[fixed]password inquiries[fixed] :))
Posted: Fri Jan 26, 2007 9:33 am
by Obadiah
for some reason or another i get a blank screen for the output of this code....i'm having trouble trying to figure out why it won't at least give me an error...where am i screwing up here?
Code:
<?php
session_start();
error_reporting(E_ALL);
ini_set('display_errors', 1);
function doDB()
{
$conn = mysql_connect("somehost","dude","Whattheheck") or die(mysql_error());
mysql_select_db("customerdirectory",$conn) or die(mysql_error());
return $conn;
}
$conn = doDB();
echo '<html>
<head>
<title>Merchant Locater</title>
<link rel="stylesheet" type="text/css" href="cs.css">
</head>
<body>';
doDB();
$sql = "Select fax FROM customer WHERE user_name = '{$_SESSION['logname']}'";
$result = mysql_query($sql,$conn) or die(mysql_error());
return $result;
while ($newArray = mysql_fetch_array($result))
{
$fax = $newArray['fax'];
}
echo "$fax";
?>
Posted: Fri Jan 26, 2007 9:40 am
by boo_lolly
try adding a value in place of $_SESSION['logname'] that you know to be in the customer table in your database. maybe the sessions() aren't working? i'm also not sure if you need an extra doDB(); right above your $sql statement.
also, view the source of your page and see if it's even printing the <html><head............. stuff.
Posted: Fri Jan 26, 2007 9:50 am
by mikeq
also try looking at your webserver error log, can sometimes shed light on things.
Posted: Fri Jan 26, 2007 10:19 am
by Mordred
This looks like it was a part of a function to do a query, and you copy/pasted it in your code. I suggest you keep the function

Posted: Fri Jan 26, 2007 10:52 am
by Obadiah
Mordred wrote:
This looks like it was a part of a function to do a query, and you copy/pasted it in your code. I suggest you keep the function

yes...it was part of the code i'm using for another project...i didn't see a reason to rewrite it at the time however maybe i should since i'm getting nowhere with this....i'm not sure why my session would die though if it's live and all i'm doing is going to this page via link....and if the session was dead it would give me an error saying that it's undefined...but it's not...hmm still confused...i'll do a rewrite and post back
Posted: Fri Jan 26, 2007 11:06 am
by Obadiah
yep...i've been drinking again

...here's the correct way
Code:
<?php
session_start();
error_reporting(E_ALL);
ini_set('display_errors', 1);
function doDB()
{
$conn = mysql_connect("somehost","Hellz","Yeah!!!") or die(mysql_error());
mysql_select_db("customerdirectory",$conn) or die(mysql_error());
return $conn;
}
echo '<html>
<head>
<title>Merchant Locater</title>
<link rel="stylesheet" type="text/css" href="cs.css">
</head>
<body>';
$conn = doDB();
$sql = "Select fax, password FROM customer WHERE user_name = '{$_SESSION['logname']}'";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
$fax = $newArray['fax'];
$password= $newArray['password'];
}
echo"$fax<br>$password
</strong></div>";
?>
ok...this may be a bit

but i noticed that when i tried to post the password from the database it stays in its hashed form...the real reason of this specific application is i'm needing to give the user the ability to change his password...i think a simple replace or update would do...but unhashing the one that's there so i could replace it, how is that done....or should i go about this a different way?
Posted: Fri Jan 26, 2007 1:28 pm
by Obadiah
i searched google and the forums here for something similar but i can't find anything specific...does anyone know of a site online where i could find something on this?
Posted: Fri Jan 26, 2007 1:55 pm
by feyd
You cannot unhash the password. Typically, you ask them their current password and their new password (with confirmation.) Using the hashing function to check the current password is correct, you can then change the password to the new one.
Posted: Fri Jan 26, 2007 2:51 pm
by Obadiah
ok so my query for this puppy would look something like
Code:
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password =
('_$POST'[password]')";//[password] being the current password
$result = mysql_query($sql,$conn) or die(mysql_error());
if (mysql_num_rows($result)== 1) {
$sql = " update customer set password '{$_POST['new_pass']}' where password = {_$POST'['password']}";
$result = mysql_query($sql,$conn) or die(mysql_error());
}
testing it now but i wanted to run it by you guys while i was doing it to get some much needed input
Posted: Fri Jan 26, 2007 2:51 pm
by RobertGonzalez
You don't display password, ever. If someone wants to change one, they should be asked to first authenticate their current password, then supply a new password, then a confirmation of the new password. If the current password (in hashed form) validates, then move on to the checking of the new/new confirm and if they match, then hash the new and update the database.
Posted: Fri Jan 26, 2007 2:54 pm
by RobertGonzalez
Obadiah wrote: ok so my query for this puppy would look something like
Code:
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password =
('_$POST'[password]')";//[password] being the current password
$result = mysql_query($sql,$conn) or die(mysql_error());
if (mysql_num_rows($result)== 1) {
$sql = " update customer set password '{$_POST['new_pass']}' where password = {_$POST'['password']}";
$result = mysql_query($sql,$conn) or die(mysql_error());
}
Not exactly... since the passwords are hashed in the database, you need to hash the posted value then compare code-side. If they match, move on...
Code:
<?php
// assume $current_password was fetched from the database
if (hash('sha256', $_POST['password']) === $current_password)
{
// Yippee, there is a match
}
?>
Posted: Fri Jan 26, 2007 3:07 pm
by Obadiah
so in essence we're not really comparing the passwords but what they display in their hashed form? is that what you're saying?
Posted: Fri Jan 26, 2007 3:13 pm
by feyd
You don't have the ability to compare the passwords directly when dealing with a database stored hash value.. so it is the computed hashes that you must compare as far as the current one goes. The new password can be compared directly with the confirmation as they are both plain (typically.)
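The flow described in the replies above (check the current password against the stored hash, compare the new password with its confirmation, then store only a hash of the new one), as an added example that is not code from any poster in this thread. It assumes PDO with bound parameters in place of the thread's `mysql_*` calls and `password_hash()`/`password_verify()` in place of a bare SHA-256; the in-memory SQLite table, `demo_user` and the function name `changePassword` are constructed for illustration, and in the thread's code the user name would come from `$_SESSION['logname']`.

```php
<?php
// Added example, not code from the thread. The `customer` columns follow the
// thread; the in-memory SQLite database and the sample user are constructed.

function changePassword(PDO $db, string $user, string $current, string $new, string $confirm): string
{
    // Fetch the stored hash by user name only; the value is bound, never interpolated.
    $stmt = $db->prepare('SELECT password FROM customer WHERE user_name = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return 'incorrect password';   // same message as for a wrong password
    }

    // Hashes made by password_hash() are checked with password_verify();
    // legacy unsalted SHA-256 rows (as in the thread) are compared in constant time.
    $isModern = (bool) password_get_info($stored)['algo'];
    $ok = $isModern
        ? password_verify($current, $stored)
        : hash_equals($stored, hash('sha256', $current));
    if (!$ok) {
        return 'incorrect password';
    }

    // New password and confirmation are both plain text, so compare them directly.
    if ($new === '' || $new !== $confirm) {
        return 'new passwords do not match';
    }

    // Store only a salted hash of the new password, keyed on the user name.
    $upd = $db->prepare('UPDATE customer SET password = ? WHERE user_name = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    return 'password changed';
}

// Constructed demo data: one user whose row still holds a legacy SHA-256 hash.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customer (user_name TEXT PRIMARY KEY, password TEXT, fax TEXT)');
$db->prepare('INSERT INTO customer VALUES (?, ?, ?)')
   ->execute(['demo_user', hash('sha256', 'old-secret'), '555-0100']);

echo changePassword($db, 'demo_user', 'wrong', 'n3w-secret', 'n3w-secret'), "\n";
echo changePassword($db, 'demo_user', 'old-secret', 'n3w-secret', 'typo'), "\n";
echo changePassword($db, 'demo_user', 'old-secret', 'n3w-secret', 'n3w-secret'), "\n";
echo changePassword($db, 'demo_user', 'n3w-secret', 'another-1', 'another-1'), "\n";
```

The UPDATE is keyed on `user_name` rather than on the password value, so two users who happen to share a password cannot have each other's rows changed.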
Posted: Fri Jan 26, 2007 3:59 pm
by RobertGonzalez
Obadiah wrote: so in essence we're not really comparing the passwords but what they display in their hashed form? is that what you're saying?
Yes, that is what we are saying. Let's say a user's password is oBi-w4n. An MD5 hash of that string would be b91c253d338fe01303ec5d7b6f6653d0. Since you can't unhash a hash, how are you ever going to validate their password?
Posted: Fri Jan 26, 2007 4:43 pm
by Obadiah
ok...i've implemented and tried to compile some new code from what i gathered, here is what i have
Code:
<?php
session_start();
error_reporting(E_ALL);
ini_set('display_errors', 1);
function doDB()
{
$conn = mysql_connect("somehost","play","WorldofWarcraft") or die(mysql_error());
mysql_select_db("customerdirectory",$conn) or die(mysql_error());
return $conn;
}
$conn = doDB();
$sql = "Select password FROM customer WHERE user_name= '{$_SESSION['logname']}' AND password =
'{$_POST['password']}'";
$result = mysql_query($sql,$conn) or die(mysql_error());
while ($newArray = mysql_fetch_array($result))
{
$password = $newArray['password'];
}
if (hash('sha256', $_POST['password']) === $password) {
$sql = " update customer set password '{$_POST['new_pass']}' where password = {_$POST'['password']}";
$result = mysql_query($sql,$conn) or die(mysql_error());
}
else{
echo"incorrect password matchup please try again";
}
?>
i'm getting a notice error for
Code:
if (hash('sha256', $_POST['password']) === $password)
saying that password is undefined....why is that?....should i have made an array?...i'm trying that now
edited
even with the array i still get the same thing
