Whirlpool / PHP
#1

I'm beginning to make a UCP but getting stuck on the login page. I am using MySQL and Whirlpool to hash passwords, though I am not sure how to log in. I've tried putting this line in a few places.

Code:
<?php 

include("config.php"); //including our config.php where is connecting to mysql... 
session_start(); //starting session for profile.php (Dunno how to explain better) look little down 
error_reporting(0); //without this we will always get some stupid notice that variable isn't defined.... 

$submit = $_POST['submit']; //variable for submit button, in this variable we save button that player press in <input type='submit' name="submit" value='Login' />.... 
$username = sanitize($_POST['username']); //variable for username, in this variable we save text that user type in <input type="text" name="username".... 
$password = sanitize($_POST['password']); //variable for password, in this variable we save text that user type in <input type="password" name="password".... 
$pass = hash('whirpool', $_POST['password']);
if($submit) //if he press submit button 
{     
    if($username && $password) //if he type both of username and password not just one of them 
    { 
        $query = mysql_query("SELECT Username, Password FROM accounts WHERE Username = '$username'"); //selecting user name and password, change it to your field names,  change users to your table name, $username means username that he type... 
        if(mysql_num_rows($query) == 1) //if user exists 
        { 
            while($row = mysql_fetch_assoc($query)) //loop through table that we select in mysql_query 
            { 
                $dbusername = $row['Username']; //setting dbusername as variable from table, change 'username' to your field! 
                $dbpassword = $row['Password']; //setting dbpassword as variable from table, change 'password' to your field! 
            } 
            if($username == $dbusername && $pass == $dbpassword) //if username is same as one from table and if password is the same as one from table... 
            { 
                $_SESSION['username'] = $dbusername; //setting session username to one from table, this is useful if you login, that restart your browser and than you go in url where is your profile.php... Anyway this is useful :D 
                echo header('location: profile.php'); //redirecting user to his profile page (profile.php) 
            } 
            else echo "Wrong password!"; //else if user type wrong password he will get this... 
        } 
        else echo "Username doesn't exist!"; //if username doesn't exist in table user will get this 
    } 
    else echo "Type name and password!"; //else if user doesn't type all fields he will get this... 
} 

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Basic UCP</title>
<form action='login.php' method='POST'> 
<input type="text" name="username" value='<?php echo $username?>'/> 
<input type="password" name="password"/> 
<input type='submit' name="submit" value='Login' /> 
</form>
</head>
</html>
Reply
#2

Anyone able to help?
Reply
#3

use strcasecmp or just strtoupper or strtolower

strcasecmp :
pawn Code:
if($username == $dbusername && strcasecmp($pass, $dbpassword) == 0) //if username is same as one from table and if password is the same as one from table...
{
    $_SESSION['username'] = $dbusername; //setting session username to one from table, this is useful if you login, that restart your browser and than you go in url where is your profile.php... Anyway this is useful :D
    echo header('location: profile.php'); //redirecting user to his profile page (profile.php)
}
strtoupper :
pawn Code:
if($username == $dbusername && strtoupper($pass) == $dbpassword) //if username is same as one from table and if password is the same as one from table...
{
    $_SESSION['username'] = $dbusername; //setting session username to one from table, this is useful if you login, that restart your browser and than you go in url where is your profile.php... Anyway this is useful :D
    echo header('location: profile.php'); //redirecting user to his profile page (profile.php)
}
strtolower
pawn Code:
if($username == $dbusername && $pass == strtolower($dbpassword)) //if username is same as one from table and if password is the same as one from table...
{
    $_SESSION['username'] = $dbusername; //setting session username to one from table, this is useful if you login, that restart your browser and than you go in url where is your profile.php... Anyway this is useful :D
    echo header('location: profile.php'); //redirecting user to his profile page (profile.php)
}
Btw, $username == $dbusername is useless
Reply
#4

You need to know which hash is used to hash the password in the MySQL database (MD5, SHA1, etc.)

and then use the hash function to hash the password that the user typed and compare it to the password in the database.
Reply
#5

This may help you:
PHP Code:
$myHash = hash('whirlpool', "password here."); //Hashes the second param and stores it in myHash. 
Meaning that code will be:
PHP Code:
<?php 
include("config.php"); //including our config.php where is connecting to mysql... 
session_start(); //starting session for profile.php (Dunno how to explain better) look little down 
error_reporting(0); //without this we will always get some stupid notice that variable isn't defined.... 
$submit = $_POST['submit']; //variable for submit button, in this variable we save button that player press in <input type='submit' name="submit" value='Login' />.... 
$username = sanitize($_POST['username']); //variable for username, in this variable we save text that user type in <input type="text" name="username".... 
$password = sanitize($_POST['password']); //variable for password, in this variable we save text that user type in <input type="password" name="password".... 
$pass = hash('whirpool', $_POST['password']);
if($submit) //if he press submit button 
{     
    if($username && $password) //if he type both of username and password not just one of them 
    { 
        $query = mysql_query("SELECT Username, Password FROM accounts WHERE Username = '$username'"); //selecting user name and password, change it to your field names,  change users to your table name, $username means username that he type... 
        if(mysql_num_rows($query) == 1) //if user exists 
        { 
            while($row = mysql_fetch_assoc($query)) //loop through table that we select in mysql_query 
            { 
                $dbusername = $row['Username']; //setting dbusername as variable from table, change 'username' to your field! 
                $dbpassword = $row['Password']; //setting dbpassword as variable from table, change 'password' to your field! 
            } 
            if($username == $dbusername && hash('whirlpool', $pass) == $dbpassword) //if username is same as one from table and if password is the same as one from table... 
            { 
                $_SESSION['username'] = $dbusername; //setting session username to one from table, this is useful if you login, that restart your browser and than you go in url where is your profile.php... Anyway this is useful :D 
                echo header('location: profile.php'); //redirecting user to his profile page (profile.php) 
            } 
            else echo "Wrong password!"; //else if user type wrong password he will get this... 
        } 
        else echo "Username doesn't exist!"; //if username doesn't exist in table user will get this 
    } 
    else echo "Type name and password!"; //else if user doesn't type all fields he will get this... 
} 

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Basic UCP</title>
<form action='login.php' method='POST'> 
<input type="text" name="username" value='<?php echo $username?>'/> 
<input type="password" name="password"/> 
<input type='submit' name="submit" value='Login' /> 
</form>
</head>
</html>
Reply
#6

Quote:
Originally Posted by acade
I'm beginning to make a UCP
From a tutorial created 5 years ago? The 'mysql' module is deprecated. Use either mysqli or PDO.

You should also just check the username/password combination directly. By first checking if the user exists you give a possible attacker useful information. If nothing is found simply return a generic "username and password combination is incorrect" message. Much more secure and less work for you.

i.e.:
PHP Code:
$mysqli->query("SELECT id FROM accounts WHERE Username = '$username' AND Password = '$pass'"); 
Then assign the retrieved 'id' to a session variable so you can use it for further queries.
Reply
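
As an added example (not code from the thread), the advice in the post above can be combined with the hash comparison discussed earlier: one bound-parameter lookup, a case-insensitive constant-time comparison of the Whirlpool hex digest, and a single generic failure message. The function name find_account, the in-memory SQLite database reached through PDO, and the sample account are assumptions made so the script runs stand-alone.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// thread; find_account(), the SQLite database and the account are constructed.

function find_account(PDO $db, string $username, string $password): ?int
{
    // hash() rejects unknown algorithm names (returns false before PHP 8,
    // throws ValueError from PHP 8), so check the spelling first.
    $algo = 'whirlpool';
    if (!in_array($algo, hash_algos(), true)) {
        throw new RuntimeException("hash algorithm '$algo' is not available");
    }
    $candidate = hash($algo, $password); // lowercase hex digest

    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, Password FROM accounts WHERE Username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: compare against a dummy digest so both failure paths do
    // the same work and give the caller the same answer.
    $stored = $row ? strtolower($row['Password']) : str_repeat('0', 128);
    $ok = hash_equals($stored, $candidate);

    return ($row && $ok) ? (int) $row['id'] : null;
}

// Constructed sample data: one account whose hash is stored in uppercase hex.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, Username TEXT UNIQUE, Password TEXT)');
$db->prepare('INSERT INTO accounts (Username, Password) VALUES (?, ?)')
   ->execute(['acade', strtoupper(hash('whirlpool', 'correct horse'))]);

$attempts = [
    ['acade', 'correct horse'],   // valid login
    ['acade', 'wrong'],           // wrong password
    ['nobody', 'correct horse'],  // unknown user
    ["o'brien", 'x'],             // quote in the name is data, not SQL
];
foreach ($attempts as [$user, $pw]) {
    $id = find_account($db, $user, $pw);
    echo $id !== null
        ? "login ok, session would store account id $id\n"
        : "Username and password combination is incorrect\n";
}
```

For accounts the site creates itself, PHP's password_hash() and password_verify() are a better fit than a bare Whirlpool digest, which is fast and unsalted.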

