if(!empty($_POST['return'])) { header("Location: " . $_POST['return']); }else{ header("Location: CysticLife-Dashboard.php?id=" . $_SESSION['CLIFE']['ID']); } } }else{ $_SESSION['CLIFE']['AUTH'] = false; $_SESSION['CLIFE']['ID'] = false; } } I've been scouring resources and am stuck on this. I have a deadline to meet that I am behind on. Needless to say I'm pulling my hair out and some help with this would be GREATLY appreciated. Thank you in advance! I am reworking some code from a password authentication I did a long long time ago. The original code is using SHA1() function to encrypt the passwords for storage in the MySQL database. Is that still considered the way to go, or should I be using a different method for encrypting the little buggers? Thanks Hi,
Recently I've been trying writing a safe password hash and I wanted to know that if I use an MD5 hash at the end, just so it will be like some short of "packed",so instead of saving a 128 string, I'll use md5 to "pack" it into 32 characters and save up to 96 characters.
I know MD5 isn't safe and all, but the question is, does it lower the security ?
Also, would be happy for feedbacks about my password hash
function hash_($input,$key) {
$op=hash("whirlpool",hash("sha512",$key) . "$" . $input . "$" . hash("sha512",$key));I have a login system Username and Password.
My password is encrypted with bcrypt, if it okay to store that bcrypt in a session as $_SESSION["hash"]
To verify that the user is who they say they are?
Or do i only need to do
$_SESSION["username"]
Hi,
I am trying to get this script to execute as an administrator of an online system. If a user has forgotten their password, I enter their username and enter a new password which they can update later. I am not sure why this is not updating the password for the username entered?
<?php
// Initialize the session
session_start();
// Check if the user is logged in, if not then redirect to login page
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
header("location: login.php");
exit;
}
// Include config file
require_once "config.php";
// Define variables and initialize with empty values
$new_password = $confirm_password = "";
$new_password_err = $confirm_password_err = "";
// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){
// Validate new password
if(empty(trim($_POST["new_password"]))){
$new_password_err = "Please enter the new password.";
} elseif(strlen(trim($_POST["new_password"])) < 6){
$new_password_err = "Password must have atleast 6 characters.";
} else{
$new_password = trim($_POST["new_password"]);
}
// Validate confirm password
if(empty(trim($_POST["confirm_password"]))){
$confirm_password_err = "Please confirm the password.";
} else{
$confirm_password = trim($_POST["confirm_password"]);
if(empty($new_password_err) && ($new_password != $confirm_password)){
$confirm_password_err = "Password did not match.";
}
}
// Check input errors before updating the database
if(empty($new_password_err) && empty($confirm_password_err)){
// Prepare an update statement
$sql = "UPDATE User_Accounts_ SET password = ? WHERE username = ?";
if($stmt = mysqli_prepare($link, $sql)){
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "ss", $param_password, $username);
// Set parameters
$param_password = password_hash($new_password, PASSWORD_DEFAULT);
$username = $_POST['username'];
// Attempt to execute the prepared statement
if(mysqli_stmt_execute($stmt)){
// Password updated successfully. Destroy the session, and redirect to login page
session_destroy();
header("location: login.php");
exit();
} else{
echo "Oops! Something went wrong. Please try again later.";
}
// Close statement
mysqli_stmt_close($stmt);
}
}
// Close connection
mysqli_close($link);
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Reset Password</title>
<style type="text/css">
body{ font: 14px sans-serif; }
.wrapper{ width: 350px; padding: 20px; }
</style>
</head>
<body>
<div class="wrapper">
<h2>Reset Password</h2>
<p>Please fill out this form to reset your password.</p>
<p><strong>Username</strong>
<input type="text" name="username" class="form-control">
</p>
<p> </p>
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
<div class="form-group <?php echo (!empty($new_password_err)) ? 'has-error' : ''; ?>">
<label>New Password</label>
<input type="password" name="new_password" class="form-control" value="<?php echo $new_password; ?>">
<span class="help-block"><?php echo $new_password_err; ?></span>
</div>
<div class="form-group <?php echo (!empty($confirm_password_err)) ? 'has-error' : ''; ?>">
<label>Confirm Password</label>
<input type="password" name="confirm_password" class="form-control">
<span class="help-block"><?php echo $confirm_password_err; ?></span>
</div>
<div class="form-group">
<input type="submit" class="btn btn-primary" value="Submit">
<a class="btn btn-link" href="welcome.php">Cancel</a>
</div>
</form>
</div>
</body>
</html>
Hi! I have read like crazy to find a tutorial on a login page without My_SQL. Anyway I am working on a easy login/logged out page with sessions. Here is the login page with tree users in an array.
The things that I need some hints to solve is, when clicking on login the error message don't show. Instead the script goes to the logged in page right away. And when you write the wrong password you get loged in anyway.
I am not sure how or if it's possible to write a varible to a file this way. But I tried and recived a parse error with the txt varible.
When searching for topics I get more confused with the My_SQL varibles. I am near a breaking point at cracking the first step on PHP, but need some advice.
<?php
$page_title = 'Logged in'; //Dynamic title
include('C:/wamp/www/PHP/includes/header.html');
?>
<?php
session_start();
//A array for the sites users with passwords
$users = array(
'Dexter'=>'meow1',
'Garfield'=>'meow2',
'Miro'=>'meow3'
);
//A handle to save the varible users to file on a new line from the last entry
$handle = fopen("newusers.txt, \n\r")
$txt = $users;
fclose($handle);
if(isset($_GET['logout'])) {
$_SESSION['username'] = '';
header('Location: ' . $_SERVER['PHP_SELF']);
}
if(isset($_POST['username'])) {
if($users[$_POST['username']] == $_POST['password']) {
$_SESSION['username'] = $_POST['username'];
}else {
echo "Something went wrong, Please try again";
}
}
?>
<?php
echo "<h3>Login</h3>";
echo "<br />";
?>
<!--A legend form to login-->
<fieldset><legend>Fill in your username and password</legend>
<form name="login" action="777log.php" method="post">
Username: <br />
<input type="text" name="username" value="" /><br />
Password: <br />
<input type="password" name="password" value="" /><br />
<br />
<input type="submit" name="submit" value="Login" />
</fieldset>
</form>
<?php //Footer include file
include('C:/wamp/www/PHP/includes/footer.html');
?>
The logged in page
<?php //Header
$page_title = 'Reading a file';
include('C:/wamp/www/PHP/includes/header.html');
?>
<?php
session_start();
//Use an array forthe sites users
$users = array(
'Dexter'=>'meow1',
'Garfield'=>'meow2',
'Miro'=>'meow3'
);
//
if(isset($_GET['logout'])) {
$_SESSION['username'] = '';
echo "You are now loged out";
//The user is loged out and returned to the login page
header('Location: ' . $_SERVER['PHP_SELF']);
}
if(isset($_POST['username'])) {
//Something goes wrong here when login without any boxes filled
if($users[$_POST['username']] == $_POST['password']) {
$_SESSION['username'] = $_POST['username'];
}else {
echo "Something went wrong, Please try again";
$redirect = "Location: 777.php";
}
}
?>
<?php if($_SESSION['username']): ?>
<p><h2>Welcome <?=$_SESSION['username']?></h2></p>
<p align="right"><a href="777.php">Logga ut</a></p><?php endif; ?>
<p>Today Ben&Jerrys Chunky Monkey is my favorite!</p>
<?php //Footer
include('C:/wamp/www/PHP/includes/footer.html');
?>
Alright, I have created a hash password checker and here is my code: include("include.php"); // include the mySQL info! $users = mysql_query(" SELECT * FROM User "); // Select all from the users table in the database! while($row = mysql_fetch_array($users)) // While it fetches the users do the following... { if (hash("sha256", $password) == $row["Password"]) echo "Congratulations! The Hash matches the password entered into the database!"; } elseif (hash("sha256", $password) != $row["Password"]) { echo "Your Hash failed to match the password entered!"; } Now for some reason this displays a totally blank page. When I turn error display on I get the error "Unexpected T_ELSEIF" on this line elseif (hash("sha256", $password) != $row["Password"]) Any help is appreciated... I have a register page that MD5 Hash's the users password and a login which also does this. However, no matter what I try it always says incorrect password. Even when I remove the MD5. Register Code: Code: [Select] <?php error_reporting (E_ALL ^ E_NOTICE); ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Member System - Register</title> </head> <body> <?php if ( $_POST['registerbtn'] ){ $getuser = $_POST['user']; $getemail = $_POST['email']; $getpass = $_POST['pass']; $getretypepass = $_POST['retypepass']; if ($getuser){ if ($getemail){ if ($getpass){ if ($getretypepass){ if ( $getpass === $getretypepass ){ if ( (strlen($getemail) >= 7) && (strstr($getemail, "@")) && (strstr($getemail, ".")) ){ require("./connect.php"); $query = mysql_query("SELECT * FROM users WHERE username='$getuser'"); $numrows = mysql_num_rows($query); if ($numrows == 0){ $query = mysql_query("SELECT * FROM users WHERE email='$getemail'"); $numrows = mysql_num_rows($query); if ($numrows == 0){ $password = md5(md5("kjfiufj".$password."Fj56fj")); $date = date("F d, Y"); $code = md5(rand()); mysql_query("INSERT INTO users VALUES ( '', '$getuser', '$password', '$getemail', '0', '$code', '$date' )"); $query = mysql_query("SELECT * FROM users WHERE username='$getuser'"); $numrows = mysql_num_rows($query); if ($numrows == 1){ $site = "http://c3221281.web44.net/"; $webmaster = "Simon <admin@simon.com>"; $headers = "From: $webmaster"; $subject = "Activate Your Account"; $message = "Thanks for registering. Click the link below to activate your account.\n"; $message .= "$site/activate.php?user=$getuser&code=$code\n"; $message .= "You must activate your account to login."; if ( mail($getemail, $subject, $message, $headers) ){ $errormsg = "You have been registered. You must activate your account from the activation link sent to <b>$getemail</b>."; $getuser = ""; $getemail = ""; } else $errormsg = "An error has occueed. Your activation email was not sent."; } else $errormsg = "An error has occured. Your account was not created."; } else $errormsg = "There is already a user with that email."; } else $errormsg = "There is already a user with that username."; mysql_close(); } else $errormsg = "You must enter a valid email address to register."; } else $errormsg = "Your passwords did not match."; } else $errormsg = "You must retype your password to register."; } else $errormsg = "You must enter your password to register."; } else $errrosmg = "You must enter your email to register."; } else $errormsg = "You must enter your username to register."; } $form = "<form action='./register.php' method='post'> <table> <tr> <td></td> <td><font color='red'>$errormsg</font></td> </tr> <tr> <td>Username:</td> <td><input type='text' name='user' value='$getuser' /></td> </tr> <tr> <td>Email:</td> <td><input type='text' name='email' value='$getemail' /></td> </tr> <tr> <td>Password:</td> <td><input type='password' name='pass' value='' /></td> </tr> <tr> <td>Retype:</td> <td><input type='password' name='retypepass' value='' /></td> </tr> <tr> <td></td> <td><input type='submit' name='registerbtn' value='Register' /></td> </tr> </table> </form>"; echo $form; ?> </body> </html> Login Code: Code: [Select] <?php error_reporting (E_ALL ^ E_NOTICE); session_start(); $userid = $_SESSION['userid']; $username = $_SESSION['username']; ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Member System - Login</title> </head> <body> <?php if ($username && $userid){ echo "You are already logged in as <b>$username</b>. <a href='./member.php'>Click here</a> to go to the member page."; } else{ $form = "<form action='./login.php' method='post'> <table> <tr> <td>Username:</td> <td><input type='text' name='user' /></td> </tr> <tr> <td>Password:</td> <td><input type='password' name='password' /></td> </tr> <tr> <td></td> <td><input type='submit' name='loginbtn' value='Login' /></td> </tr> <tr> <td><a href='./register.php'>Register</a></td> <td><a href='./forgotpass.php'>Forgot your password?</a></td> </tr> </table> </form>"; if ($_POST['loginbtn']){ $user = $_POST['user']; $password = $_POST['password']; if ($user){ if ($password){ require("connect.php"); $password = md5(md5("kjfiufj".$password."Fj56fj")); // make sure login info correct $query = mysql_query("SELECT * FROM users WHERE username='$user'"); $numrows = mysql_num_rows($query); if ($numrows == 1){ $row = mysql_fetch_assoc($query); $dbid = $row['id']; $dbuser = $row['username']; $dbpass = $row['password']; $dbactive = $row['active']; if ($password == $dbpass){ if ($dbactive == 1){ // set session info $_SESSION['userid'] = $dbid; $_SESSION['username'] = $dbuser; echo "You have been logged in as <b>$dbuser</b>. <a href='./member.php'>Click here</a> to go to the member page."; } else echo "You must activate your account to login. $form"; } else echo "You did not enter the correct password. $form"; } else echo "The username you entered was not found. $form"; mysql_close(); } else echo "You must enter your password. $form"; } else echo "You must enter your username. $form"; } else echo $form; } ?> </body> </html> Many thanks for your time and help, Hi all,
I have been reading in almost everywhere that we should not use our own custom login and password validations ( like regex etc.) but instead use the filter_var and filter_input built in functions provided by PHP 5 and above. However even after searching for more than an hour for with different search strings, I have not found even a single example that shows how we may validate for a username/login and password in a login form. Can someone be kind enough to provide a strong secure validations for username and login.
Additionally I would also like to clarify if the username and login fields in a Login form be manipulated in any manner to pose a security threat? I mean can a hacker craft a username/login or password in such a manner as to pose an injection or any other threat?
Thanks all.
(Main Objective) I need this login class to encrypt the password before it sends it to the database for login verification. (Alternative Solution) Force a login with just the username and captcha no password.. This is the original working script.. <? session_start(); include "config.php"; global $c; include "data.php"; global $config; require('funciones.php'); if ($_POST['username']) { session_start(); if($_POST['code']!=$_SESSION['string']){ header("Location: login.php?error=1"); } //Comprobacion del envio del nombre de usuario y password $username=uc($_POST['username']); $password=uc($_POST['password']); if ($password==NULL) { header("Location: login.php?error=2"); }else{ $query = mysql_query("SELECT username,password FROM tb_users WHERE username = '$username'") or die(mysql_error()); if(mysql_num_rows($query) == 0) { header("Location: login.php?error=3"); } else { $data = mysql_fetch_array($query); if($data['password'] != $password) { header("Location: login.php?error=4"); }else{ $query = mysql_query("SELECT username,password FROM tb_users WHERE username = '$username'") or die(mysql_error()); $row = mysql_fetch_array($query); $nicke=$row['username']; $passe=$row['password']; //90 day cookie setcookie("usNick",$nicke,time()+7776000); setcookie("usPass",$passe,time()+7776000); $lastlogdate=time(); $lastip = getRealIP(); $querybt = "UPDATE tb_users SET lastlogdate='$lastlogdate', lastiplog='$lastip' WHERE username='$nicke'"; mysql_query($querybt) or die(mysql_error()); header("Location: members.php"); // echo "Has sido logueado correctamente ".$_SESSION['s_username']." y puedes acceder al index.php."; // echo "<script>location.href='index.php';</script>"; ?> <META HTTP-EQUIV="REFRESH" CONTENT="0;URL=members.php"> <? } } } } ?> <div class="heading">Login</div><br /> <? if($_GET['error'] == 1) { print "<b>Error</b> - Wrong Captcha Code<br /><br/>"; } if($_GET['error'] == 2) { print "<b>Error</b> - Please supply a password<br /><br/>"; } if($_GET['error'] == 3) { print "<b>Error</b> - Invalid Username<br><br>"; } if($_GET['error'] == 4) { print "<b>Error</b> - Invalid Password<br /><br />"; } ?> <form action="login.php" method="post"> <table> <tr> <td class="midtext">Username:</td> <td> <input type="text" name="username" size="25" class="form" autocomplete="off"></td> </tr> <tr> <td class="midtext">Password:</td> <td> <input type="password" name="password" size="25" class="form" autocomplete="off"></td> </tr> <tr> <td class="midtext" valign="top">Security Code:</td> <td class="midtext"> <img src="image.php" onclick="this.src='image.php?newtime=' + (new Date()).getTime();">(Click to reload)<br /> <input type="text" name="code" size="17" maxlength="17" autocomplete="off" class="form"></td> </tr> <tr> <td></td> <td align="right"> <input type="submit" value="Login" name="loginsubmit" class="form"></td> </tr> </table> </form> Let me know if you need any files... Hi. I have made a login script, but I would wan't to encrypt the password. I followed a tutorial and got this: login.php <?php $password = "secret"; echo $password; /* displays secret */ $password = sha1($password); echo $password; /* displays e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 */ ?> <form action="validate.php" method="post"> <label for="username">Username</label> <input type="text" name="username" id="username" /> <br /> <label for="password">Password</label> <input type="password" name="password" id="password" /> <br /> <input type="submit" name="submit" value="Submit" /> </form> <?php ?> validate.php <?php include "setup.php"; /* get the incoming ID and password hash */ $username=$_POST['username']; $password=$_POST['password']; $password=md5($password); // Encrypted Password /* establish a connection with the database */ $server = mysql_connect("$db_host", "$db_username","$db_password"); if (!$server) die(mysql_error()); mysql_select_db("$database"); /* SQL statement to query the database */ $query = "SELECT * FROM users WHERE Username = '$username' AND Password = '$password'"; /* query the database */ $result = mysql_query($query); /* Allow access if a matching record was found, else deny access. */ if (mysql_fetch_row($result)) echo "Access Granted: Welcome, $username!"; else echo "Access Denied: Invalid Credentials."; mysql_close($server); ?> Its the line $password=md5($password); // Encrypted Password that messes everything up. If I delete it and login, everything is fine, if I add it it says Code: [Select] Access Denied: Invalid Credentials I need help with this one! And if someone have time, give me some ideas how to make PHP scripts safer! Regards Worqy Hello: I wanted to see if I can make my password protected pages in my admin area, and the login form "more secure." I was told I should use MD5 / SALTING / HASHING to do this. I have tried some online tutorials, but am not understanding it, so I wanted to start from what I have and build upon it> This is my database table storing the myAdmins data (when I initially insert it into the database): Code: [Select] CREATE TABLE `myAdmins` ( `id` int(4) NOT NULL auto_increment, `myUserName` varchar(65) NOT NULL default '', `myPassword` varchar(65) NOT NULL default '', PRIMARY KEY (`id`) ) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=utf8; INSERT INTO myAdmins VALUES("1","abc","123"); This is the login form I use: Code: [Select] <?php include('../include/myConn.php'); include('include/myAdminNav.php'); session_start(); session_destroy(); $message=""; $Login=$_POST['Login']; if($Login){ $myUserName=$_POST['myUserName']; $myPassword=$_POST['myPassword']; $result=mysql_query("select * from myAdmins where myUserName='$myUserName' and myPassword='$myPassword'"); if(mysql_num_rows($result)!='0'){ session_register("myUserName"); header("location:a_Home.php"); exit; }else{ $message="<div class=\"myAdminLoginError\">Incorrect Username or Password</div>"; } } ?> <form id="form1" name="form1" method="post" action="<? echo $PHP_SELF; ?>"> <? echo $message; ?> Username: <input name="myUserName" type="text" id="myUserName" size="40" /> Password: <input name="myPassword" type="password" id="myPassword" size="40" /> <input name="Login" type="submit" id="Login" value="Login" /> </form> This is the code on top of each page I password protect: Code: [Select] <? session_start(); if(!session_is_registered(myUserName)){ header("location:Login.php"); } ?> Works well, but can it be "better"?? And, if I am allowing the admin to update his/her username or password, I do it this way: Code: [Select] <?php include('../include/myConn.php'); include('include/myCheckLogin.php'); if ($_SERVER['REQUEST_METHOD'] == 'POST') { $myUserName = mysql_real_escape_string($_POST['myUserName']); $myPassword = mysql_real_escape_string($_POST['myPassword']); $sql = " UPDATE myAdmins SET myUserName = '$myUserName', myPassword = '$myPassword' "; mysql_query($sql) && mysql_affected_rows() ?> <?php } $query=mysql_query("SELECT * FROM myAdmins") or die("Could not get data from db: ".mysql_error()); while($result=mysql_fetch_array($query)) { $myUserName=$result['myUserName']; $myPassword=$result['myPassword']; } ?> <form method="post" action="<?php echo $PHP_SELF;?>"> <input type="hidden" name="POSTBACK" value="EDIT"> Username: <input type="text" size="60" maxlength="60" name="myUserName" value="<?php echo $myUserName; ?>"> Password: <input type="password" size="60" maxlength="60" name="myPassword" value="<?php echo $myPassword; ?>"> <input type="submit" value="Submit" /> </form> Should it be "better" .. ?? I don't seem to understand how to "encrypt" all of this to make it "stronger" .. Ideas? Improvements? Hello everyone: I wanted to see how I can make a simple login page (user name and password) that redirects to a page(s) if the login is correct. Also, I wanted to put protection on the page(s) that will send the user back to the login page if the credentials are nor correct. I would imagine the username/password would be stored in a database table (Admins), and the correct login info would be stored in a session ..? I am use to doing this with ASP, but never PHP. I want to make sure I understand how to do this properly and securely so I can use this as a model for other systems. In ASP I would do a protected page like this: a_login_check.asp Code: [Select] <% if session("admin_user_name") = "" then session.abandon response.redirect "login.asp" end if %> Protected-Page.asp Code: [Select] <!-- #include file="include/a_check_login.asp" --> <html> ... CONTENT ... </html> And of course there is the login page itself ... (I thought it would be nice to add a "Forgot Password" link on the login page, but if that is too complicated I can do that later .. or is it easy ??) Anyway, can someone point-out to me how to do this. I would appreciate it! Alright, I've been assigned a project at work. I did not develop the application and the individual who did used CodeIgnited framework and mysql as the db.
Here's the problem, I'm not given much OT to do this and in our meeting the best way to proceed was to replicate the database for different parts of the organization. Basically we are a subsidiary and have been using an application that other groups within the organization want to use. Usually I would reconfigure the db schema and add org ids and in the user table add the appropriate organization to go to. However, they are not giving me enough time to do that.
So what I'm thinking is to just create a copy of the database we use (just the structure) and create a new database.
What I want to know is how to use mysql to check to see if a user exists in one database and if they don't then to go on to the next database. I understand this is a very sloppy way to do it, but it's the way we are moving forward.
I found the code to connect to the db in CodeIgnitor... how can I connect to a database, check to see if the user exists, then close that db connection and try the next database?
/**
* Select the database
*
* @access private called by the base class
* @return resource
*/
function db_select()
{
return @mysql_select_db($this->database, $this->conn_id);
}
Thanks in advance.
Hello Everyone, I recent made a simple membership website. Every page I created works exactly how I envisioned it... All members data from my registration form goes into my database along with their md5 Encrypted passwords with a time-stamp. Subsequent pages have a start_session included. I am very please with it except ONE THING. Logging in is now a problem... username is recognized but NOT the password. Now the strange thing is that when I go into the database and copy the encrypted password and paste it into the password field in my login page, I miraculously get into my website with NO problem. " How do I get the registered members Encrypted Passwords to be recognized by the database when the registered members decide to logging in with the password that they create? " Is there a easy fix for this? I appreciate ALL your help... thanks mrjap1 hi i need help an idea how can i separate members from admins since i dont know how to create login form i used tutorial ( http://www.youtube.com/watch?v=4oSCuEtxRK8 ) (its session login form only that i made it work other tutorials wre too old or something) how what i want to do is separate members and admins because admin need more rights to do now i have idea but dont know will it work like that what i want to do is create additional row in table named it flag and create 0 (inactive user) 1 (member) 2 (admin) will that work? and how can i create different navigation bars for users and admins? do you recommend that i use different folders to create it or just script based on session and flag? I have developed a code for a login and seems to work well (No syntax error according to https://phpcodechecker.com/ but when I enter a username and a password in the login form, I get an error HTTP 500. I think that everything is ok in the code but obviously there is something that I am not thinking about. The code (excluding db connection): $id="''"; $username = $_POST['username']; $password = md5($_POST['password']); $func = "SELECT contrasena FROM users WHERE username='$username'"; $realpassask = $conn->query($func); $realpassaskres = $realpassask->fetch_assoc(); $realpass= $realpassaskres[contrasena]; $func2 = "SELECT bloqueado FROM users WHERE username='$username'"; $blockedask = $conn->query($func2); $blockedres = $blockedask->fetch_assoc(); $bloqueado = $blockedres[bloqueado];
//Login if(!empty($username)) { // Check the email with database Is this okay to do for dealing with passwords before running an insert query into a database? $password = sha1(mysqli_real_escape_string($dbc, $_POST['password'])); Is there anything wrong in doing this? I currently have 100,000+ users all with their passwords hashed in md5(). I want to secure it a bit by simply hashing all of their existing hashes to sha1() and then check their password matches the sha1(md5()). Is there any reason why I shouldn't do this? I have the following array which builds a concatenation of the items in tree-like form. $arrayT = array(); $arrayT[0] = "a"; $arrayT[1] = "b"; $arrayT[2] = "c"; $arrayT[3] = "d"; $arrayT[4] = "e"; $arrayT[5] = "f"; $arrayT[6] = "g"; $arrayT[7] = "h"; $arrayT = buildTree($arrayT); print_r($arrayT); function buildTree($array) { $arrayTree = $array; $start = 0; $end = count($arrayTree); $i = 0; while ($start != $end - 1) { if ($i % 2 == 1) { $arrayTree[count($arrayTree) - 1].=$arrayTree[$start + $i]; } else $arrayTree[] .= $arrayTree[$start + $i]; $i++; if (($start + $i) == $end) { $i = 0; $start = $end; $end = count($arrayTree); } } return $arrayTree; } Example output is Quote Array ( => a [1] => b [2] => c [3] => d [4] => e [5] => f [6] => g [7] => h [8] => ab [9] => cd [10] => ef [11] => gh [12] => abcd [13] => efgh [14] => abcdefgh ) I would like the values to be hashed using sha1. e.g value at [8] ab would be the hash of a and [1] b, value [12]abcd would be the hash of the values at [8]ab and [9]cd. I modified it myself in the next code snippet but I still don't feel it's doing what it's meant function buildTree($array) { $arrayTree = $array; $start = 0; $end = count($arrayTree); $i = 0; while ($start != $end - 1) { if ($i % 2 == 1) { $arrayTree[count($arrayTree) - 1].=$arrayTree[$start + $i]; sha1($arrayTree[count($arrayTree)-1].=$arrayTree[$start + $i]); } else $arrayTree[] .= sha1($arrayTree[$start + $i]); $i++; if (($start + $i) == $end) { $i = 0; $start = $end; $end = count($arrayTree); } } return $arrayTree; } $val1 = sha1($arrayT[0]); $val2 = sha1($arrayT[1]); $val3 = sha1($val1.$val2); $val4 = sha1("ab"); echo "VAL1 ".$val1; echo "<br/>"; echo "VAL2 ".$val2; echo "<br/>"; echo "VAL3 ".$val3; echo "<br/>"; echo "VAL4 ".$val4; Anyone any ideas? Thankyou. |
|||||||