web intersect forum new_topic.php $session issue! PLZ HELP - Page 2

Thread: web intersect forum new_topic.php $session issue! PLZ HELP

  1. #16
    Member
    Join Date
    Jul 2013
    Posts
    63
    Oh that would be the registration form...

    This is probably what you are looking for??

    PHP Code:
    $p_hash = md5($p);

    $sql = "INSERT INTO users (username, email, password, firstname, lastname, ip, signup, lastlogin, notescheck)
            VALUES('$u','$e','$p_hash','$c','$ip',now(),now(),now())";

    $query = mysqli_query($db_conx, $sql);

    $uid = mysqli_insert_id($db_conx);

    $sql = "INSERT INTO useroptions (id, username, background) VALUES ('$uid','$u','original')";

    $query = mysqli_query($db_conx, $sql);
    if (!file_exists("user/$u")) {
        mkdir("user/$u", 0755);
    }

  2. #17
    Member
    Join Date
    Jul 2013
    Posts
    63
    Found it! Is this what we are looking for? It was in the registration.php file

    PHP Code:
    } else {
        $p_hash = md5($p);

        $sql = "INSERT INTO users (username, email, password, firstname, lastname, ip, signup, lastlogin, notescheck)
                VALUES('$u','$e','$p_hash','$c','$ip',now(),now(),now())";

        $query = mysqli_query($db_conx, $sql);

        $uid = mysqli_insert_id($db_conx);

        $sql = "INSERT INTO useroptions (id, username, background) VALUES ('$uid','$u','original')";

        $query = mysqli_query($db_conx, $sql);
        if (!file_exists("user/$u")) {
            mkdir("user/$u", 0755);
        }

  3. #18
    Senior Member cluelessPHP's Avatar
    Join Date
    Apr 2015
    Location
    Scotland
    Posts
    324
    Don't use MD5 it's out of date and easy to break now

    PHP hashing
    http://php.net/manual/en/faq.passwords.php


    Also always use prepared statements
    http://php.net/manual/en/mysqli.prepare.php

    Also when possible use try
    http://php.net/manual/en/language.exceptions.php
    You need to believe in things that aren't true. How else can they become?― Terry Pratchett, Hogfather
    Blog

    Six month project

  4. #19
    High Energy Magic Dept. NogDog's Avatar
    Join Date
    Aug 2006
    Location
    Ankh-Morpork
    Posts
    14,675
    Yep, looks like it's just using md5 with no salt. Better than no hashing, but not much. If this is not yet a live system, I'd definitely recommend migrating to something more up to date and much, much more difficult for crackers to crack. But whatever you end up using is what you'd need both for the initial creation and then any subsequent checks.
    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)

    My Blog
    cwrBlog: simple, no-database PHP blogging framework

  5. #20
    Senior Member Derokorian's Avatar
    Join Date
    Apr 2011
    Location
    Denver
    Posts
    2,232
    Use password_hash! It's the best

    If the system is live, you can do something like this at the login step to migrate users to password_hash and keep the hash up to date:

    PHP Code:
    $logged_in = false;
    $user = get_user_by_username($username);

    if (strpos($user->password, '$') === false) {
        // password is hashed with md5
        // hash_equals() instead of ==: constant-time, and not subject to PHP's
        // loose comparison treating "0e..." digests as equal numbers
        if (hash_equals($user->password, md5($password))) {
            // password is correct, update to new hash
            $logged_in = true;
            $user->password = password_hash($password, PASSWORD_DEFAULT);
            save_user($user);
        }
    }
    elseif (password_verify($password, $user->password)) {
        // password is correct
        $logged_in = true;
        if (password_needs_rehash($user->password, PASSWORD_DEFAULT)) {
            // Password is hashed with older algorithm, update to current algorithm
            $user->password = password_hash($password, PASSWORD_DEFAULT);
            save_user($user);
        }
    }

    Sadly, nobody codes for anyone on this forum. People taste your dishes and tell you what is missing, but they don't cook for you. ~anoopmail
    I'd rather be a comma, then a full stop.
    User Authentication in PHP with MySQLi - Don't forget to mark threads resolved - MySQL(i) warning

  6. #21
    Member
    Join Date
    Jul 2013
    Posts
    63
    uggh thanks for the help guys. I need this system to go live by March 1. Thought it was all going well. Not sure what to replace in my login.php script in regards to what you recommend.

  7. #22
    High Energy Magic Dept. NogDog's Avatar
    Join Date
    Aug 2006
    Location
    Ankh-Morpork
    Posts
    14,675
    Basically, where you do the md5() now, you instead want:
    PHP Code:
    $p_hash = password_hash($p, PASSWORD_BCRYPT);
    You'll need to make sure your password column in the DB is long enough to hold the result, which with the BCRYPT option will be 60 characters. You'll then want to use the same thing when validating a login attempt: applying password_hash() to the incoming password so that it will match what's in the DB.

  8. #23
    Member
    Join Date
    Jul 2013
    Posts
    63
    okay, so I did that and now I can't even log in... I don't get this... logically nothing is making sense, it's so frustrating! ... I replaced $p = md5($_POST['p']); with $p_hash = password_hash($p, PASSWORD_BCRYPT); and now can't even log in so I reverted back...

  9. #24
    Member
    Join Date
    Jul 2013
    Posts
    63
    I have my password field set at varchar 255 in my DB

  10. #25
    Member
    Join Date
    Jul 2013
    Posts
    63
    NRM I found and replaced the code from my registration.php... What do I change in the login.php though?

  11. #26
    Senior Member cluelessPHP's Avatar
    Join Date
    Apr 2015
    Location
    Scotland
    Posts
    324
    PHP Code:
    $user->password = password_verify($password, PASSWORD_DEFAULT);
    or
    PHP Code:
    $user->password = password_verify($password, PASSWORD_BCRYPT);

  12. #27
    Settled 4 red convertible dalecosp's Avatar
    Join Date
    Jul 2002
    Location
    Accelerating Windows at 9.81 m/s....
    Posts
    8,364
    Quote Originally Posted by jfleck25
    okay, so I did that and now I can't even log in... I don't get this... logically nothing is making sense, it's so frustrating! ... I replaced $p = md5($_POST['p']); with $p_hash = password_hash($p, PASSWORD_BCRYPT); and now can't even log in so I reverted back...
    Well, unless you changed the password in the database somehow, that would be the expected result. You can't just change the verification procedure for an existing account without changing the data that's already there so that your login routine will work with it.
    /!!\ mysql_ is deprecated --- don't use it! Tell your hosting company you will switch if they don't upgrade! /!!!\ ereg() is deprecated --- don't use it!

    dalecosp "God doesn't play dice." --- Einstein "Perl is hardly a paragon of beautiful syntax." --- Weedpacket

    Getting Help at All --- Collected Solutions to Common Problems --- Debugging 101 --- Unanswered Posts --- OMBE: Office Machines, Business Equipment
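
The registration and login sides discussed in this thread, combined with prepared statements and the md5 upgrade path from post #20, as an added example that is not code from any poster. It assumes the `users` table and mysqli connection shown in the posts; the function names and the shortened column list are hypothetical. Because password_hash() picks a fresh random salt on every call, the login side checks the submitted password with password_verify() against the stored hash.

```php
<?php
// Added example, not code from the thread. Table/column names come from the
// posts; function names and the reduced column list are assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw mysqli_sql_exception

// registration.php: store a salted hash instead of md5($p).
function register_user(mysqli $db, string $u, string $e, string $p): int
{
    $hash = password_hash($p, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $u, $e, $hash);
    $stmt->execute();
    return (int) $db->insert_id;
}

// login.php: true only when $p matches the stored hash for $u.
function check_login(mysqli $db, string $u, string $p): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->bind_param('s', $u);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();
    $stmt->close(); // release the result before preparing another statement
    if ($found !== true) {
        return false; // unknown user
    }
    $stored = (string) $stored;

    // Rows written by the old code hold a 32-character hex md5 digest.
    $legacy = strlen($stored) === 32 && ctype_xdigit($stored);
    $ok = $legacy
        ? hash_equals($stored, md5($p))   // constant-time, no loose == comparison
        : password_verify($p, $stored);   // re-derives the hash using the stored salt

    // Upgrade md5 rows, and rows hashed with outdated settings, on a successful login.
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $new = password_hash($p, PASSWORD_DEFAULT);
        $stmt = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $stmt->bind_param('ss', $new, $u);
        $stmt->execute();
    }
    return $ok;
}
```

Existing md5 accounts keep working and are converted the first time each user logs in; callers wrap both functions in try/catch for mysqli_sql_exception.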
