
hashing a login password



#1 Hostile


Posted 12 May 2009 - 04:56 AM

I looked over my old db and login and can't figure out how I hashed the entry for the password. Remember I'm starting php coding after a few years.

I am creating an admin login. So I need a username and a hashed password. There will only be one user. I have an old script that allowed the admin to create users and add passwords. These passwords wrote to the db in a hashed form.

<?php
session_start(); 

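// Only a logged-in admin may see this page
if (!isset($_SESSION['valid']) || $_SESSION['valid'] != 'yes') {
header('Location: adminlogin.php');
exit; // stop here, otherwise the rest of the page still runs for visitors who are not logged in
}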

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Atlas Nation-State RPG System</title>
<link href="common/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<?php @include ("http://www.revora.net/events.php"); ?>
<div id="wrapper">
<?php @include ("http://abzo.net/atlas/common/topnav.php"); ?>
	<div id="maintop"></div>
	<div id="maintile">
		<div id="maintilenormal"><br /><h1>Add a New Nation</h1>
		
		
			<form method="post"  action="do_addnation.php">
			
			<fieldset>
			<legend>Nation/Password:</legend>
			
			<p><strong>Nation Name:</strong><br />
			<input type="text" name="nation" size=25 maxlength=25></p>
			
			<p><strong>Password:</strong><br />
			<input type="password" name="password" size=25 maxlength=25></p>
			</fieldset><br />
			
			<fieldset>
			<legend>Map Location/Tech Level:</legend>
			
			<p><strong>Map Location:</strong><br />
			<input type="text" name="maplocation" size=25 maxlength=25><br />
			This marks the map location, usually denoted by a number on the world map. This number must
			be unique or it will cause an error in the database.</p>		
			
			<p><strong>Technology Level:</strong><br />
			<select name="tech" >
				<option value="1" selected="selected">1</option>
				<option value="2">2</option>
				<option value="3">3</option>
			</select><br />
			Starting players should have a level one tech level and superpowers should be level two. This tech level determines what units and upgrades are
			 available to the player from the start of the game.</p>
			</fieldset><br />		
			
			<fieldset>
			<legend>Economic Resources:</legend>
			
			<p><strong>Starting RP:</strong><br />
			<input type="text" name="rp" size=25 maxlength=25 value="100"><br />
			This is the number of Resource Points this nation will start the game with.</p>
			
			<p><strong>Base RP:</strong><br />
			<input type="text" name="rpbase" size=25 maxlength=25 value="5"><br />
			This is the number of Resource Points this nation will use for determining each days points. This is a core element. 
			By changing this number for some and not for all nations will mean some nations make more Resource Points than others. Use this with discretion.</p>
			
			<p><strong>Modifier RP:</strong><br />
			<select name="rpmodifier" >
				<option value=".5">.5</option>
				<option value=".75">.75</option>
				<option value="1.0" selected="selected">1.0</option>
				<option value="1.25">1.25</option>
				<option value="1.50">1.50</option>
			</select><br />
			This is a modifier that this nation will use when calculating how many RPs this nation gets per day. If you are not sure what this means, just use default.</p>
			</fieldset><br />
			
			<fieldset>
			<legend>Science Resources:</legend>
			
			<p><strong>Starting SP:</strong><br />
			<input type="text" name="sp" size=25 maxlength=25 value="25"><br />
			This is the number of Science Points this nation will start the game with.</p>
			
			<p><strong>Base SP:</strong><br />
			<input type="text" name="spbase" size=25 maxlength=25 value="5"><br />
			This is the number of Science Points this nation will use for determining each days points. This is a core element. 
			By changing this number for some and not for all nations will mean some nations make more Science Points than others. Use this with discretion.</p>
			
			<p><strong>Modifier SP:</strong><br />
			<select name="spmodifier" >
				<option value=".5">.5</option>
				<option value=".75">.75</option>
				<option value="1.0" selected="selected">1.0</option>
				<option value="1.25">1.25</option>
				<option value="1.50">1.50</option>
			</select><br />
			This is a modifier that this nation will use when calculating how many SPs this nation gets per day. If you are not sure what this means, just use default.
			</p></fieldset>
			
			<input type="hidden" name="government" value="">
			<input type="hidden" name="capital" value="">
			<input type="hidden" name="map" value="">
			<input type="hidden" name="flag" value="">
			<input type="hidden" name="history" value="">
			<input type="hidden" name="politics" value="">
			<input type="hidden" name="economy" value="">
			<input type="hidden" name="geography" value="">
			<input type="hidden" name="military" value="">
			
			<p><input type="submit" name="submit" value="Create Nation" />&nbsp;&nbsp;<a href="do_authadmin.php" target="_self">Return to Admin Panel</a></p><br />
			
			</form>
		</div>
	</div>
	<div id="mainbottom"></div>

</div>

</body>
</html>

See the adding password part is simply text. The actual writing record script is:

<?php
session_start(); 

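// Only a logged-in admin may write a new record
if (!isset($_SESSION['valid']) || $_SESSION['valid'] != 'yes') {
header('Location: adminlogin.php');
exit; // stop here, otherwise the INSERT below still runs for visitors who are not logged in
}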

$db_name = "XXX_";
$table_name = "users";

// mysqli replaces the mysql_* functions, which were removed in PHP 7
$connection = mysqli_connect("localhost", "XXX", "XXX", $db_name)
	or die(mysqli_connect_error());

// Form fields in column order; a field the form did not send is stored as an empty string
$fields = array('nation', 'password', 'maplocation', 'government', 'population', 'tech', 'rp',
	'rpbase', 'rpmodifier', 'sp', 'spbase', 'spmodifier', 'capital', 'map', 'flag', 'history',
	'politics', 'economy', 'geography', 'social', 'military');
$values = array();
foreach ($fields as $field) {
	$values[] = isset($_POST[$field]) ? (string) $_POST[$field] : '';
}

// Each ? is bound to a form value, so input can no longer change the SQL itself.
// PASSWORD(?) is the hashing part: MySQL hashes the submitted password before storing it.
$sql = "INSERT INTO $table_name
(id, nation, password, maplocation, government, population, tech, rp, rpbase, rpmodifier, sp,
spbase, spmodifier, capital, map, flag, history, politics, economy, geography, social, military)
VALUES ('', ?, PASSWORD(?), ?, ?,
?, ?, ?, ?, ?,
?, ?, ?, ?, ?,
?, ?, ?, ?, ?,
?, ?)";

$stmt = mysqli_prepare($connection, $sql) or die(mysqli_error($connection));
mysqli_stmt_bind_param($stmt, str_repeat('s', count($values)), ...$values);
$result = mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Atlas Nation-State RPG System</title>
<link href="common/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<?php @include ("http://www.revora.net/events.php"); ?>
<div id="wrapper">
<?php @include ("http://abzo.net/atlas/common/topnav.php"); ?>
	<div id="maintop"></div>
	<div id="maintile">
		<div id="maintilenormal"><br /><h1>Add a New Nation</h1>
		
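			<?php /* Form values are HTML-escaped before output; the charset matches the page's meta tag */ ?>
			<P><h2><?php echo htmlspecialchars($_POST['nation'], ENT_QUOTES, 'ISO-8859-1'); ?></h2></P>
			
			<fieldset>
			<legend>Map Location/Tech Level:</legend>
			
			<p><strong>Map Location:</strong><br />
			<?php echo htmlspecialchars($_POST['maplocation'], ENT_QUOTES, 'ISO-8859-1'); ?><br /></p>		
			
			<p><strong>Technology Level:</strong><br />
			<?php echo htmlspecialchars($_POST['tech'], ENT_QUOTES, 'ISO-8859-1'); ?><br /></p>
			</fieldset><br />		
			
			<fieldset>
			<legend>Economic Resources:</legend>
			
			<p><strong>Starting RP:</strong><br />
			<?php echo htmlspecialchars($_POST['rp'], ENT_QUOTES, 'ISO-8859-1'); ?><br /></p>
			
			<p><strong>Base RP:</strong><br />
			<?php echo htmlspecialchars($_POST['rpbase'], ENT_QUOTES, 'ISO-8859-1'); ?><br /></p>
			
			<p><strong>Modifier RP:</strong><br />
			<?php echo htmlspecialchars($_POST['rpmodifier'], ENT_QUOTES, 'ISO-8859-1'); ?><br /></p>
			</fieldset><br />
			
			<fieldset>
			<legend>Science Resources:</legend>
			
			<p><strong>Starting SP:</strong><br />
			<?php echo htmlspecialchars($_POST['sp'], ENT_QUOTES, 'ISO-8859-1'); ?><br /></p>
			
			<p><strong>Base SP:</strong><br />
			<?php echo htmlspecialchars($_POST['spbase'], ENT_QUOTES, 'ISO-8859-1'); ?><br /></p>
			
			<p><strong>Modifier SP:</strong><br />
			<?php echo htmlspecialchars($_POST['spmodifier'], ENT_QUOTES, 'ISO-8859-1'); ?><br /></p>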
			</fieldset>
			
			<p><a href="do_authadmin.php" target="_self">Return to Admin Panel</a></p><br />
						
		</div>
	</div>
	<div id="mainbottom"></div>

</div>

</body>
</html>

PASSWORD('{$_POST['password']}') appears to be the hashing part. Do I have to actually write a temporary unprotected page to add an admin login with a hashed password or can I insert it directly in Myphp or what?

I can't remember how I did it in the first place...

Also, does this page help in making it really secure and if it does how do I implement it?
http://www.sajithmr....k-the-password/

#2 Phil


Posted 12 May 2009 - 06:12 AM

You can add it to the database without an initial unprotected page. If using your old script it's even easier to do because you relied on MySQL's hashing function ("PASSWORD(....)") instead of PHP's. If you log in to phpMyAdmin and insert a row into the user table, there should be a function dropdown in which you can find PASSWORD (in front of the password input field).

For your uses MySQL's hashing might be enough. If you really want to focus on security, pick one of PHP's hash() function algorithms, for example SHA-256. These functions are dependent on the PHP installation though, so they might not work everywhere.

The article raises a good point on salting and secret salts. In terms of encryption, it's probably the most you can do (obviously the rest of the system still needs to be secure). Depending on if you want to use MySQL or PHP for the hashing, the actual code will look a little different. Once you have decided I can show you how to implement it.


Herr Dschin had seven elephants
And then there was the eighth.
Seven were wild and the eighth was tame
And it was the eighth that guarded them.
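
As an added example (not code from the thread or from the article it links to): one way to create and check the single admin login in PHP with a per-password salt plus the "secret salt" mentioned in the reply above. It uses PHP's password_hash()/password_verify() rather than MySQL's PASSWORD() or a bare SHA-256 hash; the in-memory SQLite table, the PEPPER value and the function names are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5.6+ with pdo_sqlite;
// an in-memory SQLite table stands in for the MySQL `users` table.

// Constructed "secret salt" (pepper). In a real deployment it lives in a config
// file outside the web root, never in the database.
const PEPPER = 'constructed-example-pepper-change-me';

// HMAC-SHA-256 mixes in the pepper; the 64-character hex result stays under
// bcrypt's 72-byte input limit.
function pepper($plaintext)
{
    return hash_hmac('sha256', $plaintext, PEPPER);
}

// Create the admin row directly (e.g. run once from the command line),
// so no temporary unprotected web page is needed.
function create_admin(PDO $db, $name, $plaintext)
{
    // password_hash() generates a random salt per password and embeds it,
    // with the algorithm and cost, in the string it returns.
    $hash = password_hash(pepper($plaintext), PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (nation, password) VALUES (?, ?)');
    $stmt->execute(array($name, $hash));
}

// Returns true only when the name exists and the password matches.
function check_login(PDO $db, $name, $plaintext)
{
    $stmt = $db->prepare('SELECT password FROM users WHERE nation = ?');
    $stmt->execute(array($name));
    $stored = $stmt->fetchColumn();
    // password_verify() re-reads salt and cost from the stored string and
    // compares in constant time.
    return $stored !== false && password_verify(pepper($plaintext), $stored);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, nation TEXT UNIQUE, password TEXT)');

create_admin($db, 'admin', 'constructed sample passphrase');
var_dump(check_login($db, 'admin', 'constructed sample passphrase')); // correct password
var_dump(check_login($db, 'admin', 'wrong guess'));                   // wrong password
var_dump(check_login($db, "admin' OR '1'='1", 'x'));                  // quote is bound as data
```

Because the salt is stored inside each hash, two accounts with the same password get different values in the `password` column, and a copy of the database alone does not include the pepper.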


#3 Hostile


Posted 13 May 2009 - 02:40 AM

Inserting the PASSWORD was what I needed to know. For what I'm doing that should be enough. But knowing what you told me I also was able to fix my login into my old ATLAS system as well. Thanks...



