forum with md5

ma3a

i am looking at creating a forum that cannot be viewed unless the user has already been logged in. there is 2 databases. one with usernames and the other with the forum. i know you need to use MD5 but can anyone help.

mmonaco

You're going to need to be a lot more specific to get more specific help... But if you want a general authentication method you can do something like:

// These two values coming from the form...
$username = $_POST['username'];
$password = $_POST['password'];

if (!authenticate($username, $password) {
     printf("I'm sorry but you are not authorized to view this page.");
     // Or you can redirect to a login screen, main page, or whatever you'd like
} else {
     // Show forum
}

function authenticate($username, $password) {
     $query = "SELECT password FROM users WHERE username='$username'";
    // Perform the query....  (You'll most likely want to select by id rather than username....)

/* $resultPassword is the value of the password that you've stored in your database.
 * When you store the password in the database you should first convert it to md5
 * $password is the password the user typed in at login */
if ($resultPassword == md5($password)) {
    return true;
} else {
    return false;
}
}

ma3a

thanks i will give it a try and let you know

emeraldcat

Hi!

This post seems to be the closest (and most recent) to the issue I am currently having.

I have three pages involved:

1) Register page (register.php) - enters a users' info into the database. It encrypts the user-selected password like this:

function process_form(){
session_start();
$loginname=trim(strip_tags($_POST['username']));
$pswd=trim(strip_tags($_POST['password']));
$password=md5($pswd);

$_SESSION['auth']="yes";

global $db;
$today = getdate();
$db->query('INSERT INTO customers (firstname, lastname, username, password, date, type)
			VALUES (?,?,?,?,?,?)',
			array($_POST['firstname'],$_POST['lastname'], $_POST['username'], $password, $today, 'empe'));

PS: The "get date" doesn't seem to work for me either, but I'm not worring about that right now...

2) The login page is called index.html. It grabs the password with a simple "password" input field in a POST form which has an action of "login.php":

<input name="password" type="password" id="password" size="20" />

3) The login script called login.php - this page takes the users' password entered on the index page and sends a query to the database thus:

function process_form(){
global $db;

$loginname=trim(strip_tags($_POST['username']));
$pswd=trim(strip_tags($_POST['password']));
$password=md5($pswd);

//grab info from database
$userGroup = $db->get_results("SELECT type
        FROM customers
        WHERE (username='$logincookie[user]' or username='$loginname') and (md5(password)='$logincookie[pwd]' or password='$password')",ARRAY_A);

So the passwords in my database are nicely coded with the md5 process.

6 | empe | Sally | Sand | ssand | 3afc79b597f88a72528e864cf81856d2 | 0000-00-00 00:00:00

However, when I look at the query results from my login script, the password is not coded. I'm guessing that this is why my query doesn't give me any results.

Query [1] -- [SELECT type FROM customers WHERE (username='' or username='ssand') and (md5(password)='' or md5(password)='pass3')]

Query Result..

(row) string 0
type
No Results

However, I don't know how to fix the code so that it will work properly. I know that md5 is supposed to be a 'one way street' but I can't seem to figure out the proper way to use it in a query.

Please help! 😕

Thanks!
eCat

emeraldcat

Anyone? Do I need to post this as a new thread? 😕

ahundiak

Where is this $logincookie coming from? At a minimum you need
function process_form(){
global $db;
global $logincookie;

But even then your query is messed up. I guess you are trying to pull the user info from either POST or logincookie? I'd suggest that you first get just the POST stuff working so your select looks something like
WHERE username = '$username' AND password = '$password'

Actually, password is a reserved word so you need to change the column name or use back ticks.

Then, once the user is logged in set a session variable to indicate this. Avoid using a cookie to store a password. To easy to intercept.

emeraldcat

Yes, you're right - I do plan to use a session to store login info. I just left that in there from some old code. Sorry!

However it didn't occur to me that password is a reserved word and that this might cause some problems.

You say,

But even then your query is messed up.

How else is it messed up besides the reserved word password?

Do you think that the word "password" as my database column name is why my query doesn't match the entered password to the one that is in the database?

Or is it because I'm not using md5 correctly?

All I want to do (and I've been trying for too TOO long with no success) is have one login form for two types of users: employers and employees.

If the user is an employer, I want to take them to the employer homepage. If they're an employee I want to take them to the employee homepage. If they're not registered (or type in the info wrong) I want to take them to a try again page.

So I was trying to use the username & password to query the correct database record for that user. Then grab that users' ID (employer or employee) from their "row" and redirect them based on that information.

I'm sooooo frustrated. :queasy:

emeraldcat

Whew!! Wow... with some help from the forums and trying every possible way I could think of to write this, I finally did it!! And I think I'll share if anyone is interested. Maybe I'll save someone else the headache.

This script takes a username & password, queries the database for their "type" (employer or employee) and uses a switch statement to take them to a different homepage (or a try again login page) based on that type:

<?php
require_once 'ez_sql.php';

if (!$_POST['submit_check']) {
	show_form();
	}else{
	process_form();
	}

function show_form() {
	include "index.html";
}	


function process_form(){
global $db;

$loginname=trim(strip_tags($_POST['username']));
$pswd=trim(strip_tags($_POST['password']));
$pass=md5($pswd);

//grab info from database
$user = $db->get_row("SELECT type
        FROM customers
        WHERE (username='$loginname' and pswd='$pass')");

$type=$user->type;

//Depending on Group
switch ($type) {
  case "empr":
  // home = emprhome.php
  header ("Location: emprhome.php");
   break;
  case "empe":
  header ("Location: empehome.php");
   break;
  default:
  header ("Location: index2.html");
   break;
  }
}
?>

I imagine that I'll probably need to start a session somewhere in there, but this is so encouraging! 🆒

By the way - this script uses a helpful little database class called ez_sql.php which can be found at this guy's website:

http://www.jvmultimedia.com/home/topics.php?topicId=5

Thanks to all for your help & suggestions! 😃