Jump to content

Inserting MD5 hashes into database using an array


Vegeta ZA
 Share

Recommended Posts

I have a problem inserting passwords from a text file into a database using md5 hashes. It inputs everything else from the text file as it should but I don't know how to get it to input unique hash values using the 'Password' fields from the text file. I know the problem is with the array and it is not done correctly, can anyone help me fix this?

 //insert from text file
    
     $Password = $_POST['Password'];
     $passwordmd5 = md5 ($Password); 
  
     mysql_select_db("test") or die ("Unable to select database!"); 
  $file = file('C:\wamp\www\a1\userData.txt'); # read file into array
  $count = count($file);
  if($count > 0) # file is not empty
 {
     $milestone_query = "INSERT into tbl_User(ID, FName, LName, Email, Password) values";
     $i = 1;
     foreach($file as $row)
     {
         $milestone = explode(';',$row);
         $milestone_query .= "('$milestone[0]',  '$milestone[1]', '$milestone[2]', '$milestone[3]', '$passwordmd5')";
         $milestone_query .= $i < $count ? ',':'';
         $i++;
     }
     mysql_query($milestone_query) or die(mysql_error());
 }
 echo "Done!";

post-198492-0-43617100-1460313801_thumb.png

Link to comment
Share on other sites

This code is very insecure. MD5 is very easy to crack these days and the mysql_ library is deprecated. See the severe warnings on the PHP manual.

 

On MD5 hashing: http://php.net/md5

Note: Secure password hashing

It is not recommended to use this function to secure passwords, due to the fast nature of this hashing algorithm. See here for details

 

On the mysql extension: http://php.net/mysql_query

 

Warning

This extension was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information. Alternatives to this function include:

 

If you don't heed these warnings your site will be hacked.

 

With that out of the way, if the password is coming from a file then hash the value that came out of the file

$pdo = new PDO( /* Database connection parameters */ );
$file = file('userData.txt');
$query = $pdo->prepare('INSERT into tbl_User(ID, FName, LName, Email, Password) values (?, ?, ?, ?, ?)');
foreach($file as $row) {
  $milestone = explode(';',$row);
  $milestone[4] = password_hash($milestone[4], PASSWORD_DEFAULT);
  $query->execute($milestone);
}
Link to comment
Share on other sites

It doesn't need to be secure because it's just work for college, they want us to do it that way so it's not going to be used for anything else so it doesn't need to do anything but just work. I'll try this method later, thank you for your input!

Edited by Vegeta ZA
Link to comment
Share on other sites

I've changed up my code but I get this error now: Fatal error: Call to a member function execute() on a non-object in C:\wamp\www\a1\createTable.php on line 44 which is $query->execute($milestone);

 

I'm not sure why it has a problem with the execute statement?

 

Here's the code:

//insert from text file
if(isset($_POST['ID'])){ $ID = $_POST['ID']; } 
if(isset($_POST['FName'])){ $FName = $_POST['FName']; } 
if(isset($_POST['LName'])){ $LName = $_POST['LName']; } 
if(isset($_POST['Email'])){ $Email = $_POST['Email']; } 
if(isset($_POST['Password'])){ $Password = $_POST['Password']; }  


  


$file = file('userData.txt');
$query = $DBConnect->prepare('INSERT into tbl_User(ID, FName, LName, Email, Password) values ($ID, $FName, $LName, $Email, $Password)');
foreach($file as $row) {
  $milestone = explode(';',$row);
  $milestone[4] = password_hash($milestone[4], PASSWORD_DEFAULT);
  $query->execute($milestone);
}
    mysql_query($milestone_query) or die(mysql_error());


echo "Done!";




mysqli_close($DBConnect);
Link to comment
Share on other sites

The query has errors in it. You are supposed to have literal question marks which act as placeholders for data.

 

Don't just copy code without knowing what it does. Read this article about prepared statements to understand what the example code I gave you does: http://php.net/manual/en/pdo.prepared-statements.php

Link to comment
Share on other sites

The query has errors in it. You are supposed to have literal question marks which act as placeholders for data.

 

Don't just copy code without knowing what it does. Read this article about prepared statements to understand what the example code I gave you does: http://php.net/manual/en/pdo.prepared-statements.php

 

I understand what you mean, I've changed it again.

 

Fatal error: Class 'myPDO' not found in C:\wamp\www\a1\createTable.php on line 34 for the line of code?

 

Here's my new code:

 

//insert from text file
$host = 'localhost';

$dbname = 'test';

$pdo = new myPDO('mysql:host=$host;dbname=$dbname', 'C:\wamp\www\a1');

$file = file('userData.txt');

$sql = 'INSERT INTO tbl_User (FName, LName, Email, Password) VALUES ';

 

foreach (

$file as $records) {

 

$record = explode(";", $records);

 

$query[] = '(:FName' . $n . ', :LName' . $n . ', :Email' . $n . ', :Password' . $n . ')';

 

 

$iData['FName' . $n] = $record[1];

$iData['LName' . $n] = $record[2];

$iData['Email' . $n] = $record[3];

$password = password_hash($record[4], PASSWORD_DEFAULT);

$iData['Password' . $n] = $password;

 

$n += 1;

}

 

if (!empty(

$query)) {

$sql .= implode(', ', $query);

$stmt = $pdo->prepare($sql);

$result = $stmt->execute($iData);

}

 

try {

 

} catch (

Exception $exc) {

echo

$exc->getTraceAsString();

}

Edited by Vegeta ZA
Link to comment
Share on other sites

why are you calling it myPDO? The name of the class is PDO

http://php.net/manual/en/book.pdo.php

I

 

why are you calling it myPDO? The name of the class is PDO

http://php.net/manual/en/book.pdo.php

I've changed the code again because when I do it this way, I get everything else to work so it is easier for me to understand. I got everything working besides the hash into the database, is it possible to make it hash the passwords into the array that inserts it into the database? When I do it by using $milestone_query .= "('$milestone[0]', '$milestone[1]', '$milestone[2]', '$milestone[3]', '$milestone[4]')"; it inserts the original passwords into the database but when I do $milestone_query .= "('$milestone[0]', '$milestone[1]', '$milestone[2]', '$milestone[3]', 'password_hash($milestone[4], DEFAULT_PASSWORD)')"; it inserts the string for password_hash etc. Is it possible to make it insert the hash passwords into the database without using the PDO method and by doing it the way I am asking?

 

 

 

//insert from text file
if(isset($_POST['ID']))
{
$ID = $_POST['ID'];
}
if(isset($_POST['FName']))
{
$FName = $_POST['FName'];
}
if(isset($_POST['LName']))
{
$LName = $_POST['LName'];
}
if(isset($_POST['Email']))
{
$Email = $_POST['Email'];
}
if(isset($_POST['Password']))
{
$Password = $_POST['Password'];
$Password = password_hash($Password, PASSWORD_DEFAULT);
}
mysql_select_db("test") or die ("Unable to select database!");
$file = file('C:\wamp\www\a1\userData.txt'); # read file into array
$count = count($file);
if($count > 0) # file is not empty
{
$milestone_query = "INSERT into tbl_User(ID, FName, LName, Email, Password) values";
$i = 1;
foreach($file as $row)
{
$milestone = explode(';',$row);
$milestone_query .= "('$milestone[0]', '$milestone[1]', '$milestone[2]', '$milestone[3]', '$milestone[4]')";
$milestone_query .= $i < $count ? ',':'';
$i++;
}
mysql_query($milestone_query) or die(mysql_error());
}
echo "Done!";
Link to comment
Share on other sites

Is it possible to make it insert the hash passwords into the database without using the PDO method and by doing it the way I am asking?

It's possible, but there's not much point to learning the wrong way to do something. You're learning something that has been out of date for over 12 years, why not learn the modern way to do it? The way that you want to learn how to do it is easy, vulnerable, and wrong. The way with PDO is correct and secure.

 

Go back to your code in post 6 and create the PDO object normally (not with "myPDO", just "PDO"), and set it to throw an exception if there is a problem:

 

try {
  $pdo = new PDO('mysql:host=$host;dbname=$dbname', 'username', 'password', array(
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
  ));
}
catch(PDOException $pe){
  echo $pe->getMessage();
} 
Make sure to fill in the correct username and password to connect to the database (or use variables there). If that connection fails then you will see the exception message printed out. That also tells PDO to throw an exception if there was an error, so run that and see how it goes.
Link to comment
Share on other sites

After making it insert all the hashes into the database, I made a login form which is supposed to use the original FName and Password to log into the system. I have an issue with the password field, if I insert the original password, it does not work, but if I enter the hash that it generated then it is successful. I've altered the code to make it change the string entered into a hash so that it matches the one in the database but it does not work.

Can anyone tell me what I did wrong or help me correct the code?

include 'DBConn.php';
  mysql_select_db("test") or die ("Unable to select database!");
  if(isset($_POST['FName'])){ $FName = $_POST['FName']; } 
  if(isset($_POST['Password'])){ $Password = password_hash($Password = $_POST['Password']); }
      
      
  
          if( empty($FName) || empty($Password) )
             echo "Username and Password Mandatory - from PHP";
         else
         {
     
     $sql = "SELECT count(*) FROM tbl_User where(
                 FName='$FName' 
                 AND 
                 Password='$Password')";
                 
         $res = mysql_query($sql);
         $row = mysql_fetch_array($res);
  
         if( $row[0] > 0 )
          echo "Login Successful";
         else
          echo $sql;
         }    

Here's the PDO code for reference:

 

//insert from text file

$host = 'localhost';
$dbname = 'test';
$PDO = new PDO("mysql:dbname=$dbname; host=$host");
$file = file('userData.txt');
$query = $PDO->prepare('INSERT into tbl_User(ID, FName, LName, Email, Password) values (?, ?, ?, ?, ?)');

foreach($file as $row) {
  $milestone = explode(';',$row);
  $milestone[4] = password_hash($milestone[4], PASSWORD_DEFAULT);
  $query->execute($milestone);
}

echo "Done!";

mysqli_close($DBConnect);
?>



Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...