checking my understanding

Posted: Sun May 27, 2007 6:49 pm
by m2babaey
Hi
There were 3 posts in feyd's SHA256, which someone here advised me to use for encrypting users' passwords in the database (please tell me if I am wrong). Now I should save all 3 posts in 1 file and include it, shouldn't I?
Then I should use the following code:

Code:
$pass=$_POST['password'];
$pass=SHA256::hash($pass,hex);
mysql_query("INSERT ....VALUES(...,$pass,...);
Right?
Then when I want to check whether users have entered the correct password, I use this:

Code:
$pass=$_POST['password']
$pass=SHA256::hash($pass,hex)
$realpass = mysql_query("SELECT pass FROM database where username=$_POST['username]"); 
if $pass==$realpass{
//show user panel
}
Please tell me if I am wrong somewhere.

Posted: Sun May 27, 2007 6:59 pm
by superdezign
Aside from not escaping $_POST['username'], looks fine to me.

What seems to be the problem?

Posted: Sun May 27, 2007 7:08 pm
by bdlang
That was me, I believe.

You've got the general idea. I'm not certain if all three scripts shown in that post are to be put together into one script or not; you want to read that thread again, and at the top there is a link to a demo page where you can download a sha256.zip file with the appropriate script in it.

Make sure you wrap all string data headed towards the database in quotes, e.g.

Code:
mysql_query("INSERT ....VALUES(...,'$pass',...);
I'm not sure if this was just a quick example or if you expect this to work:

Code:
$pass=$_POST['password']
$pass=SHA256::hash($pass,hex)
$realpass = mysql_query("SELECT pass FROM database where username=$_POST['username]");
if $pass==$realpass{
//show user panel
}
You've got a problem with that script, aside from the missing semicolons and forgetting to wrap that data in quotes as well - mysql_query() will not retrieve the data for you, it only performs the query and returns a MySQL Result resource if successful. You have to then use one of the functions meant to fetch data based on that resource, in this case I'd use mysql_result().

You also want to make sure you validate and escape the username to avoid SQL injection or other problems. At the very least use mysql_real_escape_string() on any data headed towards the database.

Typically you'd pass the password value along with the username to validate a user, e.g.

Code:
if ( !empty($_POST['username']) && !empty($_POST['password']) ) {
    // further validation here, escape data using mysql_real_escape_string(), etc
    // you wind up with two variables, $cleanUsername and $cleanPassword
    // the SQL statement
    $sql= "SELECT ID FROM userTable WHERE username= '$cleanUsername' AND password= '$cleanPassword'";
    // the query
    $result= mysql_query($sql);
    // check the number of records returned, we must have exactly 1 to match the user 
    if ( mysql_num_rows($result) == 1 ) {
        // log the user in, redirect, etc
    } else {
        // there were either 0 records, no match or more than 1 record, bad bad bad
        // show an error message, redirect, etc
    }
}

Posted: Sun May 27, 2007 7:14 pm
by superdezign
bdlang wrote:Typically you'd pass the password value along with the username to validate a user
Really? I never do. It allows more possibility for SQL injection and, whenever I teach it to others (or if I ever were to somehow forget to type mysql_real_escape_string), I tell them to do it the way that he's doing it. This way, you're not vulnerable to an injected OR or something.
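The login check that the two replies above describe, written out as an added example (not code from the thread or from feyd's class): the username is escaped and quoted, the password never goes into the SQL string, the result resource is read with mysql_num_rows() and mysql_result(), and the submitted password is hashed before comparison. It assumes hash_sha256.php provides feyd's sha256::hash($data, 'hex') as used later in this thread, a table named users with username and password columns, and an already-open mysql_* connection; the mysql_* functions it uses are the ones the thread discusses and were removed in PHP 7.

```php
<?php
// Added example: validating a login against a stored SHA-256 hex hash.
// Assumes hash_sha256.php defines feyd's sha256::hash() with a 'hex' mode,
// a `users` table (username, password) and an open mysql_* connection.
include('hash_sha256.php');

function check_login($username, $password)
{
    // Reject empty input before touching the database.
    if ($username === '' || $password === '') {
        return false;
    }
    // The username is the only user-supplied value that reaches the SQL
    // string: escape it and wrap it in quotes. The password stays out of
    // the query entirely, so an injected OR cannot bypass the check.
    $cleanUsername = mysql_real_escape_string($username);
    $sql = "SELECT password FROM users WHERE username = '$cleanUsername'";

    // mysql_query() only returns a result resource (or false on error);
    // it does not hand back the stored hash by itself.
    $result = mysql_query($sql);
    if ($result === false) {
        return false;
    }
    // Exactly one row must match; 0 or more than 1 is a failed login.
    if (mysql_num_rows($result) !== 1) {
        return false;
    }
    $storedHash = mysql_result($result, 0, 'password');

    // Hash the submitted password the same way it was stored, then compare
    // the two hex strings. Both values must be quoted strings, not constants.
    $submittedHash = sha256::hash($password, 'hex');
    return $submittedHash === $storedHash;
}

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

if (check_login($username, $password)) {
    // show user panel
} else {
    // show login error, without saying whether the username or password was wrong
}
?>
```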

Posted: Mon May 28, 2007 4:01 am
by m2babaey
I should have opened this thread in PHP Security, but..
Thanks for your replies. Yes, there were errors and you pointed them out.
Now 2 other questions:
1. Where should I upload the mysql-connect file on my host?
2. There are functions for avoiding bad queries. Which of them is the best? (if I want the users to post articles)

Posted: Mon May 28, 2007 8:27 am
by m2babaey
I'm not clear on how to use feyd's work yet.
I downloaded the zip file and it seemed it was the demo, so I saved all the code from the 3 posts in 1 file and included it in a file named testhash.php with the code below to hash m2babaey:

Code:
<?php
include('hash_sha256.php');
$pass=m2babaey;
$pass=sha256::($pass,hex);
echo "$pass";
?>
When I called testhash.php I got this error in my browser:
Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `'$'' in g:\programs(2)\easyphp1-8\www\ha\testhash.php on line 4

Posted: Mon May 28, 2007 8:35 am
by superdezign
m2babaey wrote:I'm not clear on how to use feyd's work yet.
I downloaded the zip file and it seemed it was the demo, so I saved all the code from the 3 posts in 1 file and included it in a file named testhash.php with the code below to hash m2babaey:

Code:
<?php
include('hash_sha256.php');
$pass=m2babaey;
$pass=sha256::($pass,hex);
echo "$pass";
?>
When I called testhash.php I got this error in my browser:
Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `'$'' in g:\programs(2)\easyphp1-8\www\ha\testhash.php on line 4
Sounds like your local PHP parser doesn't handle constants correctly. I'm not sure though... I've no idea what is on line 4 of testhash.php.
Which PHP version are you using...?

Posted: Mon May 28, 2007 8:37 am
by feyd
You're missing the method "hash" after the scope operator.

Posted: Mon May 28, 2007 8:40 am
by superdezign
feyd wrote:You're missing the method "hash" after the scope operator.
That DID look odd, but he said that you wrote it, so I figured if anyone could make it do something funky like run a function without calling one, it'd be feyd.

Posted: Mon May 28, 2007 11:32 am
by m2babaey
Which PHP version are you using...?
As you see in the error, I'm using easyphp1-8.
I've no idea what is on line 4 of testhash.php.
I'm not sure if you were asking anything, but line four is:
$pass=sha256::($pass,hex);
You're missing the method "hash" after the scope operator.
What is a "scope operator" and what is the method "hash"? These are new to me. (as I'm new to PHP too :lol: )
So I still need help. Thanks for your replies :roll:

Posted: Mon May 28, 2007 12:50 pm
by superdezign
m2babaey wrote:
Which PHP version are you using...?
As you see in the error, I'm using easyphp1-8.
EasyPHP 1-8 is... Not a PHP version. But that's beside the point.
m2babaey wrote:
I've no idea what is on line 4 of testhash.php.
I'm not sure if you were asking anything, but line four is:
$pass=sha256::($pass,hex);
You're missing the method "hash" after the scope operator.
What is a "scope operator" and what is the method "hash"? These are new to me. (as I'm new to PHP too :lol: )
So I still need help. Thanks for your replies :roll:
Yeah... I'll assume that you just.. never learned the terminology? Maybe?

A method is a function. The scope operator is (). The method "hash" is a method named "hash."
Those concepts are for more than just PHP, so remember them. :-p

Posted: Mon May 28, 2007 1:37 pm
by bdlang
superdezign wrote: The scope operator is ().
I think you meant :: as in sha256::hash().

To further clarify, a method is a class function, and in this specific case, you're calling the hash() method statically without having to instantiate an sha256 object first. The operator :: defines this as a static method call.

PHP Manual : Classes & Objects (PHP 4) : scope resolution operator

Posted: Mon May 28, 2007 1:43 pm
by superdezign
bdlang wrote:
superdezign wrote: The scope operator is ().
I think you meant ::
:oops:

Makes more sense. :-p I thought feyd said before, not after, and I'm like "That's called the 'scope operator?' I thought it was something else and those were parameters... Ehh, go with the flow."

Damned flow.

Posted: Tue May 29, 2007 1:57 pm
by m2babaey
Thanks. Now it seems there is just 1 small thing:
I used the code above again, repeated here:

Code:
<?php
include('hash_sha256.php');
$pass=m2babaey;
$pass=sha256::hash($pass,hex);
echo "$pass";
?>
And see the result in the browser:
Notice: Use of undefined constant m2babaey - assumed 'm2babaey' in g:\programs(2)\easyphp1-8\www\ha\testhash.php on line 3

Notice: Use of undefined constant hex - assumed 'hex' in g:\programs(2)\easyphp1-8\www\ha\testhash.php on line 4
b536fed7f611f093082368fd7b744168892b4907f65dd6d0e58f3c138e5807d8

You see, it has hashed m2babaey correctly. But what should I have done to define m2babaey correctly so I didn't get the "Notice:"?
Thanks.
Also 1 question remains unanswered. I place the mysql connection function in one file and include it wherever I need to connect to the database. Where should I upload that file so it is inaccessible when PHP fails to run, so visitors won't see my password?

Posted: Tue May 29, 2007 2:03 pm
by superdezign
m2babaey wrote:Thanks. Now it seems there is just 1 small thing:
I used the code above again, repeated here:
<?php
include('hash_sha256.php');
$pass=m2babaey;
$pass=sha256::hash($pass,hex);
echo "$pass";
?>
And see the result in the browser:
Notice: Use of undefined constant m2babaey - assumed 'm2babaey' in g:\programs(2)\easyphp1-8\www\ha\testhash.php on line 3

Notice: Use of undefined constant hex - assumed 'hex' in g:\programs(2)\easyphp1-8\www\ha\testhash.php on line 4
b536fed7f611f093082368fd7b744168892b4907f65dd6d0e58f3c138e5807d8
The first notice is telling you that you didn't put quotes around "m2babaey."
The second notice is looking for the hex constant which, I'll assume, is also supposed to be a string, or is in the hash_sha256 file....? :?:
m2babaey wrote:Also 1 question remains unanswered. I place the mysql connection function in one file and include it wherever I need to connect to the database. Where should I upload that file so it is inaccessible when PHP fails to run, so visitors won't see my password?
Visitors can't see PHP code. No worries. If you want to hide errors, turn them off (which I'm sure you'll do when the site is live, right?)