Hi, currently I am trying to get my CMS to log in with an md5 hashed password, however for some reason it isn't working. My code is: $myusername=$_POST['username']; $mypassword=$_POST['password']; $md5password = md5($mypassword); $sql="SELECT * FROM profile WHERE username='$myusername'"; $result=mysql_query($sql); $count=mysql_num_rows($result); if($count==1 && $row['password'] == $md5password){ session_register("myusername"); session_register("md5password"); $_SESSION['username']=$_POST['username']; } else { } Code (markup): Everything looks fine to me but it just doesn't log in. Can anyone tell me what is wrong with it. Thanks Simon North
You're not fetching the row. $row = mysql_fetch_assoc($result); PHP: And a further suggestion, LIMIT your query to 1, to speed it up. Oh, and don't forget mysql_real_escape_string() on the username...
I now have this: $myusername=$_POST['username']; $mypassword=$_POST['password']; $md5password = md5($mypassword); $sql="SELECT * FROM profile WHERE username='$myusername'"; $result=mysql_query($sql); $count=mysql_num_rows($result); while ($row = mysql_fetch_assoc($result)) { if($count==1 && $row['password'] == $md5password){ session_register("myusername"); session_register("md5password"); $_SESSION['username']=$_POST['username']; } else { } } Code (markup): but it still isn't working
Because when a session is started, the sidebar changes to show the members links. Also this is at the top of the phpBB login.php script because I have integrated it with phpBB. The script worked perfectly until I started hashing passwords.
OK, I have done it $myusername=$_POST['username']; $mypassword=$_POST['password']; $md5password = md5($mypassword); $sql="SELECT * FROM profile WHERE username='$myusername' AND password='$md5password'"; $result=mysql_query($sql); $count=mysql_num_rows($result); if($count==1){ session_register("myusername"); session_register("md5password"); $_SESSION['username']=$_POST['username']; } else { } Code (markup):
I am very glad you got it working! But please, regardless of what/where this will be use, please please use some sanitization on user input.
You should clean (or sanitize) all input, regardless of how it is used, that comes from a user. This prevents things such as SQL Injection. I unfortunately don't have a public cleaning class that I have to show you, but if you do a bit of poking around on Google or phpClasses, you should see some tips/scripts. Here is a basic overview of injection, and how to prevent it with PHP. But don't rely on just one source.
Does this look right to you: mysql_real_escape_string($_POST['password']); mysql_real_escape_string($_POST['username']); addslashes($_POST['password']); addslashes($_POST['username']); $myusername=$_POST['username']; $mypassword=$_POST['password']; $md5password = md5($mypassword); $sql="SELECT * FROM profile WHERE username='$myusername' AND password='$md5password'"; $result=mysql_query($sql); $count=mysql_num_rows($result); if($count==1){ session_register("myusername"); session_register("md5password"); $_SESSION['username']=$_POST['username']; } else { } Code (markup):
No, do it this way: $myusername = mysql_real_escape_string($_POST['username']); PHP: And forget about addslashes().
You don't need to sanitize the password field because you are hashing it and addslashes() is redundant. Also, you should only be using session_register() if register_globals is turned on, otherwise you should be using $_SESSION to set your session vars. Since you use $_SESSION right below it I'm going to assume this isn't the case, but if it is then you should seriously re-evalutate your need to have it turned on. I've changed that part accordingly and removed the part where you were putting unsanitized POST data into your session. $myusername=mysql_real_escape_string($_POST['password']); $md5password=md5($_POST['password']); $sql="SELECT * FROM profile WHERE username='{$myusername}' AND password='{$md5password}'"; $result=mysql_query($sql); if($mysql_num_rows($result)==1){ $_SESSION['username']=$myusername; $_SESSION['password']=$md5password; } else { } PHP:
Happy to help. Keep in mind, however, that I don't know which session vars you actually use in your user validation, so you might have to change the names.