Hi mates,

I'm looking for some help and kind attention here.

I bought a PHP script many years ago and now there is no support anymore... I just want to add md5 to the password field.

Here is my form:

<?php
$SQL = "SELECT * from USERS WHERE USERNAME = '$_SESSION[username]'";
$result = @mysql_query( $SQL );
$row = @mysql_fetch_array( $result );

include 'menu.php';
?>
<FORM METHOD="post" ACTION="?page=query_client">
 <INPUT TYPE="hidden" NAME="controller" VALUE="USERS~update~account_details&up=1~<?php echo $row['ID']; ?>">

 <TABLE CLASS="basictable">
  <TR> 
   <TD CLASS="tdmenu"  WIDTH="40%">Username</TD>
   <TD CLASS="tdmenu"  WIDTH="60%"> 
    <b><?php echo $row['USERNAME']; ?></b>
   </TD>
  </TR>
  <TR> 
   <TD CLASS="tdmenu"  WIDTH="40%">Password *</TD>
   <TD CLASS="tdmenu"  WIDTH="60%"> 
    <INPUT TYPE="PASSWORD" NAME="PASSWORD" SIZE="40" VALUE="<?php echo $row['PASSWORD']; ?>">
   </TD>
  </TR>
  <TR> 
   <TD CLASS="tdmenu"  WIDTH="40%">Email Address *</TD>
   <TD CLASS="tdmenu"  WIDTH="60%"> 
    <INPUT TYPE="text" NAME="EMAIL" SIZE="40" VALUE="<?php echo $row['EMAIL']; ?>">
   </TD>
  </TR>
  <TR> 
   <TD CLASS="tdmenu"  WIDTH="40%">Full Name *</TD>
   <TD CLASS="tdmenu"  WIDTH="60%"> 
    <INPUT TYPE="text" NAME="FULLNAME" SIZE="40" VALUE="<?php echo $row['FULLNAME']; ?>">
   </TD>
  </TR>
  <TR> 
   <TD CLASS="tdmenu"  WIDTH="40%">Address *</TD>
   <TD CLASS="tdmenu"  WIDTH="60%"> 
    <INPUT TYPE="text" NAME="ADDRESS1" SIZE="40" VALUE="<?php echo $row['ADDRESS1']; ?>">
   </TD>
  </TR>
 </TABLE>
 <BR>
 <TABLE CLASS="basictable">
  <TR> 
   <TD CLASS="tdhead2" > 
    <DIV ALIGN="CENTER"><B> 
     <INPUT TYPE="submit" NAME="Submit" VALUE="Submit">
     </B></DIV>
   </TD>
  </TR>
 </TABLE>
</FORM>

And the script itself, query_client.php, looks like this inside:

<?PHP
@session_start();

$controller = $_POST['controller'];
$pieces = explode("~", $controller);
$table = $pieces[0];
$qt =  $pieces[1];
$return =  $pieces[2];
$id =  $pieces[3];
$hack =  $pieces[4];

if ($qt == 'insert') $qt = 'INSERT INTO';
if ($qt == 'update') { $qt = 'UPDATE'; $end = "WHERE ID = '$id'"; }
$pre = array_keys( $_POST );

mysql_query ("CREATE TABLE IF NOT EXISTS `$table` (`ID` INT NOT NULL AUTO_INCREMENT , PRIMARY KEY ( `id` ) )");

$count = count($pre); $count = $count - 2;
$sql = "$qt $table SET";
for ($i=0; $i < $count; $i++)
{
$x=$i+1;
$y = $_POST[$pre[$x]];
$d = $y;
mysql_query ("ALTER TABLE `$table` ADD `$pre[$x]` TEXT NOT NULL");
$sql .= " `$pre[$x]` = '$d',";
}
$sql .= " ID = '$id' $end";
$query = mysql_query($sql) or die("$sql_error" . mysql_error());

if (empty($hack)) { } else {
$pieces = explode("/", $hack);
$h0 = $pieces[0];
$h1 = $pieces[1];
$h2 = $pieces[2];
$h3 = $pieces[3];
$h4 = $pieces[4];
$h5 = $pieces[5];

mysql_query ("ALTER TABLE `$table` $h0 $h1 $h2 $h3 $h4 $h5");
$query = mysql_query($sql) or die("$sql_error" . mysql_error());
}

if (isset($_GET['inc'])) include "$_GET[inc].php";

?>

So please help me: how do I add md5 to the PASSWORD field? Thanks in advance.

+2  A: 

Best to use a salt also - hashing and verification should be done at the server - see secure hash and salt for PHP

Some links on writing secure code:

bignum
OK, just please help me with how to do this. Any sample related to my script above?
jones
@jones: I think the prudent thing to do would be to follow the advice of comments to your post i.e., rewrite it securely. I've added some additional links that may be of use in doing this.
bignum
@ biffabacon, nice suggestion mate, thanks a lot
jones
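
As an added illustration (not part of the answer or of the original script), here is one way to do the salted, server-side hashing and verification the answer recommends, using PHP's `password_hash()`/`password_verify()` in place of md5 and a PDO prepared statement in place of the string-built UPDATE. The function names, the `EDITABLE` allow-list, and the in-memory SQLite database with its sample row are assumptions made for the example; the column names are the ones in the form above.

```php
<?php
// Added example, not the original script: salted server-side hashing for the
// USERS account update. In-memory SQLite stands in for the MySQL database.
declare(strict_types=1);

// Only these columns (taken from the form above) may be written by the client.
const EDITABLE = ['PASSWORD', 'EMAIL', 'FULLNAME', 'ADDRESS1'];

// $id should come from the server-side session, not from a hidden form field.
function updateAccount(PDO $db, int $id, array $post): void
{
    $fields = array_filter(array_intersect_key($post, array_flip(EDITABLE)), 'is_string');
    // An empty password field means "keep the current password".
    if (($fields['PASSWORD'] ?? '') === '') {
        unset($fields['PASSWORD']);
    } else {
        // password_hash() generates a random salt and stores it inside the hash.
        $fields['PASSWORD'] = password_hash($fields['PASSWORD'], PASSWORD_DEFAULT);
    }
    if ($fields === []) {
        return;
    }
    // Column names come from the allow-list; values are bound, never interpolated.
    $set = implode(', ', array_map(fn($c) => "$c = :$c", array_keys($fields)));
    $stmt = $db->prepare("UPDATE USERS SET $set WHERE ID = :id");
    $stmt->execute($fields + ['id' => $id]);
}

function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT PASSWORD FROM USERS WHERE USERNAME = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // Verification happens on the server against the stored salted hash.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE USERS (ID INTEGER PRIMARY KEY, USERNAME TEXT, PASSWORD TEXT,
           EMAIL TEXT, FULLNAME TEXT, ADDRESS1 TEXT)');
$db->exec("INSERT INTO USERS (ID, USERNAME, PASSWORD) VALUES (1, 'alice', '')");

// The 'hack' key is not on the allow-list, so it never reaches the SQL.
updateAccount($db, 1, ['PASSWORD' => 'correct horse', 'EMAIL' => 'a@example.test', 'hack' => 'x']);
var_dump(checkLogin($db, 'alice', 'correct horse'));
var_dump(checkLogin($db, 'alice', 'wrong guess'));
```

With this in place the password input in the form would be rendered empty rather than echoing `$row['PASSWORD']`, since the stored value is a hash and not something the user can edit.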