Dayo Posted July 22, 2010

Just recently I was asked, "how would I go about changing my existing DB password field from md5 to sha1". At first I thought it would involve loads of work, but I came up with this workaround ...

Here is how I would do it ... please note you will have to edit the values in the SQL to match your DB.

Right, first of all we're going to need another password field in our DB:

[mysql]ALTER TABLE `usertable` ADD `oldpass` VARCHAR( 255 ) NOT NULL[/mysql]

Now that we have that, we will need to transfer all the passwords from the old PW field to the `oldpass` field:

[mysql]UPDATE `usertable` SET `oldpass`=`userpassfield`[/mysql]

Then run this SQL to remove them from the old field (the soon-to-be sha1):

[mysql]UPDATE `usertable` SET `userpassfield`=''[/mysql]

Now that's all the SQL sorted out!

Now open your register page, then find the query that inserts the password into the DB and edit the md5 to sha1.

You will now have to open your login handler, then find the query that selects the password from the DB, then edit it to something like this:

    mysql_query("SELECT * FROM `usertable`
        WHERE `usernamefield`='".mysql_real_escape_string($_POST['username'])."'
        AND (`userpassfield`='".sha1($_POST['password'])."'
        OR `oldpass`='".md5($_POST['password'])."')");

What this will do is look for the username and the user's password, whether it is from the OLD md5 or the new sha1.

Now we need to make a new file called `newpass.php`:

    <?php
    include 'your_connect_file.php';
    // Add your header here

    // We have to check if the user is still using their old MD5 password
    // (please edit $user[''] to whatever variable you use)
    if (!empty($user['oldpass'])) {
        // We check if the form is submitted (the key must match the submit button's name, "Submit")
        if (!empty($_POST['Submit'])) {
            // Now we check if all the values are entered
            if (empty($_POST['old']) || empty($_POST['new']) || empty($_POST['cnew']) || $_POST['cnew'] != $_POST['new']) {
                echo 'You need to add all values or the passwords did not match!<br />
                <a href="'.basename($_SERVER['SCRIPT_FILENAME']).'">Back.</a>';
            } else {
                // If they are, we have to check the old md5 password against what they inputted
                // (again please edit $user if need be). Strict !== is used because a loose !=
                // can compare two "0e..." digests as numbers and treat them as equal.
                if ($user['oldpass'] !== md5($_POST['old'])) {
                    echo 'The submitted password was incorrect! <a href="'.basename($_SERVER['SCRIPT_FILENAME']).'">Back.</a>';
                } else {
                    // Now let's update the user's details
                    // (again please edit the SQL to match your DB as well as the $user variable)
                    echo 'Thank you, your password is now updated!';
                    // The sha1 value is a string and must be quoted; the id is cast to an integer
                    mysql_query("UPDATE `usertable` SET `userpassfield`='".sha1($_POST['cnew'])."', `oldpass`='' WHERE `usersid`=".(int) $user['usersid']);
                }
            }
        } else {
            // If the form isn't submitted, show it!
            echo '
            We are increasing security on this website, to do this we need you to create a new password, please enter it in below!
            <form id="form1" name="form1" method="post" action="#">
              <label> Old Password: <input name="old" type="password" id="old" /> </label>
              <label> New Password: <input name="new" type="password" id="new" /> </label>
              <label> Confirm Password: <input name="cnew" type="password" id="cnew" /> </label>
              <label> <input type="submit" name="Submit" value="Submit" /> </label>
            </form>
            ';
        }
    }
    // Add your footer here
    ?>

Then in a global file (a file shown on all logged-in pages) add this (above any HTML code):

    // exit stops the rest of the page from running after the redirect header is sent
    if (!empty($user['oldpass'])) { header("Location: newpass.php"); exit; }

Then you are done! :thumbsup:

NOTE: This is far from a working script; you have to alter it to fit your DB/site :thumbup:
Dominion Posted July 22, 2010

Nice work. I assume with a small edit you do not have to use sha1 :)
Dayo (Author) Posted July 22, 2010

Two edits in my post (not sure how many in your register page).
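
The same md5 migration done inside the login handler instead of on a separate `newpass.php` page, with PHP's `password_hash()` in place of sha1 (the swap the first reply asks about); this is an added example, not code from the thread. Table and column names follow the first post; the `login()` helper, the in-memory SQLite database (needs `pdo_sqlite`) and the sample account are assumptions made so it runs stand-alone.

```php
<?php
// Added example, not the poster's code. Table and column names follow the post;
// the in-memory SQLite database and the sample account are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE usertable (
    usersid INTEGER PRIMARY KEY, usernamefield TEXT UNIQUE,
    userpassfield TEXT NOT NULL DEFAULT '', oldpass TEXT NOT NULL DEFAULT '')");
// One legacy account whose password still exists only as an md5 digest.
$db->prepare("INSERT INTO usertable (usernamefield, oldpass) VALUES (?, ?)")
   ->execute(['alice', md5('correct horse')]);

// Hypothetical helper: returns the user's id on success, false on failure.
function login(PDO $db, string $username, string $password)
{
    $q = $db->prepare("SELECT usersid, userpassfield, oldpass
                         FROM usertable WHERE usernamefield = ?");
    $q->execute([$username]);
    $user = $q->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return false;
    }
    if ($user['userpassfield'] !== '') {
        // Already migrated: verify against the salted hash only.
        if (!password_verify($password, $user['userpassfield'])) {
            return false;
        }
        $rehash = password_needs_rehash($user['userpassfield'], PASSWORD_DEFAULT);
    } else {
        // Legacy row: constant-time compare against the old md5 digest.
        if ($user['oldpass'] === '' || !hash_equals($user['oldpass'], md5($password))) {
            return false;
        }
        $rehash = true;
    }
    if ($rehash) {
        // The plaintext is only available at login, so upgrade now and drop the md5.
        $db->prepare("UPDATE usertable SET userpassfield = ?, oldpass = '' WHERE usersid = ?")
           ->execute([password_hash($password, PASSWORD_DEFAULT), $user['usersid']]);
    }
    return (int) $user['usersid'];
}

var_dump(login($db, 'alice', 'wrong'));          // legacy row, bad password
var_dump(login($db, 'alice', 'correct horse'));  // legacy row, upgraded on success
var_dump($db->query("SELECT oldpass FROM usertable")->fetchColumn() === '');
var_dump(login($db, 'alice', 'correct horse'));  // now checked by password_verify()
```

Because the upgrade happens on a successful login, accounts that never log in keep their md5 digest in `oldpass` until they do.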