RaRa3, posted April 29, 2015 (edited May 10, 2015 by RaRa3):

none
Techneut, posted April 29, 2015:

The password is not hashing because $pass is an undefined variable. You can define $pass = $_POST['pass']; then the password is $password = md5($pass);
CoconutJJ, posted April 29, 2015:

Hi RaRa3, I'm not quite sure about the question you're asking, but here is how you would hash a password and insert it into a database.

Your HTML <form> element should be a POST request (using GET requests for passwords is a bad idea). It should look like this:

```html
<form action="" method="post">...</form>
```

```php
<?php
// CORRECTED VERSION
// GET ALL THE VALUES AND STORE THEM INTO VARIABLES
$firstname = $_POST["firstName"];
$lastname = $_POST["lastName"];
$user = $_POST["username"];
$pass = $_POST["pass"]; // We first store the value of the password to $pass
$email = $_POST["email"];
$address = $_POST["address"];
// HASH PASSWORD
$pass = md5($pass); // We hash the value of $pass
// INSERT THEM INTO DATABASE
$sql = "INSERT INTO UserAccount (firstName, lastName, userName, password, email, address) VALUES ('$firstname','$lastname','$user','$pass','$email','$address')";
$res = mysql_query($sql); // We INSERT $pass (HASHED) into the database, not $_POST["pass"] (NOT HASHED)
```

```php
<?php // start php tag
// include connect.php page for database connection
include('connect.php');
// if submit is not blanked i.e. it is clicked.
if (isset($_POST['submit'])) { // You do not need the !="". This line is enough for checking if a button has been clicked
    $firstname = $_POST["firstName"];
    $lastname = $_POST["lastName"];
    $user = $_POST["username"];
    $pass = $_POST["pass"];
    $email = $_POST["email"];
    $address = $_POST["address"];
    if (empty($firstname) || empty($lastname) || empty($user) || empty($pass) || empty($email) || empty($address)) { // Try using the built in empty() function to detect blank fields. Much easier
        echo "Please fill the empty field(s).";
    } else {
        ////////// REPLACE THIS WITH CODE IN THE ABOVE SECTION //////////
        $sql = "INSERT INTO UserAccount (firstName, lastName, userName, password, email, address) VALUES ('$_POST[firstName]','$_POST[lastName]','$_POST[user]','$_POST[pass]','$_POST[email]','$_POST[address]')";
        $password = md5($pass);
        $res = mysql_query($sql);
        // This code will not work.. Notice how you have not defined $pass or $password yet? And your values are directly taken from a POST[] request
        /////////////////////////////////////////////////////////////////
        if ($res) {
            echo "Thank you for signing up";
        } else {
            echo "There is some problem in inserting record";
        }
    }
}
?>
```

Tips for next time:

1. You should really start using mysqli_query since mysql_query is deprecated.
2. When you're getting a value from a form, please store it into a variable first. Then you can manipulate the variable.
3. This code is insecure; you should use functions such as mysql_real_escape_string() or stripslashes() to prevent SQL INJECTION.
4. Always use POST[] requests when handling sensitive data (passwords etc.). I'd prefer you stay away from the REQUEST[] operator.
Ingolme, posted April 29, 2015:

MD5 is not a secure hashing algorithm. It's far too easy to crack. See details right in the PHP manual: http://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash

Consider using PHP's crypt() function with Blowfish or SHA-512 algorithms.

addslashes() (not stripslashes(), because that doesn't escape the code at all) is not a sure way to prevent injection; use escape_string(), but even that is not ideal. Ideally, you would use Prepared Statements.
RaRa3 (author), posted May 4, 2015 (edited May 4, 2015 by RaRa3):

Nevermind
RaRa3 (author), posted May 4, 2015:

> MD5 is not a secure hashing algorithm. It's far too easy to crack. See details right in the PHP manual: http://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash
> Consider using PHP's crypt() function with Blowfish or SHA-512 algorithms.
> addslashes() (not stripslashes(), because that doesn't escape the code at all) is not a sure way to prevent injection; use escape_string(), but even that is not ideal. Ideally, you would use Prepared Statements.

Well, it's just for a project now, so something simple to show "security". Thanks for your comment.
RaRa3 (author), posted May 4, 2015:

> Hi RaRa3, I'm not quite sure about the question you're asking, but here is how you would hash a password and insert it into a database.
>
> Your HTML <form> element should be a POST request (using GET requests for passwords is a bad idea). It should look like this:
>
> ```html
> <form action="" method="post">...</form>
> ```
>
> ```php
> <?php
> // CORRECTED VERSION
> // GET ALL THE VALUES AND STORE THEM INTO VARIABLES
> $firstname = $_POST["firstName"];
> $lastname = $_POST["lastName"];
> $user = $_POST["username"];
> $pass = $_POST["pass"]; // We first store the value of the password to $pass
> $email = $_POST["email"];
> $address = $_POST["address"];
> // HASH PASSWORD
> $pass = md5($pass); // We hash the value of $pass
> // INSERT THEM INTO DATABASE
> $sql = "INSERT INTO UserAccount (firstName, lastName, userName, password, email, address) VALUES ('$firstname','$lastname','$user','$pass','$email','$address')";
> $res = mysql_query($sql); // We INSERT $pass (HASHED) into the database, not $_POST["pass"] (NOT HASHED)
> ```
>
> ```php
> <?php // start php tag
> // include connect.php page for database connection
> include('connect.php');
> // if submit is not blanked i.e. it is clicked.
> if (isset($_POST['submit'])) { // You do not need the !="". This line is enough for checking if a button has been clicked
>     $firstname = $_POST["firstName"];
>     $lastname = $_POST["lastName"];
>     $user = $_POST["username"];
>     $pass = $_POST["pass"];
>     $email = $_POST["email"];
>     $address = $_POST["address"];
>     if (empty($firstname) || empty($lastname) || empty($user) || empty($pass) || empty($email) || empty($address)) { // Try using the built in empty() function to detect blank fields. Much easier
>         echo "Please fill the empty field(s).";
>     } else {
>         ////////// REPLACE THIS WITH CODE IN THE ABOVE SECTION //////////
>         $sql = "INSERT INTO UserAccount (firstName, lastName, userName, password, email, address) VALUES ('$_POST[firstName]','$_POST[lastName]','$_POST[user]','$_POST[pass]','$_POST[email]','$_POST[address]')";
>         $password = md5($pass);
>         $res = mysql_query($sql);
>         // This code will not work.. Notice how you have not defined $pass or $password yet? And your values are directly taken from a POST[] request
>         /////////////////////////////////////////////////////////////////
>         if ($res) {
>             echo "Thank you for signing up";
>         } else {
>             echo "There is some problem in inserting record";
>         }
>     }
> }
> ?>
> ```
>
> Tips for next time:
>
> 1. You should really start using mysqli_query since mysql_query is deprecated.
> 2. When you're getting a value from a form, please store it into a variable first. Then you can manipulate the variable.
> 3. This code is insecure; you should use functions such as mysql_real_escape_string() or stripslashes() to prevent SQL INJECTION.
> 4. Always use POST[] requests when handling sensitive data (passwords etc.). I'd prefer you stay away from the REQUEST[] operator.

Wow, thanks so much, you helped me a lot! But I have a question now: it does store a hashed password into the database, but now if I was to have someone log in after registering, they can't use the password they created; the hashed one is the one that works. How can I make it so that when the user logs in they use the password they created? Is that possible?
dsonesuk, posted May 4, 2015 (edited May 4, 2015 by dsonesuk):

The idea is for the user to enter their original password. This password is then encrypted and compared with the encrypted password AND username stored in the database.
RaRa3 (author), posted May 4, 2015:

Yes, in the database it's encrypted, but if the user wants to log in then they have to put in the encrypted password, but it should be the original password they created. That's what I'm having trouble with.
Ingolme, posted May 4, 2015:

Here's the procedure:

1. User sends unencrypted password.
2. Encrypt the password.
3. Compare the encrypted password to the encrypted password that's in the database.
4. Log the user in if the two are the same.
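A worked version of this four-step procedure, combined with the prepared-statement and non-MD5 advice from Ingolme's earlier post, as an added example that is not code from the thread or from any poster: it uses PHP's built-in password_hash()/password_verify() (bcrypt) rather than crypt() directly, and mysqli prepared statements against the thread's UserAccount table. It assumes PHP 7 or later, an open mysqli connection in $db, that UserAccount.password is VARCHAR(255), and that the table's other columns allow NULL or have defaults.

```php
<?php
// Added example, not from the thread: registration and login for the UserAccount
// table using password_hash()/password_verify() (bcrypt) and mysqli prepared
// statements instead of md5() and a string-built mysql_query(). Assumes PHP >= 7,
// $db is an open mysqli connection and UserAccount.password is VARCHAR(255).
const HASH_OPTS = ['cost' => 12];

function register_user(mysqli $db, string $user, string $pass): bool {
    // password_hash() generates a random salt and embeds salt, cost and algorithm
    // id in the returned string, so only this one value needs to be stored.
    $hash = password_hash($pass, PASSWORD_BCRYPT, HASH_OPTS);
    $stmt = $db->prepare('INSERT INTO UserAccount (userName, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $user, $hash); // values are bound, never pasted into SQL
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function login_user(mysqli $db, string $user, string $pass): bool {
    // Step 1: the user sent the plain password. Fetch the stored hash by username
    // only; the password itself is never compared inside the query.
    $stmt = $db->prepare('SELECT password FROM UserAccount WHERE userName = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($stored_hash);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        // Unknown user: do the same amount of bcrypt work so response time does
        // not reveal whether the username exists, then reject.
        password_hash($pass, PASSWORD_BCRYPT, HASH_OPTS);
        return false;
    }
    // Steps 2-4: re-hash the submitted password with the salt and cost taken from
    // the stored hash and compare in constant time; log in only if they match.
    if (!password_verify($pass, $stored_hash)) {
        return false;
    }
    // If the cost was raised since this hash was made, upgrade it on a successful login.
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, HASH_OPTS)) {
        $new = password_hash($pass, PASSWORD_BCRYPT, HASH_OPTS);
        $up = $db->prepare('UPDATE UserAccount SET password = ? WHERE userName = ?');
        $up->bind_param('ss', $new, $user);
        $up->execute();
        $up->close();
    }
    return true;
}
```

The stored value is never decrypted; the login form receives the password the user originally typed, and password_verify() repeats the hashing so the two hashes can be compared.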
dsonesuk, posted May 4, 2015:

Did I say they have to enter the encrypted password in the database? I think if you read it AGAIN it says "The idea is for the user to enter their original password. This password is then encrypted and compared with the encrypted password AND username stored in the database." It does not magically encrypt the original password; I mean, did it magically encrypt the password and store it in the database? NO! It used a PHP encryption function. Now THINK about it! Use those little grey cells: it is basically using the same principle, BUT! Instead of storing the encrypted password you are NOW comparing the entered username and then the encrypted password for that user WITH the username and encrypted password in the database. Facepalm
RaRa3 (author), posted May 4, 2015:

> Did I say they have to enter the encrypted password in the database? I think if you read it AGAIN it says "The idea is for the user to enter their original password. This password is then encrypted and compared with the encrypted password AND username stored in the database." It does not magically encrypt the original password; I mean, did it magically encrypt the password and store it in the database? NO! It used a PHP encryption function. Now THINK about it! Use those little grey cells: it is basically using the same principle, BUT! Instead of storing the encrypted password you are NOW comparing the entered username and then the encrypted password for that user WITH the username and encrypted password in the database. Facepalm

Oh okay, sorry, I got you. Thanks.
RaRa3 (author), posted May 4, 2015:

> Here's the procedure:
> 1. User sends unencrypted password.
> 2. Encrypt the password.
> 3. Compare the encrypted password to the encrypted password that's in the database.
> 4. Log the user in if the two are the same.

Yes, that's how it is working.