A problem I'm not familiar with

OoZI
Posts: 109
Joined: Mon Jan 02, 2012 4:22 pm

Post by OoZI »

So... I've been working on a game and decided I should probably use md5 encryption for my passwords. I figured out how to encrypt a user's password on registration, but I can't seem to figure out how to log them on. Here is my code for pro_login.php

Code:

<?php

// $_SESSION is written below, so the session must be started first.
session_start();

include('includes/connect.php');
include('includes/functions.php');

$user = $_POST['user'];
$password = $_POST['password'];

$user = mysql_real_escape_string(strip_tags($user));
$password = mysql_real_escape_string(strip_tags($password));

// Look the account up by name only; the password check happens in PHP.
$get_stuffs = mysql_query("SELECT * FROM users WHERE name='$user'") or die(mysql_error());
$arr_stuffs = mysql_fetch_array($get_stuffs);

// Compares the stored value with the raw submitted password; this only
// works if the stored value is the plain password (see the replies).
// Note the lookup above filters on the 'name' column but this reads 'user'.
if(isset($arr_stuffs['user']) && $arr_stuffs['password'] == $password) {

    $_SESSION['user'] = $user;

    $time = time();

    // Only touch this user's row; without WHERE every row would be updated.
    mysql_query("UPDATE users SET last_active='$time' WHERE name='$user'") or die(mysql_error());
    mysql_query("INSERT INTO chat (msg, sent_by, time_sent) VALUES ('$user has logged on!', 'System', '$time')") or die(mysql_error());

    header('location: game/index.php');
} elseif(isset($arr_stuffs['user']) && $arr_stuffs['password'] != $password) {

    header('location: index.php?error=1');

} elseif(!isset($arr_stuffs['user'])) {

    // Debug output left in place of the redirect for now.
    //header('location: index.php?error=2');
    echo $user;
    echo $password;
    echo $arr_stuffs['user'];

} else {

    header('location: index.php?error=3');

}

?>

Now, I'm not sure whether I'm supposed to run it like this, or if there is some way I should be un-encrypting the password.
-OoZI

My Blog
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: A problem I'm not familiar with

Post by Jackolantern »

MD5 and the much better SHA1 are hashing algorithms, not encryption, so they are one-way. Just take the password that was entered on the login attempt, MD5 or SHA1 it again, and then compare the hashes. If they are equal, they entered the correct password and can be logged in. If the passwords were hashed when the user was registered with SHA1, for example, you could simply change

Code:

if(isset($arr_stuffs['user']) && $arr_stuffs['password'] == $password) { 
to this

Code:

if(isset($arr_stuffs['user']) && $arr_stuffs['password'] == sha1($password)) { 
For MD5, just change the sha1() to md5().

Of course, you are still sending them "over the wire" unhashed. To fix that, you could either use a Javascript SHA1 function to hash it on the client and submit the data through Javascript, or set up SSL for real encryption.
The indelible lord of tl;dr
vitinho444
Posts: 2819
Joined: Mon Mar 21, 2011 4:54 pm

Re: A problem I'm not familiar with

Post by vitinho444 »

I don't know if this is what you want but according to your question:
but I can't seem to figure out how to log them on.
You just need to md5 the password from the login and check in the db if that md5 is the same as any record in the db. (Also check the user :D ) I think that's what you want right?
If yes:

Code:

// Hash the submitted password the same way it was hashed at registration,
// and escape the username before it goes into the query string.
$username = mysql_real_escape_string($_POST["username"]);
$password = md5($_POST["password"]);

//Query: match both the username and the hashed password in one lookup
$info = mysql_fetch_array(mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'"));

if($info)
{
//everything is ok i guess :D
}
My Company Website: http://www.oryzhon.com

Skype: vpegas1234
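The hash-then-compare login that Jackolantern and vitinho444 describe, as an added example that is not code from the thread. It swaps the thread's mysql_* calls and bare md5()/sha1() for PDO prepared statements and PHP's password_hash()/password_verify(), and assumes a users table with name, password and last_active columns; it uses an in-memory SQLite table only so it runs stand-alone (the DSN is the part you would replace with your MySQL connection).

```php
<?php
// Added example (not the thread's own code): store a password hash at
// registration and verify it at login. PDO + in-memory SQLite is an
// assumption so the script runs without a MySQL server.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, '
            . 'password TEXT NOT NULL, last_active INTEGER)');
    return $db;
}

// Registration: never store the plaintext. password_hash() produces a
// salted, slow hash (bcrypt by default) in place of a bare md5()/sha1().
function register_user(PDO $db, string $name, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (name, password) VALUES (:name, :hash)');
    $stmt->execute([':name' => $name,
                    ':hash' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: look the user up by name with a bound parameter (so no manual
// escaping), then re-hash the submitted password and compare it with the
// stored hash. password_verify() does that comparison in constant time.
function login_user(PDO $db, string $name, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user: same outcome as a wrong password
    }
    if (!password_verify($password, $row['password'])) {
        return false;
    }
    // Update only this user's row; the thread's UPDATE had no WHERE clause.
    $upd = $db->prepare('UPDATE users SET last_active = :t WHERE name = :name');
    $upd->execute([':t' => time(), ':name' => $name]);
    return true;
}

// Constructed sample run: one registered account, three login attempts.
$db = open_db();
register_user($db, 'alice', 'correct horse');
$ok   = login_user($db, 'alice', 'correct horse');    // expected to succeed
$bad  = login_user($db, 'alice', 'wrong');            // wrong password
$none = login_user($db, 'mallory', 'anything');       // unknown user
echo ($ok && !$bad && !$none) ? "login checks behave as expected\n" : "unexpected result\n";
```

The stored value is the hash, so there is nothing to "un-encrypt" at login: the server only ever re-hashes the submitted password and compares.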
Chris
Posts: 1580
Joined: Wed Sep 30, 2009 7:22 pm

Re: A problem I'm not familiar with

Post by Chris »

Oroton wrote:What's wrong with hashing it server side?
Nothing.

Also hashing it client-side has benefits.

There are network debugging tools like Fiddler that allow you to watch and decode nearly everything going over the lines in your network.

For example, say I go to the twitter website and try to log in:
[Image: screenshot of the captured login request]

I can see the header sent to twitter.com when I log in, and worse yet, I can read the password straight out of it. If someone is connected to a router in the path that packet takes to reach twitter, they can read your password out of it. That's why we hash passwords client side as well.
Fighting for peace is declaring war on war. If you want peace be peaceful.
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: A problem I'm not familiar with

Post by Jackolantern »

Oroton wrote:What's wrong with hashing it server side?
Not much, considering that "across the wire" security was not really the problem that hashing was meant to fix. Hashing passwords is meant to keep the database table of passwords unusable if it falls into enemy hands. But it does not help if someone along the transmitted data's path intercepts the password, since it is being transmitted as plain text. Then they will be able to type it in and be logged in as normal.

But again, this is not really the problem that hashing was meant to fix. SSL/TLS (Secure Socket Layer/Transport Layer Security) are there to protect data over the wire. However, for a simple website/game that may not be a serious target (as in sites without financial or personal gain for hacking), TLS can be a bit far. In that case, client-side hashing can beef up the data transmission security a bit over sending it plain text.
The indelible lord of tl;dr