
I want the page 'encryptionmachine1.php' to run a query against a database to ensure that the inputted password is correct. To keep things safe, I first want the page to encrypt the password that is inputted and then check against the database field 'EncryptedPasswords' to see if it exists. At the moment, when I input a correct password (number1), only the message 'pwd does not exists' displays. I am also using the md5() function to encrypt the passwords. Any help? Thanks, Dan

```php
<?php

if (isset($_POST['submit'])) {
    $str = $_POST['pwd'];
    // Return value of md5() is discarded here; $str still holds the raw input.
    md5($str);
    $dblink = mysql_connect("localhost", "Dan");
    mysql_select_db("Dan");
    // User input is concatenated straight into the SQL string (not escaped, not bound).
    $rs = mysql_query("SELECT * FROM passwords WHERE EncryptedPassword='" . $str . "'");
    if ($row = mysql_fetch_assoc($rs)) {
        $dbPassword = $row['EncryptedPassword'];
        // Output is sent before header(), and the password is passed on in the query string.
        echo "password exists";
        header('Location:http://localhost/encryptionmachine2.php?pwd=' . $str); //http://194.36.155.250/POO12104368/encryptionmachine2.php
    } else {
        echo "pwd does not exist";
    }
}

?>
<html>
<head>

<title>EncryptionMachine1</title>

</head>
<body>

<form name="myForm" action="#" method="POST">
<p>Pwd:<input type="text" name="pwd"></p>
<input type="submit" value="Submit" name="submit">
</form>

</body>
</html>
```
Dan

  • You need to learn about hashing. Use bcrypt. – SLaks Nov 23 '14 at 16:26
  • Stop using md5, which is about as secure as a wet paper bag, and start using PHP's built-in [password_hash()](http://nl1.php.net/manual/en/function.password-hash.php) or the [userland equivalent](https://github.com/ircmaxell/password_compat) if you're not yet running PHP 5.5 or above – Mark Baker Nov 23 '14 at 16:27
  • Check out http://daveismyname.com/login-and-registration-system-with-php-bp - It uses PDO with prepared statements and PHP 5.5's `password_hash()` function. Call your code's failure a "blessing in disguise" ;) – Funk Forty Niner Nov 23 '14 at 16:28
  • I've tested your code and got success. You're actually outputting before header with `echo "password exists";` - Add error reporting to the top of your file(s) right after your opening ` – Funk Forty Niner Nov 23 '14 at 17:08
  • **Warning:** `mysql_*` extension is deprecated as of PHP 5.5.0, and has been removed as of PHP 7.0.0. Instead, either the [mysqli](https://www.php.net/manual/en/book.mysqli.php) or [PDO_MySQL](https://www.php.net/manual/en/book.pdo.php) extension should be used. See also the [MySQL API Overview](https://www.php.net/manual/en/mysqlinfo.api.choosing.php) for further help while choosing a MySQL API. – Dharman Nov 03 '19 at 18:42

1 Answer

There are a lot of things that need to be changed in your code for it to be secure. The most pressing two are:

  1. You want to hash passwords, not encrypt them.
  2. You want to use prepared statements.
    • This necessarily means stop using mysql_query() and mysql_fetch_assoc() in favor of PDO or mysqli.

I highly recommend starting with A Gentle Introduction to Application Security. It can seem like a lot, but I promise you this is manageable and you can do it.

Scott Arciszewski