<?php require_once('../Connections/ilovephysics.php'); ?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['email'])) {
  $loginUsername=$_POST['email'];
  $password=$_POST['password'];
Thanks k0b13r! I was able to encrypt all passwords on POST of edited and newly added users. But because the web app has to compare the encrypted password with the unencrypted password on login, I've found that my secondary admin account won't log on (I have yet to encrypt the primary admin account). Above I've included the login PHP code. I've tried to adjust it slightly to reflect the changes but logins still fail. Any help would be appreciated.
Thanking you in advance!
This post has been edited by jeansymolanza: 27 Feb, 2008 - 10:05 AM
From the way it sounds it sounds like you are going from an unencrypted setup to an encrypted one where all the passwords are encrypted. If that is the case, to correct your issue, you are going to have to go through all the accounts (preferably using a script) that will read in the username and password, encrypt it, and then set the password to that value. Then you can work on the login script to match them up.
Because you are right, if you are encrypting the string and trying to compare, you will have to first query the record from the database for the username and pass that matches what they supplied, concatenate the values together, encrypt it, and then put it back into the database. You could do that or if it was me, I would just run a quick script that does all account encryptions and be done with it.
Seems like you're posting something violating IPR laws. I can't open them as Blogger is blocked at my place. Edit your post to remove all copyright material links.
Just to let you know that you are getting the md5 hash of 0 every time you run this script, because in PHP, unlike in other languages, the plus (+) is a math operation but not a concat one. So it will result in zero. I had the same problem a few days ago; it is really hard to spot because it seems to be working fine until you check the value :S.
Change all pages that input/check the user name and password, or make a function. A function is preferred, so all are the same.
php
function clean_input($input, $chrs = '', $with = '') {
  // any chars found that are not allowed are replaced with $with
  return eregi_replace("[^A-Z,0-9,_%".$chrs."]", $with, $input);
}

function hash_password($loginUsername, $password) {
  // clean and hash password
  return(md5(clean_input(urlencode($loginUsername)).clean_input($password)));
}

$hashed_password = hash_password($_POST['email'], $_POST['password']);
This post has been edited by SpaceMan: 28 Feb, 2008 - 11:24 AM
function clean_input($input, $chrs = '', $with = '') {
  // any chars found that are not allowed are replaced with $with
  return eregi_replace("[^A-Z,0-9,_".$chrs."]", $with, $input);
}

function hash_password($loginUsername, $password) {
  // clean and encode password
  return(md5(strtolower(clean_input($loginUsername)).clean_input($password)));
}
Thanks a lot guys, I've given it a shot using your advice SpaceMan and it seems to be working. Although I'm only building a school site I'm hoping to eliminate all security threats.
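The one-off conversion script and the login comparison discussed in this thread, as an added example that is not code from any poster. It swaps the thread's md5() of username plus password for PHP's built-in password_hash() and password_verify(), which salt each hash, and it assumes an in-memory array ($users, constructed sample data) in place of the database table; the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. $users is constructed sample data
// standing in for the users table; all function names here are hypothetical.
$users = [
    'admin@example.test' => 'letmein',                                  // still plaintext
    'staff@example.test' => password_hash('s3cret', PASSWORD_DEFAULT),  // already converted
];

// True when the stored value is already password_hash() output.
function is_hashed(string $stored): bool
{
    return password_get_info($stored)['algoName'] !== 'unknown';
}

// One-off conversion script: hash every value that is still plaintext.
// Skipping converted rows makes it safe to run again on a half-migrated table.
function migrate_passwords(array $users): array
{
    foreach ($users as $email => $stored) {
        if (!is_hashed($stored)) {
            $users[$email] = password_hash($stored, PASSWORD_DEFAULT);
        }
    }
    return $users;
}

// Login check: compare the submitted password against the stored hash.
function check_login(array $users, string $email, string $password): bool
{
    $stored = $users[strtolower(trim($email))] ?? null;
    if ($stored === null || !is_hashed($stored)) {
        return false; // unknown account, or one the conversion has not reached
    }
    return password_verify($password, $stored);
}

$users = migrate_passwords($users);
$once  = $users;
$users = migrate_passwords($users);   // second run changes nothing
var_dump($users === $once);
var_dump(check_login($users, 'Admin@example.test', 'letmein'));
var_dump(check_login($users, 'staff@example.test', 's3cret'));
var_dump(check_login($users, 'staff@example.test', 'wrong'));
```

With a real table, the password column has to be wide enough for the hash; the PHP manual recommends 255 characters for PASSWORD_DEFAULT.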