Jump to content
MakeWebGames

Md5 to hash


Recommended Posts

Hello all I am looking to change from md5 to has, I have changed on the register page but I'm not sure what to change my login verification part to it said to use password_verify but I am stuck any idea what to replace my current one to? Thanks

 

 

$error = "";
    $back = "&gt; <a href = 'login.php'><font color = 'red'>Back</font></a>";
    $_POST['pass'] = htmlentities(stripslashes($_POST['pass']));
    $_POST['username'] = htmlentities(stripslashes($_POST['username']));
    if(!$_POST['username'] || !$_POST['pass']) {
       $error = "<table width = '390px' align = 'center' class = 'table' style = 'padding:5px; margin-top:87px; border-radius:5px;'>
               <tr>
                  <td align = 'center'><font color = 'red'><b>Please go back and fill in the form correctly<br>".$back;
    }
    else {
    $sql = "SELECT `usr_id`,`usr_fed`
            FROM `usr_tbl`
            WHERE `usr_login` = '".mysql_real_escape_string($_POST['username'])."'
            AND `usr_pas` = '".mysql_real_escape_string(md5($_POST['pass']))."'
            LIMIT 1";
    $sql = mysql_query($sql);
    if(!mysql_num_rows($sql)) {
    $error = "<table width = '390px' align = 'center' class = 'table' style = 'padding:5px; margin-top:87px; border-radius:5px;'>
               <tr>
                  <td align = 'center'><font color = 'red'><b>User not found! Please go back and try again.<br>".$back;
    }
    else
       {
       $user = mysql_fetch_array($sql);
       unset($_SESSION['feduser']);
       if($user['usr_fed'] > time()) {
       $_SESSION['feduser'] = $user['usr_id'];
       header('location:fedjail.php');
       exit;
       }
       else
          {
             if($user['usr_fed']) {
                $sql = "UPDATE `usr_tbl`
                        SET `usr_fed` = '0'
                        WHERE `usr_id` = '".mysql_real_escape_string($user['usr_id'])."'";
                mysql_query($sql);
             }
          }
       $_SESSION['myid'] = $user['usr_id'];
       $_SESSION['verified'] = 0;
       $sql = "UPDATE `usr_tbl`
               SET `usr_last_login` = '".mysql_real_escape_string(time())."',
                   `usr_lastact` = '".mysql_real_escape_string(time())."'
               WHERE `usr_id` = '".mysql_real_escape_string($_SESSION['myid'])."'";
       mysql_query($sql);

 

Link to comment
Share on other sites

<?php
/*
 * Set to true to enable automatically updating md5-encrypted passwords to the new hashing system. Set to false to disable.
 * 
 * Note: Ideally, a user should be prompted to update their password themselves, immediately after successful login with an MD5-encrypted password.
 */
define('UPDATE_OLD_PASSWORDS_TO_NEW_HASH', true);
$error             = "";
$back              = "&gt; <a href = 'login.php'><font color = 'red'>Back</font></a>";
$_POST['pass']     = htmlentities(stripslashes($_POST['pass']));
$_POST['username'] = htmlentities(stripslashes($_POST['username']));
if (!$_POST['username'] || !$_POST['pass']) {
    $error = "<table width = '390px' align = 'center' class = 'table' style = 'padding:5px; margin-top:87px; border-radius:5px;'>
               <tr>
                  <td align = 'center'><font color = 'red'><b>Please go back and fill in the form correctly<br>" . $back;
} else {
    $sql = "SELECT `usr_id`,`usr_fed`,`usr_pas`
            FROM `usr_tbl`
            WHERE `usr_login` = '" . mysql_real_escape_string($_POST['username']) . "'
            LIMIT 1";
    $sql = mysql_query($sql);
    if (!mysql_num_rows($sql)) {
        $error = "<table width = '390px' align = 'center' class = 'table' style = 'padding:5px; margin-top:87px; border-radius:5px;'>
               <tr>
                  <td align = 'center'><font color = 'red'><b>User not found! Please go back and try again.<br>" . $back;
    } else {
        $user      = mysql_fetch_array($sql);
        // Set vars, default to false
        $passIsMD5 = false;
        $authed    = false;
        // If their password checks out under the new hashing system
        if (password_verify($_POST['pass'], $user['usr_pas'])) {
            // They're authed
            $authed = true;
            // If their password checks out under the old md5-encryption
        } elseif (md5($_POST['pass']) === $user['usr_pas']) {
            // They're authed ..
            $authed    = true;
            // .. but we need to update their password*
            $passIsMD5 = true;
        }
        if ($authed !== true) {
            $error = "<table width = '390px' align = 'center' class = 'table' style = 'padding:5px; margin-top:87px; border-radius:5px;'>
               <tr>
                  <td align = 'center'><font color = 'red'><b>User not found! Please go back and try again.<br>" . $back;
        } else {
            if (UPDATE_OLD_PASSWORDS_TO_NEW_HASH === true && $passIsMD5 === true) {
                $newPass = password_hash($_POST['pass'], PASSWORD_BCRYPT);
                mysql_query('UPDATE `usr_tbl` SET `usr_pas` = \''.$newPass.'\' WHERE `usr_id` = '.$user['usr_id']);
            }
            unset($_SESSION['feduser']);
            if ($user['usr_fed'] > time()) {
                $_SESSION['feduser'] = $user['usr_id'];
                header('location:fedjail.php');
                exit;
            } else {
                if ($user['usr_fed']) {
                    $sql = "UPDATE `usr_tbl`
                        SET `usr_fed` = '0'
                        WHERE `usr_id` = '" . mysql_real_escape_string($user['usr_id']) . "'";
                    mysql_query($sql);
                }
            }
            $_SESSION['myid']     = $user['usr_id'];
            $_SESSION['verified'] = 0;
            $sql                  = "UPDATE `usr_tbl`
               SET `usr_last_login` = '" . mysql_real_escape_string(time()) . "',
                   `usr_lastact` = '" . mysql_real_escape_string(time()) . "'
               WHERE `usr_id` = '" . mysql_real_escape_string($_SESSION['myid']) . "'";
            mysql_query($sql);
        }
    }
}

Note: Untested!

Be sure to update the hashing algorithm used if you set `UPDATE_OLD_PASSWORD_TO_NEW_HASH` to true to whatever you've got in your register


Addition:
Depending on your DB setup, you may need to increase the storage capacity of the usr_pas column. For example, VARCHAR(255) may not be enough.
The query below will modify a column's type to be able to support a longer string of text (i.e., a long password hash).
Be sure to backup your database before you make any structural changes!
 

ALTER TABLE `usr_tbl` MODIFY `usr_pas` TEXT NOT NULL;

 

  • Like 2
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...