RaRa3 1 Posted April 29, 2015 Report Share Posted April 29, 2015 (edited) none Edited May 10, 2015 by RaRa3 Quote Link to post Share on other sites
Techneut 2 Posted April 29, 2015 Report Share Posted April 29, 2015 The password is not hashing because $pass is an undefined variable; You can define $pass = $_POST['pass']; then password is $password = md5($pass); 1 Quote Link to post Share on other sites
CoconutJJ 1 Posted April 29, 2015 Report Share Posted April 29, 2015 Hi RaRa3, I'm not quite sure about the question you're asking but here is how you would hash a password and insert it into a database Your HTML <form> element should be a POST request. (Using GET requests for passwords is a bad idea) It should look like this <form action="" method="post">...</form> <?php //CORRECTED VERSION//GET ALL THE VALUES AND STORE THEM INTO VARIABLES$firstname = $_POST["firstName"];$lastname = $_POST["lastName"];$user = $_POST["username"]$pass = $_POST["pass"]; //We first store the value of the password to $pass$email = $_POST["email"];$address = $_POST["address"];//HASH PASSWORD$pass = md5($pass); //We hash the value of $pass//INSERT THEM INTO DATABASE$sql = "INSERT INTO UserAccount (firstName, lastName, userName, password, email, address) VALUES ('$firstname','$lastname','$user','$pass','$email','$address')";$res=mysql_query($sql); //We INSERT $pass(HASHED) into the database, not $_POST["pass"](NOT HASHED) <?php //start php tag//include connect.php page for database connectioninclude('connect.php');//if submit is not blanked i.e. it is clicked.if(isset($_POST['submit'])) { //You do not need the !="". This line is enough for checking if a button has been clicked$firstname = $_POST["firstName"];$lastname = $_POST["lastName"];$user = $_POST["username"]$pass = $_POST["pass"];$email = $_POST["email"];$address = $_POST["address"];if(empty($firstname) || empty($lastname) || empty($user) || empty($pass) || empty($email) || empty($address)) { //Try using the built in empty() function to detect blank fields. Much easierEcho "Please fill the empty field(s).";}Else{//////////REPLACE THIS WITH CODE IN THE ABOVE SECTION//////////////$sql = "INSERT INTO UserAccount (firstName, lastName, userName, password, email, address) VALUES ('$_POST[firstName]','$_POST[lastName]','$_POST[user]','$_POST[pass]','$_POST[email]','$_POST[address]')";$password = md5($pass);$res=mysql_query($sql);This code will not work.. Notice how you have not defined $pass or $password yet? and your values are directly taken from a POST[] Request///////////////////////////////////////////////////////////////////if($res){Echo "Thank you for signing up";}Else{Echo "There is some problem in inserting record";}}}?> Tips for next time: 1. You should really start using mysqli_query since mysql_query is deprecated 2. When you're getting a value from a form please first store it into a variable first. Then you can manipulate the variable. 3. This code is insecure, you should use functions such as mysql_real_escape_string() or stripslashes() to prevent SQL INJECTION Measures. 4. Always use POST[] requests when handling sensitive data (passwords etc.). I'd prefer you stay away from the REQUEST[] operator. 1 Quote Link to post Share on other sites
Ingolme 1,020 Posted April 29, 2015 Report Share Posted April 29, 2015 MD5 is not a secure hashing algorithm. It's far too easy to crack. See details right in the PHP manual: http://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash Consider using PHP's crypt() function with Blowfish or SHA-512 algorithms. addslashes() (not stripslashes() because that doesn't escape the code at all) is not a sure way to prevent injection, use escape_string(), but even that is not ideal. Ideally, you would use Prepared Statements 1 Quote Link to post Share on other sites
RaRa3 1 Posted May 4, 2015 Author Report Share Posted May 4, 2015 (edited) Nevermind Edited May 4, 2015 by RaRa3 Quote Link to post Share on other sites
RaRa3 1 Posted May 4, 2015 Author Report Share Posted May 4, 2015 MD5 is not a secure hashing algorithm. It's far too easy to crack. See details right in the PHP manual: http://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash Consider using PHP's crypt() function with Blowfish or SHA-512 algorithms. addslashes() (not stripslashes() because that doesn't escape the code at all) is not a sure way to prevent injection, use escape_string(), but even that is not ideal. Ideally, you would use Prepared Statements well its jsut gor a project now so something simple to show "security" thanks for your comment Quote Link to post Share on other sites
RaRa3 1 Posted May 4, 2015 Author Report Share Posted May 4, 2015 Hi RaRa3, I'm not quite sure about the question you're asking but here is how you would hash a password and insert it into a database Your HTML <form> element should be a POST request. (Using GET requests for passwords is a bad idea) It should look like this <form action="" method="post">...</form> <?php //CORRECTED VERSION//GET ALL THE VALUES AND STORE THEM INTO VARIABLES$firstname = $_POST["firstName"];$lastname = $_POST["lastName"];$user = $_POST["username"]$pass = $_POST["pass"]; //We first store the value of the password to $pass$email = $_POST["email"];$address = $_POST["address"];//HASH PASSWORD$pass = md5($pass); //We hash the value of $pass//INSERT THEM INTO DATABASE$sql = "INSERT INTO UserAccount (firstName, lastName, userName, password, email, address) VALUES ('$firstname','$lastname','$user','$pass','$email','$address')";$res=mysql_query($sql); //We INSERT $pass(HASHED) into the database, not $_POST["pass"](NOT HASHED) <?php //start php tag//include connect.php page for database connectioninclude('connect.php');//if submit is not blanked i.e. it is clicked.if(isset($_POST['submit'])) { //You do not need the !="". This line is enough for checking if a button has been clicked$firstname = $_POST["firstName"];$lastname = $_POST["lastName"];$user = $_POST["username"]$pass = $_POST["pass"];$email = $_POST["email"];$address = $_POST["address"];if(empty($firstname) || empty($lastname) || empty($user) || empty($pass) || empty($email) || empty($address)) { //Try using the built in empty() function to detect blank fields. Much easierEcho "Please fill the empty field(s).";}Else{//////////REPLACE THIS WITH CODE IN THE ABOVE SECTION//////////////$sql = "INSERT INTO UserAccount (firstName, lastName, userName, password, email, address) VALUES ('$_POST[firstName]','$_POST[lastName]','$_POST[user]','$_POST[pass]','$_POST[email]','$_POST[address]')";$password = md5($pass);$res=mysql_query($sql);This code will not work.. Notice how you have not defined $pass or $password yet? and your values are directly taken from a POST[] Request///////////////////////////////////////////////////////////////////if($res){Echo "Thank you for signing up";}Else{Echo "There is some problem in inserting record";}}}?> Tips for next time: 1. You should really start using mysqli_query since mysql_query is deprecated 2. When you're getting a value from a form please first store it into a variable first. Then you can manipulate the variable. 3. This code is insecure, you should use functions such as mysql_real_escape_string() or stripslashes() to prevent SQL INJECTION Measures. 4. Always use POST[] requests when handling sensitive data (passwords etc.). I'd prefer you stay away from the REQUEST[] operator. Wow Thanks so much you helped me a lot! but i have a question now, it does store a hashed password into the database, but now if i was to have someone login after registering they cant use the password they created the hashed one is the one that works, how can i make it so when the user logs in they use the password they created? is that possible? Quote Link to post Share on other sites
dsonesuk 913 Posted May 4, 2015 Report Share Posted May 4, 2015 (edited) The idea is for the user to enter their original password this password is then encrypted and compared with encrypted password AND username stored in database. Edited May 4, 2015 by dsonesuk Quote Link to post Share on other sites
RaRa3 1 Posted May 4, 2015 Author Report Share Posted May 4, 2015 yes in the database its encrypted but if the user wants to login then they have to put in the encrypted password, but it should be the original password they created thats what im having trouble with Quote Link to post Share on other sites
Ingolme 1,020 Posted May 4, 2015 Report Share Posted May 4, 2015 Here's the procedure: 1. User sends unencrypted password. 2. Encrypt the password. 3. Compare the encrypted password to the encrypted password that's in the database. 4. Log the user in if the two are the same. 1 Quote Link to post Share on other sites
dsonesuk 913 Posted May 4, 2015 Report Share Posted May 4, 2015 Did i say they have to enter the encrypted password in database, i think if you read it AGAIN it says"The idea is for the user to enter their original password this password is then encrypted and compared with encrypted password AND username stored in database."It does not magically encrpyt the original password, i mean did it magically encrpyt the password and store it in database, NO! It used php encyption function, now THINK about it! Use those little grey cells, it is basically using the same principle, BUT! Instead of storing the encypted password you are NOW comparing the entered username and then encrypted password for that user WITH username and encrypted password in database. Facepalm 1 Quote Link to post Share on other sites
RaRa3 1 Posted May 4, 2015 Author Report Share Posted May 4, 2015 Did i say they have to enter the encrypted password in database, i think if you read it AGAIN it says"The idea is for the user to enter their original password this password is then encrypted and compared with encrypted password AND username stored in database."It does not magically encrpyt the original password, i mean did it magically encrpyt the password and store it in database, NO! It used php encyption function, now THINK about it! Use those little grey cells, it is basically using the same principle, BUT! Instead of storing the encypted password you are NOW comparing the entered username and then encrypted password for that user WITH username and encrypted password in database. Facepalm oh okay sorry, i got you thanks Quote Link to post Share on other sites
RaRa3 1 Posted May 4, 2015 Author Report Share Posted May 4, 2015 Here's the procedure: 1. User sends unencrypted password. 2. Encrypt the password. 3. Compare the encrypted password to the encrypted password that's in the database. 4. Log the user in if the two are the same. yes thats how it is working Quote Link to post Share on other sites
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.