Posted: Fri Jan 26, 2007 4:46 pm
You're giving a plain password to the database without escaping?
$password wasn't set in your code.
$password wasn't set in your code.
A community of PHP developers offering assistance, advice, discussion, and friendship.
http://forums.devnetwork.net/
Code: Select all
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password =
'{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
$password = $newArray['password'];
}Code: Select all
echo '
<form action="password_update.php" method="post">
<table class="text" border="1" bgcolor="blue" bordercolor="ivory">
<tr>
<td align="center" width="162"> Enter Current Password</td>
</tr>
<tr>
<td><input type="text" name="password" size="12"></td>
</tr>
</tr>
<td align="center" width="162"> Enter New Password</td>
</tr>
<tr>
<td><input type="text" name="new_password" size="12"></td>
</tr>
</table>
<input type="submit" value="submit">
</form>
</body>
</html>';and i thought i defined $passwordfeyd wrote: giving a plain password to the database without escaping
Code: Select all
<?php
while ($newArray = mysql_fetch_array($result))
{
$password = $newArray['password'];
}
?>Code: Select all
<?php
echo $password . ' is the password form the db...<br />';
echo hash('sha256', $_POST['password']) . ' is the post hash value...<br />';
?>Code: Select all
_$POSTCode: Select all
$_POSTdone....it says thisEverah wrote: do this:And see what is coming out.Code: Select all
<?php echo $password . ' is the password form the db...<br />'; echo hash('sha256', $_POST['password']) . ' is the post hash value...<br />'; ?>
which means that php for some reason doesn't recognize that i have defined it in my array...if im understanding it correctly....unless ive defined it wronglyerror wrote: Notice: Undefined variable: password in C:\Program Files\xampp\htdocs\Log_In\agent\password_update.php on line 21
is the password form the db...
b8f81769f7d3c9409c46c78d2f69f9466353a0f5955ec14fb88fe3259a92a398 is the post hash value...
Code: Select all
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password =
'{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
$password = $newArray['password'];
}
echo $password . ' is the password form the db...<br />'; //line 21
echo hash('sha256', $_POST['password']) . ' is the post hash value...<br />';Code: Select all
$conn = doDB();
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}'";
// AND password = 'md5{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
$password = $newArray['password'];
}
echo $password .' is the password form the db...<br />';
echo hash('md5', $_POST['password']) . ' is the post hash value...<br />';Code: Select all
$conn = doDB();
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password = 'md5{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
$password = $newArray['password'];
}
echo $password .' is the password form the db...<br />';
echo hash('md5', $_POST['password']) . ' is the post hash value...<br />';Code: Select all
password = 'md5{$_POST['password']}'";Code: Select all
password = 'md5{$_POST['password']}'Code: Select all
password = md5({$_POST['password']})Code: Select all
$sPassword = mysql_real_escape_string($_POST['password']);Code: Select all
`password` = MD5($sPassword)Code: Select all
Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password = 'md5{$_POST['password']}'Code: Select all
`password` = MD5($sPassword)Code: Select all
`password` = MD5('$sPassword')