Hashing

Hello,
Could someone please help me figure out or suggest a tutorial about hashing, etc… I am creating a member registration and people have recommended that. Also, could someone suggest a tutorial on how I should make the checking page. Or, in better explanation how to check and see if something matches a row in the SQL database.

All help will help :slight_smile:

The really popular hashing functions are:
crypt (which uses DES and/or 3DES, depending on the system)
md5
sha1

If you’re using PHP, you can use the builtin functions:

http://us4.php.net/manual/en/function.crypt.php
http://us4.php.net/manual/en/function.md5.php

To use it in code is pretty simple …


// escape the username to avoid sql injection
$username = mysql_escape_string($_POST['username']);
// don't escape the password, because md5 will produce
// known-safe content and escaping it may cause you
// problems unless you're very careful
$plaintextpass = $_POST['password'];
 
// hash the password using md5 ... 
// you could also use sha1()
$hashpass = md5($plaintextpass);
 
// create the sql string - we're asking for the userid 
// that matches the given username and password 
$sql = "SELECT userid FROM user WHERE 
	 user=\"$username\" AND password=\"$hashpass\" ";
 
$result = mysql_query($sql);
 
// Check the result by counting the rows returned
if (mysql_num_rows($result)) {
    // we've returned one row, it's a valid user
    echo "You're logged in!";
}
else {
    // oops
    // no rows returned => bad pass
    Header("Location: http://www.yourdomain.com/login.php");
    exit;
}

It’s pretty simple … just set up a form that POSTs to this code, passing a username and password variable, and you’re all set.
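An added example (not part of the original post) of the same login check, using PHP's password_hash()/password_verify() and a PDO prepared statement in place of md5() and mysql_escape_string(). The table layout follows the post's query; the in-memory SQLite database, the sample account and the register/checkLogin names are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Function names and sample data are assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (userid INTEGER PRIMARY KEY, user TEXT UNIQUE, password TEXT)');

function register(PDO $db, string $username, string $plaintext): int
{
    // password_hash() picks a random salt and returns one string that
    // holds the algorithm, the cost and the salt alongside the hash.
    $hash = password_hash($plaintext, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO user (user, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
    return (int) $db->lastInsertId();
}

function checkLogin(PDO $db, string $username, string $plaintext): ?int
{
    // Select by username only: a salted hash differs on every call,
    // so it cannot be compared inside the WHERE clause.
    $stmt = $db->prepare('SELECT userid, password FROM user WHERE user = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() re-hashes the input with the stored salt and cost
    // and compares the result in constant time.
    if ($row === false || !password_verify($plaintext, $row['password'])) {
        return null;
    }
    return (int) $row['userid'];
}

// Constructed sample account.
$id = register($db, 'alice', 'correct horse battery staple');

// Right password: the stored userid comes back.
var_dump(checkLogin($db, 'alice', 'correct horse battery staple') === $id);
// Wrong password for an existing user.
var_dump(checkLogin($db, 'alice', 'wrong password'));
// Quote characters in the username are bound as data, not parsed as SQL.
var_dump(checkLogin($db, 'alice" OR "1"="1', 'anything'));
```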

Ok, so should I put that in the “checking” page. Should it be included in a certain part?

Check out a similar question I had a while ago, and as the above poster said, it’s really very easy.
http://www.kirupaforum.com/forums/showthread.php?t=58828&page=1&pp=15

Hey, I got everything working, thanks so much :slight_smile:

There is only one problem, I want to have separate profiles for each member. So I organize them by the id that is automatically created every single time. I created that, but when I want them to login and show their current profile I want it to be organized by the Id, so what should I do? I try to have a hidden field on the login.php and then take it over by doing the $id = $_POST etc, and I had the action logincheck.php?id=$id but it doesn’t work. Any suggestions or help?

Hmmm, I am not really getting what you are trying to do…
Do you want it so the person when they log in go to a profile page?
Why do you have a hidden field on the login page? I am confused as to what you are trying to accomplish.

Ok sorry. I’ll try to explain better.

I want them to be able to login, and view their current profile. On the login page it will say like name: $name and will go to the database and retrieve their name. But, if I login with a certain username it does not retrieve the correct names etc because it isn’t selecting a certain row. How can I tell it to select the row of the person that is logged in?

Set a cookie or a session cookie on login, with the id of that member as the cookie’s value. Then all you have to do is use the cookie’s value in the WHERE clause in your SELECT query, like this…

// cast to an integer so the cookie value cannot change the query
$userID = (int) $_COOKIE['whateverTheCookieNameIs'];
$query = "SELECT * FROM login WHERE id = '$userID';";

ok but what would I put as the cookie name? and which file would I put that on?

Well, seeing as you’re the one setting the cookie, name it whatever you want. And the most obvious place to set the cookie is the page on which you’re checking the login details of the user, as there is no point in posting data to another page just to set the cookie :thumb:

Oh and just in case - http://uk.php.net/setcookie & http://uk.php.net/manual/en/ref.session.php

Do I have to use cookies or sessions in order to do this?

Nope, you could send the userid in a POST or a GET. Mind you, you’d have to do it on every single page on your site if you want to keep them logged in.

Ok, in the login.php file should I put a hidden field and then get the userid? Or what would I put on the login.php page? Nothing? Should I use something like this on the user check:
I connect to the database, then

$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id=$id";
$result = mysql_query($query);
$row = mysql_fetch_array($result);

You’ll have to excuse me if any part of this reply is condescending, cause I’m half asleep at the moment :sleep: When you’re logging people into your site, set a cookie with their username or userid. Then on any page on which you want to display their individual information, just use the query I posted. There is no point in using GETs or POSTs in hidden forms or in the URL, because like I said in my last post you’d have to send the userid in every single page on the site to ensure that the user stayed logged in. Also, if you put the userid in the URL, it would be dead simple for the user to alter the URL and then get all of the personal information of another user on your site.
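An added example (not from the thread) of the session route linked earlier: the member id is kept in $_SESSION, which is stored on the server, so neither a URL parameter nor a cookie value edited in the browser decides whose row is selected. The in-memory SQLite table, its constructed rows and the markLoggedIn/currentProfile names are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Names and rows are assumed.
session_start();

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO login (id, name) VALUES (1, 'alice'), (2, 'bob')"); // constructed rows

// Call once on the login-check page, after the password has been verified.
function markLoggedIn(int $userId): void
{
    session_regenerate_id(true);    // issue a fresh session id at login
    $_SESSION['userid'] = $userId;  // kept server-side; the browser only holds the session id
}

// Call on every page that shows member data.
function currentProfile(PDO $db): ?array
{
    if (!isset($_SESSION['userid'])) {
        return null;                // nobody is logged in
    }
    $stmt = $db->prepare('SELECT id, name FROM login WHERE id = ?');
    $stmt->execute([$_SESSION['userid']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

markLoggedIn(1);

// Constructed tampering attempt: values the visitor controls.
// currentProfile() never reads them, so they cannot switch the row.
$_GET['id'] = '2';
$_COOKIE['userid'] = '2';

$profile = currentProfile($db);
echo 'Logged in as: ', $profile['name'], "\n";
```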