www.webdeveloper.com

Thread: md5 php4/php5

  1. #1
    Join Date
    Oct 2005
    Location
    UK
    Posts
    630

    md5 php4/php5

    is MD5 for PHP4 and PHP5 different?

    i've just moved host. my old host was PHP4 and my new host is PHP5 and it won't let me login when i copied the databases directly across.

  2. #2
    Join Date
    May 2006
    Location
    the netherlands
    Posts
    454
    MD5 is an algorithm; this doesn't change across platforms or programming languages. it will always be the same algorithm
    besides, the problem is probably in your database, not php. check the values in the database in both versions and also check what TYPE and Length the column is that has the password stored. For example if it's less than 32 chars, then that would explain a lot.

    ah another problem could be (and this is in php) that your script doesn't function with register_globals=off
    please also do a check if the login routine is executed at all .. otherwise you're chasing non-existent bugs

  3. #3
    Join Date
    Oct 2005
    Location
    UK
    Posts
    630
    ah i forgot about that. i had to rewrite some of my site to allow for navigation because of the register globals

    i got my login script off a mate and i don't know much about HTTP auth. would i need to assign some form of global to $PHP_AUTH_USER and $PHP_AUTH_PW
    PHP Code:
    <?php
    function displayLogin()
        {
        header("WWW-Authenticate: Basic realm=\"www.knowj.com - email = login/user name\"");
        header("HTTP/1.0 401 Unauthorized");
        echo '<div id="contleft">';
        echo "<h1>Authentication Failure</h1>";
        echo "<p>The username and password provided did not work. Please reload this page and try again.</p>";
        include "includes/footer.php";
        exit;
        }

    if (!isset($PHP_AUTH_USER) || !isset($PHP_AUTH_PW))
        {
        // If username or password hasn't been set, display the login request.
        displayLogin();
        }
    else
        {
        $banlist = array
            (
            "insert", "select", "update", "delete", "distinct", "having", "truncate", "replace",
            "handler", "procedure", "limit", "order by", "group by", "asc", "desc"
            );

        if (eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $PHP_AUTH_USER))
            {
            $PHP_AUTH_USER = trim(str_replace($banlist, '', strtolower($PHP_AUTH_USER)));
            }
        else
            {
            echo "Login Name not a valid Email Address";
            displayLogin();
            }

        //check the password is valid
        if (eregi("[a-zA-Z0-9]+", $PHP_AUTH_PW))
            {
            $PHP_AUTH_PW = trim(str_replace($banlist, '', strtolower($PHP_AUTH_PW)));
            }
        else
            {
            echo "Login Password not a valid Email Address";
            displayLogin();
            }

        // Escape both the password and username string to prevent users from inserting bogus data.
        $PHP_AUTH_USER = addslashes($PHP_AUTH_USER);
        $PHP_AUTH_PW = md5($PHP_AUTH_PW);

        // Check username and password against the database.
        $results = mysql_query("SELECT * FROM atable WHERE someuser='$PHP_AUTH_USER'") or die("Couldn't query the user-database.");
        $sql = mysql_fetch_array($results);
        if (!$sql || !($PHP_AUTH_PW === $sql['somepass']) || !$PHP_AUTH_PW)
            {
            displayLogin();
            }
        }
    ?>

    i realize it isn't a very well written script but it's old and i implemented it long before i knew what i know now. i will probably rewrite it when i get time
    Last edited by knowj; 11-01-2006 at 09:51 AM.

  4. #4
    Join Date
    Oct 2005
    Location
    UK
    Posts
    630
    i've changed all the variables but for some reason i just keep getting the login box reload every time :S even though my password and login are incorrect.


    PHP Code:
    <?php
    function displayLogin()
        {
        header("WWW-Authenticate: Basic realm='www.knowj.com - email = login/user name'");
        header("HTTP/1.0 401 Unauthorized");
        echo "<h1>Authentication Failure</h1>";
        echo "<p>The username and password provided did not work. Please reload this page and try again.</p>";
        include "includes/footer.php";
        exit;
        }

    if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']))
        {
        // If username or password hasn't been set, display the login request.
        displayLogin();
        }
    else
        {
        if (eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $_SERVER['PHP_AUTH_USER']))
            {
            $_SERVER['PHP_AUTH_USER'] = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
            }
        else
            {
            echo "Login Name not a valid Email Address";
            displayLogin();
            }

        //check the password is valid
        if (eregi("[a-zA-Z0-9]+", $_SERVER['PHP_AUTH_PW']))
            {
            $_SERVER['PHP_AUTH_PW'] = mysql_real_escape_string($_SERVER['PHP_AUTH_PW']);
            }
        else
            {
            echo "Login Password not a valid Email Address";
            displayLogin();
            }

        // Escape both the password and username string to prevent users from inserting bogus data.
        $_SERVER['PHP_AUTH_PW'] = md5($_SERVER['PHP_AUTH_PW']);

        // Check username and password against the database.
        $results = mysql_query("SELECT * FROM users WHERE user='$_SERVER[PHP_AUTH_USER]'") or die("Couldn't query the user-database.");
        $sql = mysql_fetch_array($results);
        if (!$sql || !($_SERVER['PHP_AUTH_PW'] === $sql['pass']) || !$_SERVER['PHP_AUTH_PW'])
            {
            displayLogin();
            }
        }
    ?>

  5. #5
    Join Date
    May 2006
    Location
    the netherlands
    Posts
    454
    what have you done to try to debug it?

    first of all, set the error_reporting to E_ALL
    second, find out which route the parser takes you. for example, just put a die("here") after an if or else. if it is being outputted to the screen, you know that that if or else validates to True. If not, you know something is wrong there. Right now you still don't know whether the database is queried at all

    also, in some cases you're outputting stuff to the screen (echo "Login Name not a valid Email Address"; for example), after which you try to modify the headers (with the displayLogin() function) - this should/will generate errors

    http://www.php.net/header
    Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. It is a very common error to read code with include(), or require(), functions, or another file access function, and have spaces or empty lines that are output before header() is called. The same problem exists when using a single PHP/HTML file.
    btw, your email address validation is also a bit outdated. For example person@domain.info wouldn't pass the validation, but is a valid email address however.

  6. #6
    Join Date
    Oct 2005
    Location
    UK
    Posts
    630
    it's only for me to login tbh i'm not having people register.

    this file is included and the file ob_start() ob_end_flush() as i use this for cookies which are set in parts of my site

    thanks for the help ill look into it.

    update:

    error reporting did nothing the script seems to compile fine.

    PHP Code:
    if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']))
        {
        // If username or password hasn't been set, display the login request.
        displayLogin();
        }
    i think that's the route which it's taking as i have put exit; and error messages on all the other areas which the function could be called but i can't error report the top one as it's what calls the function when you're not logged in.

    Last edited by knowj; 11-02-2006 at 05:06 AM.

  7. #7
    Join Date
    May 2006
    Location
    the netherlands
    Posts
    454
    of course you can:

    PHP Code:
    if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']))
        {
        // If username or password hasn't been set, display the login request.
        //    displayLogin();
        echo "Can you see me? Can you? Can you? eh? well....???";
        }
    also print_r($_SERVER) might be helpful

    btw, if you have the error_reporting indeed set to E_ALL, then the query is clearly not executed.
    mysql_query("SELECT * FROM users WHERE user='$_SERVER[PHP_AUTH_USER]'")
    should give an error in that case (undefined constant PHP_AUTH_USER)

    you might also want to stop using that hideous buffering. in my opinion it's bad practice to rely on that for your script/program to work.
    Last edited by themarty; 11-02-2006 at 05:16 AM.

  8. #8
    Join Date
    Oct 2005
    Location
    UK
    Posts
    630
    buffering?

    sorry i'm a n00b to some of the terms still.

    if i did what you said the function would be called in the first place as that call is what initiates the script so it would just let me through to the admin page which is restricting access to.

    so my script is compiling alright it's just not working :S


    Notice: Undefined index: admin in /home/.mantra/john5115/knowj.com/admin/new.php on line 24

    Notice: Undefined index: admin in /home/.mantra/john5115/knowj.com/admin/new.php on line 45

    Notice: Undefined variable: admin in /home/.mantra/john5115/knowj.com/admin/edit.php on line 3

    Notice: Undefined variable: admin in /home/.mantra/john5115/knowj.com/admin/edit.php on line 22

    Notice: Undefined variable: admin in /home/.mantra/john5115/knowj.com/admin/edit_forms.php on line 3

    Notice: Undefined variable: admin in /home/.mantra/john5115/knowj.com/admin/edit_forms.php on line 40

  9. #9
    Join Date
    May 2006
    Location
    the netherlands
    Posts
    454
    Quote Originally Posted by knowj
        buffering?

        sorry i'm a n00b to some of the terms still.

    Yes, that's what you do with ob_start() (OutputBuffering_start)
    you put everything into a buffer, until you output it with ob_flush().
    But if you structure your code well, there's no need to apply this hack.

    Quote:
        if i did what you said the function would be called in the first place as that call is what initiates the script so it would just let me through to the admin page which is restricting access to.

    i don't think i understand what you mean ...

    Quote:
        undefined index [...] undefined variable [...]

    you get these errors because you're trying to use values in an array or variables that do not exist. so check that out.

  10. #10
    Join Date
    Oct 2005
    Location
    UK
    Posts
    630
    they aren't defined as they're got from the url. i was saying they're the only errors which are got and i understand why they are there.

    If i remove the line you say it won't call the function at all because that check defines if the person is logged in or not. so it just lets you through to the page which it is restricting.

  11. #11
    Join Date
    May 2006
    Location
    the netherlands
    Posts
    454
    Quote:
        If i remove the line you say it won't call the function at all because that check defines if the person is logged in or not. so it just lets you through to the page which it is restricting.

    i didn't put it there to solve your problems, i showed you that it was possible to get debug-information there. If that line is printed on the screen then you know the displayLogin() function is being called from there.

  12. #12
    Join Date
    May 2006
    Location
    the netherlands
    Posts
    454
    ok, i have the feeling this is gonna take weeks.

    please try this:

    PHP Code:
    <?php
    error_reporting(E_ALL);
    include "file-that-connects-to-the-database.php";

    function displayLogin($error=False)
    {
        header("WWW-Authenticate: Basic realm='www.knowj.com - email = login/user name'");
        header("HTTP/1.0 401 Unauthorized");
        echo "<h1>Authentication Failure</h1>";
        if ($error)
        {
            echo "<p>The username and password provided did not work. Please reload this page and try again.</p>";
        }
        include "includes/footer.php";
        exit;
    }

    if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']))
    {
        // If username or password hasn't been set, display the login request.
        displayLogin("Username has not been provided yet");
    }
    else
    {
        if (eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $_SERVER['PHP_AUTH_USER']))
        {
            $_SERVER['PHP_AUTH_USER'] = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
        }
        else
        {
            displayLogin("Login Name not a valid Email Address");
        }

        //check the password is valid
        if (!eregi("[a-zA-Z0-9]+", $_SERVER['PHP_AUTH_PW']))
        {
            displayLogin("Login Password not a valid Password");
        }

        // Check username and password against the database.
        $query = "SELECT * FROM users WHERE user='".$_SERVER['PHP_AUTH_USER']."'";
        if (!$results = mysql_query($query))
        {
            displayLogin("A database error occured. please try again later<br>".$query."<br>".mysql_error());
        }
        elseif (mysql_num_rows($results) == 0)
        {
            // normally you wouldn't give this extra information. it's no-ones business that the username doesn't exist
            // but we do it now for debugging purposes
            displayLogin("This username doesn't exist");
        }
        else
        {
            $sql = mysql_fetch_array($results);
            if (md5($_SERVER['PHP_AUTH_PW']) != $sql['pass'])
            {
                displayLogin("Incorrect password");
            }
        }
    }
    echo "logged in";
    ?>
    please only include this file:
    include "file-that-connects-to-the-database.php";
    in which you substitute file-that-connects-to-the-database.php for the file that creates the database connection.
    so don't include any other things. (especially not things that include output buffering and such)
    Last edited by themarty; 11-02-2006 at 09:27 AM.

  13. #13
    Join Date
    Oct 2005
    Location
    UK
    Posts
    630
    ye it's not reporting any errors or working.

    i'm going to give up and write a cookie based login. it will make things a lot easier and this script just seems to be causing me hassle since i moved to php5

  14. #14
    Join Date
    May 2006
    Location
    the netherlands
    Posts
    454
    Quote:
        ye it's not reporting any errors or working.

    what is the output you get on the screen ????

    no script is ever gonna work if you don't analyze what is happening

  15. #15
    Join Date
    May 2006
    Location
    the netherlands
    Posts
    454
    oh i realize now i made one mistake in the script:

    PHP Code:
        if ($error)
        {
            echo "<p>The username and password provided did not work. Please reload this page and try again.</p>";
        }
    should be

    PHP Code:
        if ($error)
        {
            echo $error;
        }
    so, in full:
    PHP Code:
    <?php
    error_reporting(E_ALL);
    include "file-that-connects-to-the-database.php";

    function displayLogin($error=False)
    {
        header("WWW-Authenticate: Basic realm='www.knowj.com - email = login/user name'");
        header("HTTP/1.0 401 Unauthorized");
        echo "<h1>Authentication Failure</h1>";
        if ($error)
        {
            echo $error;
        }
        include "includes/footer.php";
        exit;
    }

    if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']))
    {
        // If username or password hasn't been set, display the login request.
        displayLogin("Username has not been provided yet");
    }
    else
    {
        if (eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $_SERVER['PHP_AUTH_USER']))
        {
            $_SERVER['PHP_AUTH_USER'] = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
        }
        else
        {
            displayLogin("Login Name not a valid Email Address");
        }

        //check the password is valid
        if (!eregi("[a-zA-Z0-9]+", $_SERVER['PHP_AUTH_PW']))
        {
            displayLogin("Login Password not a valid Password");
        }

        // Check username and password against the database.
        $query = "SELECT * FROM users WHERE user='".$_SERVER['PHP_AUTH_USER']."'";
        if (!$results = mysql_query($query))
        {
            displayLogin("A database error occured. please try again later<br>".$query."<br>".mysql_error());
        }
        elseif (mysql_num_rows($results) == 0)
        {
            // normally you wouldn't give this extra information. it's no-ones business that the username doesn't exist
            // but we do it now for debugging purposes
            displayLogin("This username doesn't exist");
        }
        else
        {
            $sql = mysql_fetch_array($results);
            if (md5($_SERVER['PHP_AUTH_PW']) != $sql['pass'])
            {
                displayLogin("Incorrect password");
            }
        }
    }
    echo "logged in";
    ?>
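
The credential check from the scripts in this thread, as an added example that is not code from either poster: it reads the credentials from `$_SERVER`, looks the user up with a bound parameter, compares a stored MD5 with `hash_equals()` instead of `!=`, and replaces the MD5 with a `password_hash()` value on the first successful login. It assumes PHP 7.1+ with PDO; the realm string, the in-memory SQLite database and the sample row are constructed for the demo, while the `users`, `user` and `pass` names come from the thread.

```php
<?php
// Added example, not from the thread. Table `users` with columns `user` and
// `pass` as in the posts; the PDO handle, realm and sample row are constructed.

function verifyLogin(PDO $db, string $user, string $password): bool
{
    // Bound parameter: the user name never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT pass FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;                       // no such user
    }
    // Legacy row: 32 hex characters of unsalted MD5, as the old script stored it.
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        // hash_equals() compares strings in constant time; unlike != it never
        // treats two different "0e..." digests as equal numbers.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        // Correct password: upgrade the row to a salted, slow hash.
        // The pass column must be wide enough for it (VARCHAR(255) here).
        $upd = $db->prepare('UPDATE users SET pass = :pass WHERE user = :user');
        $upd->execute([':pass' => password_hash($password, PASSWORD_DEFAULT),
                       ':user' => $user]);
        return true;
    }
    return password_verify($password, $stored);
}

function requireBasicAuth(PDO $db): void
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;  // superglobal, not $PHP_AUTH_USER
    $pass = $_SERVER['PHP_AUTH_PW'] ?? null;
    if ($user === null || $pass === null || !verifyLogin($db, $user, $pass)) {
        // Headers before any output; one message for every kind of failure.
        header('HTTP/1.0 401 Unauthorized');
        header('WWW-Authenticate: Basic realm="admin area"');
        exit('<h1>Authentication Failure</h1>');
    }
}

// Constructed demo data: in-memory SQLite holding one legacy MD5 row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pass VARCHAR(255))');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['me@example.com', md5('constructed-password')]);

var_dump(verifyLogin($db, 'me@example.com', 'wrong'));                // rejected
var_dump(verifyLogin($db, 'me@example.com', 'constructed-password')); // MD5 branch, row upgraded
var_dump(verifyLogin($db, 'me@example.com', 'constructed-password')); // password_verify branch
```

On a page served over HTTP, call `requireBasicAuth($db)` before anything is echoed, so that both `header()` calls still take effect.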
