PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
For some reason or another I get a blank screen for the output of this code....I'm having trouble trying to figure out why it won't at least give me an error...where am I screwing up here?
Try adding a value in place of $_SESSION['logname'] that you know to be in the customer table in your database. Maybe the sessions() aren't working? I'm also not sure if you need an extra doDB(); right above your $sql statement.
Also, view the source of your page and see if it's even printing the <html><head............. stuff.
This looks like it was a part of a function to do a query, and you copy/pasted it in your code. I suggest you keep the function
Yes...it was part of the code I'm using for another project...I didn't see a reason to rewrite it at the time, however maybe I should since I'm getting nowhere with this....I'm not sure why my session would die though if it's live and all I'm doing is going to this page via link....and if the session was dead it would give me an error saying that it's undefined...but it's not...hmm, still confused...I'll do a rewrite and post back
<?php
session_start();
error_reporting(E_ALL);
ini_set('display_errors', 1);

// Connect to MySQL and select the database (legacy mysql_* API, removed in PHP 7).
function doDB()
{
    $conn = mysql_connect("somehost", "Hellz", "Yeah!!!") or die(mysql_error());
    mysql_select_db("customerdirectory", $conn) or die(mysql_error());
    return $conn;
}

echo '<html>
<head>
<title>Merchant Locater</title>
<link rel="stylesheet" type="text/css" href="cs.css">
</head>
<body>';

$conn = doDB();

// Escape the session value before it is interpolated into the query.
$logname = mysql_real_escape_string($_SESSION['logname'], $conn);
$sql = "SELECT fax, password FROM customer WHERE user_name = '$logname'";
$result = mysql_query($sql, $conn) or die(mysql_error());

// Defaults so the echo below does not hit undefined variables when no row matches.
$fax = '';
$password = '';
while ($newArray = mysql_fetch_array($result)) {
    $fax = $newArray['fax'];
    $password = $newArray['password'];
}

echo "$fax<br>$password
</body>
</html>";
?>
OK...this may be a bit but I noticed that when I tried to post the password from the database it stays in its hashed form...the real reason of this specific application is I'm needing to give the user the ability to change his password...I think a simple replace or update would do...but unhashing the one that's there so I could replace it, how is that done....or should I go about this a different way?
I searched Google and the forums here for something similar but I can't find anything specific...does anyone know of a site online where I could find something on this?
You cannot unhash the password. Typically, you ask them for their current password and their new password (with confirmation). Using the hashing function to check that the current password is correct, you can then change the password to the new one.
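// Escape request/session values before they go into the SQL strings.
$user    = mysql_real_escape_string($_SESSION['logname'], $conn);
$current = mysql_real_escape_string($_POST['password'], $conn); // the current password
$new     = mysql_real_escape_string($_POST['new_pass'], $conn);
// Compares the posted plaintext directly against the stored password column.
$sql = "SELECT password FROM customer WHERE user_name = '$user' AND password = '$current'";
$result = mysql_query($sql, $conn) or die(mysql_error());
if (mysql_num_rows($result) == 1) {
    $sql = "UPDATE customer SET password = '$new' WHERE password = '$current'";
    $result = mysql_query($sql, $conn) or die(mysql_error());
}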
Testing it now but I wanted to run it by you guys while I was doing it to get some much needed input
You don't display password, ever. If someone wants to change one, they should be asked to first authenticate their current password, then supply a new password, then a confirmation of the new password. If the current password (in hashed form) validates, then move on to the checking of the new/new confirm and if they match, then hash the new and update the database.
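// Escape request/session values before they go into the SQL strings.
$user    = mysql_real_escape_string($_SESSION['logname'], $conn);
$current = mysql_real_escape_string($_POST['password'], $conn); // the current password
$new     = mysql_real_escape_string($_POST['new_pass'], $conn);
// Compares the posted plaintext directly against the stored password column.
$sql = "SELECT password FROM customer WHERE user_name = '$user' AND password = '$current'";
$result = mysql_query($sql, $conn) or die(mysql_error());
if (mysql_num_rows($result) == 1) {
    $sql = "UPDATE customer SET password = '$new' WHERE password = '$current'";
    $result = mysql_query($sql, $conn) or die(mysql_error());
}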
Not exactly... since the passwords are hashed in the database, you need to hash the posted value then compare code-side. If they match, move on...
<?php
// assume $current_password was fetched from the database
if (hash('sha256', $_POST['password']) === $current_password)
{
    // Yippee, there is a match
}
?>
You don't have the ability to compare the passwords directly when dealing with a database stored hash value, so it is the computed hashes that you must compare as far as the current one goes. The new password can be compared directly with the confirmation as they are both plain (typically).
Obadiah wrote: so in essence we're not really comparing the passwords but what they display in their hashed form? Is that what you're saying?
Yes, that is what we are saying. Let's say a user's password is oBi-w4n. An MD5 hash of that string would be b91c253d338fe01303ec5d7b6f6653d0. Since you can't unhash a hash, how are you ever going to validate their password?
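The change-password flow the replies describe, written out as an added example (not code from any poster in this thread). It swaps in PHP's built-in password_hash()/password_verify() for the bare SHA-256 and MD5 hashes mentioned above, because those functions salt every hash and perform the comparison themselves, and it uses PDO prepared statements instead of the mysql_* calls. The in-memory SQLite table, the sample user and the changePassword() helper are assumptions made so the script runs on its own.

```php
<?php
// Constructed demo data: in-memory SQLite stands in for the thread's MySQL
// "customer" table so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customer (user_name TEXT PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO customer (user_name, password) VALUES (?, ?)')
    ->execute(['obadiah', password_hash('oBi-w4n', PASSWORD_DEFAULT)]);

// Hypothetical helper: change a password only after the current one verifies.
// Returns true on success, or an error message string.
function changePassword(PDO $pdo, $user, $current, $new, $confirm)
{
    // Bound parameter: the user name never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT password FROM customer WHERE user_name = ?');
    $stmt->execute([$user]);
    $storedHash = $stmt->fetchColumn();

    // The stored value is a hash, so verification happens in code, not in SQL.
    // An unknown user and a wrong password get the same answer.
    if ($storedHash === false || !password_verify($current, $storedHash)) {
        return 'Current password is incorrect.';
    }
    // New password and confirmation are both plaintext: compare them directly.
    if ($new === '' || $new !== $confirm) {
        return 'New password and confirmation do not match.';
    }
    // Hash the new password and key the UPDATE on user_name; keying it on the
    // old password would touch every account that shares that password.
    $update = $pdo->prepare('UPDATE customer SET password = ? WHERE user_name = ?');
    $update->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    return true;
}

// On the real page $user would be $_SESSION['logname'] and the rest $_POST fields.
var_dump(changePassword($pdo, 'obadiah', 'wrong-guess', 'n3w-Pass!', 'n3w-Pass!'));
var_dump(changePassword($pdo, 'obadiah', 'oBi-w4n', 'n3w-Pass!', 'typo'));
var_dump(changePassword($pdo, 'obadiah', 'oBi-w4n', 'n3w-Pass!', 'n3w-Pass!'));
var_dump(changePassword($pdo, 'obadiah', 'oBi-w4n', 'x', 'x')); // retry with the old password
```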