Page 2 of 4

Posted: Fri Jan 26, 2007 4:46 pm
by feyd
You're giving a plain password to the database without escaping?

$password wasn't set in your code.

Posted: Fri Jan 26, 2007 5:05 pm
by Obadiah
I thought I did that with this

Code:

$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password =
'{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error()); 

while ($newArray = mysql_fetch_array($result))
{
	$password = $newArray['password'];
}
The page that posts to this page defines the field password in it

Code:

echo '
<form action="password_update.php" method="post">
<table class="text" border="1" bgcolor="blue" bordercolor="ivory">
<tr>
<td align="center" width="162"> Enter Current Password</td>
</tr>
<tr>
<td><input type="text" name="password" size="12"></td>
</tr>
<tr>
<td align="center" width="162"> Enter New Password</td>
</tr>
<tr>
<td><input type="text" name="new_password" size="12"></td>
</tr>
</table>
<input type="submit" value="submit">
</form>
</body>
</html>';
Please explain what you mean by saying
feyd wrote: giving a plain password to the database without escaping
and I thought I defined $password

Posted: Fri Jan 26, 2007 5:53 pm
by RobertGonzalez
After this:

Code:

<?php
while ($newArray = mysql_fetch_array($result))
{
        $password = $newArray['password'];
}
?>
do this:

Code:

<?php
echo $password . ' is the password form the db...<br />';
echo hash('sha256', $_POST['password']) . ' is the post hash value...<br />';
?>
And see what is coming out.

Posted: Fri Jan 26, 2007 6:05 pm
by feyd
Plain password: not passed through a hashing function.

Posted: Sun Jan 28, 2007 10:44 am
by Mordred
Also:

Code:

_$POST
instead of

Code:

$_POST
in your code. Escape it before putting it in the database.

Posted: Mon Jan 29, 2007 8:13 am
by Obadiah
Everah wrote: do this:

Code:

<?php
echo $password . ' is the password form the db...<br />';
echo hash('sha256', $_POST['password']) . ' is the post hash value...<br />';
?>
And see what is coming out.
Done... it says this
error wrote: Notice: Undefined variable: password in C:\Program Files\xampp\htdocs\Log_In\agent\password_update.php on line 21
is the password form the db...
b8f81769f7d3c9409c46c78d2f69f9466353a0f5955ec14fb88fe3259a92a398 is the post hash value...
which means that PHP for some reason doesn't recognize that I have defined it in my array... if I'm understanding it correctly... unless I've defined it wrongly

Here's what I have now

Code:

$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password =
'{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error()); 
while ($newArray = mysql_fetch_array($result))
{
	$password = $newArray['password'];
}
echo $password . ' is the password form the db...<br />'; //line 21
echo hash('sha256', $_POST['password']) . ' is the post hash value...<br />';
It's strange that it's not spitting out the hash from the database :?

Posted: Mon Jan 29, 2007 8:35 am
by feyd
$password wasn't set; that means that mysql_fetch_array() returned false (most likely). Therefore one can guess that your query returned no records. Again, this is because you are using the plain password, i.e. the password has not passed through sha256.

Posted: Mon Jan 29, 2007 8:55 am
by Obadiah
I didn't use sha256 when I placed them in my database the first time... I used md5... is this the issue that you're suggesting?

Posted: Mon Jan 29, 2007 8:58 am
by feyd
It doesn't change the fact that you're not hashing the password for the database to use.

What's the point of sha256 if the passwords are md5? Are you changing the database over to sha256?

Posted: Mon Jan 29, 2007 9:08 am
by Obadiah
No... all I'm doing is trying to allow the person to change the original password... I'll need to hash the other password going in via md5... but why isn't it allowing me to see the hash in the database... the passwords are hashed in the database; I can open up the database and see them hashed... if I change the query to select the password under the person who is logged in, write the array and echo it... it will print it to the screen... I'm not understanding what you're suggesting the problem is.

Are you saying that when I first placed the passwords in the database they weren't hashed properly?

Posted: Mon Jan 29, 2007 9:12 am
by feyd
$_POST['password'] != md5($_POST['password'])

Posted: Mon Jan 29, 2007 9:36 am
by Obadiah
OK... I think we're not on the same page, so I'll start from here... check this out... with the query and code I get my 2 hashes... notice I commented out that second clause

Code:

$conn = doDB(); 
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}'";
// AND password = 'md5{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error()); 
while ($newArray = mysql_fetch_array($result))
{
	$password = $newArray['password'];
}
echo $password .' is the password form the db...<br />'; 
echo hash('md5', $_POST['password']) . ' is the post hash value...<br />';
Now... when I leave the second clause in, reflecting this,
I get the error I posted earlier

Code:

$conn = doDB(); 
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password = 'md5{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error()); 
while ($newArray = mysql_fetch_array($result))
{
	$password = $newArray['password'];
}
echo $password .' is the password form the db...<br />'; 
echo hash('md5', $_POST['password']) . ' is the post hash value...<br />';
The interesting thing is... if I'm understanding you right, the hashes I got for output with the first snippet aren't the same whether I use md5 or sha256; you're right 8O ... meaning that something is really screwy in my database or the way I hashed them the first time, making

Code:

password = 'md5{$_POST['password']}'";

return false... what do I do?

Posted: Mon Jan 29, 2007 9:50 am
by Mordred

Code:

password = 'md5{$_POST['password']}'
The right side of the expression you wrote is a string; it's in quotes.

Code:

password = md5({$_POST['password']})
Should be like this (parentheses after md5, as it is a function).

Anyway, you should write it like this:

Code:

$sPassword = mysql_real_escape_string($_POST['password']);
and

Code:

`password` = MD5($sPassword)

Posted: Mon Jan 29, 2007 9:51 am
by feyd
Look very carefully at this query

Code:

Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password = 'md5{$_POST['password']}'

Posted: Mon Jan 29, 2007 9:56 am
by Mordred
Whoops

Code:

`password` = MD5($sPassword)

Should be

Code:

`password` = MD5('$sPassword')
otherwise quote-less injections would still be possible.
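The two points the thread keeps circling, feyd's (the stored md5 hash is being compared against the plain POST value, so the query matches no rows and $password is never set) and Mordred's (the user input has to be escaped and quoted, or it can change the shape of the query), are shown together in the following added example. It is not code from this thread or from any poster; it runs against an in-memory SQLite database through PDO (assumption: the pdo_sqlite extension is available) so it needs no MySQL server. The table name customer and the columns user_name and password are taken from the poster's query; the user name and the md5-hashed sample row are constructed here.

```php
<?php
// Added example (not code from this thread). It uses an in-memory SQLite database
// through PDO so it runs without the poster's MySQL setup; the table `customer` and the
// columns `user_name` / `password` come from the poster's query, the sample row is constructed.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE customer (user_name TEXT PRIMARY KEY, password TEXT NOT NULL)');
    // Constructed sample row: the stored value is an md5 digest, as in the poster's database.
    $ins = $db->prepare('INSERT INTO customer (user_name, password) VALUES (:u, :p)');
    $ins->execute([':u' => 'obadiah', ':p' => md5('hunter2')]);
    return $db;
}

// The thread's failing query: the stored md5 digest is compared with the plain POST
// value, so no row matches and the loop that would set $password never runs. Bound
// parameters are used so that only the comparison itself is being demonstrated.
function rowsMatchingPlainPassword(PDO $db, string $user, string $plain): int
{
    $q = $db->prepare('SELECT password FROM customer WHERE user_name = :u AND password = :p');
    $q->execute([':u' => $user, ':p' => $plain]);
    return count($q->fetchAll(PDO::FETCH_ASSOC));
}

// Look the stored hash up by user name only; null when the user does not exist.
// Because :u is a bound parameter, quotes in the input are data, never SQL, which is
// the property mysql_real_escape_string() plus correct quoting was approximating.
function storedHashFor(PDO $db, string $user): ?string
{
    $q = $db->prepare('SELECT password FROM customer WHERE user_name = :u');
    $q->execute([':u' => $user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['password'];
}

// Correct check: fetch the stored hash, then compare in PHP. Legacy rows hold a bare
// 32-hex-character md5 digest and are compared with hash_equals(), whose running time
// does not depend on where the strings differ; rows rewritten by changePassword() hold
// a password_hash() string and are checked with password_verify().
function currentPasswordIsValid(PDO $db, string $user, string $plain): bool
{
    $stored = storedHashFor($db, $user);
    if ($stored === null) {
        return false; // unknown user: a failed check, not an "Undefined variable" notice
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        return hash_equals($stored, md5($plain));
    }
    return password_verify($plain, $stored);
}

// Password change: verify the current password, then store the new one with
// password_hash() (bcrypt by default) instead of md5, migrating the row as a side effect.
function changePassword(PDO $db, string $user, string $current, string $new): bool
{
    if (!currentPasswordIsValid($db, $user, $current)) {
        return false;
    }
    $upd = $db->prepare('UPDATE customer SET password = :p WHERE user_name = :u');
    $upd->execute([':p' => password_hash($new, PASSWORD_DEFAULT), ':u' => $user]);
    return true;
}

$db = setupDb();
printf("rows matched by comparing the plain password: %d\n",
    rowsMatchingPlainPassword($db, 'obadiah', 'hunter2'));
var_dump(currentPasswordIsValid($db, 'obadiah', 'hunter2'));
var_dump(currentPasswordIsValid($db, 'obadiah', "it's wrong"));   // the quote is just data
var_dump(changePassword($db, 'obadiah', 'hunter2', 'correct horse battery staple'));
var_dump(currentPasswordIsValid($db, 'obadiah', 'correct horse battery staple'));
```

Run from the command line, the first line reports zero matched rows, which is the poster's symptom: the query is correct SQL but can never match, so the while loop never assigns $password. The check then succeeds for the right password, fails for a wrong one containing a quote character without that character ever reaching the SQL text, and the change leaves a bcrypt hash in the row that the same function verifies afterwards. The point of doing the comparison in PHP rather than in the WHERE clause is that the query only ever sees the user name, so the password handling (legacy md5 now, password_hash() going forward) can change without touching the SQL.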