Hello colleagues,

Please help me! I have this little annoying problem. When I want to log the user in using PHP and MySQL everything goes OK, using plain text as password. The thing is that I want the passwords my users enter into the MySQL database to be md5 hash encrypted, so that if any evil user breaks into the database he wouldn't be able to see the passwords.

So, long story short, here is the code, and please tell me what I have done wrong and why the user can't log in using the md5 hash even though they can register and the MySQL database receives the passwords md5 hashed.

    // Registration process file
    $con = mysql_connect("localhost","root","");
    global $con;

    $nickname = $_POST['nickname'];
    $password = $_POST['password'];
    $email = $_POST['email'];
    $name = $_POST['name'];
    // Hash the password before it is stored
    $password_hash = md5($password);

    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("first_database");

    $sql="INSERT INTO users (username, password, firstname, email)VALUES('$nickname','$password_hash','$name', '$email')";
    if (!mysql_query($sql,$con)) {
        die('Error: ' . mysql_error());
    }
    echo "1 record added";
    mysql_close($con);

And here is the login process file.

    <?php
    require 'mysql.php';

    $nickname = $_POST['nickname'];
    $password = $_POST['password'];
    // Hash the submitted password the same way as at registration
    $password_hash = md5($password);

    if(!empty ($nickname) and !empty ($password)){
        $query = "SELECT id FROM users WHERE username='$nickname' AND password='$password_hash'";
        if($query_run = mysql_query($query)){
            $mysql_num_rows = mysql_num_rows($query_run);
            if($mysql_num_rows==0){
                echo 'Password/username error!';
            }else if($mysql_num_rows==1){
                $user_id = mysql_result($query_run, 0, 'id');
                $_SESSION['user_id']=$user_id;
                header('Location: index.php');
                echo 'You are now logged in!';
            }
        }
    }
    ?>

This is the root account of my local server.

Thank you very much!!

Best Regards
Stefany

SHA1() is a one-way encryption technique and is available as of MySQL 5.0.2; for earlier versions MD5() is used.

Must know: SHA1() does encryption 40 characters long, so your pass column is defined as CHAR(40), while MD5() encrypts to 32 characters, so your pass column should be defined as CHAR(32).

Simple query:

    INSERT INTO USERS(first_name,last_name,email,pass,reg_date)
    VALUES ('john','lennon','john@beatles.com',SHA1('password'), NOW());

Hope this gives you some idea, or furnish the exact error you get.

All you need to do is, when the user is registered, store the password into the database using this code:

    $password = md5($_POST['password']);

When they log in, just do the same before you check whether the string matches in the database.

Glen

Your code should be like the following to solve this problem:

    <?php
    // Code to save the new user's password in the DB
    // Establish the connection to the DB here
    function addNewUser($username, $password){
        global $connection;
        $password = md5($password);
        $q = "INSERT INTO ".table_name." VALUES ('$username', '$password')";
        return mysql_query($q, $connection);
    }
    ?>

    <?php
    function validateUserPassword($username, $password){
        global $connection;
        $password = md5($password);
        // Verify that user is in database
        $q = "SELECT password FROM ".table_name." WHERE username = '$username'";
        $result = mysql_query($q, $connection);
        if(!$result || (mysql_numrows($result) < 1)){
            return 1; //Indicates username failure
        }
        // Retrieve password from result
        $dbarray = mysql_fetch_array($result);
        // Validate that password is correct
        if($password == $dbarray['password']){
            return 0; //Success! Username and password confirmed
        }
        else{
            return 1; //Indicates password failure
        }
    }
    ?>

I hope this will help. Let me know if you need any further help.

Sheetal

Thank you so much guys, you are golden I can't say how grateful I am! Thank you, thank you, thank you! You ROCK!

There's a simpler way to check the password:

    // Verify that user is in database
    $q = "SELECT password FROM ".table_name." WHERE username = '$username' and password = '".md5($_GET['password'])."'";
    $result = mysql_query($q, $connection);
    if(!$result || (mysql_numrows($result) <> 1)){
        return false; //Indicates username/password failure
    }
    return true;

IOW, if you select for the username and hashed password, you should get one and only 1 row. If you get none or more than one, the login was unsuccessful. No need to retrieve the password and then check it.
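
For comparison with the md5() approaches in this thread, an added example (not code from any of the posters) of the same register/login flow using PHP's password_hash() and password_verify() with PDO prepared statements. The in-memory SQLite database, the function names registerUser/loginUser and the sample account are assumptions made so that it runs stand-alone on PHP 7.1+ with pdo_sqlite.

```php
<?php
// Added example: registration and login with password_hash()/password_verify()
// and PDO prepared statements. The in-memory SQLite database and the sample
// account are constructed so the script runs offline (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL use VARCHAR(255) for the hash column: a column shorter than the
// hash can cut the stored value short, and then no login comparison matches.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

function registerUser(PDO $db, string $username, string $password): void
{
    // Salted, deliberately slow hash; salt and cost are stored inside the string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function loginUser(PDO $db, string $username, string $password): ?int
{
    // Look the row up by username only: the hash is salted, so it cannot be
    // matched with "AND password = ..." in the WHERE clause.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same result for unknown user and wrong password
    }
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        // Upgrade the stored hash when PHP's default algorithm or cost changes.
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

// Constructed sample account; the apostrophe in the name is bound as data.
registerUser($db, "o'brien", 'correct horse battery staple');
var_dump(loginUser($db, "o'brien", 'correct horse battery staple'));
var_dump(loginUser($db, "o'brien", 'wrong password'));
```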