[fixed]password inquires[fixed] :))

Post by feyd »

You're giving a plain password to the database without escaping?

$password wasn't set in your code.

Post by Obadiah »

i thought i did that with this

Code: Select all

$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password =
'{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error()); 

while ($newArray = mysql_fetch_array($result))
{
	$password = $newArray['password'];
}
the page that posts to this page defines the field password in it

Code: Select all

echo '
<form action="password_update.php" method="post">
<table class="text" border="1" bgcolor="blue" bordercolor="ivory">
<tr>
<td align="center" width="162"> Enter Current Password</td>
</tr>
<tr>
<td><input type="text" name="password" size="12"></td>
</tr>
<tr>
<td align="center" width="162"> Enter New Password</td>
</tr>
<tr>
<td><input type="text" name="new_password" size="12"></td>
</tr>
</table>
<input type="submit" value="submit">
</form>
</body>
</html>';
please explain what you mean by saying
feyd wrote: giving a plain password to the database without escaping
and i thought i defined $password

Post by RobertGonzalez »

After this:

Code: Select all

<?php
while ($newArray = mysql_fetch_array($result))
{
        $password = $newArray['password'];
}
?>
do this:

Code: Select all

<?php
echo $password . ' is the password form the db...<br />';
echo hash('sha256', $_POST['password']) . ' is the post hash value...<br />';
?>
And see what is coming out.

Post by feyd »

Plain password: not passed through a hashing function.

Post by Mordred »

Also:

Code: Select all

_$POST
instead of

Code: Select all

$_POST
in your code. Escape it before putting it in the database.

Post by Obadiah »

Everah wrote: do this:

Code: Select all

<?php
echo $password . ' is the password form the db...<br />';
echo hash('sha256', $_POST['password']) . ' is the post hash value...<br />';
?>
And see what is coming out.
done....it says this
error wrote: Notice: Undefined variable: password in C:\Program Files\xampp\htdocs\Log_In\agent\password_update.php on line 21
is the password form the db...
b8f81769f7d3c9409c46c78d2f69f9466353a0f5955ec14fb88fe3259a92a398 is the post hash value...
which means that php for some reason doesn't recognize that i have defined it in my array...if i'm understanding it correctly....unless i've defined it wrongly

here's what i have now

Code: Select all

$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password =
'{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error()); 
while ($newArray = mysql_fetch_array($result))
{
	$password = $newArray['password'];
}
echo $password . ' is the password form the db...<br />'; //line 21
echo hash('sha256', $_POST['password']) . ' is the post hash value...<br />';
it's strange that it's not spitting out the hash from the database :?

Post by feyd »

$password wasn't set, that means that mysql_fetch_array() returned false (most likely.) Therefore one can guess that your query returned no records. Again, this is because you are using the plain password. i.e. The password has not passed through sha256.

Post by Obadiah »

i didn't use sha256 when i placed them in my database the first time...i used md5...is this the issue that you're suggesting?

Post by feyd »

It doesn't change the fact that you're not hashing the password for the database to use.

What's the point of sha256 if the passwords are md5? Are you changing the database over to sha256?

Post by Obadiah »

no....all i'm doing is trying to allow the person to change the original password...i'll need to hash the other password going in via md5...but why isn't it allowing me to see the hash in the database...the passwords are hashed in the database, i can open up the database and see them hashed...if i change the query to select the password under the person who is logged in, write the array and echo it...it will print it to the screen....i'm not understanding what you're suggesting the problem is

are you saying that when i first placed the passwords in the database they weren't hashed properly?

Post by feyd »

$_POST['password'] != md5($_POST['password'])

Post by Obadiah »

ok...i think we're not on the same page so i'll start from here...check this out....with the query and code i get my 2 hashes...notice i commented out that second clause

Code: Select all

$conn = doDB(); 
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}'";
// AND password = 'md5{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error()); 
while ($newArray = mysql_fetch_array($result))
{
	$password = $newArray['password'];
}
echo $password .' is the password form the db...<br />'; 
echo hash('md5', $_POST['password']) . ' is the post hash value...<br />';
now....when i leave the second clause in reflecting this
i get the error i posted earlier

Code: Select all

$conn = doDB(); 
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password = 'md5{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error()); 
while ($newArray = mysql_fetch_array($result))
{
	$password = $newArray['password'];
}
echo $password .' is the password form the db...<br />'; 
echo hash('md5', $_POST['password']) . ' is the post hash value...<br />';
the interesting thing is....if i'm understanding you right the hashes i got for output with the first snippet aren't the same whether i use md5 or sha256, you're right 8O ....meaning that something is really screwy in my database or the way i hashed them the first time making

Code: Select all

password = 'md5{$_POST['password']}'";

return false....what do i do?

Post by Mordred »

Code: Select all

password = 'md5{$_POST['password']}'
The right side of the expression you wrote is a string, it's in quotes.

Code: Select all

password = md5({$_POST['password']})
Should be like this (parentheses after md5, as it is a function)

Anyway, you should write it like this:

Code: Select all

$sPassword = mysql_real_escape_string($_POST['password']);
and

Code: Select all

`password` = MD5($sPassword)

Post by feyd »

Look very carefully at this query

Code: Select all

Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password = 'md5{$_POST['password']}'

Post by Mordred »

Whoops

Code: Select all

`password` = MD5($sPassword)

Should be

Code: Select all

`password` = MD5('$sPassword')
otherwise quote-less injections were still possible.
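
One way to do the password change discussed in this thread, as an added example that is not part of any post above: look the row up by user name with a bound parameter, hash the submitted password the same way the stored value was produced, and compare in PHP. The `customer`, `user_name` and `password` names come from the thread; the in-memory SQLite database (needs the `pdo_sqlite` extension), the sample users, `change_password()` and the move to `password_hash()` for the new value are assumptions for illustration.

```php
<?php
// Added example: the SQLite in-memory database, the sample rows and
// change_password() are constructed for illustration, not code from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customer (user_name TEXT PRIMARY KEY, password TEXT)');
// Constructed legacy row: the password was stored as an unsalted MD5 hex digest.
$db->prepare('INSERT INTO customer VALUES (?, ?)')->execute(['obadiah', md5('old-secret')]);

function change_password(PDO $db, string $user, string $current, string $new): bool
{
    // Select by user name only; the value is bound, never interpolated into the SQL.
    $stmt = $db->prepare('SELECT password FROM customer WHERE user_name = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no row: the case that left $password undefined in the thread
    }

    // Hash the submitted value the same way the stored one was produced, then
    // compare in PHP. Legacy rows are MD5; migrated rows use password_hash().
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $isLegacyMd5
        ? hash_equals($stored, md5($current))
        : password_verify($current, $stored);
    if (!$ok) {
        return false;
    }

    // Store the new password with a salted, slow hash instead of MD5.
    $upd = $db->prepare('UPDATE customer SET password = ? WHERE user_name = ?');
    return $upd->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
}

// Wrong current password, then the correct one against the legacy MD5 row.
var_dump(change_password($db, 'obadiah', 'wrong-guess', 'n3w-secret'));
var_dump(change_password($db, 'obadiah', 'old-secret', 'n3w-secret'));
// The row now holds a password_hash() value, so this goes through password_verify().
var_dump(change_password($db, 'obadiah', 'n3w-secret', 'another-one'));
// A name containing a quote is treated as data by the bound parameter: no such user.
var_dump(change_password($db, "o'brien", 'anything', 'whatever'));
```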