  1. #1
    SitePoint Member djdubuque's Avatar
    Join Date
    Nov 2007
    Posts
    18
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Need help adding/encryption to new and current users PWs

    I had a web site built and the developer didn't add encryption to the users' passwords when they register. Could someone help me add this into the script?

    Also what files will the code need to go into?

    Thanks

  2. #2
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Join Date
    Aug 2008
    Location
    The Netherlands
    Posts
    9,039
    Mentioned
    152 Post(s)
    Tagged
    2 Thread(s)
    Can't you ask the original programmer to put it in there? It's really frowned upon not to encrypt passwords and he should fix that for you for free IMHO.
    Rémon - Hosting Advisor

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy

  3. #3
    SitePoint Member djdubuque's Avatar
    Originally Posted by ScallioXTX:
    > Can't you ask the original programmer to put it in there? It's really frowned upon not to encrypt passwords and he should fix that for you for free IMHO.

    I've already tried that; no response now for over two weeks.

  4. #4
    ScallioXTX's Avatar
    Originally Posted by djdubuque:
    > I've already tried that; no response now for over two weeks.

    That's a bummer. The problem is that each developer has his own way of setting up files, so we cannot directly say you should add this and this to that and that file and all will be well with the world.
    I'd suggest you contact the developer another time (calling would be preferred over e-mailing) since he's the one who wrote the code and knows where everything is, and should therefore be able to implement the changes you asked for in a matter of minutes.
    If he doesn't react again, come back here and we'll take it from there.

    PS. Don't read this as "I don't want to help you", but rather "I'd like to help you, but I don't know where to begin (which files, etc), whereas the original developer would, so I suggest you try him one more time".

  5. #5
    SitePoint Member djdubuque's Avatar
    Well, things are not looking good with the original developer; I even offered to pay for the work, but still no communication.

  6. #6
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,053
    Mentioned
    187 Post(s)
    Tagged
    2 Thread(s)
    This doesn't sound like something that can be fixed by simply ALTERing a database field/table. What platform is it? Apache, PHP, MySQL?

  7. #7
    SitePoint Member djdubuque's Avatar
    Originally Posted by Mittineague:
    > This doesn't sound like something that can be fixed by simply ALTERing a database field/table. What platform is it? Apache, PHP, MySQL?

    Apache PHP MySQL

    I think the only thing that needs to be done is that the hash code be placed in registration.php and in any other file that deals with the hash, like in the login, profile and forgot password, or anywhere that a user would change or add a password.

  8. #8
    ScallioXTX's Avatar
    Could you post the content of those files? Or zip them and attach them to the post?

  9. #9
    SitePoint Member djdubuque's Avatar
    Originally Posted by ScallioXTX:
    > Could you post the content of those files? Or zip them and attach them to the post?

    Here are the three I think need looking at.
    Attached Files

  10. #10
    ScallioXTX's Avatar
    login.php
    Replace
    "select * from tbl_user where username='$username' and password='$password' and status=1"

    with

    "select * from tbl_user where username='$username' and password='".md5($password)."' and status=1"

    register.php
    Replace

    executeQuery("insert into tbl_user set membership_type='$membership_type',email='$email',username='$username',password='$password',country_id='$country',postcode='$postcode',gender='$gender',dob='$date',broadcast='$broadcast',post_date=CURDATE(),paid=0,status=0,exp_date='$dt2'");

    with

    executeQuery("insert into tbl_user set membership_type='$membership_type',email='$email',username='$username',password='".md5($password)."',country_id='$country',postcode='$postcode',gender='$gender',dob='$date',broadcast='$broadcast',post_date=CURDATE(),paid=0,status=0,exp_date='$dt2'");

    There is another query in this file that is a bit like the query above, but it's commented out (in a /* ... */ block), so you don't need to change it.

    profile.php only displays the profile. No insert/update queries here.
    There should be another PHP file where the password is changed. I couldn't find that in any of the three files you posted.

  11. #11
    SitePoint Member djdubuque's Avatar
    How about this file?
    Attached Files
    Last edited by djdubuque; May 27, 2010 at 12:46. Reason: Forgot the file

  12. #12
    SitePoint Member djdubuque's Avatar
    Originally Posted by djdubuque:
    > How about this file?

    One other file I just located would also need this.

    So far everything works...
    Attached Files
    Last edited by djdubuque; May 27, 2010 at 13:02. Reason: This was in the admin area

  13. #13
    ScallioXTX's Avatar
    user_addf.php
    Replace

    $sql ="insert into tbl_user set membership_type='$membership_type',username='$username',email='$email',password='$password',country_id='$country',postcode='$postcode',gender='$gender',dob='$date',image='$image1',status=1,post_date=now()";

    with

    $sql ="insert into tbl_user set membership_type='$membership_type',username='$username',email='$email',password='".md5($password)."',country_id='$country',postcode='$postcode',gender='$gender',dob='$date',image='$image1',status=1,post_date=now()";

    AND

    $sql = "Update tbl_user set membership_type='$membership_type',username='$username',email='$email',password='$password',country_id='$country',postcode='$postcode',gender='$gender',dob='$date'";

    with

    $sql = "Update tbl_user set membership_type='$membership_type',username='$username',email='$email',password='".md5($password)."',country_id='$country',postcode='$postcode',gender='$gender',dob='$date'";

    login.php (didn't I already see another login.php!?)

    Replace
    $sql = "select * from tbl_admin where username='$username' and password='$password'";

    with

    $sql = "select * from tbl_admin where username='$username' and password='".md5($password)."'";

    PS. I assume the password field in tbl_user can hold at least 32 characters? Otherwise it won't work.

  14. #14
    SitePoint Member djdubuque's Avatar
    Yes it will hold 32, so what would the code be for the other file? user_addf.zip

  15. #15
    ScallioXTX's Avatar
    Originally Posted by djdubuque:
    > Yes it will hold 32, so what would the code be for the other file? user_addf.zip

    See post #13

  16. #16
    SitePoint Member djdubuque's Avatar
    Wrong file. Yes, I did input message #13; it was the file profile_setting.zip. This is the one where users change their PWs.

  17. #17
    ScallioXTX's Avatar
    Replace

    mysql_query("update tbl_user set password='$new_password' where id= '".$_SESSION['sess_uid']."'");

    with

    mysql_query("update tbl_user set password='".md5($new_password)."' where id= '".$_SESSION['sess_uid']."'");

    Off Topic:
    FYI. The code is FULL of security issues.
    Rémon - Hosting Advisor

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy
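
Added example, not code from any poster in this thread: the login and password-update queries from posts #10, #13 and #17 rewritten with PHP's password_hash()/password_verify() and PDO bound parameters, upgrading rows that still hold plaintext or a bare md5() value at the next successful login. Assumptions: an in-memory SQLite table stands in for the MySQL tbl_user, the sample users are constructed, and store_password() and login() are hypothetical names.

```php
<?php
// Added example. Constructed in-memory SQLite table standing in for the
// thread's MySQL tbl_user; only the columns the posted queries touch.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password_hash() output is 60 chars today and may grow, so not CHAR(32).
$db->exec("CREATE TABLE tbl_user (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password VARCHAR(255), status INTEGER)");
// Constructed legacy rows: alice is still plaintext, bob is a bare md5().
$db->exec("INSERT INTO tbl_user (username, password, status) VALUES
           ('alice', 'hunter2', 1), ('bob', '" . md5('s3cret') . "', 1)");

// Hypothetical helper: used by registration, profile change and upgrades.
function store_password(PDO $db, int $id, string $password): void {
    // Per-user salt and a tunable work factor are built into password_hash().
    $stmt = $db->prepare('UPDATE tbl_user SET password = ? WHERE id = ?');
    $stmt->execute([password_hash($password, PASSWORD_DEFAULT), $id]);
}

// Hypothetical replacement for the SELECT in login.php.
function login(PDO $db, string $username, string $password): bool {
    // Bound parameter: the username is data, never part of the SQL text.
    $stmt = $db->prepare(
        'SELECT id, password FROM tbl_user WHERE username = ? AND status = 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $stored = $row['password'];
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        $ok = password_verify($password, $stored);      // already migrated
    } else {
        // Legacy row: 32 hex chars is treated as md5(), anything else as
        // plaintext. A plaintext password that is itself 32 hex chars
        // would fail here and need a reset.
        $legacy = preg_match('/^[0-9a-f]{32}$/', $stored)
            ? md5($password) : $password;
        $ok = hash_equals($stored, $legacy);
    }
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        store_password($db, (int) $row['id'], $password); // upgrade in place
    }
    return $ok;
}

var_dump(login($db, 'alice', 'hunter2'), login($db, 'bob', 's3cret'));
var_dump(login($db, 'bob', 'wrong'));
var_dump($db->query('SELECT username, password FROM tbl_user')->fetchAll(PDO::FETCH_KEY_PAIR));
```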

  18. #18
    SitePoint Member djdubuque's Avatar
    Could you elaborate on this in a PM to me?

  19. #19
    #titanic {float:none} silver trophy
    molona's Avatar
    Join Date
    Feb 2005
    Location
    from Madrid to Heaven
    Posts
    8,181
    Mentioned
    234 Post(s)
    Tagged
    1 Thread(s)
    It seems that the issue is more complicated than just simply changing one file... you may consider hiring another developer to finish the job. As sad as it is (checking someone else's code is always a pain), you really need to make sure that everything is OK and I think this would be the best way.

