HomeBuilding Your WebsiteWeb Database Development

Getting password from own database...

Renegade posted this at 11:44 — 8th November 2005.

Renegade's picture

He has: 3,022 posts

Joined: Oct 2002

Being really new to MySQL, I decided to try my hand at a login script. Also because client needs one for an admin panel.

Here is what I'm using to authenticate users (using PHP):

<?php
      if($_POST['password'] == $row['password']) {
          echo \"You're in\";
        }
      else {
          echo \"You're not in\";
        }
?>

When I echo $row['password'] I get this:

5d2e19393cc5ef67'

My guess is that it's some kind of encryption? Question is, how do I get the actual password and not what I see above?

This is just a loose and simple login script.

timjpriebe posted this at 13:19 — 8th November 2005.

timjpriebe's picture

He has: 2,667 posts

Joined: Dec 2004

I find it works to do it in the SQL code itself. If it's encrypted in the database, you don't unencrypt it, you just encrypt the one the user just tried to enter.

This is pseudo code, but...

$sql = "SELECT * WHERE username = '$_POST['username']' AND
password = password('$_POST['password']')";

$ref = $sql->execute();

if ($ref->rows())
{
  echo "You're in.";
}
else
{
  echo "Nice try, but I don't think so.";
}
'

Tim
http://www.tandswebdesign.com

Renegade posted this at 08:10 — 9th November 2005.

Renegade's picture

He has: 3,022 posts

Joined: Oct 2002

What algorithm does MySQL use and how can I check that the right password has been used? This is the query that I used:

INSERT INTO `user` ( `userID` , `username` , `password` , `userlevel` )
VALUES (
'', '<username>', PASSWORD( '<password>' ) , '<userlevel>'
);
'

Renegade posted this at 08:27 — 9th November 2005.

Renegade's picture

He has: 3,022 posts

Joined: Oct 2002

Thanks for replying imjpriebe, I found out that it's not recommended to use the password function of MySQL.

A better way would be to encrypt the password first, and then put it into the database as text. That way, even if someone gets a hold of your database, they won't easily get the passwords. Or something like that.

After that, to check, as you say, is to encrypt the password that the user inputs.

Smiling

Busy posted this at 09:37 — 9th November 2005.

Busy's picture

He has: 6,151 posts

Joined: May 2001

md5 is pretty good, but long. can be shortened

Think there is a thread around somewhere on md5 passwords

Want to join the discussion? Create an account or log in if you already have one. Joining is fast, free and painless! We’ll even whisk you back here when you’ve finished.