TalkPHP


Normo 12-11-2008 12:02 PM

Password Hashing
 
Hey I'm having some problems with hashing passwords into a database and then comparing them to a user input.

Here's my code:
PHP Code:

if(isset($_REQUEST['username'])){
    session_start();
    $con = mysql_connect("localhost","","") or die('Could not connect: ' . mysql_error());

    mysql_select_db("normo_mydb") or die(mysql_error());

    $_SESSION['username'] = $_POST['username'];
    $_SESSION['password'] = md5($_POST['password']);
    $result = mysql_query("SELECT Password FROM Users WHERE Username = '$username'");
    $row = mysql_fetch_array($result);
    $num = mysql_num_rows($result);

    if($num != "0" && $password == $row['Password']) {
        header('location:new.php');
    }
    else {
        session_unset();
        session_destroy();
    }

    mysql_close($con);
}
if(isset($_REQUEST['userReg'])){
    session_start();
    $con = mysql_connect("localhost","","") or die('Could not connect: ' . mysql_error());

    mysql_select_db("normo_mydb") or die(mysql_error());

    $_SESSION['userReg'] = $_POST['userReg'];
    $_SESSION['passReg'] = md5($_POST['passReg']);
    $sql = mysql_query("INSERT INTO Users (Username, Password) VALUES('$userReg','$passReg')") or die(mysql_error());
    echo "You are now registered!";

    mysql_close($con);
}


I have the script running fine without hashing the passwords, just when I add the MD5 function it goes wrong.

I do manage to hash the password into the database but it doesn't work when the user logs in.

Also it doesn't hash the password every time. Sometimes it just enters the password as plain text into the database.

Any help would be appreciated. :)

CoryMathews 12-11-2008 01:01 PM

It seems to me that you are setting the password with encryption into the session here

$_SESSION['password'] = md5($_POST['password']);

and then trying to check a variable called password here.

if($num != "0" && $password == $row['Password']) {

You do this in the register as well. This is the problem. There is no need to store that stuff in the session for now just setting it to the variable would work. Otherwise your logic seems good.

Normo 12-11-2008 05:43 PM

Thanks that does make sense, however even when I take out the sessions it still doesn't work! It just says "Username or Password was wrong" although I can't figure out why?! :S

PHP Code:

if(isset($_REQUEST['username'])){
    session_start();
    $con = mysql_connect("localhost","","") or die('Could not connect: ' . mysql_error());

    mysql_select_db("normo_mydb") or die(mysql_error());

    $_SESSION['username'] = $_POST['username'];
    $username = $_POST['username'];
    $password = md5($_POST['password']);
    $result = mysql_query("SELECT Password FROM Users WHERE Username = '$username'");
    $row = mysql_fetch_array($result);
    $num = mysql_num_rows($result);

    if($num != "0" && $password == $row['Password']) {
        header('location:new.php');
    }
    else {
        session_unset();
        session_destroy();
    }

    mysql_close($con);
}
if(isset($_REQUEST['userReg'])){
    session_start();
    $con = mysql_connect("localhost","","") or die('Could not connect: ' . mysql_error());

    mysql_select_db("normo_mydb") or die(mysql_error());

    $userReg = $_POST['userReg'];
    $passReg = md5($_POST['passReg']);
    $sql = mysql_query("INSERT INTO Users (Username, Password) VALUES('$userReg','$passReg')") or die(mysql_error());
    echo "You are now registered!";

    mysql_close($con);
}



Normo 12-14-2008 11:14 AM

Can anyone help with my problem?

Salathe 12-14-2008 01:01 PM

The code you posted above does not contain the string "Username or Password was wrong" so we can't see the process leading to that message being displayed.

Normo 12-17-2008 11:00 AM

Ah sorry here is my entire code:
PHP Code:

<?PHP
if(isset($_REQUEST['username'])){
    session_start();
    $con = mysql_connect("localhost","","") or die('Could not connect: ' . mysql_error());

    mysql_select_db("normo_mydb") or die(mysql_error());

    $_SESSION['username'] = $_POST['username'];
    $username = $_POST['username'];
    $password = md5($_POST['password']);
    $result = mysql_query("SELECT Password FROM Users WHERE Username = '$username'");
    $row = mysql_fetch_array($result);
    $num = mysql_num_rows($result);

    if($num != "0" && $password === $row['Password']) {
        header('location:new.php');
    }
    else {
        session_unset();
        session_destroy();
    }

    mysql_close($con);
}
if(isset($_REQUEST['userReg'])){
    session_start();
    $con = mysql_connect("localhost","","") or die('Could not connect: ' . mysql_error());

    mysql_select_db("normo_mydb") or die(mysql_error());

    $userReg = $_POST['userReg'];
    $passReg = md5($_POST['passReg']);
    $sql = mysql_query("INSERT INTO Users (Username, Password) VALUES('$userReg','$passReg')") or die(mysql_error());
    echo "You are now registered!";

    mysql_close($con);
}
?>

<html>
<body>

<?PHP if(isset($_REQUEST['username'])){ echo "<b>Username or password was wrong!</b>"; } ?>
<form method="post" action="login.php">
<input type="text" name="username" /><br />
<input type="password" name="password" /><br />
<input type="submit" value="Login" />
</form>
<br />
<br />
<fieldset>
<legend>Register an Account:</legend>
<form method="post" action="login.php">
<input type="text" name="userReg" /><br />
<input type="password" name="passReg" /><br />
<input type="submit" value="Register" />
</form>
</fieldset>

</body>
</html>
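
Added example, not part of the thread or any poster's code: the same register and login flow with PHP's `password_hash()` / `password_verify()` and prepared statements in place of `md5()` and string-built SQL. It goes one step beyond the thread by also accepting rows that already hold an MD5 digest and upgrading them on the next successful login. The in-memory SQLite connection, the function names `registerUser` and `checkLogin`, and the sample accounts are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory SQLite table standing in for the thread's Users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The column must hold the whole hash: 32 characters for md5(), 60 or more for password_hash().
$db->exec('CREATE TABLE Users (Username VARCHAR(64) PRIMARY KEY, Password VARCHAR(255) NOT NULL)');

function registerUser(PDO $db, string $username, string $password): void
{
    // Salted, slow hash; algorithm, cost and salt are encoded in the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Placeholders keep the posted values out of the SQL text.
    $db->prepare('INSERT INTO Users (Username, Password) VALUES (?, ?)')->execute([$username, $hash]);
}

function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT Password FROM Users WHERE Username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) {
        return false; // no such user
    }
    // Rows written by md5() hold a bare 32-character hex digest.
    $legacy = preg_match('/\A[0-9a-f]{32}\z/', $stored) === 1;
    $ok = $legacy
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        // Replace the old hash while the plaintext is still in hand.
        $db->prepare('UPDATE Users SET Password = ? WHERE Username = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return $ok;
}

// Constructed sample accounts: one new-style, one legacy MD5 row.
registerUser($db, 'alice', 'correct horse');
$db->prepare('INSERT INTO Users (Username, Password) VALUES (?, ?)')->execute(['bob', md5('hunter2')]);

var_dump(checkLogin($db, 'alice', 'correct horse')); // matching password
var_dump(checkLogin($db, 'alice', 'wrong'));         // wrong password
var_dump(checkLogin($db, 'bob', 'hunter2'));         // legacy MD5 row, upgraded on success
var_dump(strlen($db->query("SELECT Password FROM Users WHERE Username = 'bob'")->fetchColumn()) > 32);
```

The `mysql_*` functions used in the thread were removed in PHP 7; the statements above run against MySQL by changing the PDO DSN.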



All times are GMT.