Monday, 23 March 2009

Encrypting Passwords in PHP Login Script

Feb 20, in Design & Coding, by David Shaw
This tutorial is a follow-up to our PHP Login Script Tutorial. You will learn how to encrypt passwords to make your login script more secure.


To encrypt the passwords we will be using the md5() function, which turns a password of any length into a fixed-length hash string. For the purpose of this tutorial we will use the same details as we used in the PHP Login Script Tutorial.

This is the data we added to the table in the Login Script Tutorial:

INSERT INTO `members` VALUES (1, 'david', 'password');

As you can see, the password is not very secure: with one quick glance you know the user's username and password. Now, if you used the MD5() function to encrypt the password, it would look something like this:

INSERT INTO `members` VALUES (1, 'david', '5f4dcc3b5aa765d61d8327deb882cf99');

As you can see, that is not as easy to understand, and is a lot more secure.

So how do we use the MD5() function in our Login Script?

Currently our login.php file looks like this:

<?php
$host="localhost"; // Host name
$dbusername=""; // MySQL username
$dbpassword=""; // MySQL password
$db_name=""; // Database name
$tbl="members"; // Table name

// This connects to the server and then selects the members database.
mysql_connect($host, $dbusername, $dbpassword) or die("cannot connect");
mysql_select_db($db_name) or die("cannot select DB");

// Assign the username and password from the form to variables.
$username=$_POST['username'];
$password=$_POST['password'];

$sql="SELECT * FROM $tbl WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

// This counts how many rows were found; there should be no more than 1.
$count=mysql_num_rows($result);
// If the result matched $username and $password, the row count must be 1.

if($count==1){
// Register $username and $password in the session and send the user to "login_success.php".
// session_start() must run before any output is sent. session_register() was
// deprecated in PHP 5.3 and removed in PHP 5.4, where $_SESSION is used instead.
session_start();
session_register("username");
session_register("password");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

To convert this code to accept MD5 encrypted passwords we need to add one extra line of code and edit the SQL query.

When we get the password from the form we store it in a variable. We now need to take this variable and encrypt its contents using the MD5() function, which we can do with the line below:

$encrypted_password=md5($password);

We now need to change the SQL query so that it searches the database for the encrypted password. We need to change it from:

$sql="SELECT * FROM $tbl WHERE username='$username' and password='$password'";

to the following:

$sql="SELECT * FROM $tbl WHERE username='$username' and password='$encrypted_password'";

So there you have it: you can now use encrypted passwords in your login script. The new code in full for your login.php file is:

<?php
$host="localhost"; // Host name
$dbusername=""; // MySQL username
$dbpassword=""; // MySQL password
$db_name=""; // Database name
$tbl="members"; // Table name

// This connects to the server and then selects the members database.
mysql_connect($host, $dbusername, $dbpassword) or die("cannot connect");
mysql_select_db($db_name) or die("cannot select DB");

// Assign the username and password from the form to variables.
$username=$_POST['username'];
$password=$_POST['password'];
// Hash the submitted password so it can be compared with the stored MD5 hash.
$encrypted_password=md5($password);

$sql="SELECT * FROM $tbl WHERE username='$username' and password='$encrypted_password'";
$result=mysql_query($sql);

// This counts how many rows were found; there should be no more than 1.
$count=mysql_num_rows($result);
// If the result matched $username and $encrypted_password, the row count must be 1.

if($count==1){
// Register $username and $password in the session and send the user to "login_success.php".
// session_start() must run before any output is sent. session_register() was
// deprecated in PHP 5.3 and removed in PHP 5.4, where $_SESSION is used instead.
session_start();
session_register("username");
session_register("password");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

Please remember that in order for this to work you need to encrypt the user's password when you add it to the database at registration time.
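As an added example (not the tutorial's own code), here is the same register-and-login flow written with PHP's built-in password_hash()/password_verify() and a PDO prepared statement. It addresses two weaknesses in the script above: the form fields are pasted straight into the SQL text, and an unsalted MD5 gives every user who picks the same password the same stored value. It assumes PHP 7 or later, a `members` table with `username` and `password` columns, and placeholder connection details.

```php
<?php
// Added example, not from the original tutorial. Assumes PHP >= 7, PDO with the
// MySQL driver, and a `members` table whose `password` column is wide enough
// (255 chars is safe) to hold a password_hash() string.

// Registration: store a salted, deliberately slow hash instead of md5($password).
function register_user(PDO $db, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);   // salt is generated per call
    $stmt = $db->prepare('INSERT INTO members (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Login: look the user up by username only, then check the password in PHP.
// The form values are bound as parameters, never spliced into the query string,
// so quote characters in them cannot change what the query does.
function login_user(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;                                     // unknown user or wrong password
    }
    // If PHP's default algorithm or cost has moved on since this hash was written,
    // re-hash now while the plaintext is available.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE members SET password = :p WHERE username = :u');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

// Usage, mirroring login.php (connection details are placeholders).
$db = new PDO('mysql:host=localhost;dbname=DB_NAME_HERE;charset=utf8mb4',
              'DB_USER_HERE', 'DB_PASS_HERE',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
session_start();                                          // before any output
if (login_user($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    session_regenerate_id(true);                          // fresh session id after login
    $_SESSION['username'] = $_POST['username'];           // store the username, never the password
    header('Location: login_success.php');
    exit;
}
echo 'Wrong Username or Password';
```

The stored value then differs for every registration even when two users choose the same password, and the cost factor makes bulk guessing against a leaked table far slower than it is for MD5.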

We will be adding a Register Script Tutorial later this week, so sign up to the RSS Feed to be notified when it is published.

Any comments can be posted below.
