#1
09-14-2007, 06:59 PM
tam2000k2
Join Date: Sep 2007
Posts: 4
Using md5hash function for logging in

I posted the following on vBulletin.com and they suggested to post it here:

Hi Everyone,

I am somewhat new to vBulletin and Movable Type technologies, but I have been involved with the web since 1994. So, I'm pretty good with catching on, but I need your assistance.

I hope someone can help me with my understanding of this function.

I am one of the administrators for forums.tvgasm.com and I also maintain tvgasm.com. As mentioned above, I am new to both types of web technologies.

I am trying to use one of the tables of the database, namely the table tvgvbuser within the database forumdb, which holds usernames and passwords, among other information, but the passwords are encrypted.

Since we were having issues with typekey authentication systems and we have over 100,000 readers, we grew tired of the issues associated with that login system. Naturally we thought, we already have a log in system and our readers have accounts within our forums section, why not use what we have and, at the same time, not lose this huge audience.

I understand that the "md5" system of encrypting a word is being used for the passwords, but I do not know how to compare the password that the user types in, from the password in the table.

I have tried the following AJAX code:
Code:
var user = document.getElementById('navbar_username').value;
var pass = document.getElementById('navbar_password').value;
var vb_login_md5password = document.getElementById('vb_login_md5password').value;
var vb_login_md5password_utf = document.getElementById('vb_login_md5password_utf').value;
var s = document.getElementById('s').value;

// Open PHP script for requests -- phpscript2 is a pre-defined php file

http.open('post', phpscript2);
http.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
http.onreadystatechange = handleResponsePost;
http.send('username='+ user +'&password='+ md5hash(pass,vb_login_md5password, vb_login_md5password_utf, 0));
The username and password are sent to a php file which then executes a simple SQL string:

Code:
$query = mysql_query("SELECT * FROM tvgvbuser WHERE username='". $username ."' AND password='". $password ."'");
My php file simply determines if it was successful or not, followed by echoing a statement to that effect.

But I receive an error from the JavaScript Console of my browser that "s" is not defined.

I know that since I am not calling these functions from within the forums section and, instead from within tvgasm.com, that this would probably not work.

I do realize that there has been a great deal of effort in creating an entire system and that I am only trying to use a small portion of that system, outside its natural environment.

So, my ultimate question is -- is there a simple way to query this table using the natural password that the user types in, thereby allowing us to continue to use the resource that we have available?

Here is a link to an example of what my code is attempting to do -- http://beta.tvgasm.com/shows/login3.htm

When you enter a registered username and click within the password text field, it automatically checks to see if this username is legit and responds accordingly.

However, sending an SQL string for the password is another issue and that's what I need assistance with your expertise.

Thanks in advance,
Tarik (Kronus)

#2
09-15-2007, 04:20 AM
Dismounted
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

Passwords are encrypted in the database like so:
PHP Code:
$password = md5(md5($password) . $salt); 
Where $password is the password string and $salt is the field "salt" in the database.

#3
09-15-2007, 03:50 PM
tam2000k2
Join Date: Sep 2007
Posts: 4

That worked perfectly. I had to modify my code to retrieve $salt first, so for anyone else who needs it.

Code:
<?php
 // start the session so $_SESSION is available below
 session_start();

 // connect to mysql 
 $mysql = mysql_connect('localhost','adminusername','adminpassword'); 
 
 // fail on database errors 
 if (!$mysql) 
 {     die('false|Could not connect to MySQL'); } 
 
	 // connect to the database 
	 mysql_select_db('forumdb', $mysql); 
	 
$username = $_POST['username']; 
$password = $_POST['password']; 

$query = mysql_query("SELECT salt FROM tvgvbuser WHERE username='". $username ."'");
$row = mysql_fetch_array($query);

$salt = $row["salt"];

$password = md5(md5($password) . $salt);


$query = mysql_query("SELECT * FROM tvgvbuser WHERE username='". $username ."' AND password='". $password ."'"); 
$result = mysql_num_rows($query); 
$row = mysql_fetch_array($query); 

if ($result == 1) 
{ 
    $_SESSION["user"] = $row["username"]; 
     
    echo 'Welcome, '. $row["username"].' . Please fill out our spam verification and post your comments.

<p>
	  <label for="comment-email">Email Address:</label>
	  <input id="comment-email" name="email" size="30" />
   </p>
</div>

<p>
   <label for="comment-url">URL:</label>
   <input id="comment-url" name="url" size="30" />
</p>
<p>
   <label for="comment-bake-cookie"><input type="checkbox"
	  id="comment-bake-cookie" name="bakecookie" onClick="if (!this.checked) forgetMe(document.comments_form)" value="1" />
	  Remember personal info?</label>
</p>
</div>

<p id="comments-open-text">
<label for="comment-text">Comments: </label>
<textarea id="comment-text" name="text" rows="15" cols="50"></textarea>
</p>
<div id="comments-open-footer" class="comments-open-footer">


<input type="submit" accesskey="v" name="preview" id="comment-preview" value="Preview" />
<input type="submit" accesskey="s" name="post" id="comment-post" value="Post" />
	'; 
} 
else 
{ 
    echo 'Wrong combination of User Name and Password. Did you forget your Password? <a href="http://forums.tvgasm.com/login.php?do=lostpw" target="_blank"> Click here to retrieve it.</a>'; 
} 

?>
Thank you very much for your assistance. :-)

#4
09-15-2007, 04:48 PM
Opserty
Join Date: Apr 2007
Posts: 4,103

Clean your variables:

PHP Code:
$username = mysql_real_escape_string($_POST['username']); 
Also add LIMIT 1 to the end of your query and fetch the password and username from the DB instead of querying twice. So you have something like
Code:
SELECT `username`,`password`, `salt` FROM tvgvbuser WHERE username='". $username ."' LIMIT 1
Then you can remove this:
PHP Code:
$query = mysql_query("SELECT * FROM tvgvbuser WHERE username='". $username ."' AND password='". $password ."'"); 
$result = mysql_num_rows($query); 
$row = mysql_fetch_array($query); 
And instead use something like:

PHP Code:
// I'm not a hundred percent sure if this works 
// You can maybe use:
// if(mysql_num_rows($query) == 0) instead
if(!mysql_num_rows($query))
{
    // Wrong username but we won't tell them that
    echo 'Wrong combination of User Name and Password. Did you forget your Password? <a href="http://forums.tvgasm.com/login.php?do=lostpw" target="_blank"> Click here to retrieve it.</a>';
}
else
{
    $hashedpassword = md5(md5($password) . $salt);
    // Strict comparison: != would compare numeric-looking hashes ("0e...") as numbers
    if($hashedpassword !== $row['password'])
    {
        // Wrong password but we won't tell them that
        echo 'Wrong combination of User Name and Password. Did you forget your Password? <a href="http://forums.tvgasm.com/login.php?do=lostpw" target="_blank"> Click here to retrieve it.</a>';
    }
    else
    {
        // Do your session stuff here
    }
}

There might be some parse errors...I'm using notepad

#5
09-15-2007, 05:14 PM
tam2000k2
Join Date: Sep 2007
Posts: 4

Thanks for the feedback. Keep it coming :-)

Have a good one,
Tarik (kronus)

#6
09-16-2007, 07:41 AM
Dismounted
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

There's no need to do two queries. Just query once for the password and salt. Then hash the inputted password and match it up with the password fetched from the database.
Reply With Quote
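
The single-query check that the replies above converge on, as an added example that is not part of any post in the thread. It assumes PDO with the SQLite driver so it runs self-contained; the function names vb3_hash and vb3_verify and the sample rows are made up for illustration.

```php
<?php
// Added example, not code from the thread. Table and column names are the
// thread's; the in-memory SQLite database and the sample rows are constructed.

function vb3_hash(string $password, string $salt): string
{
    // Scheme given in post #2: md5(md5($password) . $salt)
    return md5(md5($password) . $salt);
}

function vb3_verify(PDO $db, string $username, string $password): bool
{
    // One query; the username is a bound parameter, never part of the SQL text.
    $stmt = $db->prepare(
        'SELECT password, salt FROM tvgvbuser WHERE username = ? LIMIT 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still hash, against dummy values, so both paths do equal work.
    $salt   = $row ? $row['salt'] : '---';
    $stored = $row ? $row['password'] : str_repeat('0', 32);

    // hash_equals() compares as strings in constant time, so hex digests that
    // look numeric ("0e...") are not treated as equal numbers the way == does.
    $match = hash_equals($stored, vb3_hash($password, $salt));
    return $row !== false && $match;
}

// Constructed test data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tvgvbuser (username TEXT, password TEXT, salt TEXT)');
$add = $db->prepare('INSERT INTO tvgvbuser VALUES (?, ?, ?)');
$add->execute(['kronus', vb3_hash('s3cret-Pass', 'a#3'), 'a#3']);
$add->execute(["o'neil", vb3_hash('hunter2', 'Zq!'), 'Zq!']);

$cases = [
    ['kronus', 's3cret-Pass'],   // valid login
    ['kronus', 'S3cret-Pass'],   // wrong password
    ["o'neil", 'hunter2'],       // quote in the username is plain data
    ['nobody', 's3cret-Pass'],   // unknown user
];
foreach ($cases as [$user, $pass]) {
    printf("%-8s %s\n", $user, vb3_verify($db, $user, $pass) ? 'ok' : 'rejected');
}
```

Run it with the php CLI; it needs the pdo_sqlite extension. The md5-based scheme appears here only because the forum table already stores it; it is fast to brute-force if the table leaks.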