Login in code will just login with md5 encrypted p

2019-09-18 17:54发布

站内问答 / PHP
892 3 4

I've created a login + register site. The register page works fine, login too except that when I have to write in my password I have to write in the encrypted version, the md5... I've done in register page so that their password gets encrypted. How can I make in login page so that they dont need to write their md5 password, just their normal one?

The register.php looks like: 

<?

$reg = @$_POST['reg'];
//declaring variables to prevent errors
$fn = ""; //First Name
$ln = ""; //Last Name
$un = ""; //Username
$em = ""; //Email
$em2 = ""; //Email 2
$pswd = ""; //Password
$pswd2 = ""; // Password 2
$d = ""; // Sign up Date
$u_check = ""; // Check if username exists
//registration form
$fn = strip_tags(@$_POST['fname']);
$ln = strip_tags(@$_POST['lname']);
$un = strip_tags(@$_POST['username']);
$em = strip_tags(@$_POST['email']);
$em2 = strip_tags(@$_POST['email2']);
$pswd = strip_tags(@$_POST['password']);
$pswd2 = strip_tags(@$_POST['password2']);
$d = date("Y-m-d"); // Year - Month - Day

if ($reg) {
if ($em==$em2) {
// Check if user already exists
$u_check = mysql_query("SELECT username FROM users WHERE username='$un'");
// Count the amount of rows where username = $un
$check = mysql_num_rows($u_check);
if ($check == 0) {
//check all of the fields have been filed in
if ($fn&&$ln&&$un&&$em&&$em2&&$pswd&&$pswd2) {
// check that passwords match
if ($pswd==$pswd2) {
// check the maximum length of username/first name/last name does not exceed 25   characters
if (strlen($un)>25||strlen($fn)>25||strlen($ln)>25) {
echo "The maximum limit for username/first name/last name is 25 characters!";
}
else
{
// check the maximum length of password does not exceed 25 characters and is not less   than 5 characters
if (strlen($pswd)>30||strlen($pswd)<5) {
echo "Your password must be between 5 and 30 characters long!";
}
else
{
//encrypt password and password 2 using md5 before sending to database
$pswd = md5($pswd);
$pswd2 = md5($pswd2);
$query = mysql_query("INSERT INTO users VALUES       ('','$un','$fn','$ln','$em','$pswd','$d','0')");
die("<h2>Welcome to InstaWord!</h2>Login to your account to get started ...");
}
}
}
else {
echo "Your passwords don't match!";
}
}
else
{
echo "Please fill in all of the fields";
}
}
else
{
echo "Username already taken ...";
}
}
else {
echo "Your E-mails don't match!";
}
}
?>
<table class="homepageTable">
   <tr>
       <td width="60%" valign="top">
        <h2>Share your texts!</h2>
        <img src="img/animation.gif" width="930">
       </td>
       <td width="40%" valign="top">
        <h2>Sign up</h2>
       <form action="#" method="post">
       <input type="text" size="25" name="fname" placeholder="First Name" value="<? echo   $fn; ?>">
       <input type="text" size="25" name="lname" placeholder="Last Name" value="<? echo $ln; ?>">
       <input type="text" size="25" name="username" placeholder="Username" value="<?   echo $un; ?>">
       <input type="text" size="25" name="email" placeholder="Email" value="<? echo $em; ?>">
       <input type="text" size="25" name="email2" placeholder="Repeat Email" value="<? echo $em2; ?>">
       <input type="password" size="25" name="password" placeholder="Password">
       <input type="password" size="25" name="password2" placeholder="Repeat Password">  <br />
       <input type="submit" name="reg" value="Sign Up!">
       </form>
       </td>
      </tr>
     </table>
   </body>
 </html>

And the login.php looks like this:

    <?php

session_start();


//This displays your login form

function index(){


echo "<form action='?act=login' method='post'>" 

."Username: <input type='text' name='username' size='30'><br>"

."Password: <input type='password' name='password' size='30'><br>"

."<input type='submit' value='Login'>"

."</form>"; 


}


//This function will find and checks if your data is correct

function login(){


//Collect your info from login form

$username = $_REQUEST['username'];

$password = $_REQUEST['password'];



//Connecting to database

$connect = mysql_connect("myserver", "username", "password");

if(!$connect){

die(mysql_error());

}


//Selecting database

$select_db = mysql_select_db("database_name", $connect);

if(!$select_db){

die(mysql_error());

}


//Find if entered data is correct


$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");

$row = mysql_fetch_array($result);

$id = $row['id'];


$select_user = mysql_query("SELECT * FROM users WHERE id='$id'");

$row2 = mysql_fetch_array($select_user);

$user = $row2['username'];


if($username != $user){

die("Username is wrong!");

}



$pass_check = mysql_query("SELECT * FROM users WHERE username='$username' AND id='$id'");

$row3 = mysql_fetch_array($pass_check);

$email = $row3['email'];

$select_pass = mysql_query("SELECT * FROM users WHERE username='$username' AND id='$id' AND email='$email'");

$row4 = mysql_fetch_array($select_pass);

$real_password = $row4['password'];


if($password != $real_password){

die("Your password is wrong!");

}




//Now if everything is correct let's finish his/her/its login


session_register("username", $username);

session_register("password", $password);


echo "Welcome, ".$username." please continue on our <a href=index.php>Index</a>";





}


switch($act){


default;

index();

break;


case "login";

login();

break;


}

?>

Please help me fix this...

标签: php security md5
举报
3条回答
Juvenile、少年°
2楼-- · 2019-09-18 18:28

You are not using md5 to check while login....

Use $password = md5($_REQUEST['password']); In your login function().

This will take the normal password and check it with encrypted version in database and then will successfully log the user in.

Hope this helps.

查看更多
0人赞 添加讨论(0) 举报
做个烂人
3楼-- · 2019-09-18 18:28

Encrypt the input password with md5() when you pass the details into sql query while checking correct login details.

$password_encrypt = md5($password);
$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password_encrypt '");
查看更多
0人赞 添加讨论(0) 举报
Viruses.
4楼-- · 2019-09-18 18:43

You should not apply a strip_tags() to the $_POST['password'], just feed the incoming value to the password hashing function.

To protect your user's passwords, you need to do better than md5 hash the passwords. You need

  1. a better hashing algorithm: BCrypt hash
  2. add a random salt value

The good news is that you can just use a drop-in library and use that: PHPass

require('PasswordHash.php');

$pwdHasher = new PasswordHash(8, FALSE);

// $hash is what you would store in your database
$hash = $pwdHasher->HashPassword( $_POST['password'] );

// $hash would be the $hashed stored in your database for this user
$checked = $pwdHasher->CheckPassword($_POST['password'], $hash);
if ($checked) {
    echo 'password correct';
} else {
    echo 'wrong credentials';
}
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)