[fixed]password inquires[fixed] :))


Obadiah
Forum Regular
Posts: 580
Joined: Mon Jul 31, 2006 9:13 am
Location: Ashland, KY

Post by Obadiah »

for some reason or another i get a blank screen for the output of this code....i'm having trouble trying to figure out why it won't at least give me an error...where am i screwing up here?

Code: Select all

<?php 
session_start();
error_reporting(E_ALL); 
ini_set('display_errors', 1); 

function doDB() 
{ 
    $conn = mysql_connect("somehost","dude","Whattheheck") or die(mysql_error()); 
    mysql_select_db("customerdirectory",$conn) or die(mysql_error()); 
    return $conn; 
} 

$conn = doDB(); 
echo '<html>
<head>
<title>Merchant Locater</title>
<link rel="stylesheet" type="text/css" href="cs.css">
</head>
<body>';
doDB();
    $sql = "Select fax FROM customer WHERE user_name = '{$_SESSION['logname']}'"; 
    $result = mysql_query($sql,$conn) or die(mysql_error()); 
    return $result; 

    while ($newArray = mysql_fetch_array($result)) 
    {        
        $fax = $newArray['fax']; 
    } 

    echo "$fax";
?>
Last edited by Obadiah on Tue Jan 30, 2007 11:19 am, edited 2 times in total.
boo_lolly
Forum Contributor
Posts: 154
Joined: Tue Nov 14, 2006 5:04 pm

Post by boo_lolly »

try adding a value in place of $_SESSION['logname'] that you know to be in the customer table in your database. maybe the sessions() aren't working? i'm also not sure if you need an extra doDB(); right above your $sql statement.

also, view the source of your page and see if it's even printing the <html><head............. stuff.
mikeq
Forum Regular
Posts: 512
Joined: Fri May 03, 2002 3:33 am
Location: Edinburgh, Scotland

Post by mikeq »

also try looking at your webserver error log, can sometimes shed light on things.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Code: Select all

return $result;
This looks like it was a part of a function to do a query, and you copy/pasted it in your code. I suggest you keep the function ;)

Post by Obadiah »

Mordred wrote:

Code: Select all

return $result;
This looks like it was a part of a function to do a query, and you copy/pasted it in your code. I suggest you keep the function ;)
yes...it was part of the code i'm using for another project...i didn't see a reason to rewrite it at the time however maybe i should since i'm getting nowhere with this....i'm not sure why my session would die though if it's live and all i'm doing is going to this page via link....and if the session was dead it would give me an error saying that it's undefined...but it's not...hmm still confused...i'll do a rewrite and post back

Post by Obadiah »

yep...i've been drinking again :drunk: ...here's the correct way :)

Code: Select all

<?php 
session_start();
error_reporting(E_ALL); 
ini_set('display_errors', 1); 

function doDB() 
{ 
    $conn = mysql_connect("somehost","Hellz","Yeah!!!") or die(mysql_error()); 
    mysql_select_db("customerdirectory",$conn) or die(mysql_error()); 
    return $conn; 
} 

echo '<html>
<head>
<title>Merchant Locater</title>
<link rel="stylesheet" type="text/css" href="cs.css">
</head>
<body>';
$conn = doDB(); 
$sql = "Select fax, password FROM customer WHERE user_name = '{$_SESSION['logname']}'";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
	$fax = $newArray['fax'];
	$password= $newArray['password'];
}
echo"$fax<br>$password
</strong></div>";
?>
ok...this may be a bit :offtopic: but i noticed that when i tried to post the password from the database it stays in its hashed form...the real reason of this specific application is i'm needing to give the user the ability to change his password...i think a simple replace or update would do...but unhashing the one that's there so i could replace it, how is that done....or should i go about this a different way?

Post by Obadiah »

i searched google and the forums here for something similar but i can't find anything specific...does anyone know of a site online where i could find something on this?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You cannot unhash the password. Typically, you ask them their current password and their new password (with confirmation.) Using the hashing function to check the current password is correct, you can then change the password to the new one.

Post by Obadiah »

ok so my query for this puppy would look something like

Code: Select all

$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password =
'{$_POST['password']}'"; // password being the current password
$result = mysql_query($sql,$conn) or die(mysql_error()); 

if (mysql_num_rows($result)== 1) {
    $sql = "update customer set password = '{$_POST['new_pass']}' where password = '{$_POST['password']}'";
    $result = mysql_query($sql,$conn) or die(mysql_error());
}
testing it now but i wanted to run it by you guys while i was doing it to get some much needed input
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

You don't display password, ever. If someone wants to change one, they should be asked to first authenticate their current password, then supply a new password, then a confirmation of the new password. If the current password (in hashed form) validates, then move on to the checking of the new/new confirm and if they match, then hash the new and update the database.

Post by RobertGonzalez »

Obadiah wrote: ok so my query for this puppy would look something like

Code: Select all

$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password =
'{$_POST['password']}'"; // password being the current password
$result = mysql_query($sql,$conn) or die(mysql_error()); 

if (mysql_num_rows($result)== 1) {
    $sql = "update customer set password = '{$_POST['new_pass']}' where password = '{$_POST['password']}'";
    $result = mysql_query($sql,$conn) or die(mysql_error());
}
Not exactly... since the passwords are hashed in the database, you need to hash the posted value then compare code-side. If they match, move on...

Code: Select all

<?php
// assume $current_password was fetched from the database
if (hash('sha256', $_POST['password']) === $current_password)
{
    // Yippee, there is a match
}
?>

Post by Obadiah »

so in essence we're not really comparing the passwords but what they display in their hashed form? is that what you're saying?

Post by feyd »

You don't have the ability to compare the passwords directly when dealing with a database stored hash value.. so it is the computed hashes that you must compare as far as the current one goes. The new password can be compared directly with the confirmation as they are both plain (typically.)

Post by RobertGonzalez »

Obadiah wrote: so in essence we're not really comparing the passwords but what they display in their hashed form? is that what you're saying?
Yes, that is what we are saying. Let's say a user's password is oBi-w4n. An MD5 hash of that string would be b91c253d338fe01303ec5d7b6f6653d0. Since you can't unhash a hash, how are you ever going to validate their password?

Post by Obadiah »

ok...i've implemented and tried to compile some new code from what i gathered, here is what i have

Code: Select all

<?php 
session_start();
error_reporting(E_ALL); 
ini_set('display_errors', 1); 

function doDB() 
{ 
    $conn = mysql_connect("somehost","play","WorldofWarcraft") or die(mysql_error()); 
    mysql_select_db("customerdirectory",$conn) or die(mysql_error()); 
    return $conn; 
} 

$conn = doDB(); 
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password =
'{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error()); 

while ($newArray = mysql_fetch_array($result))
{
	$password = $newArray['password'];
}

if (hash('sha256', $_POST['password']) === $password) {
    $sql = "update customer set password = '{$_POST['new_pass']}' where password = '{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error());
}
else{
	echo"incorrect password matchup please try again";
}

?>
i'm getting a notice error for

Code: Select all

if (hash('sha256', $_POST['password']) === $password)
saying that password is undefined....why is that?....should i have made an array?...i'm trying that now

edited

even with the array i still get the same thing :?
Last edited by Obadiah on Fri Jan 26, 2007 5:00 pm, edited 2 times in total.
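
Added example (not part of the thread and not any poster's code): the change-password flow feyd and RobertGonzalez describe, with the row looked up by user_name only, because a WHERE clause that compares the stored hash with the plain-text POST value matches no row and leaves $password unset. It goes beyond the thread by using PDO prepared statements and PHP's password_hash()/password_verify() in place of mysql_* and a bare sha256; the in-memory SQLite database, the demo_user account and the changePassword() function are constructed for the example.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// thread; the SQLite database and the demo account are constructed.
function changePassword(PDO $db, string $user, string $current, string $new, string $confirm): string
{
    // Select by user name only; the password is never part of the WHERE clause.
    $stmt = $db->prepare('SELECT password FROM customer WHERE user_name = ?');
    $stmt->execute([$user]);
    $storedHash = $stmt->fetchColumn();   // false when no row matched

    // Unknown user and wrong password get the same answer.
    if ($storedHash === false || !password_verify($current, $storedHash)) {
        return 'incorrect current password';
    }
    // New password and confirmation are both plain text, so compare them directly.
    if ($new === '' || $new !== $confirm) {
        return 'new password and confirmation do not match';
    }
    // Hash the new password before storing it, and key the UPDATE on the user,
    // not on the old password value.
    $upd = $db->prepare('UPDATE customer SET password = ? WHERE user_name = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    return 'password changed';
}

// Constructed demo data. In the thread's page, $user would be
// $_SESSION['logname'] and the other arguments would come from $_POST.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customer (user_name TEXT PRIMARY KEY, password TEXT, fax TEXT)');
$ins = $db->prepare('INSERT INTO customer (user_name, password, fax) VALUES (?, ?, ?)');
$ins->execute(['demo_user', password_hash('old-Secret-1', PASSWORD_DEFAULT), '555-0100']);

// Wrong current password, mismatched confirmation, then a valid change.
echo changePassword($db, 'demo_user', 'wrong-guess', 'n3w-Secret-2', 'n3w-Secret-2'), "\n";
echo changePassword($db, 'demo_user', 'old-Secret-1', 'n3w-Secret-2', 'typo'), "\n";
echo changePassword($db, 'demo_user', 'old-Secret-1', 'n3w-Secret-2', 'n3w-Secret-2'), "\n";

// The stored value is a hash of the new password, never the password itself.
$check = $db->query("SELECT password FROM customer WHERE user_name = 'demo_user'")->fetchColumn();
var_dump(password_verify('n3w-Secret-2', $check));
```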