[fixed]password inquires[fixed] :))
Moderator: General Moderators
i thought i did that with this
the page that post to this page defines the field password in it
please explain what you mean by saying
Code: Select all
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password =
'{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
$password = $newArray['password'];
}Code: Select all
echo '
<form action="password_update.php" method="post">
<table class="text" border="1" bgcolor="blue" bordercolor="ivory">
<tr>
<td align="center" width="162"> Enter Current Password</td>
</tr>
<tr>
<td><input type="text" name="password" size="12"></td>
</tr>
</tr>
<td align="center" width="162"> Enter New Password</td>
</tr>
<tr>
<td><input type="text" name="new_password" size="12"></td>
</tr>
</table>
<input type="submit" value="submit">
</form>
</body>
</html>';and i thought i defined $passwordfeyd wrote: giving a plain password to the database without escaping
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
After this:
do this:
And see what is coming out.
Code: Select all
<?php
while ($newArray = mysql_fetch_array($result))
{
$password = $newArray['password'];
}
?>Code: Select all
<?php
echo $password . ' is the password form the db...<br />';
echo hash('sha256', $_POST['password']) . ' is the post hash value...<br />';
?>Also: instead of in your code. Escape it before putting it in the database.
Code: Select all
_$POSTCode: Select all
$_POSTdone....it says thisEverah wrote: do this:And see what is coming out.Code: Select all
<?php echo $password . ' is the password form the db...<br />'; echo hash('sha256', $_POST['password']) . ' is the post hash value...<br />'; ?>
which means that php for some reason doesn't recognize that i have defined it in my array...if im understanding it correctly....unless ive defined it wronglyerror wrote: Notice: Undefined variable: password in C:\Program Files\xampp\htdocs\Log_In\agent\password_update.php on line 21
is the password form the db...
b8f81769f7d3c9409c46c78d2f69f9466353a0f5955ec14fb88fe3259a92a398 is the post hash value...
heres what i have now
Code: Select all
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password =
'{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
$password = $newArray['password'];
}
echo $password . ' is the password form the db...<br />'; //line 21
echo hash('sha256', $_POST['password']) . ' is the post hash value...<br />';no....all im doing is trying to allow the person to change the original password...ill need to hash the other password going in via md5...but why isnt it allowing me to see the hash in the database...the passwords are hashed in the database i can open it up the database and see them hashed...if i change the query to select the password underthe person who is looged in write the array and echo it...it will print it to the screen....im not understanding what your suggesting the problem is
are you saying that when i first placed the passwords in the database they werent hashed properly?
are you saying that when i first placed the passwords in the database they werent hashed properly?
ok...i think were not on the same page so ill start from here...check this out....with the query and code i get my 2 hashes...notice i comented out that secound clause
now....when i leave the second clause in reflecting this
i get the error i posted earlier
the interesting thing is....if im understanding you right the hashes i got for output with the first snippet arent the same whether if i use md5 or sha256 your right
....meaning that something is really screwy in my database or the way i hased them the first time making
return false....what do i do?
Code: Select all
$conn = doDB();
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}'";
// AND password = 'md5{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
$password = $newArray['password'];
}
echo $password .' is the password form the db...<br />';
echo hash('md5', $_POST['password']) . ' is the post hash value...<br />';i get the error i posted earlier
Code: Select all
$conn = doDB();
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password = 'md5{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
$password = $newArray['password'];
}
echo $password .' is the password form the db...<br />';
echo hash('md5', $_POST['password']) . ' is the post hash value...<br />';Code: Select all
password = 'md5{$_POST['password']}'";return false....what do i do?
Code: Select all
password = 'md5{$_POST['password']}'Code: Select all
password = md5({$_POST['password']})Anyway, you should write it like this:
Code: Select all
$sPassword = mysql_real_escape_string($_POST['password']);Code: Select all
`password` = MD5($sPassword)- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
Look very carefully at this query
Code: Select all
Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password = 'md5{$_POST['password']}'Whhops
Should be
otherwise quote-less injections were still possible.
Code: Select all
`password` = MD5($sPassword)Should be
Code: Select all
`password` = MD5('$sPassword')