[Resolved] md5()

sys4dm1n

I am trying to md5 encrypt the passwords for my login gate- so when a client logs in, their password is encrypted into the database, and also when i add a new client, their password is encrypted. here is the code i have, but im not sure how or were to put the md5().

login_check.php

<?
session_start();
$sid = session_id();

include ("config.php");

//checking to see if you have any users in the database, if so, the script continues, if not, it stops and lets you know
$usersquery=mysql_query("SELECT username FROM users")
	or die ("The query on the number of users didn't work. ".mysql_error());
if (mysql_num_rows($usersquery) == "0") {
	print "Deleted all ".
	"of the users.  That's no good.<br><br>If you are not the admin of this site, please email him/her at <a href=\"mailto:$admin_address\">$admin_address</a> to let him/her know that you received the error message.";
	exit();
}

$ip_address = "$REMOTE_ADDR";


//lock out option after 3 incorrect logins set this as "1"
if ($iplockout == "1") {
	$loginquery=mysql_query("SELECT * FROM logins WHERE ip_address = '$ip_address' AND incorrect")
		or die ("ip_address check/logins check query didn't work ".mysql_error());
	$logindata = mysql_fetch_object ($loginquery);

if (mysql_num_rows($loginquery) >= "4") {
	print "You have been locked out.  Too many incorrect logins from ip address: $ip_address";
	exit();
}
}


 // If $username and $password are set, match data against users table
$query=mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'")
	or die ("For some reason the script wasn't able to check the username/password. ".mysql_error());

// If num_rows from users table = 1, set session variables
if (mysql_num_rows($query) == "1") {

session_start();

// Declaring some varibles
$valid_user = $username;
$id = session_id();
$ip_address = "$REMOTE_ADDR";
$data = mysql_fetch_object ($query);
$seclevel = $data->securitylevel; // this declares the security level varibles
$rowid = $data->id;

// adds 1 to the users "logincount" in the users table.  that way you see how many times a person has logged in
mysql_query("UPDATE users SET logincount = logincount+1 WHERE (username = '$username')")
	or die("Bad query: ".mysql_error());

/*
the 4 lines below this comment registers variables so you can "call" this variables on other secure pages
example:
	print "You logged in as: $valid_user";
that code will display the users name
*/
session_register("valid_user");
session_register("ip_address");
session_register("id");
session_register("seclevel");

// inserting login information, 1 = correct login
$insert = 	"INSERT INTO logins(datetime, ip_address, username, password, correct, incorrect) ".
			"VALUES('$datetime', '$ip_address', '$username', '$password', '1', '0')" or die("Bad query: ".mysql_error());
$mysql_insert = mysql_query($insert, $mysql_link)
	or die("Please notify the admin that the script is connecting to the database, but not inserting the information ".mysql_error());
//moves you to the logged in page
header("Location: ./index.php?sid=$sid");
exit;  // exit; "cancels the script"
}



// if the data given is incorrect/doesn't match...
if (mysql_num_rows($query) == 0) {

// inserting login information, 0 = incorrect login
$insert = 	"INSERT INTO logins(datetime, ip_address, username, password, correct, incorrect) ".
			"VALUES('$datetime', '$ip_address', '$username', '$password', '0', '1')" or die("Bad query: ".mysql_error());
$mysql_insert = mysql_query($insert, $mysql_link)
	or die("Please notify the admin that the script is connecting to the database, but not inserting the information ".mysql_error());

// moves back to the login page
header("Location: ../index.php?id=home&login=error&sid=$sid");
}

?>

users.php (allowing me to add a user)

<? require ("../login_check.php"); ?>
<? include ("../config.php"); ?>
<? include ("login_check_admin.php"); ?>


<table class="bgBlueMed" cellspacing="0" cellpadding="1" width="170" border="0">
	<tr>
	<td align="left" valign="top" class="bgBlueMed" width="169">
	&nbsp;<b class="whitefront">Menu</b>
	</td>
	</tr>
	<tr>
	<td align="left" valign="top" class="backgroundBlueMed" width="169">
		<table cellspacing="0" cellpadding=1 width=168 bgcolor=#ffffff border="0">
		<tr>
		<td class="bgGreyLight" align="left" valign="top" width=168 bgcolor=#ffffff>
		<table class="bgGreyLight" align="left" border="0">
			<tr>
			<td align="left" valign="top">
<?
	include("menu.php");
?>
			</td>
			</tr>
		</table>
		</td>
		</tr>
		</table>
		</td>
		</tr>
		</table>
<!-- END BOX -->

<!-- QUICK ADD / DELETE -->
<form enctype="multipart/form-data" action="<? $PHP_SELF ?>" method="post">
<strong>Quick Add:</strong><br>
Username:<br>
<input type="text" name="username" class="form"><br>
Password:<br>
<input type="text" name="password" class="admin"><br>
Security Level:<br>
<input type="text" name="securitylevel" class="form"><br>
<div align="right"><input type=submit name="Add" value="Add"></div>
</form>

<form enctype="multipart/form-data" action="<? $PHP_SELF ?>" method="post">
<strong>Quick Delete:</strong><br>
<input type="text" name="username" class="form"><br>
<div align="right"><input type=submit name="Delete" value="Delete"></div>
</form>
<!-- END QUICK ADD / DELETE -->

<br>
</td>
<td width="10" align="left" valign="top"></td>
<td width="680" align="left" valign="top" colspan="3">
<?
// if any of the entries was checked, this deletes the entry form the database
if (count($del) > 0) { 
for ($i=0;$i<count($del);$i++) { 
$result[$i] = mysql_query("DELETE FROM users WHERE id = '$del[$i]'"); 
	}
}

//this checks to see of the "Add Submit" button was clicked
if (isset($Add)) {

//this checks the username field for a duplicate name, if so, it displays "Username already exists, choose something else"
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_query ($query);
if (mysql_num_rows($result)) die("That username already exsists, please choose a different name");
//this tries to insert the info to the database
	else {
	$insert = "INSERT INTO users(username, password, securitylevel) VALUES('$username', '(md5 $password)', '$securitylevel')";
	$mysql_insert = mysql_query($insert, $mysql_link)
		or die("Please notify <a href=\"mailto:$admin_address\">$admin_address</a> that the script is connecting to the database, but not inserting entries");
	}
print "<div align=\"center\"><strong>User \"$username\" Added</strong></div>";
}


//this checks to see of the "Delete Submit" button was clicked
if (isset($Delete)) {
$deletequery=mysql_query("DELETE FROM users WHERE username = '$username'");
print "<div align=\"center\"><strong>User \"$username\" Deleted</strong></div>";
}


?>

<form type="post" action="<? $PHP_SELF ?>" onSubmit="return confirmSubmit()">
<?
print "<table cellspacing=\"0\" cellpadding=\"1\" align=\"left\">";
print "<tr>
		<td></td>
		<td><div align=\"center\">ID</div></td>
		<td><div align=\"center\">Security</div></td>
		<td>Username</td>
		<td>Password</td>
		<td>Email</td>
		<td><div align=\"center\">ID</div></td>
		</tr>
		";
// this query shows everything (except comments) from the login table
$users_display = mysql_query("SELECT * FROM users") or die (mysql_error());
while ($row = mysql_fetch_array($users_display)) {

// this makes the rows different colors
if ($bgcolor == "#D5D5D5") {
$bgcolor = "#EFEFEF";
} else {
$bgcolor = "#D5D5D5";
}
	print "<tr bgcolor=\"$bgcolor\">\n";
	print "<td><div align=\"center\">";
	print "<a href=\"users_edit.php?rowid=$row[id]\">Edit</a>";
	print "</div></td>\n";
	print "<td><div align=\"center\">";
		echo $row["id"];
	print "</div></td>\n";
	print "<td><div align=\"center\">";
		echo $row["securitylevel"];
	print "</div></td>\n";
	print "<td>";
		echo $row["username"];
	print "</td>\n";
	print "<td>";
		echo $row["password"];
	print "</td>\n";
	print "<td>";
		echo $row["email"];
	print "</td>";
	print "<td><div align=\"center\">";
		print "<input type=\"checkbox\" name=\"del[]\" value=\"";
			echo $row["id"];
		print "\" class=\"checkbox\">";
	print "</div></td>\n";
	print "  </tr>";
	}
mysql_free_result($users_display);

?>
	<tr>
	<td colspan="7"><div align="right"><input type="submit" name="deletechecked" value="Delete Checked"></div></td>
	</tr>
</table>
</form>

</td>
</tr>

<tr>
    <td class="bgGreyDark" align="left" valign="top" colspan="5" height="1"></td>
</tr>
<tr>
    <td align="left" valign="top" colspan="5" height="4"></td>
</tr>
<tr>
    <td align="left" valign="top" colspan="5">
	<div class="copyright" align="center">
	<br>
	<br>
	<a href="../logout.php">Logout</a>
	</div>
	</td>
</tr>
</table>
<br><br>

</body>
</html>

😕

thanks in advanced!🙂

wilku

When you insert password into database use something like:

$password = md5("secret_word".$password);

and then use $password in insert statement (instead of the construction you use now). The same line should be placed before checking user and password against database. Adding secret word to hashing is a step in the "security" direction.

Bear in mind that after you introduce those changes, your old, not hashed password will cease to work.

sys4dm1n

hmm- i still dont quite understand how to do that with the format i have now?😕

wilku

$password = md5("secret_word".$password);
 // If $username and $password are set, match data against users table 
$query=mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'") 
    or die ("For some reason the script wasn't able to check the username/password. ".mysql_error());

//this tries to insert the info to the database 
        else { 
        $password = md5("secret_word".$password);
        $insert = "INSERT INTO users(username, password, securitylevel) VALUES('$username', '$password', '$securitylevel')"; 
        $mysql_insert = mysql_query($insert, $mysql_link) 
            or die("Please notify <a href=\"mailto:$admin_address\">$admin_address</a> that the script is connecting to the database, but not inserting entries"); 
        }

Write the script that will update all the passwords already in the database to their hashes (with the same secret word).

sys4dm1n

what is secret word suppose to be?

itunes66

the password

sys4dm1n

but every user has a different password...im so lost

itunes66

oh ok then im not sure what it is

kburger

Leave off the "secret_word" part if you want to. Just make it

$password = md5($password);

wilku was just trying to help you make it a little more secure. Don't let that part throw you off.

The basic idea is this: Take a plain text password and run it through a one-way hashing algorithm (md5) so that, for example, the password "jupiter" becomes something like "fa005d88656e61a2d506e8413727bac5". No one could look at that hash (very easily) and decrypt it back into "jupiter".

When a user logs in with "jupiter" as their password, run it through md5 to get its hash. Compare that hash to the hash you've stored for them in the database.

wilku

Secret word means anythying that only you know about. It has to be the same thing all the time. You can choose whatever string you want. For example "stownfljxAA", but it must be the same string in all md5 occurences. As it was suggested, it'll work even without it.

sys4dm1n

im still confused, do you think you could give me an example of using it with a part of my code...because i have it checking the $password row of the database

wilku

OK let's start once again from the beginning.
1. You say to yourself that secret word you want to use to create md5 hashes is "baklazan".
2. User sends password (probably with form) and the password is stored in your script in $password variable.
3. In the part when you create an account, you join both strings: secret word "baklazan" AND password using a dot operator
4 You perform md5 on a resulting string. The return value of md5 is then inserted into database. The operation of joining and hashing looks like:

$password=md5("baklazan".$password);

5. When the user wants to log in, the password he gave is once again stored in $password. Then you perform exactly the same operation (joining with "baklazan" and md5 hashing). You check if the result of those operation is the same as the result stored in database. If so then $password here and $password when creating account are the same.
6. Let's assume that the user gave different password when trying to log in. The result of md5 will be different because $password is different (even though "baklazan" stays the same). So he will not be logged in.

Understood?

So all you have to do is to insert those two lines with md5 (in a way I showed you couple of posts above) and put any word instead of "secret_word". It has to be the same word in both lines.

sys4dm1n

yes but i dont have a secret word for each of the users..they all have their own...look at the script again..thats what i dont get is why i need to include a word..i dont want all of them to know the one password..

kburger

That's NOT their password! That's ADDED TO their password. This is completely transparent to the user. They don't enter this.

You're overcomplicating this. Go back and read Wilku's previous post.

sys4dm1n

ok, now when i try to login, it wont work because the passwords dont match..the passwords i have in there are not md5..is that the problem?

kburger

Originally posted by wilku
Bear in mind that after you introduce those changes, your old, not hashed password will cease to work.

Yes. That's correct. See one of Wilku's prior posts. Just write a little script that will convert them to md5 in your table, and run it once.

sys4dm1n

i just googles for tutorials on that, and i cannot find anything- is there a site that you know of that would have a tutorial on this? or do you have one?

thanks.

kburger

Just execute this query.

UPDATE users SET password=MD5(password);

...or if you used that "secret_word" thing, make it UPDATE users SET password=md5(concat('secret_word', password));

But first, make sure your password field is VARCHAR(32).

sys4dm1n

ok, i did all of that, but it still doesnt think the passwords match...i have no idea...let me include the files, and maybe you could tell me what you think it maybe?

login_check.php

<?
// this needs to be on every page, it makes it remember all of the set variables that is done on the login_script.php
session_start();
$sid = session_id();

if (session_is_registered("valid_user")) {
	session_save_path("$sid.txt");
	}
else { header ("Location: login.php"); }
?>

login_script.php

<?
session_start();

include ("config.php");
//checking to see if you have any users in the database, if so, the script continues, if not, it stops and lets you know
$usersquery=mysql_query("SELECT username FROM users")
	or die ("The query on the number of users didn't work. ".mysql_error());
if (mysql_num_rows($usersquery) == "0") {
	print "Deleted all ".
	"of the users.  That's no good.<br><br>If you are not the admin of this site, please email him/her at <a href=\"mailto:$admin_address\">$admin_address</a> to let him/her know that you received the error message.";
	exit();
}

$ip_address = "$REMOTE_ADDR";


//lock out option
//if you want people to be locked out after 3 incorrect logins set this as "1"
//if you don't want to used this option, set this as "0" in config.php
if ($iplockout == "1") {
	$loginquery=mysql_query("SELECT * FROM logins WHERE ip_address = '$ip_address' AND incorrect")
		or die ("ip_address check/logins check query didn't work ".mysql_error());
	$logindata = mysql_fetch_object ($loginquery);

if (mysql_num_rows($loginquery) >= "4") {
	print "You have been locked out.  Too many incorrect logins from ip address: $ip_address";
	exit();
}
}


$password = md5($password);
 // If $username and $password are set, match data against users table
$query=mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'")
	or die ("For some reason the script wasn't able to check the username/password. ".mysql_error());

// If num_rows from users table = 1, set session variables
if (mysql_num_rows($query) == "1") {

session_start();

// Declaring some varibles
$valid_user = $username;
$id = session_id();
$ip_address = "$REMOTE_ADDR";
$data = mysql_fetch_object ($query);
$seclevel = $data->securitylevel; // this declares the security level varibles
$rowid = $data->id;
$datetime = date("n-d-y@h:iA", time() + 3600);

// adds 1 to the users "logincount" in the users table.  that way you see how many times a person has logged in
mysql_query("UPDATE users SET logincount = logincount+1 WHERE (username = '$username')")
	or die("Bad query: ".mysql_error());

/*
the 4 lines below this comment registers variables so you can "call" this variables on other secure pages
example:
	print "You logged in as: $valid_user";
that code will display the users name
*/
session_register("valid_user");
session_register("ip_address");
session_register("id");
session_register("seclevel");

$password = md5($password);
	// inserting login information, 1 = correct login
	$insert = 	"INSERT INTO logins(datetime, ip_address, username, password, correct, incorrect) ".
				"VALUES('$datetime', '$ip_address', '$username', '$password', '1', '0')" or die("Bad query: ".mysql_error());
	$mysql_insert = mysql_query($insert, $mysql_link)
		or die("Please notify the admin that the script is connecting to the database, but not inserting the information ".mysql_error());
	//moves you to the logged in page
	header("Location: ./index.php?sid=$id");
	exit;  // exit; "cancels the script"
}



// if the data given is incorrect/doesn't match...
if (mysql_num_rows($query) == 0) {
$password = md5($password);
	// inserting login information, 0 = incorrect login
	$insert = 	"INSERT INTO logins(datetime, ip_address, username, password, correct, incorrect) ".
				"VALUES('$datetime', '$ip_address', '$username', '$password', '0', '1')" or die("Bad query: ".mysql_error());
	$mysql_insert = mysql_query($insert, $mysql_link)
		or die("Please notify the admin that the script is connecting to the database, but not inserting the information ".mysql_error());

// moves back to the login page
header("Location: ../index.php?id=home&login=error&sid=$id");
}

?>

client/admin/users.php

<? require ("../login_check.php"); ?>
<? include ("../config.php"); ?>
<? include ("login_check_admin.php"); ?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
	<title>Admin Section</title>
	<link rel="STYLESHEET" type="text/css" href="../css.css">
<script LANGUAGE="JavaScript">
<!--
function confirmSubmit()
{
var agree=confirm("Are you sure you wish to continue?");
if (agree)
	return true ;
else
	return false ;
}
// -->
</script>
</head>

<body marginheight="0" marginwidth="0" topmargin="0" leftmargin="0">
<br>
<table class="sitewidth" align="center" valign="top" cellspacing="0" cellpadding="0" border="0">
<tr>
    <td valign="bottom" align="left" width="200">
	<div class="title" align="left">
	<? print "$version"; ?>
	</div>
	</td>
    <td valign="bottom" align="right">
	<div align="right">
	[ <a href="../index.php">Home</a> ] [ <a href="index.php">Admin Home</a> ]
	</div>
	</td>
    <td valign="bottom" align="right" width="120">
	<div align="right">
	<strong>Username:</strong> <? print "$valid_user";?><br>
	<strong>Security Level:</strong> <? print "$seclevel";?>
	</div>
	</td>
</tr>
</table>
<table class="sitewidth" align="center" valign="top" cellspacing="0" cellpadding="0" border="0">
<tr>
    <td valign="top" colspan="5" height="4"></td>
</tr>
<tr>
    <td class="bgBlueMed" align="left" valign="top" colspan="5" height="4"></td>
</tr>
<tr>
    <td valign="top" colspan="5" height="10"></td>
</tr>
<tr>
    <td width="170" align="left" valign="top">



<form enctype="multipart/form-data" action="<? $PHP_SELF ?>" method="post">
<strong>Quick Add:</strong><br>
Username:<br>
<input type="text" name="username" class="form"><br>
Password:<br>
<input type="text" name="password" class="admin"><br>
Security Level:<br>
<input type="text" name="securitylevel" class="form"><br>
<div align="right"><input type=submit name="Add" value="Add"></div>
</form>

<form enctype="multipart/form-data" action="<? $PHP_SELF ?>" method="post">
<strong>Quick Delete:</strong><br>
<input type="text" name="username" class="form"><br>
<div align="right"><input type=submit name="Delete" value="Delete"></div>
</form>


<br>
</td>
<td width="10" align="left" valign="top"></td>
<td width="680" align="left" valign="top" colspan="3">
<?
// if any of the entries was checked, this deletes the entry form the database
if (count($del) > 0) { 
for ($i=0;$i<count($del);$i++) { 
$result[$i] = mysql_query("DELETE FROM users WHERE id = '$del[$i]'"); 
	}
}

//this checks to see of the "Add Submit" button was clicked
if (isset($Add)) {

//this checks the username field for a duplicate name, if so, it displays "Username already exists, choose something else"
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysql_query ($query);
if (mysql_num_rows($result)) die("That username already exsists, please choose a different name");

//this tries to insert the info to the database
	else {
$password = md5($password);
		$insert = "INSERT INTO users(username, password, securitylevel) VALUES('$username', '$password)', '$securitylevel')";
		$mysql_insert = mysql_query($insert, $mysql_link)
			or die("Please notify <a href=\"mailto:$admin_address\">$admin_address</a> that the script is connecting to the database, but not inserting entries");
		}
	print "<div align=\"center\"><strong>User \"$username\" Added</strong></div>";
}


//this checks to see of the "Delete Submit" button was clicked
if (isset($Delete)) {
$deletequery=mysql_query("DELETE FROM users WHERE username = '$username'");
print "<div align=\"center\"><strong>User \"$username\" Deleted</strong></div>";
}


?>

<form type="post" action="<? $PHP_SELF ?>" onSubmit="return confirmSubmit()">
<?
print "<table cellspacing=\"0\" cellpadding=\"1\" align=\"left\">";
print "<tr>
		<td></td>
		<td><div align=\"center\">ID</div></td>
		<td><div align=\"center\">Security</div></td>
		<td>Username</td>
		<td>Password</td>
		<td>Email</td>
		<td><div align=\"center\">ID</div></td>
		</tr>
		";
// this query shows everything (except comments) from the login table
$users_display = mysql_query("SELECT * FROM users") or die (mysql_error());
while ($row = mysql_fetch_array($users_display)) {

// this makes the rows different colors
if ($bgcolor == "#D5D5D5") {
$bgcolor = "#EFEFEF";
} else {
$bgcolor = "#D5D5D5";
}
	print "<tr bgcolor=\"$bgcolor\">\n";
	print "<td><div align=\"center\">";
	print "<a href=\"users_edit.php?rowid=$row[id]\">Edit</a>";
	print "</div></td>\n";
	print "<td><div align=\"center\">";
		echo $row["id"];
	print "</div></td>\n";
	print "<td><div align=\"center\">";
		echo $row["securitylevel"];
	print "</div></td>\n";
	print "<td>";
		echo $row["username"];
	print "</td>\n";
	print "<td>";
		echo $row["password"];
	print "</td>\n";
	print "<td>";
		echo $row["email"];
	print "</td>";
	print "<td><div align=\"center\">";
		print "<input type=\"checkbox\" name=\"del[]\" value=\"";
			echo $row["id"];
		print "\" class=\"checkbox\">";
	print "</div></td>\n";
	print "  </tr>";
	}
mysql_free_result($users_display);

?>
	<tr>
	<td colspan="7"><div align="right"><input type="submit" name="deletechecked" value="Delete Checked"></div></td>
	</tr>
</table>
</form>

laserlight

Maybe a little introduction to what is happening is in order.

Suppose you store username/password pairs to enable your users to login into some system.
The storage is presumably reasonably secure, so most of the time the security problem lies in input and transmission, rather than storage.
Of course, since you are using an online server, you would like to provide your users with some privacy, just in case someone with sufficient privileges takes a look at the database and sees the passwords.

This can be accomplished by using a one-way cryptographic hashing algorithm like MD5.
Such hashes ideally have 2 properties:
1. It is computationally infeasible to find 2 messages (known as pre-images) that hash to the same hash.
2. It is computationally infeasible to find the pre-image given the hash.

Effectively, once you receive your users' passwords, you hash them, and from then on you consider the hashed passwords to be the passwords you deal with.
Because of property #2, you know that even if a malicious user has managed to peek at the username/password database, he/she will be very hard-pressed to determine what the original password a user is. In fact, that's impossible, for at best an attacker can only determine a message that hashes to the same hash as the original password (only the user knows what original password was used).

What's this thing about 'secret words' then?
Well, as it turns out, MD5 is quite popular, so chances are many different user systems would also use it to hash their passwords in storage. This allows for people to create reverse lookup directories of hashes to pre-images, hence defeating property #2 for common passwords.
But if you salt the original password, i.e. add some unique text which other systems do not add, the hash would then differ for the same password. This salt frustrates reverse lookup directories.

That said, I suggest using SHA1 (with PHP's [man]sha1/man function) instead of MD5.
MD5 hashes are of 128 bits (32 hexadecimal characters), SHA1 of 160 bits (40 hex chars).
While both are theoretically broken for property #1, SHA1 still is more viable on a practical level.
Furthermore, I've seen quite a few reverse lookup directories for MD5, but they seem much rarer for SHA1.

Concerning your code, you have a typo error that is causing your passwords to be hashed with a trailing ')'.

$insert = "INSERT INTO users(username, password, securitylevel) VALUES('$username', '$password)', '$securitylevel')";

Remove the closing parenthesis at the end of $password, and all will be fine (assuming you didnt have this error when generating the hashes from the original passwords).