Jump to content

lovephp

Members
  • Posts

    530
  • Joined

  • Last visited

lovephp's Achievements

Advanced Member

Advanced Member (4/5)

1

Reputation

7

Community Answers

  1. wow it was this simple , really appreciate it alot Jacques
  2. can i upload the sciprt in here to show you guys?
  3. Jacques1 i will bind them but how am i suppose to verify the password? the password password_verify() required 2 parameters
  4. Heyya guy, another issue i ran into now, i need to make change password but it just wont work. here is the part i try to verify. example of password is $2y$10$2QsvMvranDkaB7XYCMIFIOfNWRczae5tpFmqXGmUCVQrFw26dg6wK $stmt = "SELECT password, memberID FROM members WHERE memberID = '".$uid ."'"; $stmt = $db->prepare($stmt); $stmt->execute(); $row = $stmt->fetch(); if(password_verify($uid,$row['password']) == 0){ $error[] = 'Old password is incorrect.'; }else if($_POST['newpassword'] == ''){ $error[] = 'New password is required.'; }else if(strlen($_POST['newpassword']) < 6){ $error[] = 'New password is too short. (6 Chars)'; }else if(strlen($_POST['confirmpassword']) < 6){ $error[] = 'Confirm password was too short. (6 Chars)'; }else if($_POST['newpassword'] != $_POST['confirmpassword']){ $error[] = 'Passwords do not match.'; } the password.php script is <?php if (!defined('PASSWORD_BCRYPT')) { define('PASSWORD_BCRYPT', 1); define('PASSWORD_DEFAULT', PASSWORD_BCRYPT); } Class Password { public function __construct() {} function password_hash($password, $algo, array $options = array()) { if (!function_exists('crypt')) { trigger_error("Crypt must be loaded for password_hash to function", E_USER_WARNING); return null; } if (!is_string($password)) { trigger_error("password_hash(): Password must be a string", E_USER_WARNING); return null; } if (!is_int($algo)) { trigger_error("password_hash() expects parameter 2 to be long, " . gettype($algo) . " given", E_USER_WARNING); return null; } switch ($algo) { case PASSWORD_BCRYPT : // Note that this is a C constant, but not exposed to PHP, so we don't define it here. $cost = 10; if (isset($options['cost'])) { $cost = $options['cost']; if ($cost < 4 || $cost > 31) { trigger_error(sprintf("password_hash(): Invalid bcrypt cost parameter specified: %d", $cost), E_USER_WARNING); return null; } } // The length of salt to generate $raw_salt_len = 16; // The length required in the final serialization $required_salt_len = 22; $hash_format = sprintf("$2y$%02d$", $cost); break; default : trigger_error(sprintf("password_hash(): Unknown password hashing algorithm: %s", $algo), E_USER_WARNING); return null; } if (isset($options['salt'])) { switch (gettype($options['salt'])) { case 'NULL' : case 'boolean' : case 'integer' : case 'double' : case 'string' : $salt = (string)$options['salt']; break; case 'object' : if (method_exists($options['salt'], '__tostring')) { $salt = (string)$options['salt']; break; } case 'array' : case 'resource' : default : trigger_error('password_hash(): Non-string salt parameter supplied', E_USER_WARNING); return null; } if (strlen($salt) < $required_salt_len) { trigger_error(sprintf("password_hash(): Provided salt is too short: %d expecting %d", strlen($salt), $required_salt_len), E_USER_WARNING); return null; } elseif (0 == preg_match('#^[a-zA-Z0-9./]+$#D', $salt)) { $salt = str_replace('+', '.', base64_encode($salt)); } } else { $buffer = ''; $buffer_valid = false; if (function_exists('mcrypt_create_iv') && !defined('PHALANGER')) { $buffer = mcrypt_create_iv($raw_salt_len, MCRYPT_DEV_URANDOM); if ($buffer) { $buffer_valid = true; } } if (!$buffer_valid && function_exists('openssl_random_pseudo_bytes')) { $buffer = openssl_random_pseudo_bytes($raw_salt_len); if ($buffer) { $buffer_valid = true; } } if (!$buffer_valid && is_readable('/dev/urandom')) { $f = fopen('/dev/urandom', 'r'); $read = strlen($buffer); while ($read < $raw_salt_len) { $buffer .= fread($f, $raw_salt_len - $read); $read = strlen($buffer); } fclose($f); if ($read >= $raw_salt_len) { $buffer_valid = true; } } if (!$buffer_valid || strlen($buffer) < $raw_salt_len) { $bl = strlen($buffer); for ($i = 0; $i < $raw_salt_len; $i++) { if ($i < $bl) { $buffer[$i] = $buffer[$i] ^ chr(mt_rand(0, 255)); } else { $buffer .= chr(mt_rand(0, 255)); } } } $salt = str_replace('+', '.', base64_encode($buffer)); } $salt = substr($salt, 0, $required_salt_len); $hash = $hash_format . $salt; $ret = crypt($password, $hash); if (!is_string($ret) || strlen($ret) <= 13) { return false; } return $ret; } /** * Get information about the password hash. Returns an array of the information * that was used to generate the password hash. * * array( * 'algo' => 1, * 'algoName' => 'bcrypt', * 'options' => array( * 'cost' => 10, * ), * ) * * @param string $hash The password hash to extract info from * * @return array The array of information about the hash. */ function password_get_info($hash) { $return = array('algo' => 0, 'algoName' => 'unknown', 'options' => array(), ); if (substr($hash, 0, 4) == '$2y$' && strlen($hash) == 60) { $return['algo'] = PASSWORD_BCRYPT; $return['algoName'] = 'bcrypt'; list($cost) = sscanf($hash, "$2y$%d$"); $return['options']['cost'] = $cost; } return $return; } /** * Determine if the password hash needs to be rehashed according to the options provided * * If the answer is true, after validating the password using password_verify, rehash it. * * @param string $hash The hash to test * @param int $algo The algorithm used for new password hashes * @param array $options The options array passed to password_hash * * @return boolean True if the password needs to be rehashed. */ function password_needs_rehash($hash, $algo, array $options = array()) { $info = password_get_info($hash); if ($info['algo'] != $algo) { return true; } switch ($algo) { case PASSWORD_BCRYPT : $cost = isset($options['cost']) ? $options['cost'] : 10; if ($cost != $info['options']['cost']) { return true; } break; } return false; } /** * Verify a password against a hash using a timing attack resistant approach * * @param string $password The password to verify * @param string $hash The hash to verify against * * @return boolean If the password matches the hash */ public function password_verify($password, $hash) { if (!function_exists('crypt')) { trigger_error("Crypt must be loaded for password_verify to function", E_USER_WARNING); return false; } $ret = crypt($password, $hash); if (!is_string($ret) || strlen($ret) != strlen($hash) || strlen($ret) <= 13) { return false; } $status = 0; for ($i = 0; $i < strlen($ret); $i++) { $status |= (ord($ret[$i]) ^ ord($hash[$i])); } return $status === 0; } } what is it i am doing wrong? i get incorrect old password
  5. Ah ucstring is a function to Capitalize the first word. thanks requinix solved my problem appreciate it. oh and yes i also use function noHTML($input, $encoding = 'UTF-8') { return htmlentities($input, ENT_QUOTES | ENT_HTML5, $encoding); } on most of the places, i will keep your advice in mind.
  6. or is this a better solution <IfModule mod_rewrite.c> RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) RewriteRule .* index.php [F,L] </IfModule>
  7. hey ya guys, first of all a very happy new year to all. ok my following code is prone to XSS how could this be prevented? <?php function updateDataArray($value) { if(preg_match("#[a-z]#i", $value)) { return str_replace("-", " ", $value); } return $value; } if(!empty($_GET)){ echo '<br/>'; foreach ($_GET as $key => $value) { $key = str_replace('_', ' ', $key); echo '<small><b>'.ucstring($key). ':</b> ' .ucstring(updateDataArray($value)). ', </small>'; } echo '<br/>'; } ?>
  8. Like mac_gyver said it's all in the session, if you need further help post ur coding here.
  9. for that create a table as comments store id, product id, user id, post text, post date. thats all you need. i believe you already have the table ready so where is the issue?
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.