Textpattern CMS support forum
Passwords
I’m curious about how passwords are stored in the DB.
I’ve noticed that they have a $ in the first and third place by default.
I’ve also noticed that if I run the PASSWORD function in phpMyAdmin the password gets reduced to a 16 character string.
Both appear to let people log in and out.
Can anyone tell me if it’s possible to generate one of these working types from a form submission?
I have a registration form where new registrants can create their password as part of the account creation process:
<form id="register" name="register" method="post" action="registration.php">
<input type="text" name="txtUser" id="txtUser" placeholder="username" /><br />
<input type="password" name="txtPassword" id="txtPassword" placeholder="password" /><br />
<input type="submit" name="btnRegister" id="btnRegister" value="Register" />
</form>
registration.php:
$userName = mysql_real_escape_string($_POST['txtUser']);
$password = mysql_real_escape_string($_POST['txtPassword']);
$password = md5($password);
if(isset($_POST['btnRegister']))
{
    $query = "insert into txp_users(name,pass)values('$userName','$password')";
    $res = mysql_query($query);
    header('location:success_register.php');
}
I know md5($password); ain’t gonna cut it and I’m not sure what to try next.
Last edited by whaleen (2012-12-22 21:35:02)
txtstrap (Textpattern + Twitter Bootstrap + etc…)
Re: Passwords
My wild theory is that the passwords are salted by the user id. If that was true then I’d have to find a way to make that then get it then use it. I’ll buy anyone a big beer or coffee if they can hold my hand here.
$password = crypt($password); instead of $password = md5($password); is the ticket. I’m able to register a user while allowing them to create their password at the same time.
Last edited by whaleen (2012-12-22 22:44:17)
Re: Passwords
$password = doSlash(txp_hash_password($_POST['txtPassword']));
Do the escaping after hashing the password, not before.
Use doSlash instead of mysql_real_escape_string.
Use safe_insert instead of mysql_query.
Be very very careful.
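The advice in the reply above, applied to the registration.php from the first post, as an added example that is not part of the original thread or Textpattern's own code. It assumes Textpattern's library is already loaded; the helper name example_register_user, the validation rules and the explicit privs = 0 are assumptions made for this example.

```php
<?php
// Added example, not Textpattern's own code. Assumes Textpattern's library is
// already loaded (plugin or page context), so doSlash(), safe_field(),
// safe_insert() and txp_hash_password() are defined.

// Hypothetical helper: returns '' on success or an error message.
function example_register_user(array $post)
{
    if (!isset($post['btnRegister'])) {
        return 'No registration submitted.';
    }
    $name = isset($post['txtUser']) ? $post['txtUser'] : '';
    $password = isset($post['txtPassword']) ? $post['txtPassword'] : '';
    if (!is_string($name) || !is_string($password)) {
        return 'Malformed request.';   // e.g. txtUser[]=x arrives as an array
    }

    // Constructed validation rules; adjust to the site's own policy.
    if (!preg_match('/^[A-Za-z0-9_.-]{3,64}$/', $name)) {
        return 'Invalid user name.';
    }
    if (strlen($password) < 10) {
        return 'Password too short.';
    }

    // Refuse a duplicate name instead of inserting a second row.
    if (safe_field('name', 'txp_users', "name = '".doSlash($name)."'") !== false) {
        return 'That user name is taken.';
    }

    // Hash the raw password first; escape only the values placed into SQL.
    $hash = txp_hash_password($password);
    // privs is set explicitly rather than left to the column default
    // (assumption: txp_users has a privs column and 0 grants no admin rights).
    $ok = safe_insert(
        'txp_users',
        "name = '".doSlash($name)."', pass = '".doSlash($hash)."', privs = 0"
    );

    return $ok ? '' : 'Could not create the account.';
}

$error = example_register_user($_POST);
if ($error === '') {
    header('Location: success_register.php');
    exit;   // stop here so nothing else runs after the redirect
}
echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
```

The password is never escaped or trimmed before hashing, so the stored hash matches exactly what the user typed, and the redirect happens only when the insert reports success.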
Re: Passwords
Thanks Ruud. I’ll use your advice now to see if I can now learn how to do this within Textpattern. I think the next step is to learn how to run this little script from within a txp plugin. I will try. Thank you.
Re: Passwords
Hi, look at rah_change_password.
Cheers