PHP Login With MD5 & Salt Help

Discussion in 'PHP' started by GeelongTECH, Feb 19, 2011.

  1. #1
    Hello,
    I want to make a script for http://comps.example.com/ but I need help.
    How do I code login.php to log in a user that has a password decrypted in md5 and salt?

    I have included an image of what my database looks like
    [​IMG]
     
    GeelongTECH, Feb 19, 2011 IP
  2. Alex Roxon

    #2
    You can't decrypt it. What you can do is check whether the password hash in the database matches the encrypted string of the inputted password. For example, pseudo-code:

    if( md5( md5( INPUT_PASSWORD ) . salt ) == database( members_pass_hash ) ) {
        valid password
    }
    It all depends on what algorithm you used to encrypt the password as well.
     
    Alex Roxon, Feb 19, 2011 IP
  3. GeelongTECH

    #3
    I'm using
    <?php
    $host="localhost"; // Host name
    $username="cube_user1"; // Mysql username
    $password="XXXXX"; // Mysql password
    $db_name="cube_cubewarez"; // Database name
    $tbl_name="members"; // Table name
    
    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");
    
    // username and password sent from form
    $myusername=$_POST['email'];
    $mypassword=$_POST['mypassword'];
    
    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);
    
    $sql="SELECT * FROM $tbl_name WHERE email='$myusername' and members_pass_hash='$mypassword'";
    $result=mysql_query($sql);
    
    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);
    // If result matched $myusername and $mypassword, table row must be 1 row
    
    if($count==1){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    $_SESSION['myusername'] = $myusername;
    $_SESSION['mypassword'] = $mypassword;
    echo 'In';
    
    }
    else {
    echo "Wrong Username or Password";
    }
    ?>
    Please help what should the full code be so they can login safely
     
    GeelongTECH, Feb 19, 2011 IP
  4. tvoodoo

    #4
    The way you are doing things doesn't seem too safe.
    1st, don't ever store the account's password in the SESSION, just make a bool variable logged_in = true, username = the_username and user_id = the_user_id.

    Now, regarding passwords, if you want to be able to decrypt them you could use something like:
    
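    // Requires the mcrypt extension (removed from PHP core in 7.2)
    $salt = 'your_salt';
    $password = 'my_password';
    
    // to encrypt it: key = md5($salt), IV = md5(md5($salt)), output is base64 then URL-encoded
    $encrypted = urlencode(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($salt), $password, MCRYPT_MODE_CBC, md5(md5($salt)))));
    echo $encrypted;
    
    // to decrypt it: undo the URL and base64 encoding, decrypt, then strip the zero padding
    $decrypted = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($salt), base64_decode(urldecode($encrypted)), MCRYPT_MODE_CBC, md5(md5($salt))), "\0");
    echo $decrypted;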
    
    Alternatively you could use MySQL AES_ENCRYPT/AES_DECRYPT (http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html#function_aes-encrypt) or pick one of the many encryption schemes that mcrypt has to offer (which are reversible) http://php.net/manual/en/ref.mcrypt.php
     
    tvoodoo, Feb 19, 2011 IP
  5. sharemonsters

    #5
    I need this, but can someone give me the full script that sets the user? I can't seem to get it to work properly.
     
    sharemonsters, Feb 20, 2011 IP
  6. tvoodoo

    #6
    Is there any reward, or just because you are a nice guy we are supposed to code the script for you?
     
    tvoodoo, Feb 20, 2011 IP
  7. srisen2

    #7
    You should be able to rewrite the script using the above examples. If you can't get a developer to help you, try freelancer.com
     
    srisen2, Feb 22, 2011 IP
  8. Iwwaty

    #8
    
    <?php
    session_start(); // must run before $_SESSION is used
    $host="localhost"; // Host name
    $username="cube_user1"; // Mysql username
    $password="XXXXX"; // Mysql password
    $db_name="cube_cubewarez"; // Database name
    $tbl_name="members"; // Table name
    $salt = '$$$';
    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");
    
    // username and password sent from form
    $myusername=$_POST['email'];
    $mypassword=$_POST['mypassword'];
    
    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);
    // Hash the submitted password the same way the stored hash was built
    $pass = md5(md5($mypassword).$salt);
    $sql="SELECT * FROM $tbl_name WHERE email='$myusername' and members_pass_hash='$pass'";
    $result=mysql_query($sql);
    
    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);
    // If result matched $myusername and $pass, table row must be 1 row
    
    if($count==1){
        // Register $myusername and a logged-in flag; the password is not kept in the session
        $_SESSION['myusername'] = $myusername;
        $_SESSION['logged_in'] = true;
        echo 'In';
    }
    else {
        echo "Wrong Username or Password";
    }
    ?>
    
     
    Iwwaty, Feb 22, 2011 IP
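
The hash comparison from posts #2 and #8, as an added example that is not part of the original thread: it looks the row up by email with a bound parameter, checks the legacy md5(md5(password) . salt) value in constant time, and replaces it with password_hash() on the first successful login, since MD5 is too fast for password storage. The `id` and `salt` columns, the in-memory SQLite database and the sample account are assumptions made for the example.

```php
<?php
// Added example. The `id` and `salt` columns, the in-memory SQLite database
// and the sample account are constructed; `members`, `email` and
// `members_pass_hash` come from the thread.

// Legacy scheme from post #2: md5(md5(password) . salt)
function legacy_hash(string $password, string $salt): string {
    return md5(md5($password) . $salt);
}

// Returns the member id on success, null on any failure.
function login(PDO $db, string $email, string $password): ?int {
    // Look the row up by email only, with a bound parameter; compare in PHP.
    $stmt = $db->prepare('SELECT id, members_pass_hash, salt FROM members WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $stored = (string)$row['members_pass_hash'];
    $legacy = strlen($stored) === 32 && ctype_xdigit($stored);
    $ok = $legacy
        ? hash_equals($stored, legacy_hash($password, (string)$row['salt'])) // constant-time
        : password_verify($password, $stored);
    if (!$ok) {
        return null;
    }
    // Replace the MD5 hash (or an outdated password_hash) now that the password is known.
    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE members SET members_pass_hash = ?, salt = NULL WHERE id = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    // In the web handler: session_regenerate_id(true), then store only the id in $_SESSION.
    return (int)$row['id'];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT UNIQUE,
           members_pass_hash TEXT, salt TEXT)');
$db->prepare('INSERT INTO members (email, members_pass_hash, salt) VALUES (?, ?, ?)')
   ->execute(['user@example.com', legacy_hash('correct horse', 'a1b2c'), 'a1b2c']);

foreach (['wrong guess', 'correct horse', 'correct horse'] as $attempt) {
    $id = login($db, 'user@example.com', $attempt);
    $hash = $db->query('SELECT members_pass_hash FROM members')->fetchColumn();
    printf("%-14s => %-4s stored: %.7s...\n", $attempt, $id ?? 'fail', $hash);
}
```

Run it with the PHP CLI with pdo_sqlite enabled; the third attempt is checked by password_verify() because the second one already upgraded the stored hash.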