PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
Loading
It is currently Sun Sep 15, 2019 3:35 am

All times are UTC - 5 hours




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Thu Aug 23, 2012 4:06 pm 
Offline
Forum Newbie

Joined: Thu Aug 23, 2012 3:49 pm
Posts: 1
So im trying to write a change password script for the user control panel for my site. My server is storing passwords in the database as unsalted md5 (i know i need to salt them but one step at a time). The script ive modified was orignally used for plaintext passwords, i've modified to to md5. The problem im having is with the character count check.. The script is counting the hashed rather than the password and im not versed enough in php to understand yet where the problem lies.. When i remove the character check, it works fine except the script allows null password hashes to be written. Anyone able to lend a noob some advice?

Syntax: [ Download ] [ Hide ]
<?php {
// check the login details of the user and stop execution if not logged in
 if(!empty($_POST['username']) && !empty($_POST['password']) && !empty($_POST['password2'])) ;
 
$todo=$_POST['todo'];
$password=md5(mysql_real_escape_string($_POST['password']));
$password2=md5(mysql_real_escape_string($_POST['password2']));
/////////////////////////

if(isset($todo) and $todo=="change-password"){
$password=md5(mysql_real_escape_string($_POST['password']));

//Setting flags for checking
$status = "OK";
$msg="";

if ( strlen($password) < 3 or strlen($password) > 100 ){
$msg=$msg."Password must be more than 3 char legth and maximum 100 char lenght<BR>";
$status= "NOTOK";}                     

if ( $password <> $password2 ){
$msg=$msg."Both passwords are not matching<BR>";
$status= "NOTOK";}                                     



if($status<>"OK"){
echo "$msg<br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
}else{ // if all validations are passed.
if(mysql_query("update users set Password='$password' where UserID='$_SESSION[UserID]'")){
echo "Thanks <br> Your password changed successfully.";
}else{echo "Sorry <br> Failed to change password Contact Site Admin";
}
}
} else ?>

<div id="stylized" class="myform">
<form id="form" method="post" action="account.php?p=settings">
<input type="hidden" name="todo" value="change-password">
<h1>Change Password:</h1>
<p>Enter details below to change your password</p>

<label>New Password
<span class="small"></span>
</label>
<input type="password" name="password" id="password" />

<label>Re-Enter Password
<span class="small"></span>
</label>
<input type="password" name="password2" id="password2" />



<button type="submit">Change Password</button>
<div class="spacer"></div>

</form>

<?php ;


echo "</div>";


   }?>


Top
 Profile  
 
PostPosted: Thu Aug 23, 2012 6:38 pm 
Offline
Spammer :|
User avatar

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
Don't do the hashing until just before you put it into the SQL query.

Also, don't mysql_real_escape_string() it: the hash will only contain letters and numbers.

Also, salting at this point is trivial. Do it now. Generate a random salt, hash the password with it, and when you save the password also save the salt.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group