Mysql/php crypterer user password

md5($_POST['password']);//Hvis det er md5

Man skulle da helst ikke skrive det krypterede password for at logge ind. Hvordan ser den side ud hvor man opretter en bruger, og den hvor man logger ind?

Her har du den

<?php
if(isset($_POST['Submit'])){
//NEED TO CHECK IF FIELDS ARE FILLED IN
if( empty($_POST['name']) && (empty($_POST['email']))){
header("Location:Messages.php?msg=3");
exit();
}
if( empty($_POST['pw1']) && (empty($_POST['pw2']))){
header( "Location:Messages.php?msg=4" );
exit();
}
$name=$_POST['name'];
$email=$_POST['email'];

$pw1=$_POST['pw1'];
$pw2=$_POST['pw2'];

if("$pw1" !== "$pw2"  ){
header( "Location:Messages.php?msg=5" );
exit();
}
$ip = $_SERVER['REMOTE_ADDR'];

//connect to the db server , check if uname exist
include('config.php');
$query=("Select * from user where uname='$name'");
$result= mysql_query($query);
$num=mysql_num_rows($result);
if ($num > 0) {//Username already exist
header( "Location:Messages.php?msg=6" );
exit();
}else{
//if username does not exist insert user details
$query=( "INSERT INTO user (uname, pw,email,date_joined,ip,level) VALUES ('$name',password('$pw1'),'$email',NOW(),'$ip','Normal')");
if (@mysql_query ($query)) {
header("location:login.php?reg=1");
exit;
}
}
mysql_close();
}
?>

og noget i html bagefter som ikke er relevant

Hvis man lægger et krypteret password ind i en database, skal man også checke mod et krypteret password. Ellers kan man jo aldrig lave checket ;o)

hvad med siden hvor man logger ind?

Login!!!

<?
session_start();
if(isset($_GET['reg'])){
$reg=$_GET['reg'];
}else{
$reg="";
}
if($reg==1){
$msg1="<font color=\"#FF0000\"><b>Your details have been added, please login</b></font>";
}elseif($reg==2){
$msg1="<font color=\"#FF0000\"><b>You have been successfully logged out.</b></font>";
}

if(isset($_POST['submit'])){
if( empty($_POST['uname']) && (empty($_POST['upass']))){
header( "Location:Messages.php?msg=1" );
exit();
}
//transfer to shorter var
$n=$_POST['uname'];
$p=$_POST['upass'];

//connect to db
include('config.php');
$query="select * from user where uname='$n'  and pw='$p' ";
$result=mysql_query($query);
   
$num=mysql_num_rows($result);
if($num>0 ){

//put in session vars

$mytime=time();
$mytime=date("H:i:s A",$mytime);
$_SESSION['time'] = $mytime;
$_SESSION['status'] = 'logged';
$_SESSION['username'] = $n;
//goto next page
header("location:welcome.php");
exit;
}else{
$_SESSION['status'] = 'not logged';

header( "Location:Messages.php?msg=2" );
exit();

}
}
?>

yep. man plejer at lægge et krypteret password ind i databasen. Lad os sige mit password skal være "test1234".

det smider jeg så f.eks ind i db: md5("test1234") .. Så ligger mit password i DB som noget volapyk. Når jeg så skal logge ind bruger jeg mit password "test1234", så spørger den om md5("test1234") er lig med det volapyk der står i databasen, og det vil det være

//transfer to shorter var
$n=$_POST['uname'];
$p=$_POST['upass'];
Skal være:

//transfer to shorter var
$n=$_POST['uname'];
$p=password($_POST['upass']);

ja men det kan ik lade sig gøre den siger bare : Your username and password do not match, please try again.

Og hvis jeg så kopierer værdien fra DB kan jeg komme ind....

fil1:

$query=( "INSERT INTO user (uname, pw,email,date_joined,ip,level) VALUES ('$name',md5('$pw1'),'$email',NOW(),'$ip','Normal')");

fil2:

$query="select * from user where uname='$n' and pw=md5('$p')";

prøv at ændre dette :)

Hov i MySQL'en ;o)
$query="select * from user where uname='$n'  and pw=password('$p') ";

Det var fordi du i Fil1 sagde at den skulle smide et krypteret password i DB.
Men i Fil2, stod der den skulle matche et plaintext password med et krypteret, og det vil aldrig virke :)

tester lige...

Det kører som en drøm :D tak for hjælpen

men nu er der tilgengæld en anden fejl...

Change Password :

Warning: mysql_query() [function.mysql-query]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\Webserver\fns.php on line 35

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in C:\Webserver\fns.php on line 35

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in C:\Webserver\fns.php on line 37

-------------------------------------------------------------------------------------

<?
function userexist($username){
include('config.php');
$result=mysql_query("Select * from user where uname='$username'") or die(mysql_error());
//$result= mysql_query($query);

if(mysql_num_rows($result)>0)

return true;//username exist
else
return false;//username not in db
}

function sendpass($user){
include("config.php");
$result =mysql_query("Select pw from user where uname='$user'") or die(mysql_error());
//$result= mysql_query($query);
if(mysql_num_rows($result)>0)
return true;//password exist
else
return false;//password not in db
}

function filledin($form_vars){
foreach($form_vars as $key=> $value)
{
if(!isset($key) || ($value == ''))
return false;
}
return true;
}

function changepw($name){
$query="Select pw from user where uname='$name'" or die(mysql_error());
$result= mysql_query($query);

if(mysql_num_rows($result)>0){
for ($i=0; $i<mysql_num_rows($result); $i++) {
$row = mysql_fetch_assoc($result);

$pass=$row['pw'];
echo '
<center><form name="form1" method="post" action="forgotten.php">';
echo 'Please fill in the following:<br>';
 
echo ' <table width="445" border="0">';
echo ' <tr>
    <td width="187"><div align="left">Old Password</div></td>
    <td width="242"><input name="oldpass" type="text" size="40" value="'.$pass.'"></td>
  </tr>
  <tr>
    <td><div align="left">New Password  </div></td>
    <td><input name="newpass" type="text" size="40"></td>
  </tr>';
 
echo '</table>';
echo '<br>
  <input name="submit" type="submit" value="Save">';
echo '</form>';

}
}
}
function update($newpass,$uname){
if(isset($_POST['submit'])){
//1. Check fields are filled in
if (!filledin($form_vars)){
echo "Please ensure that you have filled in ALL fields.";
exit;
}else{
$newpass=$_POST['newpass'];


}

include "config.php";
$query="Update user SET pw='$newpass' Where uname=$uname Limit 1 ";
$result=mysql_query($query);
if(mysql_affected_rows()==1){
echo "Record number <b>$id</b> has been updated";
}else{
echo "Could not update record number <b>$id</b> because " .mysql_error() . "";
}
}
}
?>

function changepw($name){
include('config.php');
$query="Select pw from user where uname='$name'" or die(mysql_error());
$result= mysql_query($query);

config.php er inkluderet i de andre funktioner, og det er nok der database tilgangen ligger, så den skal også lige ind i den funktion :)

aha manglede mysql forbindelsen ?

yup

mange tak for hjælpen

Var så lidt :)