Secure my login script with MD5?

TanTrazz

Hi all,

Can someone help me to secure my login script to MD5?

Here is the script:
-------------------------------------------------------
<?php
if ($Submit)
{
    mysql_connect("localhost", "root", "");
    mysql_select_db("db");

    $LoginNaam = addslashes($LoginNaam);

    $LoginPassword = addslashes($LoginPassword);

    $rsrow = mysql_query("SELECT * FROM login WHERE username = '$LoginNaam' AND password= '$LoginPassword'");

    $row = mysql_fetch_array($rsrow);

    if (mysql_num_rows($rsrow) == 1)
    {
        session_start();
        session_register("username");
        $gebruikersnaam = $LoginNaam;

        echo "login succesfull";
    }
    else
    {
        echo "User information incorrect\r\r";
    }
}
?>
---------------------------------

Thanks in Advance.

TanTrazz
 
Take all the passwords currently in your database and hash them with MD5.

Change:
$rsrow = mysql_query("SELECT * FROM login WHERE username = '$LoginNaam' AND password= '$LoginPassword'");

to:
$rsrow = mysql_query("SELECT * FROM login WHERE username = '$LoginNaam' AND password=md5('$LoginPassword')");

That should be all it takes to make this script work.

Want the best answers? Ask the best questions!

TANSTAAFL!!
 
First, it appears that you have register_globals set to on; this is a security risk in itself and should be turned off. Turning off register_globals will probably break your pages until you properly code them using the $_GET and $_POST superglobals. After that is done, you probably should use SHA1 instead of MD5, as SHA1 is just as easy to implement but a better hashing system. Your database structure would undoubtedly have to change to make the password field long enough to take the hash, as you generally don't want to keep the passwords unhashed. Then you'd merely need to compare the hashed password to the hashed password in the database by changing
Code:
$LoginPassword = addslashes($LoginPassword);
to
Code:
$LoginPassword = sha1($LoginPassword);
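
Added example, not part of any poster's reply: the steps described in this thread (read the form fields from $_POST, hash the passwords already stored, compare hashes at login) put together in one script. It swaps in PHP's built-in salted password_hash()/password_verify() (PHP 5.5+) and PDO prepared statements, neither of which is mentioned in the thread. The in-memory SQLite table stands in for the `login` table, and the row and request data are constructed.

```php
<?php
// Added example. In-memory SQLite stands in for the thread's MySQL `login` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$db->exec("INSERT INTO login VALUES ('alice', 'plaintext-pass')"); // constructed legacy row

// Step 1: one-time migration that hashes every password still stored as plaintext.
function migrate_plaintext(PDO $db): int
{
    $update = $db->prepare('UPDATE login SET password = :hash WHERE username = :user');
    $rows = $db->query('SELECT username, password FROM login')->fetchAll(PDO::FETCH_ASSOC);
    $count = 0;
    foreach ($rows as $row) {
        // password_get_info() reports an empty algo for values password_hash() did not produce
        if (!empty(password_get_info($row['password'])['algo'])) {
            continue; // already hashed, leave it alone
        }
        $update->execute([
            ':hash' => password_hash($row['password'], PASSWORD_DEFAULT),
            ':user' => $row['username'],
        ]);
        $count++;
    }
    return $count;
}

// Step 2: look the user up by name only, then compare against the stored hash in PHP.
// $post is the request data ($_POST in a real page), so register_globals is not needed.
function check_login(PDO $db, array $post): bool
{
    $user = $post['LoginNaam'] ?? '';
    $pass = $post['LoginPassword'] ?? '';
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return false;
    }
    $stmt = $db->prepare('SELECT password FROM login WHERE username = :user');
    $stmt->execute([':user' => $user]); // bound parameter, no addslashes() required
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

migrate_plaintext($db);
// Constructed request data standing in for $_POST: correct password, then a wrong one.
var_dump(check_login($db, ['LoginNaam' => 'alice', 'LoginPassword' => 'plaintext-pass']));
var_dump(check_login($db, ['LoginNaam' => 'alice', 'LoginPassword' => 'wrong-pass']));
```

The password column must be wide enough for the hash; the PHP manual recommends 255 characters for PASSWORD_DEFAULT output.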
 