checking my understanding

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

checking my understanding

Post by m2babaey »

Hi
There were 3 posts in feyd's SHA256 thread, which someone here advised me to use for encrypting users' passwords in the database (please tell me if I am wrong). Now I should save all 3 posts in 1 file and include it, shouldn't I?
Then I should use the following code:

Code:

$pass=$_POST['password'];
$pass=SHA256::hash($pass,hex);
mysql_query("INSERT ....VALUES(...,$pass,...);
right?
Then when I want to check if users have entered the correct password, again I use this:

Code:

$pass=$_POST['password']
$pass=SHA256::hash($pass,hex)
$realpass = mysql_query("SELECT pass FROM database where username=$_POST['username]"); 
if $pass==$realpass{
//show user panel
}
Please tell me if I am wrong somewhere.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Aside from not escaping $_POST['username'], looks fine to me.

What seems to be the problem?
bdlang
Forum Contributor
Posts: 395
Joined: Tue May 16, 2006 8:46 pm
Location: Ventura, CA US

Post by bdlang »

That was me, I believe.

You've got the general idea. I'm not certain if all three scripts shown in that post are to be put together into one script or not; you want to read that thread again, and at the top there is a link to a demo page where you can download a sha256.zip file with the appropriate script in it.

Make sure you wrap all string data headed towards the database in quotes, e.g.

Code:

mysql_query("INSERT ....VALUES(...,'$pass',...);
I'm not sure if this was just a quick example or if you expect this to work:

Code:

$pass=$_POST['password']
$pass=SHA256::hash($pass,hex)
$realpass = mysql_query("SELECT pass FROM database where username=$_POST['username]");
if $pass==$realpass{
//show user panel
}
You've got a problem with that script, aside from the missing semicolons and forgetting to wrap that data in quotes as well - mysql_query() will not retrieve the data for you, it only performs the query and returns a MySQL Result resource if successful. You have to then use one of the functions meant to fetch data based on that resource, in this case I'd use mysql_result().

You also want to make sure you validate and escape the username to avoid SQL injection or other problems. At the very least use mysql_real_escape_string() on any data headed towards the database.

Typically you'd pass the password value along with the username to validate a user, e.g.

Code:

if ( !empty($_POST['username']) && !empty($_POST['password']) ) {
    // further validation here, escape data using mysql_real_escape_string(), etc
    // you wind up with two variables, $cleanUsername and $cleanPassword
    // the SQL statement
    $sql= "SELECT ID FROM userTable WHERE username= '$cleanUsername' AND password= '$cleanPassword'";
    // the query
    $result= mysql_query($sql);
    // check the number of records returned, we must have exactly 1 to match the user 
    if ( mysql_num_rows($result) == 1 ) {
        // log the user in, redirect, etc
    } else {
        // there were either 0 records, no match or more than 1 record, bad bad bad
        // show an error message, redirect, etc
    }
}
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

bdlang wrote:Typically you'd pass the password value along with the username to validate a user
Really? I never do. It allows more possibility for SQL injection and, whenever I teach it to others (or if I ever were to somehow forget to type mysql_real_escape_string), I tell them to do it the way that he's doing it. This way, you're not vulnerable to an injected OR or something.
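Added example, not code from any post in this thread or from feyd's class: the two login checks debated above (bdlang's username-plus-hash query that must return exactly one row, and the original post's fetch-the-stored-hash-then-compare), written for current PHP. It assumes an in-memory SQLite database standing in for MySQL, a constructed userTable with one row, PDO prepared statements in place of mysql_real_escape_string() (the mysql_* functions were removed in PHP 7), and PHP's built-in hash('sha256', ...) in place of feyd's SHA256 class; the PasswordHasher class, the table contents and the test inputs are all made up here.

```php
<?php
// Added example (not from the thread): the login check discussed above, for
// current PHP. Assumptions: in-memory SQLite stands in for MySQL, the userTable
// rows are constructed here, and PDO prepared statements replace
// mysql_real_escape_string() as the SQL-injection defence.

// Stand-in for feyd's SHA256 class: a static method called through the scope
// resolution operator (::), the same shape as SHA256::hash($pass, 'hex').
// Unsalted SHA-256 is fast to brute-force; for real accounts use
// password_hash()/password_verify() instead.
class PasswordHasher
{
    public static function hash(string $password): string
    {
        return hash('sha256', $password);   // 64 lowercase hex characters
    }
}

// Constructed sample data: a users table with one account.
function buildDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE userTable (ID INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    $insert = $db->prepare('INSERT INTO userTable (username, password) VALUES (?, ?)');
    $insert->execute(['m2babaey', PasswordHasher::hash('correct horse')]);
    return $db;
}

// Variant 1 (bdlang's): bind username and hash together, require exactly one row.
function loginByQuery(PDO $db, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;                       // same gate as !empty() in the thread
    }
    $stmt = $db->prepare('SELECT ID FROM userTable WHERE username = ? AND password = ?');
    $stmt->execute([$username, PasswordHasher::hash($password)]);
    return count($stmt->fetchAll(PDO::FETCH_COLUMN)) === 1;
}

// Variant 2 (the original post's shape): look the user up by name only and
// compare in PHP. mysql_query() never returned the value itself, which was the
// bug bdlang pointed out; here fetchColumn() does the retrieval.
function loginByCompare(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM userTable WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;                       // no such user
    }
    // hash_equals() compares in constant time; == on the hex strings does not.
    return hash_equals($stored, PasswordHasher::hash($password));
}

$db = buildDatabase();
$tests = [
    ['m2babaey', 'correct horse'],          // valid login
    ['m2babaey', 'wrong'],                  // wrong password
    ["m2babaey' OR '1'='1", 'anything'],    // the "injected OR" case: just a non-existent name here
];
foreach ($tests as [$user, $pass]) {
    printf("%-22s byQuery=%s byCompare=%s\n", $user,
        var_export(loginByQuery($db, $user, $pass), true),
        var_export(loginByCompare($db, $user, $pass), true));
}
```

Both variants treat the username containing a quote and an OR as plain data, because the value travels as a bound parameter instead of being pasted into the SQL string; that is what makes the choice between the two variants a matter of taste rather than of injection exposure. If the stored hash is salted (as password_hash() output is), variant 1 no longer works, because the hash cannot be recomputed for the WHERE clause; the stored value has to be fetched and verified in PHP as variant 2 does.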
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

I should have opened this thread in PHP Security, but...
Thanks for your replies. Yes, there were errors and you pointed to them.
Now 2 other questions:
1. Where should I upload the mysql-connect file on my host?
2. There are functions for avoiding bad queries. Which of them is the best? (if I want the users to post articles)
Last edited by m2babaey on Mon May 28, 2007 8:28 am, edited 1 time in total.
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

I'm not clear on how to use feyd's work yet.
I downloaded the zip file and it seemed it was the demo, so I saved all the code in the 3 posts in 1 file and included it in a file named testhash.php with the code below to hash m2babaey:

Code:

<?php
include('hash_sha256.php');
$pass=m2babaey;
$pass=sha256::($pass,hex);
echo "$pass";
?>
When I called testhash.php I got this error in my browser:
Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `'$'' in g:\programs(2)\easyphp1-8\www\ha\testhash.php on line 4
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

m2babaey wrote:I'm not clear on how to use feyd's work yet.
I downloaded the zip file and it seemed it was the demo, so I saved all the code in the 3 posts in 1 file and included it in a file named testhash.php with the code below to hash m2babaey:

Code:

<?php
include('hash_sha256.php');
$pass=m2babaey;
$pass=sha256::($pass,hex);
echo "$pass";
?>
When I called testhash.php I got this error in my browser:
Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `'$'' in g:\programs(2)\easyphp1-8\www\ha\testhash.php on line 4
Sounds like your local PHP parser doesn't handle constants correctly. I'm not sure though... I've no idea what is on line 4 of testhash.php.
Which PHP version are you using...?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You're missing the method "hash" after the scope operator.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

feyd wrote:You're missing the method "hash" after the scope operator.
That DID look odd, but he said that you wrote it, so I figured if anyone could make it do something funky like run a function without calling one, it'd be feyd.
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

Which PHP version are you using...?
As you see in the error, I'm using easyphp1-8
I've no idea what is on line 4 of testhash.php.
I'm not sure if you were asking anything, but line 4 is:
$pass=sha256::($pass,hex);
You're missing the method "hash" after the scope operator.
What is "scope operator" and what is the method "hash"? These are new to me. (as I'm new to PHP too :lol: )
So I still need help. Thanks for your replies :roll:
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

m2babaey wrote:
Which PHP version are you using...?
As you see in the error, I'm using easyphp1-8
EasyPHP 1-8 is... Not a PHP version. But that's beside the point.
m2babaey wrote:
I've no idea what is on line 4 of testhash.php.
I'm not sure if you were asking anything, but line 4 is:
$pass=sha256::($pass,hex);
You're missing the method "hash" after the scope operator.
What is "scope operator" and what is the method "hash"? These are new to me. (as I'm new to PHP too :lol: )
So I still need help. Thanks for your replies :roll:
Yeah... I'll assume that you just.. never learned the terminology? Maybe?

A method is a function. The scope operator is (). The method "hash" is a method named "hash."
Those concepts are for more than just PHP, so remember them. :-p
bdlang
Forum Contributor
Posts: 395
Joined: Tue May 16, 2006 8:46 pm
Location: Ventura, CA US

Post by bdlang »

superdezign wrote: The scope operator is ().
I think you meant :: as in sha256::hash().

To further clarify, a method is a class function, and in this specific case, you're calling the hash() method statically without having to instantiate an sha256 object first. The operator :: defines this as a static method call.

PHP Manual : Classes & Objects (PHP 4) : scope resolution operator
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

bdlang wrote:
superdezign wrote: The scope operator is ().
I think you meant ::
:oops:

Makes more sense. :-p I thought feyd said before, not after, and I'm like "That's called the 'scope operator?' I thought it was something else and those were parameters... Ehh, go with the flow."

Damned flow.
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

Thanks. Now it seems there is just 1 small thing:
I used the code above again; I repeat it here:

Code:

<?php
include('hash_sha256.php');
$pass=m2babaey;
$pass=sha256::hash($pass,hex);
echo "$pass";
?>
And I see the result in the browser:
Notice: Use of undefined constant m2babaey - assumed 'm2babaey' in g:\programs(2)\easyphp1-8\www\ha\testhash.php on line 3

Notice: Use of undefined constant hex - assumed 'hex' in g:\programs(2)\easyphp1-8\www\ha\testhash.php on line 4
b536fed7f611f093082368fd7b744168892b4907f65dd6d0e58f3c138e5807d8

You see, it has hashed m2babaey correctly. But what should I have done to define m2babaey correctly so I didn't face the "Notice:"?
Thanks.
Also 1 question remains unanswered. I place the mysql connection function in one file and include it wherever I need to connect to the database. Where should I upload that file so it is inaccessible when PHP fails to run, so visitors won't see my password?
Last edited by m2babaey on Tue May 29, 2007 2:03 pm, edited 1 time in total.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

m2babaey wrote:Thanks. Now it seems there is just 1 small thing:
I used the code above again; I repeat it here:
<?php
include('hash_sha256.php');
$pass=m2babaey;
$pass=sha256::hash($pass,hex);
echo "$pass";
?>
And I see the result in the browser:
Notice: Use of undefined constant m2babaey - assumed 'm2babaey' in g:\programs(2)\easyphp1-8\www\ha\testhash.php on line 3

Notice: Use of undefined constant hex - assumed 'hex' in g:\programs(2)\easyphp1-8\www\ha\testhash.php on line 4
b536fed7f611f093082368fd7b744168892b4907f65dd6d0e58f3c138e5807d8
The first notice is telling you that you didn't put quotes around "m2babaey."
The second notice is looking for the hex constant which, I'll assume, is also supposed to be a string, or is in the hash_sha256 file....? :?:
m2babaey wrote:Also 1 question remains unanswered. I place the mysql connection function in one file and include it wherever I need to connect to the database. Where should I upload that file so it is inaccessible when PHP fails to run, so visitors won't see my password?
Visitors can't see PHP code. No worries. If you want to hide errors, turn them off (which I'm sure you'll do when the site is live, right?)