SQL Members table (how do I update a users password to MD5)

[DJMK4]

I have two questions really.

If I have a members SQL table which consists of:

ID
Username
Password

and the password field is normal, how to I either update a single record to an MD5 password through SQL or the entire table list to MD5 passwords?

 

[DJMK4]

Iv created a PHP login script

(See below)

<?php
$host='**'; // Host name
$username='**'; // Mysql username
$password='**'; // Mysql password
$db_name='**'; // Database name
$tbl_name='**'; // Table name

// Connect to server and select databse.
mysql_connect($host, $username, $password)or die('cannot connect');
mysql_select_db($db_name)or die('cannot select DB');

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$encrypted_password=md5($mypassword);

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

//$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
//$result=mysql_query($sql);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_password'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "**.php"
session_register('myusername');
session_register('mypassword');
header('location:**');
}
else {
echo "Wrong Username or Password";
}
?>

However at present I am not planning on using a script to register users from the php page as the login script is for my use only, i currently have one user in the SQL table but the password is not encrypted, all I want to do is to use some SQL code in phpmyadmin to update either a single user or all users passwords to MD5 encypted passwords.

Hope this is enough info

EDIT: OK iv managed to get SQL table to encrypt the password, so now I have

id
username
password (showing as the encrypted password)

however when i try to log in it keeps saying "incorrect password" unless i enter the password in its encypted format.

 

[DJMK4]

have you even read the replies?

Yes, and I have it half working, see my edit in the last post I posted in this thread

 

[DJMK4]

this:

$mypassword = mysql_real_escape_string($mypassword);

to this:

$mypassword = mysql_real_escape_string($encrypted_password);

and to be a pedant, it's not encrypted, it's hashed. You should also not be using stripslashes without checking that magic_quotes is enabled.

Thanks for this, although this didnt work, it still redirects me to a page saying username or password incorrect.

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$encrypted_password=md5($mypassword);

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($encrypted_password);

//$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
//$result=mysql_query($sql);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_password'";
$result=mysql_query($sql);

SQL Table fields
userid:1
username: darren
password:

 

[DJMK4]

As far as I know session_register isn't the preferred way to register a session - see http://us2.php.net/manual/en/function.session-register.php

Also, have you considered salting - http://php.robm.me.uk/#toc-TakingitfurtherSalting
At the minute someone could still run your hashed passwords through some sort of dictionary tool as they know you've used md5. As the guide says, the small extra effort required to salt your passwords is well worth it.

Thanks for this, ill give this a read

Im aware that there are still flaws in my script although I wanted to get MD5 working first, then I was going to go through and improve the security of my script.

 

[DJMK4]

Would anybody give me some tips on salting out my MD5 password?

Do I need to add any extra fields in my SQL table (at the moment I have id, username, password (MD5 hashed), would I need to enter another field called "salt" and have some random value in there - im assuming no seeing as the salt is stored in this checklogin.php file?

Im assuming the salting is all done in my checklogin.php file

something like this

$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$salt= "abcdef";
$encrypted_password = md5($salt.$mypassword);

$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$salt = stripslashes ($salt);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($encrypted_password);
$salt = mysql_real_escape_string($salt);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_password'";
$result=mysql_query($sql);

Tell me if im doing this completely wrong (Please bear in mind I do not have a registration form so the user details are manually added into my SQL database table).

Thanks

 

[DJMK4]

There's a bit much going on here. There's no need for the $encrypted_password variable as you can just do

... and password=md5('".$salt.$mypassword".');.

Also, you'd be a lot better off using sha() rather than md5(). md5 is fairly easy to bruteforce even without a dictionary.

And I don't think that you're salting very efficiently either, someone only needs to bruteforce two passwords to find the salt...

OK Thanks very much for this

So how are you suggesting I would get around the efficianty issue? double salted sha()? if that even will work?

Thanks bud