Passwords

whaleen · 2012-12-19 21:07:20

I’m curious about how passwords are stored in the DB.

I’ve noticed that they have a $ in the first and third place by default.

I’ve also notice that if I run the PASSWORD function in phpMyAdmin the password gets reduced to a 16 character string.

Both appear to let people log in and out.

Can anyone tell me if it’s possible to generate one of these working types from a form submission?

I have a registration form where new registrants can create their password as part of the account creation proccess:

<form id="register" name="register" method="post" action="registration.php">

<input type="text" name="txtUser" id="txtUser" placeholder="username"  /><br />
<input type="password" name="txtPassword" id="txtPassword" placeholder="password" /><br />
<input type="submit" name="btnRegister" id="btnRegister" value="Register" />

</form>

registration.php:


$userName    =    mysql_real_escape_string($_POST['txtUser']);
$password    =    mysql_real_escape_string($_POST['txtPassword']);

$password    =    md5($password);

if(isset($_POST['btnRegister']))
{
$query    =    "insert into txp_users(name,pass)values('$userName','$password')";
$res    =    mysql_query($query);
header('location:success_register.php');
}

I know md5($password); ain’t gonna cut it and I’m not sure what to try next.

Last edited by whaleen (2012-12-22 21:35:02)

whaleen · 2012-12-22 22:21:46

My wild theory is that the password are salted by the user id. If that was true then I’d have to find a way to make that then get it then use it. I’ll buy anyone a big beer or coffee if they can hold my hand here.

$password = crypt($password); instead of $password = md5($password); is the ticket. I’m able to register a user while allowing them to create their password at the same time.

Last edited by whaleen (2012-12-22 22:44:17)

ruud · 2012-12-23 00:07:56

$password = doSlash(txp_hash_password($_POST['txtPassword']));

Do the escaping after hashing the password, not before.
Use doSlash instead of mysql_real_escape_string.
Use safe_insert instead of mysql_query.

Be very very careful.

whaleen · 2012-12-23 01:29:35

Thanks Ruud. I’ll use your advice now to see if I can now learn how to do this within Textpattern. I think the next step is to learn how to run this little script from within a txp plugin. I will try. Thank you.

Dragondz · 2012-12-23 07:59:36

Hi look at rah_change_password

Cheers

Textpattern CMS

Textpattern CMS support forum

#1 2012-12-19 21:07:20

Passwords

#2 2012-12-22 22:21:46

Re: Passwords

#3 2012-12-23 00:07:56

Re: Passwords

#4 2012-12-23 01:29:35

Re: Passwords

#5 2012-12-23 07:59:36

Re: Passwords

Board footer