32 bit password instead of 16



smithster
06-07-2007, 02:09 AM
I have a login script for a web application that I am still currently scripting. The login script looks for a 16-bit string for a password. I already have a bunch of users in my database and I just want to use their login info to save them having to sign up again. I transferred the login info table to another database but the login script when used just says invalid password.

All the passwords in the database are 32 bit. How do I set the login script to look for 32 bit passwords instead of 16 bit?

If you need me to post the script let me know.

Thanks

Smithster

Twey
06-07-2007, 10:07 AM
Of course we need you to post both scripts -- the original one and the new one.

Also, I doubt you really mean 16-bit and 32-bit passwords. In ASCII, 16 bits is two characters; 32 is four. In UTF-16, 16 bits is only one character. This is not a secure password.

smithster
06-07-2007, 02:47 PM
Well I wouldn't really have a clue as I only found out about this today when I searched for "length of encrypted passwords" because I noticed that the encryption was twice as long in the original database.

I only have the sql file and the original login script. I didn't do anything to it as I only wanted to get it working first of all.



CREATE TABLE tbl_auth_user (
    user_id VARCHAR(10) NOT NULL,
    user_password CHAR(32) NOT NULL,

    PRIMARY KEY (user_id)
);

INSERT INTO tbl_auth_user (user_id, user_password) VALUES ('someuser', PASSWORD('somepass'));


If I use the SQL to create a user then it encrypts the password to 16 characters.


<?php
// we must never forget to start the session
session_start();

$errorMessage = '';
if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {
    // first check if the number submitted is correct
    $number = isset($_POST['txtNumber']) ? $_POST['txtNumber'] : '';

    if (md5($number) == $_SESSION['image_random_value']) {
        include 'library/config.php';
        include 'library/opendb.php';

        // escape both values before they are placed in the SQL string
        // (needs the connection opened by opendb.php)
        $userId = mysql_real_escape_string($_POST['txtUserId']);
        $password = mysql_real_escape_string($_POST['txtPassword']);

        // check if the user id and password combination exist in database
        $sql = "SELECT user_id
                FROM tbl_auth_user
                WHERE user_id = '$userId' AND user_password = PASSWORD('$password')";

        $result = mysql_query($sql) or die('Query failed. ' . mysql_error());

        if (mysql_num_rows($result) == 1) {
            // the user id and password match,
            // set the session
            $_SESSION['image_is_logged_in'] = true;

            // remove the random value from session
            $_SESSION['image_random_value'] = '';

            // after login we move to the main page
            header('Location: main.php');
            exit;
        } else {
            $errorMessage = 'Sorry, wrong user id / password';
        }

        include 'library/closedb.php';
    } else {
        $errorMessage = 'Sorry, wrong number. Please try again';
    }
}
?>
<html>
<head>
<title>Basic Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<?php
if ($errorMessage != '') {
?>
<p align="center"><strong><font color="#990000"><?php echo $errorMessage; ?></font></strong></p>
<?php
}
?>
<form action="" method="post" name="frmLogin" id="frmLogin">
<table width="500" border="1" align="center" cellpadding="2" cellspacing="2">
<tr>
<td width="150">User Id</td>
<td><input name="txtUserId" type="text" id="txtUserId"></td>
</tr>
<tr>
<td width="150">Password</td>
<td><input name="txtPassword" type="password" id="txtPassword"></td>
</tr>
<tr>
<td width="150">Enter Number</td>
<td><input name="txtNumber" type="text" id="txtNumber" value="">
&nbsp;&nbsp;<img src="randomImage.php"></td>
</tr>

<tr>
<td width="150">&nbsp;</td>
<td><input name="btnLogin" type="submit" id="btnLogin" value="Login"></td>
</tr>
</table>
</form>
</body>
</html>



This is all I have really, hope it helps.

Thanks.

Twey
06-07-2007, 05:35 PM
And the other script?

smithster
06-07-2007, 09:34 PM
What other script?!?!? There is no other script!

Twey
06-08-2007, 01:22 PM
The script that generated the passwords originally.
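
The 16-versus-32-character mismatch discussed in this thread, as an added example that is not part of any post: it guesses the hashing scheme from the shape of the stored value, verifies a login against it, and returns a password_hash() value to store in its place. Assumptions: a 32-hex-character value is an unsalted md5() of the password (the thread never shows the script that generated them), the function names classify_stored_hash and verify_login are hypothetical, and the sample rows are constructed.

```php
<?php
// Added example (not from the thread). Function names are hypothetical.
// Guess the scheme of a stored password hash from its shape.
function classify_stored_hash(string $stored): string
{
    if (!empty(password_get_info($stored)['algo'])) return 'modern';
    if (preg_match('/^\*[0-9A-Fa-f]{40}$/', $stored)) return 'mysql41';   // MySQL 4.1+ PASSWORD()
    if (preg_match('/^[0-9A-Fa-f]{16}$/', $stored))   return 'mysql_old'; // pre-4.1 PASSWORD()
    if (preg_match('/^[0-9A-Fa-f]{32}$/', $stored))   return 'md5_hex';   // ASSUMPTION: unsalted md5()
    return 'unknown';
}

// Returns ['ok' => bool, 'new_hash' => string|null]. When new_hash is set,
// store it in place of the old value; the column must be wider than the
// thread's CHAR(32) (VARCHAR(255) is the usual choice for password_hash()).
function verify_login(string $password, string $stored): array
{
    switch (classify_stored_hash($stored)) {
        case 'modern':
            $ok = password_verify($password, $stored);
            $upgrade = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
            break;
        case 'md5_hex':
            $ok = hash_equals(strtolower($stored), md5($password));
            $upgrade = $ok;
            break;
        case 'mysql41': // '*' followed by uppercase hex of SHA1(SHA1(password))
            $ok = hash_equals(strtoupper($stored), '*' . strtoupper(sha1(sha1($password, true))));
            $upgrade = $ok;
            break;
        default: // 'mysql_old' or 'unknown': not checkable here, force a password reset
            return ['ok' => false, 'new_hash' => null];
    }
    return ['ok' => $ok, 'new_hash' => $upgrade ? password_hash($password, PASSWORD_DEFAULT) : null];
}

// Constructed sample rows, one per scheme.
$rows = [
    'md5_user'     => md5('somepass'),
    'mysql41_user' => '*' . strtoupper(sha1(sha1('somepass', true))),
    'old_user'     => '0123456789abcdef', // only the 16-char shape, not a real hash
    'modern_user'  => password_hash('somepass', PASSWORD_DEFAULT),
];
foreach ($rows as $user => $stored) {
    $r = verify_login('somepass', $stored);
    printf("%-13s scheme=%-9s ok=%-3s upgrade=%s\n", $user, classify_stored_hash($stored),
        $r['ok'] ? 'yes' : 'no', $r['new_hash'] !== null ? 'yes' : 'no');
}
```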