[fixed]password inquires[fixed] :))

Obadiah
Forum Regular
Posts: 580
Joined: Mon Jul 31, 2006 9:13 am
Location: Ashland, KY

Post by Obadiah »

ok...i implemented my code to reflect your suggestions

Code: Select all

$sPassword = mysql_real_escape_string($_POST['password']);
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password = md5('$sPassword')";
$result = mysql_query($sql,$conn) or die(mysql_error()); 
while ($newArray = mysql_fetch_array($result))
{
	$password = $newArray['password'];
}
echo $password .' is the password form the db...<br />'; 
echo hash('md5', $_POST['password']) . ' is the post hash value...<br />';

it's giving me the same error....saying that $password (the value stored in the database) is not defined or it's still returning 0

feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

What does mysql_num_rows() tell you?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Try this...

Code: Select all

<?php
$sPassword = md5($_POST['password']);
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password = '$sPassword'";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
    //    $password = $newArray['password'];
    echo $newArray['password'];
}
?>
Does that echo anything out?

Post by Obadiah »

no...it's blank

Post by Obadiah »

feyd wrote:What does mysql_num_rows() tell you?
the number of rows from a result set

Post by feyd »

Obadiah wrote:
feyd wrote:What does mysql_num_rows() tell you?
the number of rows in your database
No... the number of records in the result set. Call it in your code. I would bet it will say zero.

Post by Obadiah »

OOOOOOOH...not because i wrote it wrong....because the statement password = '$sPassword' is evaluating to false (hence the reason for $sPassword and password not looking duplicate when printed to the screen...i get ya) now...earlier you said because i was using a password not passed through a hashing function...but if it wasn't passed through a hashing function why does it display hashed...i think this is where i'm confused

Post by RobertGonzalez »

Obadiah wrote: no...it's blank
That means that there are no rows returned (which is what feyd was trying to get at with his question about mysql_num_rows()). Maybe you should echo out the $sql to see what the server is seeing and to determine where things need to be rewritten to make them work?

Post by Obadiah »

interesting.....very interesting....i just tried it...notice that blue reflects values stored in the database

Code: Select all

$conn = doDB(); 
$sPassword = mysql_real_escape_string($_POST['password']);
$sql = "Select user_name, password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password = md5('$sPassword')";
$result = mysql_query($sql,$conn) or die(mysql_error()); 
while ($newArray = mysql_fetch_array($result))
{
	$password = $newArray['password'];
	$user_name = $newArray['user_name'];
}
	echo "first test";
	echo "<p style=\"color:blue\">$password</p>";
	echo "<p style=\"color:red\">$sPassword</p>";
	echo "<p style=\"color:blue\">$user_name</p>";
	echo "<p style=\"color:red\">{$_SESSION['logname']}</p>";
	
$sPassword = mysql_real_escape_string($_POST['password']);
$sql = "Select user_name, password FROM customer WHERE user_name= '{$_SESSION['logname']}'";
$result = mysql_query($sql,$conn) or die(mysql_error()); 
while ($newArray = mysql_fetch_array($result))
{
	$user_name = $newArray['user_name'];
	$password = $newArray['password'];
}
	echo "second test";
	echo "<p style=\"color:blue\">$password</p>";
	echo "<p style=\"color:red\">$sPassword</p>";
	echo "<p style=\"color:blue\">$user_name</p>";
	echo "<p style=\"color:red\">{$_SESSION['logname']}</p>";
i got this as output
first test
Notice: Undefined variable: password in C:\password_update.php on line 23

Notice: Undefined variable: user_name in C:\password_update.php on line 25


owilliams0001


second test
d8611198ea8421180df8e80eab0f2da1


owilliams0001

owilliams0001
which tells me that the first time nothing in the database is being seen but the second time i was able to retrieve both the username and the hashed password

which leads me to think that there's something funny about the way the password is being retrieved... then i tried this

Code: Select all

$sql = "Select user_name, password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password != md5('$sPassword')";
$result = mysql_query($sql,$conn) or die(mysql_error()); 
while ($newArray = mysql_fetch_array($result))
{
	$password = $newArray['password'];
	$user_name = $newArray['user_name'];
}
	echo "first test";
	echo "<p style=\"color:blue\">$password</p>";
	echo "<p style=\"color:red\">$sPassword</p>";
	echo "<p style=\"color:blue\">$user_name</p>";
	echo "<p style=\"color:red\">{$_SESSION['logname']}</p>";
and i got
first test
d8611198ea8421180df8e80eab0f2da1

owilliams0001

owilliams0001

second test
d8611198ea8421180df8e80eab0f2da1

owilliams0001

owilliams0001
which further leads me to believe that there has to be something wrong with this and this is possibly the only issue

Code: Select all

password = md5('$sPassword');
how do i fix it?

Post by RobertGonzalez »

Do a simple select * query on the database with a limit 0, 10 to see how they are stored. It looks like md5, but it could just as easily be the MySQL password() function that hashed them. This seems to be tied to how you hash the password when they go in the table more than how they are fetched. What hashing algorithm are you using when inserting the data?

Post by Obadiah »

done...here goes

Code: Select all

$sql = "Select * FROM customer LIMIT 0,10";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
	$user_name = $newArray['user_name'];
	$password = $newArray['password'];
	$first_name = $newArray['first_name'];
	$last_name = $newArray['last_name'];
	$street = $newArray['street'];
	$city = $newArray['city'];
	$state = $newArray['state'];
	$zip = $newArray['zip'];
	$phone = $newArray['phone'];
	$fax = $newArray['fax'];
}
	echo "$user_name<br>";
	echo "$password<br>";
	echo "$first_name<br>";
	echo "$last_name<br>";
	echo "$street<br>";
	echo "$city<br>";
	echo "$state<br>";
	echo "$zip<br>";
	echo "$phone<br>";
	echo "$fax<br>";
Last edited by Obadiah on Mon Jan 29, 2007 4:10 pm, edited 1 time in total.

Post by RobertGonzalez »

Ok, trash the output now as we don't want people's sensitive information floating around on our boards.

Are you using MD5 as the hash algorithm when inserting?

Post by Obadiah »

yes

Post by RobertGonzalez »

Ok then, here is your process flow...

Select the user's record based on a userid/email address/some other identifiable piece of information. Grab the entire row and read each column of that row into a var. Now, md5() the user's entered password into a var. Then check if that new md5() of the posted password matches what was fetched from the database. If they match, you are cool. Otherwise, they entered the wrong thing.

Try not doing the comparison at the database.
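
The process flow described in the post above, as an added example that is not part of the original thread and not any poster's code. It goes beyond the thread by using a bound parameter instead of string interpolation, a constant-time comparison, and an upgrade from the unsalted MD5 digest to password_hash() on a successful login. Assumptions: PDO with an in-memory SQLite database stands in for the thread's doDB() MySQL connection, the sample row is constructed, and the password column is wide enough for a password_hash() value.

```php
<?php
// Added example: fetch the row by user name only, then compare in PHP.
// Table and column names (customer, user_name, password) come from the thread;
// the SQLite database and the sample row are constructed stand-ins.

function check_password(PDO $db, string $userName, string $posted): bool
{
    // Bound parameter: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM customer WHERE user_name = ?');
    $stmt->execute([$userName]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // zero rows: unknown user, handled without a notice
    }

    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // Legacy row: unsalted MD5 hex digest, as stored in the thread.
        $ok = hash_equals(strtolower($stored), md5($posted));
        if ($ok) {
            // Upgrade on successful login so MD5 digests are phased out.
            $upd = $db->prepare('UPDATE customer SET password = ? WHERE user_name = ?');
            $upd->execute([password_hash($posted, PASSWORD_DEFAULT), $userName]);
        }
        return $ok;
    }

    // Already-upgraded row: salted hash produced by password_hash().
    return password_verify($posted, $stored);
}

// Constructed demo data (not taken from the thread).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customer (user_name TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO customer VALUES (?, ?)')
   ->execute(['demo_user', md5('correct horse')]);

var_dump(check_password($db, 'demo_user', 'wrong guess'));   // wrong password
var_dump(check_password($db, 'demo_user', 'correct horse')); // legacy MD5 path, row gets upgraded
var_dump(check_password($db, 'demo_user', 'correct horse')); // password_verify() path
var_dump(check_password($db, 'nobody', 'correct horse'));    // unknown user
```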

Post by Obadiah »

8O guys i don't know what the hell i did but i got it to work....almost...check this out

Code: Select all

$conn = doDB(); 
$sql = "Select user_name, password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password = md5('$_POST[password]')";
$result = mysql_query($sql,$conn) or die(mysql_error()); 
while ($newArray = mysql_fetch_array($result))
{
	$password = $newArray['password'];
	$user_name = $newArray['user_name'];
}
	/*echo "first test";
	echo "<p style=\"color:blue\">$password</p>";
	echo "<p style=\"color:red\">$sPassword</p>";
	echo "<p style=\"color:blue\">$user_name</p>";
	echo "<p style=\"color:red\">{$_SESSION['logname']}</p>";
*/
echo $password .' is the password form the db...<br />'; 
echo hash('md5', $_POST['password']) . ' is the post hash value...<br />';

if (hash('md5','$_POST[password]') === $password) {
$sql = " update customer set password '{$_POST['new_pass']}' WHERE password =  md5('_$POST[password]')";
$result = mysql_query($sql,$conn) or die(mysql_error());
}
else{
	echo"incorrect password matchup please try again";
}
i get this as output
d8611198ea8421180df8e80eab0f2da1 is the password form the db...
d8611198ea8421180df8e80eab0f2da1 is the post hash value...
incorrect password matchup please try again

here's what i'm not getting....the hashed passwords are the same and still it's crapping out on me....what gives?