Everything posted by Mko

  1. Well, the main purpose and intention I had with this code is to be able to bind params from if statements... like if a user changed their password, there would be an 's' added to the params alongside a $password variable. I've looked at many places... but I've only found one POTENTIAL solution: http://www.php.net/manual/en/mysqli-stmt.bind-param.php#92283 How does that code look?
  2. My new code looks like:

         $stmt = $database->stmt_init();
         $query = "UPDATE table SET group = (?), username = (?)";
         $types = 'is';
         $vars = array("$vbulletin->GPC['user']['usergroupid']", "$vbulletin->GPC['user']['username']");
         $query .= " WHERE userid = (?)";
         $types .= 'i';
         array_push($vars, "$vbulletin->GPC['userid']");

         //Debugging
         echo 'Query: '.$query.'<br />';
         echo 'Types: '.$types.'<br />';
         echo 'Types - DATA TYPE: '.gettype($types).'<br />';
         echo 'Vars: '.$vars.'<br />';
         echo 'Vars - DATA TYPE: '.gettype($vars);

         $sql_stmt = mysqli_prepare($database, $query);
         call_user_func_array('mysqli_stmt_bind_param', array_merge(array($sql_stmt, $types), $vars));
         mysqli_stmt_execute($sql_stmt);
         $database->close();

     Yet, when it runs, it says this error:

         Query: UPDATE characters SET mgroup = (?), name = (?) WHERE id = (?)
         Types: isi
         Types - DATA TYPE: string
         Vars: Array
         Vars - DATA TYPE: array
         Warning: Parameter 3 to mysqli_stmt_bind_param() expected to be a reference, value given in [path]/admincp/user.php(1055) : eval()'d code on line 76

     Here is line 76:

         call_user_func_array('mysqli_stmt_bind_param', array_merge(array($sql_stmt, $types), $vars));

     So, you would suggest the following code:

         $stmt = $database->stmt_init();
         $query = "UPDATE table SET group = (?), username = (?)";
         $types = 'is';
         $vars = "".$vbulletin->GPC['user']['usergroupid']."", "".$vbulletin->GPC['user']['username'].", ";
         $query .= " WHERE userid = (?)";
         $types .= 'i';
         $vars .= "".$vbulletin->GPC['userid']."";

         //Debugging
         echo 'Query: '.$query.'<br />';
         echo 'Types: '.$types.'<br />';
         echo 'Types - DATA TYPE: '.gettype($types).'<br />';
         echo 'Vars: '.$vars.'<br />';
         echo 'Vars - DATA TYPE: '.gettype($vars);

         $stmt->prepare($query);
         $stmt->bind_param($types, $vars);
         $stmt->execute();
         $stmt->close();
         $database->close();
  3. Hey all, I'm currently trying to create a successful MySQLi Prepared Statement. Here's what I have so far:

         $stmt = $database->stmt_init();
         $query = "UPDATE table SET group = (?), username = (?)";
         $types = 'is';
         $vars = $vbulletin->GPC['user']['usergroupid'].', '.$vbulletin->GPC['user']['username'].', ';
         $query .= " WHERE userid = (?)";
         $types .= 'i';
         $vars .= $vbulletin->GPC['userid'];

         //Debugging
         echo 'Query: '.$query.'<br />';
         echo 'Types: '.$types.'<br />';
         echo 'Types - DATA TYPE: '.gettype($types).'<br />';
         echo 'Vars: '.$vars.'<br />';
         echo 'Vars - DATA TYPE: '.gettype($vars);

         $stmt->prepare($query);
         $stmt->bind_param($types, $vars);
         $stmt->execute();
         $stmt->close();
         $database->close();

     As you can see, I'm trying to append values to the $query, $types, and $vars variables. After doing so, I then use them in the prepared statements. However, when I execute this code, I get this error (also contains debugging echos):

         Query: UPDATE table SET group = (?), username = (?) WHERE userid = (?)
         Types: isi
         Types - DATA TYPE: string
         Vars: 2, username, 12345
         Vars - DATA TYPE: string
         Warning: mysqli_stmt::bind_param() [mysqli-stmt.bind-param]: Number of elements in type definition string doesn't match number of bind variables in [path]/admincp/user.php(1055) : eval()'d code on line 74

     That leads me to becoming stuck. I have no idea what is causing this issue, and I am also stumped as to how to fix it :/

     Any help is much appreciated! Thanks, Mark
  4. Hey all, I currently have salts being generated. After a salt is generated, I escape the quotes and \ using mysqli_real_escape_string, and then input them into the database. However, I recently ran 100 generations to see the amount of ' " \ that were generated. http://paste2.org/p/2128924 As you can see, ' becomes \', " becomes \", and \ becomes \\. However, my question is how would these extra \ affect loading from the database? Meaning, if I have an external file that were to hash the passwords (using the salt in the database), would any error occur, or would PHP automatically remove the \ when it is being called? After the hashing is complete, would a user be able to log-in without problem, or would they be denied access because their salt contains extra \? Thanks for any and all help, Mark
  5. My bad, sorry. Anyways, thanks for that article. It's proving to be very helpful! Thanks again, Mark
  6. Yeah, that's probably what I had intended to do, haha. Though, I'm somewhat unfamiliar with the term. Is there an explanation and example you can show me so I can build off it and understand? Thanks, Mark
  7. Well, my main purpose is to try to do the following:

     - Have a user enter a secret number
     - Encrypt this number into the database
     - Use this number as another security measure for changing passwords (as in, you must enter YOUR secret number to be able to change your password)

     So, I'm trying to figure out how to have something encrypted into a database, from which later, I can draw information from to cross-reference what the user has inputted to say whether or not the user's input is matching or not.
  8. Thanks for the help. Although, I'm trying to generate an encrypted password (and key) and save both these values ALL in one file. Then, in another file, I am trying to call these values from a database and decrypt them. I've tried storing the $iv value in the database, yet it doesn't seem to work. Could you help me out as to what the correct way would be to use encryption/decryption between two files using contents from a database? Thanks, Mark
  9. Hey all, I'm currently trying to encrypt a string a user enters, and then on another file, have this string decrypted and compared. Here's what I have for creating the encryption:

         $pre_pro = fn_get();
         $processed = mysqli_real_escape_string($database, $pre_pro);
         $key = $processed;
         $text = $_POST['string'];
         $pin_enc = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $text, MCRYPT_MODE_CBC, md5(md5($key))));

     Here's what I have for decryption:

         $key = $db['key'];
         $curr = $db['text'];
         $dec1 = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($curr), MCRYPT_MODE_CBC, md5(md5($key))), "\0");

     However, when I decrypt the string, using the values:

         Key: TJs:4#tq9W_f-<|56=\'E==spoAO]H
         String: apWWM/wTGNCqRZshaHo+XhXoD98hJr

     I get:

     Any help is very much appreciated! Thanks again, Mark
  10. What I really need to do is be able to append new query parts to the existing query at the beginning using Prepared Statements.
  11. Hey all, I have the following code:

          $db2 = new mysqli('localhost', 'root', '', 'vbulletin');
          $db2->connect();
          include_once("./vb_plugin.php");
          $query = "UPDATE players SET mgroup = '{$vbulletin->GPC['user']['usergroupid']}', mgroup_others='{$vbulletin->GPC['user']['membergroupids']}', name='{$vbulletin->GPC['user']['username']}'";
          if (!empty($vbulletin->GPC['password'])){
              $salt = fetch_user_salt_new();
              $hash = fetch_user_hash_new();
              $query .= ", phash='{$hash}', psalt='" .$salt. "'";
          }
          $groups = "";
          if (is_array($vbulletin->GPC['user']['membergroupids'])) {
              foreach ($vbulletin->GPC['user']['membergroupids'] AS $key => $val){
                  $groups .= "{$val},";
              }
          }
          $query .= ", mgroup_others='{$groups}'";
          $query .= " WHERE id = {$vbulletin->GPC['userid']}";
          $db2->query($query);
          $db2->close();

      I'm wondering:

      a) If anyone can help me with making this code's queries into prepared statements
      b) If prepared statements can't be used, is this code vulnerable at all?

      Thanks for any help, Mark
  12. Hey all, I'm currently wondering if there's anything that could cause a security breach while running queries concerning usernames that contain special characters. The following special characters are in question:

          !@#$%^&*()_-

      If there is, would mysqli_real_escape_string() be the best method to prepare them for being used in queries? If so, is there any downside? Are there any alternatives, too?

      Thanks for all the help, Mark
  13. Thanks! I was able to do it like this: ^[0-9a-zA-Z]+[0-9a-zA-Z_ -]*[0-9a-zA-Z]+$
  14. Hey all, I'm getting ready to launch something, and I've built off a past Regular Expression to limit the characters able to be entered in a username. Here's my original PCRE:

          ^[0-9a-zA-Z_ ]*$

      Now, what I really need to make sure is included in this PCRE is:

      - Making sure that any number is allowed (already taken care of by 0-9)
      - Making sure that any letter is allowed, including capital (already taken care of by a-zA-Z)
      - Making sure that underscores (_), dashes (-), and spaces ( ) are allowed in a Username but CAN NOT BE USED AS THE LAST CHARACTER IN A USERNAME.

      So, if anyone would be so kind as to modify my original PCRE to fit my specifications, I'd greatly appreciate it. Adding on to the previous specifications, here are some lists of allowed/disallowed usernames so you can understand what I'm really trying to get at.

      Here's a list of some example usernames that should be ALLOWED using a revised version of this PCRE:

      - Hello World1
      - Hello-World1
      - Hello_World1

      Here's a list of some example usernames that should be DISALLOWED using a revised version of this PCRE:

      - HelloWorld1_
      - HelloWorld1-
      - HelloWorld1 (note the space after the 1)

      Thanks for any assistance; I appreciate it greatly! Mark
  15. Yeah I figured out that was it, thanks
  16. I have this little snippet of code that runs when a user updates their password:

      fetch_user_salt_new():

          function fetch_user_salt_new($length = 5) {
              $salt_a = '';
              for ($i = 0; $i < $length; $i++) {
                  $salt_a .= chr(vbrand(33, 126));
              }
              return $salt_a;
          }

          $salt = fetch_user_salt_new();
          $salt_processed = mysql_real_escape_string($salt);

      Now, occasionally when a user changes their password (or anything that inserts the salt into the database, such as registration), the salt length stored in the database becomes 6 or 7 instead of 5. As in, 99% of salts are only 5 digits long, but some salts are longer... The longer salts normally have odd components, such as \', \", or \\ leading to salts increasing by 1 or 2 digits in length.

      My idea is that mysql_real_escape_string() is putting a \ in front of quotes which is not what I intended when adding that piece of code in. By adding mysql_real_escape_string() in, I intended for quotes (' or ") to not be factors affecting the Query. Prior to instituting mysql_real_escape_string(), a ' or " would close the query and mess up the insertion of the salt. (Original Topic: http://www.phpfreaks.com/forums/index.php?topic=356368.0 ) It seemed to work but now doesn't.

      Any help is very appreciated, Mark
  17. $rid is defined as: $rid = (int) $_GET['id'];
  18. I have this piece of code:

          if (isset($_POST['type1'])) {
              mysql_query("UPDATE tabke SET status = 1 WHERE id = $rid", $c2) or die(mysql_error());
          }
          if (isset($_POST['type2'])) {
              mysql_query("UPDATE table SET status = 1 WHERE id = $rid", $c2) or die(mysql_error());
          }
          if (isset($_POST['type3'])) {
              mysql_query("UPDATE table SET status = 1 WHERE id = $rid", $c2) or die(mysql_error());
          }
          ?>
          <br />
          <form method="post" action="">
          <input type="hidden" name="pageid" value="plyrmgmt">
          <input type="hidden" name="action" value="changeBan">
          <input type="hidden" name="uid" value="<?php echo $hr_uid; ?>">
          <input type="hidden" name="repid" value="<?php echo $rid; ?>">
          <input type="submit" name="type1" value="Choice1" onClick="this.form.submit()">
          </form>
          <form method="post" action="">
          <input type="hidden" name="pageid" value="plyrmgmt">
          <input type="hidden" name="action" value="changeMute">
          <input type="hidden" name="uid" value="<?php echo $hr_uid; ?>">
          <input type="hidden" name="repid" value="<?php echo $rid; ?>">
          <input type="submit" name="type2" value="Choice2" onClick="this.form.submit()">
          </form>
          <form method="post" action="">
          <input type="hidden" name="pageid" value="plyrmgmt">
          <input type="hidden" name="action" value="changeLock">
          <input type="hidden" name="uid" value="<?php echo $hr_uid; ?>">
          <input type="hidden" name="repid" value="<?php echo $rid; ?>">
          <input type="submit" name="type3" value="Choice3" onClick="this.form.submit()">
          </form>

      Now, for some reason when I click on Choice1, the query doesn't execute. Also, when I click on Choice2 or Choice3, the URL in my browser doesn't change for some odd reason... it stays the same as it was prior to clicking the Submit Button.

      Can anyone point out some errors I have? Thanks, Mark.
  19. I have the following code ($c2 is my connection variable):

          $host = $_GET['host'];
          $loginQuery = mysql_query("SELECT * FROM sessions WHERE hostname LIKE '". $host ."' ORDER BY id DESC", $c2) or print(mysql_error());

      If, in the URL, someone were to put host=127.0.0.1', they would have an error message spit out to them (something along the lines of: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''127.0.0.1'' ORDER BY id DESC' at line 1), indicating a SQL Injection exploit.

      How would I go about fixing this, and also preventing SQL Injection? Thanks a bunch, Mark
  20. That works! Silly me for forgetting about that, thanks again
  21. Basically, I have the following code ($c2 is my connection variable):

          $rid = $_GET['id'];
          $q = mysql_query("SELECT * FROM reports WHERE id = $rid", $c2) or die(mysql_error());
          $report = mysql_fetch_array($q);

      $report is used later on to gather more information that is outputted to the user. However, if in the URL, someone were to put id=1', they would have an error message spit out to them (something along the lines of: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1), indicating a SQL Injection exploit.

      How would I go about fixing this, and also preventing SQL Injection? Thanks a bunch, Mark
  22. So I have the following code, which is supposed to get the value selected by the user, then on submitting, will use that value in the URL.

          $durations = array("1", "2", "3", "4", "5", "7", "10", "10000000");
          echo "Choose Duration: ";?><form method="post" action=""><select name="duration_chosen">
          <? foreach($durations as $duration){ ?><option name="duration_len" value="<?php echo $duration;?>">
          <? if ($duration == "10000000") { echo "Forever"; } else { echo "$duration day(s)"; } ?></option><? } ?>
          </select></form><?
          $hrs = $_GET['duration_len'] * 24;
          $duration_chosen = $_POST['duration_chosen'];
          ?>
          <form method="get" action="index.php">
          <input type="hidden" name="duration" value="<? echo $duration_chosen; ?>">
          <input type="submit" value="Accept"></form>

      For some reason, though, it doesn't work. Can anyone help me? Thanks, Mark
  23. Just realized that'd work, thanks haha.
  24. Is there any sort of method aside from the continue statement? Reason I ask is that whenever I use it, the output information becomes blank and doesn't display
  25. So I have this code:

          $skill_query = mysql_query("SELECT * FROM character_stats ORDER BY character_stats.". $fields[$skill] ." DESC LIMIT 0, $end", $c2) or print(mysql_error());
          $user_query = mysql_query("SELECT user.username, user.userid, character_stats.uid FROM user, character_stats WHERE character_stats.uid = user.userid ORDER BY character_stats.". $fields[$skill] ." DESC LIMIT 0, $end") or print(mysql_error());
          //WHERE user.usergroupid != 6 AND characters.banned = 0
          $rank = 1;
          while($player = mysql_fetch_array($skill_query)){
              if($user['userid'] != 1){
                  continue;
              }
              $user = mysql_fetch_array($user_query);
              if($rank >= $start)
                  output($rank, $user['username'], $user['userid'], $player['combat'], $level, number_format($exp));
              $rank++;
          }

      Yet for some reason it doesn't work. I know that the

          if($user['userid'] != 1){ continue; }

      Is the reason, but how do I fix it? Basically, my goal is to display these highscores, but omit UserID 1. Thanks.
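
Posts 2, 3, 10 and 11 above all ask for the same thing: append optional SET clauses to an UPDATE and still bind every value. As an added example (not code from these posts or from vBulletin), one way to do it with mysqli on PHP 7.1+ is to grow the SQL text, the type string and the value array together, then bind with argument unpacking, which avoids both warnings quoted in posts 2 and 3. The function names `build_player_update` and `run_player_update` and the sample values are assumptions; the table and column names follow post 11.

```php
<?php
// Added example: the UPDATE from post 11, rebuilt with placeholders only.
// Every value travels in $params; none is concatenated into the SQL text.
function build_player_update(array $user, int $userid, ?string $hash = null, ?string $salt = null): array
{
    $set    = ['mgroup = ?', 'name = ?', 'mgroup_others = ?'];
    $types  = 'iss';
    $groups = is_array($user['membergroupids'] ?? null)
        ? implode(',', array_map('intval', $user['membergroupids']))  // no trailing comma
        : '';
    $params = [(int) $user['usergroupid'], (string) $user['username'], $groups];

    // Optional part: only when a new password was submitted.
    if ($hash !== null && $salt !== null) {
        $set[]    = 'phash = ?';
        $set[]    = 'psalt = ?';
        $types   .= 'ss';
        $params[] = $hash;
        $params[] = $salt;   // raw salt, no mysqli_real_escape_string() step
    }

    $sql      = 'UPDATE players SET ' . implode(', ', $set) . ' WHERE id = ?';
    $types   .= 'i';
    $params[] = $userid;
    return [$sql, $types, $params];
}

function run_player_update(mysqli $db, array $user, int $userid, ?string $hash = null, ?string $salt = null): bool
{
    [$sql, $types, $params] = build_player_update($user, $userid, $hash, $salt);
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // Unpacking passes each element as its own bind variable, so the
    // variable count always equals strlen($types).
    $stmt->bind_param($types, ...$params);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed sample input; the salt deliberately contains ' " and \.
$user = ['usergroupid' => '2', 'username' => "O'Brien", 'membergroupids' => [5, 7]];
[$sql, $types, $params] = build_player_update($user, 12345, 'constructed-hash', "a'\"\\z");
echo $sql, "\n", $types, "\n";
var_dump(strlen($types) === count($params));
```

A bound value is stored byte for byte, so a salt containing `'`, `"` or `\` keeps its generated length without any escaping step, and the same placeholder approach applies to the `$_GET`-driven SELECT queries in posts 19 and 21.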