Need help adding encryption to new and current users' PWs

I had a web site built and the developer didn’t add encryption to the users' passwords when they register. Could someone help me add this into the script?

Also what files will the code need to go into?

Thanks

It seems that the issue is more complicated than just simply changing one file… you may consider hiring another developer to finish the job. As sad as it is (checking someone else’s code is always a pain), you really need to make sure that everything is OK and I think this would be the best way.

Could you elaborate on this in a PM to me?

Replace

mysql_query("update tbl_user set password='$new_password' where id= '".$_SESSION['sess_uid']."'");

with

mysql_query("update tbl_user set password='".md5($new_password)."' where id= '".$_SESSION['sess_uid']."'");

Off Topic:

FYI. The code is FULL of security issues.

Wrong file. Yes, I did input message #13; it was the file profile_setting.zip. This is the one where users change their PWs.

See post #13

user_addf.php

Replace

$sql ="insert into tbl_user set membership_type='$membership_type',username='$username',email='$email',password='$password',country_id='$country',postcode='$postcode',gender='$gender',dob='$date',image='$image1',status=1,post_date=now()";

with

$sql ="insert into tbl_user set membership_type='$membership_type',username='$username',email='$email',password='".md5($password)."',country_id='$country',postcode='$postcode',gender='$gender',dob='$date',image='$image1',status=1,post_date=now()";

AND

$sql = "Update tbl_user set membership_type='$membership_type',username='$username',email='$email',password='$password',country_id='$country',postcode='$postcode',gender='$gender',dob='$date'";

with

$sql = "Update tbl_user set membership_type='$membership_type',username='$username',email='$email',password='".md5($password)."',country_id='$country',postcode='$postcode',gender='$gender',dob='$date'";

login.php (didn't I already see another login.php!?)

Replace
$sql = "select * from tbl_admin where username='$username' and password='$password'";

with

$sql = "select * from tbl_admin where username='$username' and password='".md5($password)."'";

PS. I assume the password field in tbl_user can hold at least 32 characters? Otherwise it won’t work.
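An added example, not code from any poster or from the site: the replacements in this thread store an unsalted MD5 digest, which is fast to brute-force, and build every query by interpolating variables, and none of them converts the passwords of current users that are already stored in plaintext. The sketch below uses PHP's `password_hash()`/`password_verify()` with bound parameters and a one-off migration for existing rows. The in-memory SQLite database and the sample user are constructed stand-ins (the site runs MySQL), the function names are hypothetical, and the `password` column is assumed to be widened to 255 characters, since these hashes are longer than 32.

```php
<?php
// Added example, not the site's code. PDO with an in-memory SQLite table
// stands in for the MySQL tbl_user table (assumption).

// One-off migration: hash every stored password that is still plaintext.
function migrate_plaintext_passwords(PDO $db): int
{
    $update = $db->prepare('UPDATE tbl_user SET password = ? WHERE id = ?');
    $count = 0;
    foreach ($db->query('SELECT id, password FROM tbl_user')->fetchAll() as $row) {
        // password_get_info() reports "unknown" for anything that is not
        // already a password_hash() value, so re-running is harmless.
        if (password_get_info($row['password'])['algoName'] === 'unknown') {
            $update->execute([password_hash($row['password'], PASSWORD_DEFAULT), $row['id']]);
            $count++;
        }
    }
    return $count;
}

// Login: fetch by username with a bound parameter, then compare in PHP.
function verify_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password FROM tbl_user WHERE username = ? AND status = 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch();
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    // Upgrade the stored hash when PHP's default algorithm or cost changes.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE tbl_user SET password = ? WHERE id = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

// Constructed sample data: one existing user with a plaintext password.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
$db->exec('CREATE TABLE tbl_user (id INTEGER PRIMARY KEY, username TEXT, password VARCHAR(255), status INT)');
$db->exec("INSERT INTO tbl_user (username, password, status) VALUES ('alice', 'old-plaintext', 1)");

var_dump(migrate_plaintext_passwords($db));             // rows converted
var_dump(verify_login($db, 'alice', 'old-plaintext'));  // correct password
var_dump(verify_login($db, 'alice', 'wrong-password')); // wrong password
```

The same pattern applies to registration and password-change forms: store `password_hash($password, PASSWORD_DEFAULT)` through a bound parameter instead of the raw value.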

One other file I just located would also need this.

So far everything works…

How about this file?

Apache PHP MySQL

I think the only thing that needs to be done is that the hash code be placed in the registration.php and into any other file that the hash deals with. Like in the login, profile and forgot password or anywhere that a user would change or add a password.

Yes it will hold 32, so what would the code be for the other file? user_addf.zip

This doesn’t sound like something that can be fixed by simply ALTERing a database field/table. What platform is it? Apache PHP MySQL ??

Well things are not looking good with the original developer, I even offered to pay for the work but still no communications.

login.php

Replace
"select * from tbl_user where username='$username' and password='$password' and status=1"

with

"select * from tbl_user where username='$username' and password='".md5($password)."' and status=1"

register.php

Replace

executeQuery("insert into tbl_user set membership_type='$membership_type',email='$email',username='$username',password='$password',country_id='$country',postcode='$postcode',gender='$gender',dob='$date',broadcast='$broadcast',post_date=CURDATE(),paid=0,status=0,exp_date='$dt2'");

with

executeQuery("insert into tbl_user set membership_type='$membership_type',email='$email',username='$username',password='".md5($password)."',country_id='$country',postcode='$postcode',gender='$gender',dob='$date',broadcast='$broadcast',post_date=CURDATE(),paid=0,status=0,exp_date='$dt2'");

There is another query in this file that is a bit like the query above, but it’s commented out (in a /* … */ block), so you don’t need to change it.

profile.php only displays the profile. No insert/update queries here.
There should be another PHP file where the password is changed. I couldn’t find that in any of the three files you posted.

Could you post the content of those files? Or zip them and attach them to the post?

Here are the three I think need looking at.

I’ve already tried that, no response now for over two weeks.

That’s a bummer. The problem is that each developer has his own way of setting up files, so we can not directly say you should add this and this to that and that file and all will be well with the world.
I’d suggest you contact the developer another time (calling would be preferred over e-mailing) since he’s the one who wrote the code and knows where everything is and should therefore be able to implement the changes you asked for in a matter of minutes.
If he doesn’t react again come back here and we’ll take it from there.

PS. Don’t read this as “I don’t want to help you”, but rather “I’d like to help you, but I don’t know where to begin (which files, etc), whereas the original developer would, so I suggest you try him one more time”.

Can’t you ask the original programmer to put it in there? It’s really frowned upon not to encrypt passwords and he should fix that for you for free IMHO.