On Sat, Nov 20, 2004 at 05:49:04PM -0500, Gregori Halsiber wrote:
> Hi, I'm trying to write a md5 hash to auth users... And before I get flamed
> about md5 not being a crypt system but a hashing system I know... Security
> is not a problem..
> I'm trying to build a standalone Message Update Center intranet with PHP
> 
> The problem I'm having is comparing a user inputted word or passphrase and
> comparing the code to the hash on a mysql database....
> 
> here's the code....
> <?php
> // connect to database
> $connection = mysql_connect("localhost","root");
> mysql_select_db("forum");
> $result = mysql_query('Select username, password from users');

Right here, why not do:

// Escape the submitted name before placing it in the query string, so quote
// characters in the input cannot alter the SQL (needs the connection open).
$username = mysql_real_escape_string($_POST['givenuser']);
$result = mysql_query("Select password from users where username='$username'");

That way you don't have to go through the loop for every user in the users 
table.

> while($row = mysql_fetch_array($result, MYSQL_ASSOC))
> { // start while fetch loop
> // This is now guaranteed: if($_POST['givenuser'] == $row['username'])

> { // Begin user check
> if(  md5($_POST['givenpassword']) ==  $row['password'] )
> print("Welcome!");
> // The problem I'm having is the comparisons are not accurate.....
> // If I display ---> print(md5($_POST['givenpassword']));
> // and $row['password'] to the browser all 32 char are identical

> // No longer needed } // end user check
> } // end while fetch loop
> ?>
> 
> Any Ideas at all? I was thinking that there could be some sort of WHITESPACE
> problem in the hashing of the passed var givenpassword

How is 'password' defined in the 'users' table? Is it a char(32) or a
varchar(32)? I would suspect a whitespace issue. Try rtrim on the password.

        if( md5($_POST['givenpassword']) == rtrim($row['password']) )

> or possibly a problem with a weird floating point calculation at the
> comparison level?
> 
> thanks in advance
> 

-- 
Jim Kaufman
Linux Evangelist
public key 0x6D802619

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
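Putting the two suggestions in the reply together (look up only the one user, then rtrim the stored hash before comparing), here is an added example that is not code from either poster. It assumes the mysqli extension (PHP 5 or later) instead of the mysql_* functions used in the thread, and a `users` table with `username` and `password` (32-char md5 hex) columns; `check_login` is a name chosen for this example.

```php
<?php
// Added example (not from the thread): fetch one user's stored hash with a
// prepared statement, then compare it with the md5 of the submitted password
// after trimming any trailing whitespace or newline stored alongside the hash.

function check_login(mysqli $db, $username, $givenpassword)
{
    // Bind the username rather than interpolating it into the SQL string,
    // so quotes or other characters in the input cannot change the query.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();   // true for a row, null for no row, false on error
    $stmt->close();
    if (!$found) {
        return false;          // unknown user
    }

    // The thread's suspected cause: a trailing space or newline saved with the
    // hash makes two strings that print identically compare as unequal.
    $stored = rtrim($stored);
    $given  = md5($givenpassword);   // unsalted md5, as the thread stores it

    // Use a constant-time comparison where available (hash_equals, PHP >= 5.6).
    if (function_exists('hash_equals')) {
        return hash_equals($stored, $given);
    }
    return $stored === $given;
}

// Constructed usage (connection details are placeholders):
// $db = new mysqli('localhost', 'forum_user', 'PASSWORD', 'forum');
// if (check_login($db, $_POST['givenuser'], $_POST['givenpassword'])) {
//     print("Welcome!");
// }
```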
