[Decypher]

Okay..So I've added the md5 encryption to the passwords when they register however, when I try and login with the username and password I registered with it says username and password do not match, which makes sense...so how do I get it to unecrypt when tryin to login? or how to make it recognise it's the right password?

This post has been edited by Decypher: 24 July 2009 - 04:07 AM

[no2pencil]

$password=strip_tags($_POST['password']);
if(md5($password)) == [encrypted password] {
  ..
}

[ghqwerty]

you cant 'unencrypt' md5 encryptions however what no2pencil does is encrypt the passwotrd they are trying to log on with and if that == the one stored in db then the unencrypted versions must be the same, right ? therefore, grant access

[Decypher]

ahh okay cheers

[Decypher]

hmm did what you said but get user and password do not match:

 $user=$_POST["username"];
 $pass=strip_tags($_POST['password']);
 $pass=md5($pass);

			
$queryz ="SELECT * FROM login WHERE `username` LIKE '$user'";
$queryz=mysql_query($queryz);
$num = mysql_num_rows($queryz); 

if ($num != 0){
	 
 $sql="SELECT * FROM login WHERE `username` LIKE '$user'";
 $result=mysql_query($sql);
while($row = mysql_fetch_array($result)){ // Start While
 
 $username = $row['username'];
 $password = $row['password'];

 if(strcasecmp ($username,$user) == 0 && $password != $pass){
	 echo'Your username and password do not match<br>
	 <a href="index.php">Return Home</a>';
 }else{
 if (strcasecmp ($username,$user) != 0 || $password != $pass){
	 echo'Your username and password do not match<br>
	 <a href="index.php">Return Home</a>';
 }else{
 if (strcasecmp ($username,$user) == 0 && $password == $pass){
 $_SESSION["userid"] = $row["id"];
 header ('Location: login.php');
 }
 }
 }
 }
 } else {
	 	 echo' This User does not exist!<br>
	 <a href="index.php">Return Home</a>';

[Decypher]

nvm found the problem...

I remember reading md5 = 156chars or something long and my field maxed out at 20 lol

The next question is how do I get the passwords that aren't encrypted due to this only being used to being encrypted

[RudiVisser]

Decypher, on 24 Jul, 2009 - 02:50 AM, said:

I remember reading md5 = 156chars or something long and my field maxed out at 20 lol

32 characters

Decypher, on 24 Jul, 2009 - 02:50 AM, said:

The next question is how do I get the passwords that aren't encrypted due to this only being used to being encrypted

You don't, MD5 crypts are one way. You could use a private key system where you can encrypt/decrypt based on a key that you provide, but that's obviously less secure if you're storing the key on your system.

Why would you want to do that anyway? Passwords should only be for comparison when stored in an "open" database.

[Decypher]

Some passwords aren't encrypted at the moment due to me only putting this in place..However while I still am updating and making the site, obviously my original account doesn't have an ecrypted password and therefore when it goes to login the passwords don't match as the script now converts the password to md5 encryption.

if that makes sense

[RudiVisser]

No, re-encrypt your password manually and re-renter it into the database.

[Decypher]

nvm found a script that does it

$q = "SELECT username,password FROM login";
$result = mysql_query($q);
while($data = mysql_fetch_array($result))
{
  $username = $data['username'];
  $password = $data['password'];
	  $q="UPDATE login SET password='".md5($password)."' where username='".$username."'";
	  mysql_query($q);
	}
	?>

This post has been edited by Decypher: 24 July 2009 - 04:06 AM

[izrafel]

just to be technically accurate md5 is not encrypting its hashing. hashing works only one way, meaning that you can hash something but you can not "dehash" it. The idea of hashing is that one sequence of characters (bytes) gives always the same hash.used to check if a file/string has changed since last check.
Using hash for something like passwords is by definition wrong. Furthermore md5 is very very easily broken.meaning that the "cracker" can find out a sequence of characters that produce the same hash.(for more info google md5 bruteforce rainbow tables).
To make a relatively good encrypting function for passwords, you can use some of the phps encryption/decryption functions (i propose using that mcrypt extension).
if you insist using hashing, then use sha1 not md5

This post has been edited by izrafel: 24 July 2009 - 06:42 AM

[Decypher]

cheers for that rafel...I only used md5 as it was the only one I knew...I take it mcrypt and sha1 work in the same way of md5 as in coding wise? so basically replace md5 with mcrypt?

[izrafel]

Decypher, on 24 Jul, 2009 - 05:48 AM, said:

cheers for that rafel...I only used md5 as it was the only one I knew...I take it mcrypt and sha1 work in the same way of md5 as in coding wise? so basically replace md5 with mcrypt?

well using md5 is not wrong when used for what it is meant to . sha1 is also a hashing algorithm. for mcrypt see this
if you want i can give you some hints on how to make a good login system .

[Decypher]

the only problem with the login system was that passwords weren't being encrypted apart from that the login system is great so far...(will get people in to test it throughly though)

will check it out the link thou

[izrafel]

Decypher, on 24 Jul, 2009 - 05:59 AM, said:

the only problem with the login system was that passwords weren't being encrypted apart from that the login system is great so far...(will get people in to test it throughly though)

will check it out the link thou

ok