News:

Wondering if this will always be free?  See why free is better.

Main Menu

PHP and passwords

Started by lather, June 14, 2022, 04:41:25 PM

Previous topic - Next topic

lather

I am converting an online app I coded 10 years ago using Access and Active Server Pages. I am converting to MySQL and PHP, learning as I go along. I have about 50 users that I migrated from Access to MySQL. The old passwords work and updating is functional. But when I register a new test user the test user's password is changed to "my_password". I am reading now about password hashing which I had never heard of before now although I was aware that the password in my SMF database are encrypted. But I am wondering how and why my test passwords are all getting changed to "my_password".

Oldiesmann

It's hard to say what could be causing that without seeing the code you're using.
Michael Eshom
Christian Metal Fans

lather

Thanks for the reply. I am on a road trip now. Will post code when I get back.

lather

OK. Back from a two week 3200 mile motorcycle trip. I caught covid on the second to last day of the trip, lucky to be able to get home on my own!

Trying to figure out how my code to register a new user to my mileage logging app results in a password of "my_password" stored in the mysql database instead of the actual text entered in the html form.
Here is my code for adding the new record.
// prepare and bind
$stmt = $conn->prepare("INSERT INTO riders (ridername, lifemiles, password, email, fname, lname, dob, state, country, clubname, category, bike1, bike2, previousyear, lastupdate, logupdate, remind) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,?)");
$stmt->bind_param("sisssssssssssiiss", $rider, $lifemiles, $password, $email,$fname, $lname, $dob, $state, $country, $clubname, $category, $bike1, $bike2, $previousyear, $lastupdate, $logupdate, $remind);
$stmt->execute();

//$stmt = $conn->prepare("INSERT INTO riders (ridername,  remind) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,?)");
$stmt2 = $conn->prepare("INSERT INTO RiderMiles (ridername) VALUES(?)");
$stmt2->bind_param("s", $rider);
$stmt2->execute();


Thanks in advance for any help

SpacePhoenix

Quick question, is the password being stored in plain text form?

lather

Quote from: SpacePhoenix on July 05, 2022, 01:53:52 AMQuick question, is the password being stored in plain text form?
Yes. Looking at the fields in phpMyAdmin it is a plain text "my_password".
Whereas when I look at the password field in the smf members table the passwords are encrypted

Arantor

So what exactly are you trying to do? SMF passes the username and password to a hash function and inserts the result in the database. There's no magic about how this happens - take a look in Subs-Members.PHP, in registerMember().

The username/passwords are then hashed again during login to verify that what the result of the hash is, is what is in the database (see Login2() in LogInOut.PHP)

lather

I am just trying to register a new member. I am passing new user input info from an html form, including an html password field which html displays as ******, to a php script that updates the mysql database.
The only problem is that instead of the password the registrant enters I get "my_password".

I understand I need to rewrite my code and use the hashing technique and I will look at Subs-Members.PHP for guidance, thanks!

But I am wondering what magic is changing the entered password text to "my_passord.


Thanks again.

Arantor

No magic. The password is not reverse engineered in SMF.

What is stored is the encrypted form and the nature of the form is that you *cannot* reverse engineer it. The comparison is between "database has the encrypted form" and "the user has entered the username and password and we'll do the encryption on that"

As for getting "my password", a password field in HTML literally is a text box that displays the content as * or dots, but when the form is submitted, the content is passed like any other input.

Advertisement: