Posted: Mon Jan 29, 2007 10:19 am
by Obadiah
ok...i implemented my code to reflect your suggestions
Code:
$sPassword = mysql_real_escape_string($_POST['password']);
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password = md5('$sPassword')";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
$password = $newArray['password'];
}
echo $password .' is the password form the db...<br />';
echo hash('md5', $_POST['password']) . ' is the post hash value...<br />';
it's giving me the same error....saying that $password (the value stored in the database) is not defined, or it's still returning 0
Posted: Mon Jan 29, 2007 10:24 am
by feyd
What does mysql_num_rows() tell you?
Posted: Mon Jan 29, 2007 10:29 am
by RobertGonzalez
Try this...
Code:
<?php
$sPassword = md5($_POST['password']);
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password = '$sPassword'";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
// $password = $newArray['password'];
echo $newArray['password'];
}
?>
Does that echo anything out?
Posted: Mon Jan 29, 2007 10:32 am
by Obadiah
no...its blank
Posted: Mon Jan 29, 2007 10:33 am
by Obadiah
the number of rows from a result set
Posted: Mon Jan 29, 2007 10:35 am
by feyd
Obadiah wrote:
the number of rows in your database
No... the number of records in the result set. Call it in your code. I would bet it will say zero.
Posted: Mon Jan 29, 2007 11:15 am
by Obadiah
OOOOOOOH...not because i wrote it wrong....because the statement password = '$sPassword' is evaluating to false (hence the reason for $sPassword and password not looking duplicate when printed to the screen...i get ya) now...earlier you said because i was using a password not passed through a hashing function...but if it wasnt passed through a hashing function why does it display hashed...i think this is where im confused
Posted: Mon Jan 29, 2007 12:07 pm
by RobertGonzalez
Obadiah wrote:
no...its blank
That means that there are no rows returned (which is what feyd was trying to get at with his question about mysql_num_rows()). Maybe you should echo out the $sql to see what the server is seeing and to determine where things need to be rewritten to make them work?
Posted: Mon Jan 29, 2007 1:09 pm
by Obadiah
interesting.....very interesting....i just tried it...notice that blue reflects values stored in the database
Code:
$conn = doDB();
$sPassword = mysql_real_escape_string($_POST['password']);
$sql = "Select user_name, password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password = md5('$sPassword')";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
$password = $newArray['password'];
$user_name = $newArray['user_name'];
}
echo "first test";
echo "<p style=\"color:blue\">$password</p>";
echo "<p style=\"color:red\">$sPassword</p>";
echo "<p style=\"color:blue\">$user_name</p>";
echo "<p style=\"color:red\">{$_SESSION['logname']}</p>";
$sPassword = mysql_real_escape_string($_POST['password']);
$sql = "Select user_name, password FROM customer WHERE user_name= '{$_SESSION['logname']}'";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
$user_name = $newArray['user_name'];
$password = $newArray['password'];
}
echo "second test";
echo "<p style=\"color:blue\">$password</p>";
echo "<p style=\"color:red\">$sPassword</p>";
echo "<p style=\"color:blue\">$user_name</p>";
echo "<p style=\"color:red\">{$_SESSION['logname']}</p>";
i got this as output
first test
Notice: Undefined variable: password in C:\password_update.php on line 23
Notice: Undefined variable: user_name in C:\password_update.php on line 25
owilliams0001
second test
d8611198ea8421180df8e80eab0f2da1
owilliams0001
owilliams0001
which tells me that the first time nothing in the database is being seen but the second time i was able to retrieve both the username and the hashed password
which leads me to think that there's something funny about the way the password is being retrieved... then i tried this
Code:
$sql = "Select user_name, password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password != md5('$sPassword')";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
$password = $newArray['password'];
$user_name = $newArray['user_name'];
}
echo "first test";
echo "<p style=\"color:blue\">$password</p>";
echo "<p style=\"color:red\">$sPassword</p>";
echo "<p style=\"color:blue\">$user_name</p>";
echo "<p style=\"color:red\">{$_SESSION['logname']}</p>";
and i got
first test
d8611198ea8421180df8e80eab0f2da1
owilliams0001
owilliams0001
second test
d8611198ea8421180df8e80eab0f2da1
owilliams0001
owilliams0001
which further leads me to believe that there has to be something wrong with this and this is possibly the only issue
how do i fix it?
Posted: Mon Jan 29, 2007 1:27 pm
by RobertGonzalez
Do a simple select * query on the database with a limit 0, 10 to see how they are stored. It looks like md5, but it could just as easily be the MySQL password() function that hashed them. This seems to be tied to how you hash the password when they go in the table more than how they are fetched. What hashing algorithm are you using when inserting the data?
Posted: Mon Jan 29, 2007 2:28 pm
by Obadiah
done...here goes
Code:
$sql = "Select * FROM customer LIMIT 0,10";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
$user_name = $newArray['user_name'];
$password = $newArray['password'];
$first_name = $newArray['first_name'];
$last_name = $newArray['last_name'];
$street = $newArray['street'];
$city = $newArray['city'];
$state = $newArray['state'];
$zip = $newArray['zip'];
$phone = $newArray['phone'];
$fax = $newArray['fax'];
}
echo "$user_name<br>";
echo "$password<br>";
echo "$first_name<br>";
echo "$last_name<br>";
echo "$street<br>";
echo "$city<br>";
echo "$state<br>";
echo "$zip<br>";
echo "$phone<br>";
echo "$fax<br>";
Posted: Mon Jan 29, 2007 2:58 pm
by RobertGonzalez
Ok, trash the output now as we don't want people's sensitive information floating around on our boards.
Are you using MD5 as the hash algorithm when inserting?
Posted: Mon Jan 29, 2007 3:13 pm
by Obadiah
yes
Posted: Mon Jan 29, 2007 4:41 pm
by RobertGonzalez
Ok then, here is your process flow...
Select the user's record based on a userid/email address/some other identifiable piece of information. Grab the entire row and read each column of that row into a var. Now, md5() the user's entered password into a var. Then check if that new md5() of the posted password matches what was fetched from the database. If they match, you are cool. Otherwise, they entered the wrong thing.
Try not doing the comparison at the database.
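The process flow described above (fetch the row by user name, hash the posted password in PHP, compare there), as an added example that is not part of the original post. It goes one step beyond the thread by using PDO bound parameters and by re-storing a verified MD5 row with password_hash(), since MD5 is unsalted and fast; the in-memory SQLite table, the sample row and the helper name verifyPassword are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PDO with the sqlite driver;
// the in-memory table and its single row are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customer (user_name TEXT PRIMARY KEY, password TEXT)');
$pdo->prepare('INSERT INTO customer (user_name, password) VALUES (?, ?)')
    ->execute(['sampleuser', md5('old-secret')]); // legacy MD5 row

// Hypothetical helper: select by user name only, then compare in PHP.
function verifyPassword(PDO $pdo, string $userName, string $entered): bool
{
    // Bound parameter: the user name is never spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT password FROM customer WHERE user_name = ?');
    $stmt->execute([$userName]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) {
        return false; // zero rows (or a NULL password column)
    }
    // Rows already converted to password_hash() format.
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        return password_verify($entered, $stored);
    }
    // Legacy row: hash the variable itself (a single-quoted '$entered' would
    // be a literal string) and compare in constant time.
    if (!hash_equals($stored, md5($entered))) {
        return false;
    }
    // Correct password on a legacy row: replace MD5 with a salted, slow hash.
    $upd = $pdo->prepare('UPDATE customer SET password = ? WHERE user_name = ?');
    $upd->execute([password_hash($entered, PASSWORD_DEFAULT), $userName]);
    return true;
}

// Exercise the helper: wrong password, legacy match (row is upgraded),
// the same password against the upgraded row, and an unknown user.
foreach ([['sampleuser', 'wrong'], ['sampleuser', 'old-secret'],
          ['sampleuser', 'old-secret'], ['nobody', 'old-secret']] as [$u, $p]) {
    printf("%-10s %-10s %s\n", $u, $p, verifyPassword($pdo, $u, $p) ? 'match' : 'no match');
}
```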
Posted: Tue Jan 30, 2007 9:01 am
by Obadiah

guys i dont know what the hell i did but i got it to work....almost...check this out
Code:
$conn = doDB();
$sql = "Select user_name, password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password = md5('$_POST[password]')";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
$password = $newArray['password'];
$user_name = $newArray['user_name'];
}
/*echo "first test";
echo "<p style=\"color:blue\">$password</p>";
echo "<p style=\"color:red\">$sPassword</p>";
echo "<p style=\"color:blue\">$user_name</p>";
echo "<p style=\"color:red\">{$_SESSION['logname']}</p>";
*/
echo $password .' is the password form the db...<br />';
echo hash('md5', $_POST['password']) . ' is the post hash value...<br />';
if (hash('md5','$_POST[password]') === $password) {
$sql = " update customer set password '{$_POST['new_pass']}' WHERE password = md5('_$POST[password]')";
$result = mysql_query($sql,$conn) or die(mysql_error());
}
else{
echo"incorrect password matchup please try again";
}
i get this as output
d8611198ea8421180df8e80eab0f2da1 is the password form the db...
d8611198ea8421180df8e80eab0f2da1 is the post hash value...
incorrect password matchup please try again
heres what im not getting....the hashed passwords are the same and still its crapping out on me....what gives?