Web Hosting Talk







Password is not being decrypted?


crEA-tEch
08-05-2004, 09:56 AM
I've got a password encrypted into a MySQL database (I'm using PHP)

and I've got a login script

$sql = mysql_query("SELECT * FROM bet_users WHERE username='$username' AND password=PASSWORD('$password')");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
    while($row = mysql_fetch_array($sql)){
        foreach( $row AS $key => $val ){
            $$key = stripslashes( $val );
        }
        // Register some session variables!
        session_register('login_userid');
        $_SESSION['login_userid'] = $user_id;
        session_register('login_first_name');
        $_SESSION['login_first_name'] = $first_name;
        session_register('login_username');
        $_SESSION['login_username'] = $username;
        session_register('login_last_name');
        $_SESSION['login_last_name'] = $last_name;
        session_register('login_email_address');
        $_SESSION['login_email_address'] = $email_address;
        session_register('login_user_level');
        $_SESSION['login_user_level'] = $user_level;

        setcookie ("auth", "$userid", time() + 3600, "/insideodds", "eeeep.com", 0);
        header("Location: index.php?p=members");

    }

} else {
    $msg="The username and/or password you entered are not valid, please go back. <a href='javascript:history.back(-2)'>Click Here</a>";
    include 'blank.php';
}

It will not check the database with the encrypted version..

I have tried logging in with the decrypted code "0da687eb112a767" and it logs in if I use that as the password...

Is there something wrong with my code?

kneuf
08-05-2004, 11:36 AM
Never mind my post, missed something in yours...
I believe you have to first encrypt the password before sending it off to the database. How are you encrypting the original password (the one in the db)?

stormraven
08-05-2004, 11:37 AM
Try running your SELECT statement in a MySQL window and see what comes back. That should give you some insight as to what's going on.

You could echo your SQL Statement before executing it so that you know what it's using in the variables as well.

Designz
08-05-2004, 11:42 AM
What I would use is the MD5 functions.

So when a user registers, instead of using password(); I would use md5().

That way, when you come to select it from the database you would use:


$pass = md5($password);
$sql = mysql_query("SELECT * FROM bet_users WHERE username='$username' AND password='$pass'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
    while($row = mysql_fetch_array($sql)){
        foreach( $row AS $key => $val ){
            $$key = stripslashes( $val );
        }
        // Register some session variables!
        session_register('login_userid');
        $_SESSION['login_userid'] = $user_id;
        session_register('login_first_name');
        $_SESSION['login_first_name'] = $first_name;
        session_register('login_username');
        $_SESSION['login_username'] = $username;
        session_register('login_last_name');
        $_SESSION['login_last_name'] = $last_name;
        session_register('login_email_address');
        $_SESSION['login_email_address'] = $email_address;
        session_register('login_user_level');
        $_SESSION['login_user_level'] = $user_level;

        setcookie ("auth", "$userid", time() + 3600, "/insideodds", "eeeep.com", 0);
        header("Location: index.php?p=members");

    }

} else {
    $msg="The username and/or password you entered are not valid, please go back. <a href='javascript:history.back(-2)'>Click Here</a>";
    include 'blank.php';
}


Hope that helps,

Phil

kneuf
08-05-2004, 11:46 AM
What version of MySQL are you running? I think the password() function has become useless, as stated in the manual:

Calculates and returns a password string from the plaintext password str, or NULL if the argument was NULL. This is the function that is used for encrypting MySQL passwords for storage in the Password column of the user grant table.

mysql> SELECT PASSWORD('badpwd');
-> '7f84554057dd964b'

PASSWORD() encryption is one-way (not reversible). PASSWORD() does not perform password encryption in the same way that Unix passwords are encrypted. See ENCRYPT(). Note: The PASSWORD() function is used by the authentication system in MySQL Server, you should not use it in your own applications. For that purpose, use MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your application.

http://dev.mysql.com/doc/mysql/en/Encryption_functions.html
I would do as Designz states, use md5() to encrypt the passwords.
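
Added example, not part of the thread or any poster's code: the same login check written with a bound parameter and PHP's password_hash()/password_verify(), so the hash is salted, slow, and compared in PHP rather than in the SQL WHERE clause. It assumes PHP 7.1+ with pdo_sqlite; the in-memory database, the reduced bet_users schema and the sample account are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. The table name follows the thread's
// bet_users query; schema, database and account below are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The PHP manual recommends a 255-character column for password_hash() output.
// In MySQL (non-strict mode) a column shorter than the hash truncates it and
// every later comparison fails; SQLite here does not enforce the length.
$db->exec('CREATE TABLE bet_users (
    user_id  INTEGER PRIMARY KEY,
    username VARCHAR(64) UNIQUE NOT NULL,
    password VARCHAR(255) NOT NULL
)');

function register_user(PDO $db, string $username, string $password): void
{
    // Salted, deliberately slow hash computed in PHP, not by a SQL function.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO bet_users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function check_login(PDO $db, string $username, string $password): ?int
{
    // Bound parameter: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT user_id, password FROM bet_users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Look the row up by username only, then verify the hash in PHP.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same result for an unknown user and a wrong password
    }
    return (int) $row['user_id'];
}

register_user($db, 'alice', 'correct horse');          // constructed account
var_dump(check_login($db, 'alice', 'correct horse'));  // valid credentials
var_dump(check_login($db, 'alice', 'wrong'));          // wrong password
var_dump(check_login($db, "o'brien", 'x'));            // quote is treated as data
```

On success, keep the returned user id in $_SESSION and call session_regenerate_id(true); a cookie that carries only the user id, like the thread's setcookie() call, should not be trusted as proof of login.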