danposs86 Posted April 12, 2007 Share Posted April 12, 2007 I have the line: if ($row['member_login_key'] == $u_password) member_login_key is a md5 hash, what i want is to make the string $u_password into an md5 hash (hope i am using the right terminology!)i have tried: if ($row['member_login_key'] == md5($u_password)) but it doesnt appear to work, any ideas? Link to comment Share on other sites More sharing options...
danposs86 Posted April 12, 2007 Author Share Posted April 12, 2007 done a quick check, and using the first script i mentioned, i copy and pasted the actual hashed code from the table and it still doesnt work. all the table names are right. whats going on? Link to comment Share on other sites More sharing options...
Hooch Posted April 12, 2007 Share Posted April 12, 2007 I'm not sure how your code picks up the password, but here's something that may help. <?PHP$u_password = md5($_POST[u_password]); $info = mysql_query("SELECT * FROM users WHERE username = '$_POST[u_name]'") or die(mysql_error()); $row = mysql_fetch_array($info); if ($row['member_login_key'] == $u_password)?> Link to comment Share on other sites More sharing options...
danposs86 Posted April 12, 2007 Author Share Posted April 12, 2007 this is all the script: <?php# Simple password protection## (c) http://www.phpbuddy.com# Author: Ranjit Kumar# Feel free to use this script but keep this message intact!## To protect a page include this file in your PHP pages!session_start();//you can change the username and password by changing the above two stringsif (!isset($HTTP_SESSION_VARS['user'])) { if(isset($HTTP_POST_VARS['u_name'])) $u_name = $HTTP_POST_VARS['u_name']; if(isset($HTTP_POST_VARS['u_password'])) $u_password = $HTTP_POST_VARS['u_password']; if(!isset($u_name)) { ?> <HTML> <HEAD> <TITLE><?php echo $HTTP_SERVER_VARS['HTTP_HOST']; ?> : Authentication Required</TITLE> </HEAD> <BODY bgcolor=#ffffff> <table border=0 cellspacing=0 cellpadding=0 width=100%> <TR><TD> <font face=verdana size=2><B>(Access Restricted to Authorized Personnel)</b> </font></td> </tr></table> <P></P> <font face=verdana size=2> <center> <?php $form_to = "http://$HTTP_SERVER_VARS[HTTP_HOST]$HTTP_SERVER_VARS[PHP_SELF]"; if(isset($HTTP_SERVER_VARS["QUERY_STRING"])) $form_to = $form_to ."?". $HTTP_SERVER_VARS["QUERY_STRING"]; ?> <form method=post action=<?php echo $form_to; ?>> <table border=0 width=350> <TR> <TD><font face=verdana size=2><B>User Name</B></font></TD> <TD><font face=verdana size=2><input type=text name=u_name size=20></font></TD></TR> <TR> <TD><font face=verdana size=2><B>Password</B></font></TD> <TD><font face=verdana size=2><input type=password name=u_password size=20></font></TD> </TR> </table> <input type=submit value=Login></form> </center> </font> </BODY> </HTML> <?php exit; } else { function login_error($host,$php_self) { echo "<HTML><HEAD> <TITLE>$host : Administration</TITLE> </HEAD><BODY bgcolor=#ffffff> <table border=0 cellspacing=0 cellpadding=0 width=100%> <TR><TD align=left> <font face=verdana size=2><B> You Need to log on to access this part of the site! </b> </font></td> </tr></table> <P></P> <font face=verdana size=2> <center>"; echo "Error: You are not authorized to access this part of the site! <B><a href=$php_self>Click here</a></b> to login again.<P> </center> </font> </BODY> </HTML>"; session_unregister("adb_password"); session_unregister("user"); exit; } $user_checked_passed = false; mysql_connect("localhost", "xxx", "xxx"); mysql_select_db("xxx"); if (isset($HTTP_SESSION_VARS['adb_password']) && isset($HTTP_SESSION_VARS['user'])) { $adb_session_password = $HTTP_SESSION_VARS['adb_password']; $session_user = $HTTP_SESSION_VARS['user']; $result = mysql_query("SELECT member_login_key FROM ibf_members WHERE name='".mysql_real_escape_string($session_user)."'"); if ($row = mysql_fetch_assoc($result)) { if ($row['member_login_key'] == $adb_session_password) $admin = true; else $admin = false; } else $admin = false; if (!$admin) login_error($HTTP_SERVER_VARS['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']); else { $user_checked_passed = true; } } if($user_checked_passed == false) { $result = mysql_query("SELECT member_login_key FROM ibf_members WHERE name='" . mysql_real_escape_string($u_name) . "'"); if ($row = mysql_fetch_assoc($result)) { if ($row['member_login_key'] == $u_password) $admin = true; else $admin = false; } else $admin = false; if (!$admin) login_error($HTTP_SERVER_VARS['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']); session_register("adb_password"); session_register("user"); $adb_password = $u_password; $user = $u_name; $page_location = $HTTP_SERVER_VARS['PHP_SELF']; if(isset($HTTP_SERVER_VARS["QUERY_STRING"])) $page_location = $page_location ."?". $HTTP_SERVER_VARS["QUERY_STRING"]; header ("Location: ". $page_location); } }}?> I want to sort out the lines: if ($row['member_login_key'] == $adb_session_password) and if ($row['member_login_key'] == $u_password) Link to comment Share on other sites More sharing options...
Hooch Posted April 12, 2007 Share Posted April 12, 2007 I commented the lines that I edited.Hope it works...Hooch <?PHP# Simple password protection## (c) http://www.phpbuddy.com# Author: Ranjit Kumar# Feel free to use this script but keep this message intact!## To protect a page include this file in your PHP pages!session_start();//you can change the username and password by changing the above two stringsif (!isset($HTTP_SESSION_VARS['user'])) { if(isset($HTTP_POST_VARS['u_name'])) $u_name = $HTTP_POST_VARS['u_name']; if(isset($HTTP_POST_VARS['u_password'])) //*************************Changed line below*************************// $u_password = md5($HTTP_POST_VARS['u_password']); if(!isset($u_name)) { ?> <HTML> <HEAD> <TITLE><?php echo $HTTP_SERVER_VARS['HTTP_HOST']; ?> : Authentication Required</TITLE> </HEAD> <BODY bgcolor=#ffffff> <table border=0 cellspacing=0 cellpadding=0 width=100%> <TR><TD> <font face=verdana size=2><B>(Access Restricted to Authorized Personnel)</b> </font></td> </tr></table> <P></P> <font face=verdana size=2> <center> <?php $form_to = "http://$HTTP_SERVER_VARS[HTTP_HOST]$HTTP_SERVER_VARS[PHP_SELF]"; if(isset($HTTP_SERVER_VARS["QUERY_STRING"])) $form_to = $form_to ."?". $HTTP_SERVER_VARS["QUERY_STRING"]; ?> <form method=post action=<?php echo $form_to; ?>> <table border=0 width=350> <TR> <TD><font face=verdana size=2><B>User Name</B></font></TD> <TD><font face=verdana size=2><input type=text name=u_name size=20></font></TD></TR> <TR> <TD><font face=verdana size=2><B>Password</B></font></TD> <TD><font face=verdana size=2><input type=password name=u_password size=20></font></TD> </TR> </table> <input type=submit value=Login></form> </center> </font> </BODY> </HTML> <?php exit; } else { function login_error($host,$php_self) { echo "<HTML><HEAD> <TITLE>$host : Administration</TITLE> </HEAD><BODY bgcolor=#ffffff> <table border=0 cellspacing=0 cellpadding=0 width=100%> <TR><TD align=left> <font face=verdana size=2><B> You Need to log on to access this part of the site! </b> </font></td> </tr></table> <P></P> <font face=verdana size=2> <center>"; echo "Error: You are not authorized to access this part of the site! <B><a href=$php_self>Click here</a></b> to login again.<P> </center> </font> </BODY> </HTML>"; session_unregister("adb_password"); session_unregister("user"); exit; } $user_checked_passed = false; mysql_connect("localhost", "xxx", "xxx"); mysql_select_db("xxx"); if (isset($HTTP_SESSION_VARS['adb_password']) && isset($HTTP_SESSION_VARS['user'])) { //*************************Changed line below*************************// $adb_session_password = md5($HTTP_SESSION_VARS['adb_password']); $session_user = $HTTP_SESSION_VARS['user']; $result = mysql_query("SELECT member_login_key FROM ibf_members WHERE name='".mysql_real_escape_string($session_user)."'"); if ($row = mysql_fetch_assoc($result)) { if ($row['member_login_key'] == $adb_session_password) $admin = true; else $admin = false; } else $admin = false; if (!$admin) login_error($HTTP_SERVER_VARS['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']); else { $user_checked_passed = true; } } if($user_checked_passed == false) { $result = mysql_query("SELECT member_login_key FROM ibf_members WHERE name='" . mysql_real_escape_string($u_name) . "'"); if ($row = mysql_fetch_assoc($result)) { if ($row['member_login_key'] == $u_password) $admin = true; else $admin = false; } else $admin = false; if (!$admin) login_error($HTTP_SERVER_VARS['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']); session_register("adb_password"); session_register("user"); $adb_password = $u_password; $user = $u_name; $page_location = $HTTP_SERVER_VARS['PHP_SELF']; if(isset($HTTP_SERVER_VARS["QUERY_STRING"])) $page_location = $page_location ."?". $HTTP_SERVER_VARS["QUERY_STRING"]; header ("Location: ". $page_location); } }}?> Link to comment Share on other sites More sharing options...
danposs86 Posted April 12, 2007 Author Share Posted April 12, 2007 no luck i'm affraid Link to comment Share on other sites More sharing options...
Hooch Posted April 12, 2007 Share Posted April 12, 2007 Show how you insert the 'member_login_key'to the database.Better make sure it's getting an MD5 correctly. Link to comment Share on other sites More sharing options...
danposs86 Posted April 12, 2007 Author Share Posted April 12, 2007 what i am trying to do is create a log in system on a website that uses the same username and password as a forum (Invision Power Board v2.2.1).So the 'member_login_key' is generated when a user first registers with the forum.the only think i can think of is that 'member_login_key' isnt actually the password or it isnt actually generated using md5? Link to comment Share on other sites More sharing options...
danposs86 Posted April 12, 2007 Author Share Posted April 12, 2007 more investigating, created a test user with the password "test123" (original i know lol)anyway, i then typed this into a md5 generator online and got this: cc03e747a6afbbcbf8be7668acfebee5however member_login_key is: 4a75eabdad08c6ecd83af1f364e127c2so obviously i am either barking up the wrong field, or it uses something that isnt md5. Link to comment Share on other sites More sharing options...
Hooch Posted April 12, 2007 Share Posted April 12, 2007 I suggest again to look how that is entered in the DB.Find the registration script and see how it's hashed. Link to comment Share on other sites More sharing options...
justsomeguy Posted April 12, 2007 Share Posted April 12, 2007 Also, about the changes from Hooch, you will not want to hash both the password from $_POST and $_SESSION. Do not hash the session password, because you are saving the already-hashed password in the session. Hashing it again would produce a different value. Link to comment Share on other sites More sharing options...
Hooch Posted April 13, 2007 Share Posted April 13, 2007 I'm confused as to how the same password is getting hashed twice with the code I added. To my knowledge I am hashing 2 different password entries. I understand they couldbe the same password, but when "u_password" is hashed, I don't see how this ishashing "adb_password". Waiting to learn from the master....Hooch Link to comment Share on other sites More sharing options...
justsomeguy Posted April 16, 2007 Share Posted April 16, 2007 Well, the password from POST when the user logs in gets set here: if(isset($HTTP_POST_VARS['u_password'])) $u_password = md5($HTTP_POST_VARS['u_password']); So, $u_password is an md5 hash. Then, lower down when the login is checked, the password gets saved in the session here: session_register("adb_password"); session_register("user"); $adb_password = $u_password; $user = $u_name; So, now $_SESSION['adb_password'] has the same hashed password from POST. So the password in $_SESSION is already hashed. So when you read the password from the session here: if (isset($HTTP_SESSION_VARS['adb_password']) && isset($HTTP_SESSION_VARS['user'])) { $adb_session_password = md5($HTTP_SESSION_VARS['adb_password']); You are hashing it again, so it is a hash of a hash, which is going to be different then the value you are checking against. So you don't want to hash the password from the session, you just want to store the value in the session into the $adb_session_password variable. You would only hash the password in the session if you were storing the plain-text password in the session, but the password you are storing in this case has already been hashed when you save it, you don't need to do it again when you read it. Link to comment Share on other sites More sharing options...
grappy Posted April 17, 2007 Share Posted April 17, 2007 i thought md5 was 36 characters, that member login key is only 32, perhaps its a randomly generated string by invision power boards in which case u should have access to the source code, meaning u could find where it is generated and submit it to your own personal database at the same time giving you access to it from your own site. Link to comment Share on other sites More sharing options...
justsomeguy Posted April 17, 2007 Share Posted April 17, 2007 MD5 is a 128-bit, 32 hex character value. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now