


Hello all, I am looking to change from md5 to proper password hashing. I have changed the register page, but I'm not sure what to change my login verification to. It said to use password_verify, but I am stuck. Any idea what to replace my current code with? Thanks

 

 

// Original login handler: authenticates by looking the user up with login
// name AND md5(password) in a single SQL query. Note the paste ends before
// the `else` blocks opened below are closed, so this listing is truncated.
$error = "";
    $back = "&gt; <a href = 'login.php'><font color = 'red'>Back</font></a>";
    // Both fields are transformed before use. For the password this matters:
    // htmlentities() changes characters such as & < > ' before the value is
    // hashed, so the register page must apply exactly the same transform or
    // logins with those characters will never match.
    $_POST['pass'] = htmlentities(stripslashes($_POST['pass']));
    $_POST['username'] = htmlentities(stripslashes($_POST['username']));
    if(!$_POST['username'] || !$_POST['pass']) {
       $error = "<table width = '390px' align = 'center' class = 'table' style = 'padding:5px; margin-top:87px; border-radius:5px;'>
               <tr>
                  <td align = 'center'><font color = 'red'><b>Please go back and fill in the form correctly<br>".$back;
    }
    else {
    // The password check is done inside SQL by comparing `usr_pas` with the
    // md5 hex digest of the submitted password. md5 here is a fast, unsalted
    // digest, which is why the switch to password_hash()/password_verify() is
    // wanted. A password_hash() value is salted, so it cannot be matched in a
    // WHERE clause: the replacement must select `usr_pas` by login name only
    // and verify it in PHP afterwards.
    $sql = "SELECT `usr_id`,`usr_fed`
            FROM `usr_tbl`
            WHERE `usr_login` = '".mysql_real_escape_string($_POST['username'])."'
            AND `usr_pas` = '".mysql_real_escape_string(md5($_POST['pass']))."'
            LIMIT 1";
    // mysql_* is the legacy extension (removed in PHP 7); inputs are escaped
    // with mysql_real_escape_string() but the SQL is still string-built.
    $sql = mysql_query($sql);
    // One query covers both "unknown user" and "wrong password", so the same
    // message is shown for either case; that avoids revealing valid logins.
    if(!mysql_num_rows($sql)) {
    $error = "<table width = '390px' align = 'center' class = 'table' style = 'padding:5px; margin-top:87px; border-radius:5px;'>
               <tr>
                  <td align = 'center'><font color = 'red'><b>User not found! Please go back and try again.<br>".$back;
    }
    else
       {
       $user = mysql_fetch_array($sql);
       unset($_SESSION['feduser']);
       // `usr_fed` holds a timestamp; a value still in the future means the
       // user is in fed jail and is redirected there instead of logging in.
       if($user['usr_fed'] > time()) {
       $_SESSION['feduser'] = $user['usr_id'];
       header('location:fedjail.php');
       exit;
       }
       else
          {
             // An expired, non-zero `usr_fed` is reset to 0 on login.
             if($user['usr_fed']) {
                $sql = "UPDATE `usr_tbl`
                        SET `usr_fed` = '0'
                        WHERE `usr_id` = '".mysql_real_escape_string($user['usr_id'])."'";
                mysql_query($sql);
             }
          }
       // Successful login: store the user id in the session (no
       // session_regenerate_id() here) and record the login time.
       $_SESSION['myid'] = $user['usr_id'];
       $_SESSION['verified'] = 0;
       $sql = "UPDATE `usr_tbl`
               SET `usr_last_login` = '".mysql_real_escape_string(time())."',
                   `usr_lastact` = '".mysql_real_escape_string(time())."'
               WHERE `usr_id` = '".mysql_real_escape_string($_SESSION['myid'])."'";
       mysql_query($sql);

 

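<?php
/*
 * Login handler: verifies a submitted password against the stored
 * password_hash() value, falling back to the legacy MD5 digest once so
 * existing accounts keep working while they are migrated.
 *
 * Set UPDATE_OLD_PASSWORDS_TO_NEW_HASH to true to replace a legacy MD5 digest
 * with a bcrypt hash on the first successful login; set it to false to
 * disable that rewrite.
 *
 * Note: MD5 is an unsalted digest, not encryption. Ideally the user should be
 * prompted to choose a new password immediately after logging in with one.
 */
if (!defined('UPDATE_OLD_PASSWORDS_TO_NEW_HASH')) {
    define('UPDATE_OLD_PASSWORDS_TO_NEW_HASH', true);
}

$error = "";
$back  = "&gt; <a href = 'login.php'><font color = 'red'>Back</font></a>";

// Read the fields defensively: a missing or non-string field becomes '' so
// the "fill in the form" check below fires instead of a PHP notice/warning.
// NOTE: htmlentities()/stripslashes() alter the password before it is hashed
// (e.g. "&" becomes "&amp;"). Existing MD5 digests were computed from the
// transformed value and register.php applies the same transform, so both
// files must stay in step; do not change one without the other.
$_POST['pass']     = htmlentities(stripslashes(
    (isset($_POST['pass']) && is_string($_POST['pass'])) ? $_POST['pass'] : ''
));
$_POST['username'] = htmlentities(stripslashes(
    (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : ''
));

// Builds the red error box shown above the form. $message is our own
// trusted markup, not user input.
$errorBox = function ($message) use ($back) {
    return "<table width = '390px' align = 'center' class = 'table' style = 'padding:5px; margin-top:87px; border-radius:5px;'>
               <tr>
                  <td align = 'center'><font color = 'red'><b>" . $message . "<br>" . $back;
};

if (!$_POST['username'] || !$_POST['pass']) {
    $error = $errorBox('Please go back and fill in the form correctly');
} else {
    // Select by login name only. A password_hash() value is salted, so it
    // cannot be matched in SQL; the comparison happens in PHP below.
    // (mysql_* is the legacy extension, removed in PHP 7; the DB layer is
    // used as-is here, with every interpolated value escaped.)
    $sql = "SELECT `usr_id`,`usr_fed`,`usr_pas`
            FROM `usr_tbl`
            WHERE `usr_login` = '" . mysql_real_escape_string($_POST['username']) . "'
            LIMIT 1";
    $sql = mysql_query($sql);
    // A failed query (false) is treated like "no rows" instead of warning.
    if (!$sql || !mysql_num_rows($sql)) {
        $error = $errorBox('User not found! Please go back and try again.');
    } else {
        $user = mysql_fetch_array($sql);

        $authed    = false; // true once the password matches the stored value
        $passIsMD5 = false; // true when the stored value is a legacy MD5 digest

        if (password_verify($_POST['pass'], $user['usr_pas'])) {
            // Matches under the new hashing system.
            $authed = true;
        } elseif (md5($_POST['pass']) === $user['usr_pas']) {
            // Matches the legacy unsalted MD5 digest: accept it this time,
            // but flag it for replacement below.
            $authed    = true;
            $passIsMD5 = true;
        }

        if ($authed !== true) {
            // Deliberately the same message as the "no such user" case so a
            // wrong password does not reveal which login names exist.
            $error = $errorBox('User not found! Please go back and try again.');
        } else {
            if (UPDATE_OLD_PASSWORDS_TO_NEW_HASH === true && $passIsMD5 === true) {
                // Must use the same algorithm as register.php.
                $newPass = password_hash($_POST['pass'], PASSWORD_BCRYPT);
                // password_hash() returns false on failure; never store that,
                // and escape/quote both values like every other query here.
                if ($newPass !== false) {
                    mysql_query("UPDATE `usr_tbl`
                                 SET `usr_pas` = '" . mysql_real_escape_string($newPass) . "'
                                 WHERE `usr_id` = '" . mysql_real_escape_string($user['usr_id']) . "'");
                }
            }

            // Issue a fresh session id on successful authentication so a
            // session id fixed before login cannot be reused afterwards.
            session_regenerate_id(true);

            unset($_SESSION['feduser']);
            if ($user['usr_fed'] > time()) {
                // Still in fed jail: remember who they are and send them there.
                $_SESSION['feduser'] = $user['usr_id'];
                header('location:fedjail.php');
                exit;
            } elseif ($user['usr_fed']) {
                // Sentence has expired: clear the stale timestamp.
                $sql = "UPDATE `usr_tbl`
                        SET `usr_fed` = '0'
                        WHERE `usr_id` = '" . mysql_real_escape_string($user['usr_id']) . "'";
                mysql_query($sql);
            }

            $_SESSION['myid']     = $user['usr_id'];
            $_SESSION['verified'] = 0;
            // Take the timestamp once so both columns get the same value.
            $now = time();
            $sql = "UPDATE `usr_tbl`
                    SET `usr_last_login` = '" . mysql_real_escape_string($now) . "',
                        `usr_lastact` = '" . mysql_real_escape_string($now) . "'
                    WHERE `usr_id` = '" . mysql_real_escape_string($_SESSION['myid']) . "'";
            mysql_query($sql);
        }
    }
}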

Note: Untested!

If you set `UPDATE_OLD_PASSWORDS_TO_NEW_HASH` to true, be sure the hashing algorithm used here matches whatever you use on your register page.


Addition:
Depending on your DB setup, you may need to increase the storage capacity of the usr_pas column. For example, VARCHAR(255) may not be enough.
The query below changes the column's type so it can hold a longer string (e.g., a long password hash).
Be sure to back up your database before you make any structural changes!
 

ALTER TABLE `usr_tbl` MODIFY `usr_pas` TEXT NOT NULL;

 

