0

I've created a login + register site. The register page works fine, login too, except that when I have to write in my password I have to write in the encrypted version, the md5... I've done in register page so that their password gets encrypted. How can I make in login page so that they don't need to write their md5 password, just their normal one?

The register.php looks like:

    <?

    $reg = @$_POST['reg'];
    //declaring variables to prevent errors
    $fn = ""; //First Name
    $ln = ""; //Last Name
    $un = ""; //Username
    $em = ""; //Email
    $em2 = ""; //Email 2
    $pswd = ""; //Password
    $pswd2 = ""; // Password 2
    $d = ""; // Sign up Date
    $u_check = ""; // Check if username exists
    //registration form
    $fn = strip_tags(@$_POST['fname']);
    $ln = strip_tags(@$_POST['lname']);
    $un = strip_tags(@$_POST['username']);
    $em = strip_tags(@$_POST['email']);
    $em2 = strip_tags(@$_POST['email2']);
    $pswd = strip_tags(@$_POST['password']);
    $pswd2 = strip_tags(@$_POST['password2']);
    $d = date("Y-m-d"); // Year - Month - Day

    if ($reg) {
        if ($em==$em2) {
            // Check if user already exists
            $u_check = mysql_query("SELECT username FROM users WHERE username='$un'");
            // Count the amount of rows where username = $un
            $check = mysql_num_rows($u_check);
            if ($check == 0) {
                //check all of the fields have been filled in
                if ($fn&&$ln&&$un&&$em&&$em2&&$pswd&&$pswd2) {
                    // check that passwords match
                    if ($pswd==$pswd2) {
                        // check the maximum length of username/first name/last name does not exceed 25 characters
                        if (strlen($un)>25||strlen($fn)>25||strlen($ln)>25) {
                            echo "The maximum limit for username/first name/last name is 25 characters!";
                        }
                        else
                        {
                            // check the maximum length of password does not exceed 30 characters and is not less than 5 characters
                            if (strlen($pswd)>30||strlen($pswd)<5) {
                                echo "Your password must be between 5 and 30 characters long!";
                            }
                            else
                            {
                                //encrypt password and password 2 using md5 before sending to database
                                $pswd = md5($pswd);
                                $pswd2 = md5($pswd2);
                                $query = mysql_query("INSERT INTO users VALUES ('','$un','$fn','$ln','$em','$pswd','$d','0')");
                                die("<h2>Welcome to InstaWord!</h2>Login to your account to get started ...");
                            }
                        }
                    }
                    else {
                        echo "Your passwords don't match!";
                    }
                }
                else
                {
                    echo "Please fill in all of the fields";
                }
            }
            else
            {
                echo "Username already taken ...";
            }
        }
        else {
            echo "Your E-mails don't match!";
        }
    }
    ?>
    <table class="homepageTable">
        <tr>
            <td width="60%" valign="top">
                <h2>Share your texts!</h2>
                <img src="img/animation.gif" width="930">
            </td>
            <td width="40%" valign="top">
                <h2>Sign up</h2>
                <form action="#" method="post">
                    <input type="text" size="25" name="fname" placeholder="First Name" value="<? echo $fn; ?>">
                    <input type="text" size="25" name="lname" placeholder="Last Name" value="<? echo $ln; ?>">
                    <input type="text" size="25" name="username" placeholder="Username" value="<? echo $un; ?>">
                    <input type="text" size="25" name="email" placeholder="Email" value="<? echo $em; ?>">
                    <input type="text" size="25" name="email2" placeholder="Repeat Email" value="<? echo $em2; ?>">
                    <input type="password" size="25" name="password" placeholder="Password">
                    <input type="password" size="25" name="password2" placeholder="Repeat Password"> <br />
                    <input type="submit" name="reg" value="Sign Up!">
                </form>
            </td>
        </tr>
    </table>
    </body>
    </html>

And the login.php looks like this:

    <?php

    session_start();

    //This displays your login form
    function index(){
        echo "<form action='?act=login' method='post'>"
            ."Username: <input type='text' name='username' size='30'><br>"
            ."Password: <input type='password' name='password' size='30'><br>"
            ."<input type='submit' value='Login'>"
            ."</form>";
    }

    //This function will find and checks if your data is correct
    function login(){

        //Collect your info from login form
        $username = $_REQUEST['username'];
        $password = $_REQUEST['password'];

        //Connecting to database
        $connect = mysql_connect("myserver", "username", "password");
        if(!$connect){
            die(mysql_error());
        }

        //Selecting database
        $select_db = mysql_select_db("database_name", $connect);
        if(!$select_db){
            die(mysql_error());
        }

        //Find if entered data is correct
        $result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
        $row = mysql_fetch_array($result);
        $id = $row['id'];

        $select_user = mysql_query("SELECT * FROM users WHERE id='$id'");
        $row2 = mysql_fetch_array($select_user);
        $user = $row2['username'];

        if($username != $user){
            die("Username is wrong!");
        }

        $pass_check = mysql_query("SELECT * FROM users WHERE username='$username' AND id='$id'");
        $row3 = mysql_fetch_array($pass_check);
        $email = $row3['email'];
        $select_pass = mysql_query("SELECT * FROM users WHERE username='$username' AND id='$id' AND email='$email'");
        $row4 = mysql_fetch_array($select_pass);
        $real_password = $row4['password'];

        if($password != $real_password){
            die("Your password is wrong!");
        }

        //Now if everything is correct let's finish his/her/its login
        session_register("username", $username);
        session_register("password", $password);

        echo "Welcome, ".$username." please continue on our <a href=index.php>Index</a>";
    }

    switch($act){

        default;
            index();
            break;

        case "login";
            login();
            break;

    }

    ?>

Please help me fix this...

Jacco
tracifycray
  • When users log onto my nonexistent website, the database has the md5 password, and the login page checks the md5 by using md5($password); and if md5($password) == $passindatabase { //logincode. – alexpja May 21 '12 at 06:01
  • 3
    * Please use proper variable names. * Please indent your code. * Please don't use mysql_* functions. * Your script is wide open to SQL injection attack. http://xkcd.com/327/ – GordonM May 21 '12 at 06:01
  • Please do not limit your user's maximum password length! There is no reason to limit the length to 30 characters. If you want to limit it anyhow, put the maximum at 1000 characters or so. – Jacco May 21 '12 at 06:13
  • But who wants a longer password than 30 characters? – tracifycray May 21 '12 at 06:14
  • @David Gabor, your line of thinking is the wrong way around. You should not try to think for them; let the user decide for themselves. Many security-conscious people use password managers, they typically have 128 random characters. – Jacco May 21 '12 at 06:21
  • 1
    maybe also read: [The Definitive Guide To Forms based Website Authentication](http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication) and [How can I store my users passwords safely](http://stackoverflow.com/questions/1581610/how-can-i-store-my-users-passwords-safely) – Jacco May 21 '12 at 06:24

3 Answers

3

You are not using md5 to check while login....

Use $password = md5($_REQUEST['password']); in your login() function.

This will take the normal password and check it with encrypted version in database and then will successfully log the user in.

Hope this helps.

AlphaMale
  • Welcome... :) It should be... :D – AlphaMale May 21 '12 at 06:02
  • This is not secure! a: MD5 is considered both too fast and cryptographically broken and should not be used for anything security related anymore. b: you should add a salt value to the hash! – Jacco May 21 '12 at 06:09
  • @Jacco the nature of question was problem faced while login. Not the best practices for password hashes... – AlphaMale May 21 '12 at 06:48
  • Since the question is security related, you should, in my opinion, always point out best practices. The question makes clear that this is about to be implemented as is. So this question may be the last opportunity for us, the programmers community, to help the OP build a safer website, before yet another insecure login script goes live. – Jacco May 21 '12 at 07:10
1

You should not apply a strip_tags() to the $_POST['password'], just feed the incoming value to the password hashing function.

To protect your user's passwords, you need to do better than md5 hash the passwords. You need

  1. a better hashing algorithm: BCrypt hash
  2. add a random salt value

The good news is that you can just use a drop-in library and use that: PHPass

    require('PasswordHash.php');

    $pwdHasher = new PasswordHash(8, FALSE);

    // $hash is what you would store in your database
    $hash = $pwdHasher->HashPassword( $_POST['password'] );

    // $hash would be the hash stored in your database for this user
    $checked = $pwdHasher->CheckPassword($_POST['password'], $hash);
    if ($checked) {
        echo 'password correct';
    } else {
        echo 'wrong credentials';
    }

Jacco
0

Encrypt the input password with md5() when you pass the details into sql query while checking correct login details.

    $password_encrypt = md5($password);
    $result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password_encrypt'");

heyanshukla
  • 1
    This is a non-secure example; the hash checking should be done in the PHP code. With your example the password hash can show up in MySQL query log. Also, MD5 is not good enough for password storage and a salt value should be added to the hash function. – Jacco May 21 '12 at 06:08
  • @Jacco thanks for the tips. I will take care of that now onwards. – heyanshukla May 21 '12 at 06:11
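
Added example (not part of the question or of any answer above, and not PHPass code): the login check that the second answer and the comment on the third answer point towards, with the stored hash fetched through a prepared statement and compared in PHP. It uses PHP's built-in password_hash()/password_verify() in place of PHPass; the in-memory SQLite table, the sample accounts and the upgrade of existing MD5 rows at login are assumptions made for the illustration.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL database; table and users are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

function register(PDO $db, string $username, string $password): void
{
    // Hash the raw input (no strip_tags); bcrypt generates a random salt and embeds it in the hash.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_BCRYPT)]);
}

function login(PDO $db, string $username, string $password): bool
{
    // Look the row up by username only; the password is never sent to the database.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $stored = $row['password'];
    // Rows written by the question's register.php hold md5(strip_tags($password)): 32 hex characters.
    $legacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $legacy
        ? hash_equals($stored, md5(strip_tags($password)))
        : password_verify($password, $stored);
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_BCRYPT))) {
        // The plaintext is only available now, so replace the old hash with a bcrypt one.
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT), $row['id']]);
    }
    return $ok;
}

// Constructed accounts: one registered with bcrypt, one stored the way the old script did it.
register($db, 'alice', 'correct horse battery staple');
$db->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
   ->execute(['bob', md5(strip_tags('hunter22'))]);

var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, 'bob', 'hunter22'));

// Check that bob's stored value was replaced by a bcrypt hash, which starts with "$2y$".
$now = $db->query("SELECT password FROM users WHERE username = 'bob'")->fetchColumn();
var_dump(strncmp($now, '$2y$', 4) === 0);
```

bcrypt uses only the first 72 bytes of the password, so longer passwords are accepted but the bytes past that point do not affect the hash.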