  1. #1
    SitePoint Evangelist

    increasing password security broke my script

    I had my forgot password working properly, but I was concerned that I was not using a salt with the storage in MySQL.

    My original code:
    PHP Code:
    // $u (user id) and $sq (security answer) come from the request and are
    // interpolated into the SQL strings unescaped, exactly as posted
    $query = "SELECT sec_ques, email, user_id FROM users_tbl WHERE user_id='$u'";
    $result = mysql_query($query) or trigger_error("3Security Answer was Wrong");

    if (mysql_affected_rows() == 1) {
        $row = mysql_fetch_array($result, MYSQL_NUM);
        mysql_free_result($result);

        if ($sq == $row[0]) {
            $email = $row[1];
            // 10-character temporary password taken from an md5 of uniqid()
            $p = substr(md5(uniqid(rand(), 1)), 3, 10);
            // store the unsalted SHA1 of the temporary password
            $query2 = "UPDATE users_tbl SET pass=SHA('$p') WHERE user_id='$u'";
            $result2 = mysql_query($query2) or trigger_error("Your Password Couldn't be changed. Try later.");
        }
    }
    I changed one line to read:
    $query2 = "UPDATE users_tbl SET pass=SHA('$p' . 'salt') WHERE user_id='$u'";

    That gave me this code that does not work:
    PHP Code:
    $query = "SELECT sec_ques, email, user_id FROM users_tbl WHERE user_id='$u'";
    $result = mysql_query($query) or trigger_error("3Security Answer was Wrong");

    if (mysql_affected_rows() == 1) {
        $row = mysql_fetch_array($result, MYSQL_NUM);
        mysql_free_result($result);

        if ($sq == $row[0]) {
            $email = $row[1];
            $p = substr(md5(uniqid(rand(), 1)), 3, 10);
            // the changed line: the '.' ends up inside the SQL sent to MySQL
            $query2 = "UPDATE users_tbl SET pass=SHA('$p' . 'salt') WHERE user_id='$u'";
            $result2 = mysql_query($query2) or trigger_error("Your Password Couldn't be changed. Try later.");
        }
    }
    I have also tried using this line:
    $query2 = "UPDATE users_tbl SET pass=SHA($p.'salt') WHERE user_id='$u'";

    My issue is that the script is showing me the results of the last line:
    $result2 = mysql_query ($query2) or trigger_error("Your Password Couldn't be changed. Try later.");
    Each day is a learning experience.

  2. #2
    Non-Member
    Quote Originally Posted by CSU-Bill View Post
    My issue is that the script is showing me the results of the last line:
    $result2 = mysql_query ($query2) or trigger_error("Your Password Couldn't be changed. Try later.");
    Have a look at the actual query that is run.
    PHP Code:
    $query2 = "UPDATE users_tbl SET pass=SHA('$p' . 'salt') WHERE user_id='$u'";
    echo $query2;
    die();

  3. #3
    SitePoint Evangelist
    It looks correct to me. This is what was echoed to the screen.

    UPDATE users_tbl SET pass=SHA('bec211292c' . 'salt') WHERE user_id='Admin209'

    I also added an echo $result2, and received an error "Undefined variable: result2" so what happened to result2?
    Each day is a learning experience.

  4. #4
    SitePoint Wizard
    The dot is not an operator in MySQL, only PHP. You want to use a + there.

  5. #5
    Non-Member
    Quote Originally Posted by CSU-Bill View Post
    It looks correct to me. This is what was echoed to the screen.

    UPDATE users_tbl SET pass=SHA('bec211292c' . 'salt') WHERE user_id='Admin209'

    I also added an echo $result2, and received an error "Undefined variable: result2" so what happened to result2?
    Then run the query in an SQL window and see what errors you get. They should be obvious, as pointed out by samanime.

    Also, you can't echo $result2 because it is a result set.

  6. #6
    SitePoint Evangelist
    Great! changing the dot to a + now changes the password.

    Thanks for the help. I did not realize that I needed to be checking the MySQL syntax, and was just looking for a PHP error.

    So much to learn.
    Each day is a learning experience.
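As an added example (not code from the thread): in MySQL `+` is arithmetic, not string concatenation, so SHA('bec211292c' + 'salt') coerces both strings to numbers and hashes the text of their sum ('0' for any password that does not start with a digit), while CONCAT() is the string operator the salted form needs. The script below models what the database stores under each spelling using hashlib; the numeric coercion is a simplified model (leading digits only, a labelled assumption), the salt is the thread's literal 'salt', and verify_login is a hypothetical login check, not the poster's code.

```python
import hashlib
import hmac
import re

# Salt literal from the thread; a real deployment would use a random per-user salt.
SALT = "salt"


def mysql_numeric_prefix(s: str) -> int:
    """Simplified model (assumption) of how MySQL coerces a string for '+':
    the leading run of digits is used and the rest ignored, so a string with
    no leading digits becomes 0 (MySQL emits a warning, not an error)."""
    m = re.match(r"\s*(\d+)", s)
    return int(m.group(1)) if m else 0


def sha1_hex(s: str) -> str:
    """MySQL SHA()/SHA1() returns the 40-hex-char SHA-1 of its argument's bytes."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def hash_as_mysql_concat(p: str, salt: str = SALT) -> str:
    """What SHA(CONCAT('$p', 'salt')) stores: hash of password followed by salt."""
    return sha1_hex(p + salt)


def hash_as_mysql_plus(p: str, salt: str = SALT) -> str:
    """What SHA('$p' + 'salt') stores: both strings are coerced to numbers,
    added, and the numeric result is hashed as text."""
    total = mysql_numeric_prefix(p) + mysql_numeric_prefix(salt)
    return sha1_hex(str(total))


def verify_login(candidate: str, stored_hash: str, salt: str = SALT) -> bool:
    """Hypothetical login check matching the CONCAT storage form, compared in
    constant time so the comparison itself leaks nothing about the hash."""
    return hmac.compare_digest(hash_as_mysql_concat(candidate, salt), stored_hash)


if __name__ == "__main__":
    p = "bec211292c"  # the temporary password echoed in the thread
    print("CONCAT form:", hash_as_mysql_concat(p))
    print("'+' form:   ", hash_as_mysql_plus(p))
    # every non-numeric temporary password ends up with the same '+' hash
    print("'+' form, other password:", hash_as_mysql_plus("zzzz"))
```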
