Page 1 of 1
A problem I'm not familiar with
Posted: Sun Apr 28, 2013 9:19 pm
by OoZI
So... I've been working on a game and decided I should probably use md5 encryption for my passwords. I figured out how to encrypt a user's password on registration, but I can't seem to figure out how to log them on. Here is my code for pro_login.php
Code: Select all
<?php
include('includes/connect.php');
include('includes/functions.php');
$user = $_POST['user'];
$password = $_POST['password'];
$user = mysql_real_escape_string(strip_tags($user));
$password = mysql_real_escape_string(strip_tags($password));
$get_stuffs = mysql_query("SELECT * FROM users WHERE name='$user'") or die(mysql_error());
$arr_stuffs = mysql_fetch_array($get_stuffs);
if(isset($arr_stuffs['user']) && $arr_stuffs['password'] == $password) {
$_SESSION['user'] = $user;
$time = time();
mysql_query("UPDATE users SET last_active='$time'") or die(mysql_error());
mysql_query("INSERT INTO chat (msg, sent_by, time_sent) VALUES ('$uname has logged on!', 'System', '$time')");
header('location: game/index.php');
} elseif(isset($arr_stuffs['user']) && $arr_stuffs['password'] != $password) {
header('location: index.php?error=1');
} elseif(!isset($arr_stuffs['user'])) {
//header('location: index.php?error=2');
echo $user;
echo $password;
echo $arr_stuffs['user'];
} else {
header('location: index.php?error=3');
}
?>
Now, I'm not sure on whether I'm supposed to run it like this, or if there is someway I should be un-encrypting the password.
Re: A problem I'm not familiar with
Posted: Sun Apr 28, 2013 10:41 pm
by Jackolantern
MD5 and the much better SHA1 are hashing algorithms, not encryption, so it is 1-way. Just take the password that was entered on the login attempt, MD5 or SHA1 it again, and then compare the hashes. If they are equal, they entered the correct password and can be logged-in. If the passwords were hashed when the user was registered with SHA1 for example, you could simply change
Code: Select all
if(isset($arr_stuffs['user']) && $arr_stuffs['password'] == $password) {
to this
Code: Select all
if(isset($arr_stuffs['user']) && $arr_stuffs['password'] == sha1($password)) {
For MD5, just change the sha1() to md5().
Of course, you are still sending them "over the wire" unhashed. To fix that, you could either use a
Javascript SHA1 function to hash it on the client and submit the data through Javascript, or
set up SSL for real encryption.
Re: A problem I'm not familiar with
Posted: Mon Apr 29, 2013 1:21 pm
by vitinho444
I don't know if this is what you want but according to your question:
but I can't seem to figure out how to log them on.
You just need to md5 the password from the login and check in the db if that md5 is the same as any record in the db. (Also check the user
) I think that's what you want right?
If yes:
Code: Select all
$password = md5($_POST["password"]);
//Query
$info = mysql_fetch_array(mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'"));
if($info)
{
//everything is ok i guess :D
}
Re: A problem I'm not familiar with
Posted: Mon Apr 29, 2013 1:23 pm
by Chris
Oroton wrote:What's wrong with hashing it server side?
Nothing.
Also hashing it client-side has benefits.
There are network debugging tools like Fiddler that allow you to watch and decode nearly everything going over the lines in your network.
For example, say I go to the twitter website and try log in:
I can see the header sent to twitter.com when I log in, and worse yet, I can read the password straight out of it. If someone is connected to a router in the path that package takes to reach twitter. They can read you password out of it. That's why we hash passwords client side as well.
Re: A problem I'm not familiar with
Posted: Tue Apr 30, 2013 1:22 am
by Jackolantern
Oroton wrote:What's wrong with hashing it server side?
Not much, considering that "across the wire" security was not really the problem that hashing was meant to fix. Hashing passwords is meant to keep the database table of passwords unusable if it falls into enemy hands. But it does not help if someone along the transmitted data's path intercepts the password, since it is being transmitted as plain text. Then they will be able to type it in and be logged in as normal.
But again, this is not really the problem that hashing was meant to fix. SSL/TLS (Secure Socket Layer/Transport Layer Security) are there to protect data over the wire. However, for a simple website/game that may not be a serious target (as in sites without financial or personal gain for hacking), TLS can be a bit far. In that case, client-side hashing can beef up the data transmission security a bit over sending it plain text.