  1. #1

    password() function not working

    Hi all

    I'm setting up an authentication system on a site and have reached a road block with the login procedure. The following query doesn't authorise login where the password is encrypted using the password() function.

    SELECT * FROM registrations WHERE username='$username' and password1 = password('$password1')

    However if I modify the query to remove the encryption component as such:

    SELECT * FROM registrations WHERE username='$username' and password1 = '$password1'

    Then I can gain access if the relevant password is not encrypted. Obviously I'd prefer to encrypt passwords for added security. Am I making any errors in how this should be done?

    There are two main scripts involved. This one:

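    function login($username, $password1)
    {
        // Connect to the database; return 0 if the connection fails
        $conn = db_connect();
        if (!$conn)
            return 0;

        // Look for a row whose username matches and whose stored value
        // equals MySQL's PASSWORD() of the submitted password
        $result = mysql_query("SELECT * FROM registrations
                               WHERE username='$username'
                               and password1 = password('$password1')");
        if (!$result)
            return 0;

        // Any matching row counts as a successful login
        if (mysql_num_rows($result)>0)
            return 1;
        else
            return 0;
    }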

    and this one:

    <?php
    require_once("functions.php");
    session_start();

    // A login attempt was submitted
    if ($username && $password1)
    {
        if (login($username, $password1))
        {
            // successful login: remember the user in the session
            $valid_user = $username;
            session_register("valid_user");
        }
        else
        {
            // unsuccessful login
            do_html_header("Problem:");
            echo "You could not be logged in. You must be logged in to view this page.";
            do_html_url("index.php", "Login");
            do_html_footer();
            exit;
        }
    }

    do_html_header("Home");
    check_valid_user();
    // Show the user's URLs only if some were returned
    if ($url_array = get_user_urls($valid_user))
        display_user_urls($url_array);

    display_user_menu();
    do_html_footer();
    ?>

    Appreciate any suggestions about a solution to this.
    Thanks
    David

  2. #2
    Mittineague

    password function

    You should not be using the MySQL password function to encrypt your login passwords. Try using PHP's md5 function on the input and then inserting the result of that into the database's password field.

  3. #3
    longneck

    or even mysql's md5() or sha1(). Mittineague is right about password(); the mysql manual specifically says to NOT use the password() function.

  4. #4
    I've now used MD5() to encrypt and insert the passwords into the database.

    Having trouble with the syntax for my query though. I'm using:

    $result = mysql_query("SELECT * FROM registrations
    WHERE username='$username'
    and password1=md5('$password1')");

    This isn't working though. Is there a syntax problem? Can't find too many examples to help.

    Thanks
    David

  5. #5
    longneck

    what is the length of the field password1? it needs to be varchar(32) or larger.

  6. #6
    Thanks

    The length of the field was the problem. All working fine now.

    David
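
The failure resolved in this thread, a password column too narrow for the stored hash, applies to any hash format, because a truncated hash never matches. As an added example that is not part of the thread, the login() below is rewritten with a bound-parameter query and PHP's password_hash()/password_verify(), which the PHP manual recommends storing in a 255-character column. The in-memory SQLite database, the register() helper, its $columnWidth parameter and the sample users are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// thread; the SQLite database and the sample users are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE registrations (
                username  VARCHAR(64) PRIMARY KEY,
                password1 VARCHAR(255) NOT NULL
            )');

// Hypothetical helper: stores a salted hash instead of the password itself.
function register(PDO $pdo, string $username, string $password, int $columnWidth = 255): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // SQLite does not enforce VARCHAR widths, so substr() simulates what a
    // too-narrow MySQL column does in non-strict mode: it cuts the value short.
    $stored = substr($hash, 0, $columnWidth);
    $stmt = $pdo->prepare('INSERT INTO registrations (username, password1) VALUES (?, ?)');
    $stmt->execute([$username, $stored]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    // Bound parameter: the submitted username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT password1 FROM registrations WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();   // false when no such user exists

    // Each hash carries its own salt, so the comparison happens in PHP
    // rather than in the WHERE clause.
    return $stored !== false && password_verify($password, $stored);
}

register($pdo, 'david', 'correct horse');            // column wide enough for the hash
register($pdo, 'david_short', 'correct horse', 20);  // column narrower than the hash

var_dump(login($pdo, 'david', 'correct horse'));        // right password, intact hash
var_dump(login($pdo, 'david', 'wrong password'));       // wrong password
var_dump(login($pdo, 'david_short', 'correct horse'));  // right password, truncated hash
var_dump(login($pdo, 'nobody', 'correct horse'));       // unknown user
```

Only the first call succeeds; the truncated row rejects even the correct password, which is the same symptom the thread traced to the field length.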

