Customizing login.php

[latinguy]

Hi,

How can I modify the login.php file so when someone tries to log in it only checks 2 fields in the db table, the username and password. Nothing about salt and others.. only check if the username and password entered are in the database table, if they are found then you are logged in if they are not found give the error.

Thanks in advance

Daniel

[Andreas]

Impossible. You need the salt as for security reasons passwords aren't stored in the database - only MD5-Hashes with a salt to randomize the results.
This makes it more difficult to crack passwords, as MD5 itself is not collision-free.

But you could simplify the login very much, avoiding almost all "vB-Overhead".
What exactly do you want to achieve?

[latinguy]

Quote:

Originally Posted by KirbyDE

Impossible. You need the salt as for security reasons passwords aren't stored in the database - only MD5-Hashes with a salt to randomize the results.
This makes it more difficult to crack passwords, as MD5 itself is not collision-free.

But you could simplify the login very much, avoiding almost all "vB-Overhead".
What exactly do you want to achieve?

What I want to do is this.. in http://vac.dndweb.net/forum when someone tries to log in on top and click 'log in' the action page only looks for the username and password. If the query recordcount is 1 (meaning it was found) then you are successfuly logged in if not you get an error.

How can I do this??

[latinguy]

Quote:

Originally Posted by latinguy

What I want to do is this.. in http://vac.dndweb.net/forum when someone tries to log in on top and click 'log in' the action page only looks for the username and password. If the query recordcount is 1 (meaning it was found) then you are successfuly logged in if not you get an error.

How can I do this??

I was thinking something like this:

function login($username,$password)
{

global $myDB;

$myquery = "SELECT username, password FROM forum_user WHERE (username = '$username') AND (password = '".md5($password)."')";
$myresult = $myDB->query($myquery);

... rest of coding here before it gets logged in ...

}

login($_POST['vb_login_username'],$_POST['vb_login_password']);

Don't know if that makes sense at all.

Hope you get what I want to do

Hugs,

Daniel

[Andreas]

So you actually just want to verify that username and password are correct?

Then this might get you started:

PHP Code:

<?php
  if (!isset($_POST[username])) {
    echo "Please enter your username &amp; password below<br />";
    echo "<form method=\"post\" action=\"$PHP_SELF\">";
?>
    Username: <input name="username" size="30"><br /> 
    Password: <input name="password" type="password" size="30"><br>
    <input type="submit">&nbsp;<input type="reset">
    </form>
<?php    
  } else {
    // Check if combination is correct
    include('./includes/config.php');
    $link = mysql_connect($servername, $dbusername, $dbpassword) or die("Could not connect mySQL-Server");
    mysql_select_db($dbname) or die ("Could not open vB database"); 
    $res = mysql_query("SELECT userid,username,password FROM user WHERE MD5(CONCAT(MD5('$_POST[password]'), salt)) = password AND username='$_POST[username]'", $link) or die ("Invalid query");
    if (mysql_num_rows($res) == 1)
      echo "Login OK";
    else
      echo "Login failed";
  }
?>

[yoyo]

Oh, thank you! I searched ages for this!

Can I ask, though, are there any security implications in accessing username and password in this way?