Hi.

I am developing an administration area that lets the admin do some modifications.

I have created the login.php which contains a form that posts 2 variables:
$login_username & $password.

Now, I have a table (admin_table) in my database which contains 3 fields (admin_id,username,password).
This table has only 1 record since there should be only 1 admin.

Inside the administration area I have created a file called init.php.
No one can access this file except the admin since it is inside the administration area.
(I am using sessions for security, so anyone who tries to access any file will be redirected to login.php.)

The purpose of the init.php is to initiate the login name and the password as follows:

// init.php: set the admin's login name and password hash
$login_username = "admin111";
$password = "admin111";
$password = MD5($password);   // md5() returns a 32-character hex string

mysql_connect("localhost", "root", "");
mysql_select_db("db_name");

$q_result = mysql_query("update admin_table set username = '$login_username' , password = '$password'
where admin_id = '1'");

My questions are:

1- When I executed init.php and then logged out, I tried to login with the username (admin111)
and the password (admin111), but I couldn't ????

2- I am using md5() for encryption as shown above. Do I need to decrypt the password when validating the form?

3- Am I using the correct methodology for achieving my administration area, or could there be a better way?

Note that I am getting something like 'bbad8d72c1fac1d08172' as a password when I do select.

Pleeeeeeeeeeeease Help 😕

Thx

    MD5 is a one way encryption, meaning that you can't decrypt it.
    However, to make it useful in the first place, whenever you encode the same string, you get the same hash value for it returned.

    So, once you stored your MD5 encrypted password in the database, what you would have to do to verify a login is:
    Retrieve the encrypted pwd from the database (if there'll ever be only one admin, you can do a simple select pwd from whateverYourTable 😉).
    Then, you encrypt the password entered for the login (by a form most likely) and then compare the encrypted passwords. If both are equal, the original passwords are equal and you can proceed with the login.
    What won't work is comparing the unencrypted password with the encrypted one.
    Also, I don't know if MySQL / PHP has this problem, but on a recent project (involving an IBM database and JSP pages) I used the MD5 algorithm and got problems with storing the encrypted passwords in the database. It turned out that the MD5 generated " ' " chars which ended the SQL string preliminarily.
    Storing the password in binary format solved the problem.
    Another solution would be to use str_replace to eliminate all "dangerous" chars.

    Hope this helps
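
The login check described in the answer above, as an added example that is not part of the original post. It goes one step beyond the thread by also accepting salted `password_hash()` values next to the unsalted MD5 digests discussed here. Assumptions: in-memory SQLite through PDO stands in for the MySQL database, the sample credentials are constructed, and `set_admin_password`, `check_login` and `report` are hypothetical helper names.

```php
<?php
// Added example. Constructed data; in-memory SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin_table (admin_id INTEGER PRIMARY KEY, username TEXT, password TEXT)');

// One-time setup (the init.php step): store a hash, never the clear password.
// Hypothetical helper name.
function set_admin_password(PDO $db, string $username, string $hash): void {
    $stmt = $db->prepare(
        'INSERT OR REPLACE INTO admin_table (admin_id, username, password) VALUES (1, ?, ?)');
    $stmt->execute([$username, $hash]); // bound parameters, so no character can end the SQL string
}

// Login check: fetch the stored hash, hash the submitted password, compare.
// Hypothetical helper name.
function check_login(PDO $db, string $username, string $submitted): bool {
    $stmt = $db->prepare('SELECT password FROM admin_table WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // Scheme from the thread: unsalted MD5 hex digest, compared in constant time.
        return hash_equals($stored, md5($submitted));
    }
    // Anything else is treated as a password_hash() value (salted, slow).
    return password_verify($submitted, $stored);
}

function report(string $label, bool $ok): void {
    echo str_pad($label, 34), $ok ? "accepted\n" : "rejected\n";
}

$md5 = md5('admin111');
set_admin_password($db, 'admin111', $md5);
report('md5, correct password', check_login($db, 'admin111', 'admin111'));
report('md5, hash typed as password', check_login($db, 'admin111', $md5));

// Simulates a column too short for the 32-character digest.
set_admin_password($db, 'admin111', substr($md5, 0, 20));
report('md5 truncated to 20 chars', check_login($db, 'admin111', 'admin111'));

set_admin_password($db, 'admin111', password_hash('admin111', PASSWORD_DEFAULT));
report('password_hash, correct password', check_login($db, 'admin111', 'admin111'));
report('password_hash, wrong password', check_login($db, 'admin111', 'admin112'));
```

A stored digest shorter than 32 characters, like the 20-character value quoted in the question, can never equal `md5()` output, so the password column has to be wide enough for the whole hash.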

      GBahle,
      you're never wrong but now you are.
      You CAN decrypt MD5 with Jack The Ripper 😃

        Thank you GBahle..
        This works fine now 😉

        Now if anyone sees the code above, he will notice that the password is written in clear in my code.
        Is this a good idea? I mean, what is the benefit of using MD5()?
        Does it only secure the password in the database?

        What if someone by some way sees the source code of the file init.php? He can immediately execute it and gain the password!

        Thanks

          It's easier to hack a database (and more threatening) than an actual web server,

            Originally posted by intenz
            GBahle,
            you're never wrong but now you are.
            You CAN decrypt MD5 with Jack The Ripper 😃

            Well then you shouldn't be encrypting such obvious passwords, should you :p

              First, (without ME delving into one way hashing, others do that better 😉) a little quote

              One-way encryption ("secure hashing")
              hash function takes an input string (variable length) and converts it into an output (fixed length)
              Not possible to reverse the process - except by trying every possible input.
              Examples:
              Unix 'crypt' (based on DES)
              MD4, MD5 (Message Digest)
              SHA (Secure Hash Algorithm)
              md5("My name is Brian\n") = 0134b6e9397f36c7c9f78fe17d2d7d8e
              md5("Test123\n") = 36a03a8a4c00e81f03d62d8b04bbbf4d

              Applications:
              Storing passwords
              Unix password database contains hash(password). When the user types a password, the hash function is applied and compared to the stored hashed password.

              In theory, password cannot be recovered from the hashed version. In practice, users tend to choose 'bad' passwords (easily guessed).

              Some possible solutions:

              Machine-generated passwords (but users write these down)
              Password complexity tests
              Periodically scan password file with 'crack'

              Keep hashed passwords away from prying eyes - "shadow passwords"

              so, the password cannot be decrypted, only guessed.

              Anyway, about the init.php problem. Just use it once to create a password for your admin, then delete it. No file, no security leak. The password is stored safely in your db then.

                @: Btw, I'm wrong all the time. I just know how to cover it 😉
