Jump to content

hash in PHP


RaRa3
 Share

Recommended Posts

The password is not hashing because $pass is an undefined variable;

 

You can define

$pass = $_POST['pass'];

 

then password is

 

$password = md5($pass);

  • Like 1
Link to comment
Share on other sites

Hi RaRa3, I'm not quite sure about the question you're asking but here is how you would hash a password and insert it into a database

Your HTML <form> element should be a POST request. (Using GET requests for passwords is a bad idea)

It should look like this <form action="" method="post">...</form>

<?php //CORRECTED VERSION//GET ALL THE VALUES AND STORE THEM INTO VARIABLES$firstname = $_POST["firstName"];$lastname = $_POST["lastName"];$user = $_POST["username"]$pass = $_POST["pass"]; //We first store the value of the password to $pass$email = $_POST["email"];$address = $_POST["address"];//HASH PASSWORD$pass = md5($pass); //We hash the value of $pass//INSERT THEM INTO DATABASE$sql = "INSERT INTO UserAccount (firstName, lastName, userName, password, email, address) VALUES ('$firstname','$lastname','$user','$pass','$email','$address')";$res=mysql_query($sql); //We INSERT $pass(HASHED) into the database, not $_POST["pass"](NOT HASHED)
<?php //start php tag//include connect.php page for database connectioninclude('connect.php');//if submit is not blanked i.e. it is clicked.if(isset($_POST['submit'])) { //You do not need the !="". This line is enough for checking if a button has been clicked$firstname = $_POST["firstName"];$lastname = $_POST["lastName"];$user = $_POST["username"]$pass = $_POST["pass"];$email = $_POST["email"];$address = $_POST["address"];if(empty($firstname) || empty($lastname) || empty($user) || empty($pass) || empty($email) || empty($address)) { //Try using the built in empty() function to detect blank fields. Much easierEcho "Please fill the empty field(s).";}Else{//////////REPLACE THIS WITH CODE IN THE ABOVE SECTION//////////////$sql = "INSERT INTO UserAccount (firstName, lastName, userName, password, email, address) VALUES ('$_POST[firstName]','$_POST[lastName]','$_POST[user]','$_POST[pass]','$_POST[email]','$_POST[address]')";$password = md5($pass);$res=mysql_query($sql);This code will not work.. Notice how you have not defined $pass or $password yet? and your values are directly taken from a POST[] Request///////////////////////////////////////////////////////////////////if($res){Echo "Thank you for signing up";}Else{Echo "There is some problem in inserting record";}}}?>

Tips for next time:

1. You should really start using mysqli_query since mysql_query is deprecated

2. When you're getting a value from a form please first store it into a variable first. Then you can manipulate the variable.

3. This code is insecure, you should use functions such as mysql_real_escape_string() or stripslashes() to prevent SQL INJECTION Measures.

4. Always use POST[] requests when handling sensitive data (passwords etc.). I'd prefer you stay away from the REQUEST[] operator.

  • Like 1
Link to comment
Share on other sites

MD5 is not a secure hashing algorithm. It's far too easy to crack. See details right in the PHP manual: http://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash

 

Consider using PHP's crypt() function with Blowfish or SHA-512 algorithms.

 

addslashes() (not stripslashes() because that doesn't escape the code at all) is not a sure way to prevent injection, use escape_string(), but even that is not ideal. Ideally, you would use Prepared Statements

  • Like 1
Link to comment
Share on other sites

MD5 is not a secure hashing algorithm. It's far too easy to crack. See details right in the PHP manual: http://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash

 

Consider using PHP's crypt() function with Blowfish or SHA-512 algorithms.

 

addslashes() (not stripslashes() because that doesn't escape the code at all) is not a sure way to prevent injection, use escape_string(), but even that is not ideal. Ideally, you would use Prepared Statements

well its jsut gor a project now so something simple to show "security"

thanks for your comment :)

Link to comment
Share on other sites

Hi RaRa3, I'm not quite sure about the question you're asking but here is how you would hash a password and insert it into a database

Your HTML <form> element should be a POST request. (Using GET requests for passwords is a bad idea)

It should look like this <form action="" method="post">...</form>

<?php //CORRECTED VERSION//GET ALL THE VALUES AND STORE THEM INTO VARIABLES$firstname = $_POST["firstName"];$lastname = $_POST["lastName"];$user = $_POST["username"]$pass = $_POST["pass"]; //We first store the value of the password to $pass$email = $_POST["email"];$address = $_POST["address"];//HASH PASSWORD$pass = md5($pass); //We hash the value of $pass//INSERT THEM INTO DATABASE$sql = "INSERT INTO UserAccount (firstName, lastName, userName, password, email, address) VALUES ('$firstname','$lastname','$user','$pass','$email','$address')";$res=mysql_query($sql); //We INSERT $pass(HASHED) into the database, not $_POST["pass"](NOT HASHED)
<?php //start php tag//include connect.php page for database connectioninclude('connect.php');//if submit is not blanked i.e. it is clicked.if(isset($_POST['submit'])) { //You do not need the !="". This line is enough for checking if a button has been clicked$firstname = $_POST["firstName"];$lastname = $_POST["lastName"];$user = $_POST["username"]$pass = $_POST["pass"];$email = $_POST["email"];$address = $_POST["address"];if(empty($firstname) || empty($lastname) || empty($user) || empty($pass) || empty($email) || empty($address)) { //Try using the built in empty() function to detect blank fields. Much easierEcho "Please fill the empty field(s).";}Else{//////////REPLACE THIS WITH CODE IN THE ABOVE SECTION//////////////$sql = "INSERT INTO UserAccount (firstName, lastName, userName, password, email, address) VALUES ('$_POST[firstName]','$_POST[lastName]','$_POST[user]','$_POST[pass]','$_POST[email]','$_POST[address]')";$password = md5($pass);$res=mysql_query($sql);This code will not work.. Notice how you have not defined $pass or $password yet? and your values are directly taken from a POST[] Request///////////////////////////////////////////////////////////////////if($res){Echo "Thank you for signing up";}Else{Echo "There is some problem in inserting record";}}}?>

Tips for next time:

1. You should really start using mysqli_query since mysql_query is deprecated

2. When you're getting a value from a form please first store it into a variable first. Then you can manipulate the variable.

3. This code is insecure, you should use functions such as mysql_real_escape_string() or stripslashes() to prevent SQL INJECTION Measures.

4. Always use POST[] requests when handling sensitive data (passwords etc.). I'd prefer you stay away from the REQUEST[] operator.

 

 

Wow Thanks so much you helped me a lot! but i have a question now, it does store a hashed password into the database, but now if i was to have someone login after registering they cant use the password they created the hashed one is the one that works, how can i make it so when the user logs in they use the password they created? is that possible?

Link to comment
Share on other sites

yes in the database its encrypted but if the user wants to login then they have to put in the encrypted password, but it should be the original password they created

 

thats what im having trouble with

Link to comment
Share on other sites

Here's the procedure:

 

1. User sends unencrypted password.

2. Encrypt the password.

3. Compare the encrypted password to the encrypted password that's in the database.

4. Log the user in if the two are the same.

  • Like 1
Link to comment
Share on other sites

Did i say they have to enter the encrypted password in database, i think if you read it AGAIN it says"The idea is for the user to enter their original password this password is then encrypted and compared with encrypted password AND username stored in database."It does not magically encrpyt the original password, i mean did it magically encrpyt the password and store it in database, NO! It used php encyption function, now THINK about it! Use those little grey cells, it is basically using the same principle, BUT! Instead of storing the encypted password you are NOW comparing the entered username and then encrypted password for that user WITH username and encrypted password in database. Facepalm

  • Like 1
Link to comment
Share on other sites

Did i say they have to enter the encrypted password in database, i think if you read it AGAIN it says"The idea is for the user to enter their original password this password is then encrypted and compared with encrypted password AND username stored in database."It does not magically encrpyt the original password, i mean did it magically encrpyt the password and store it in database, NO! It used php encyption function, now THINK about it! Use those little grey cells, it is basically using the same principle, BUT! Instead of storing the encypted password you are NOW comparing the entered username and then encrypted password for that user WITH username and encrypted password in database. Facepalm

oh okay sorry, i got you

 

thanks

Link to comment
Share on other sites

Here's the procedure:

 

1. User sends unencrypted password.

2. Encrypt the password.

3. Compare the encrypted password to the encrypted password that's in the database.

4. Log the user in if the two are the same.

yes thats how it is working

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...