Posts posted by lovephp
Kindly have a look at this script
-
The password script is odd as well. This defines a class, but you're using functions. So the whole script is just dead code which isn't used in the application (at least not in the parts you've shown).
Can I upload the script in here to show you guys?
-
You're trying to verify the user ID against the password hash. How is this supposed to work?
You're also injecting that ID straight into the query string, which circumvents the entire prepared statement. You need a parameter.
Jacques1, I will bind them, but how am I supposed to verify the password? password_verify() requires 2 parameters.
-
Heyya guy,
Another issue I ran into now: I need to make "change password" but it just won't work. Here is the part where I try to verify. An example of a password is $2y$10$2QsvMvranDkaB7XYCMIFIOfNWRczae5tpFmqXGmUCVQrFw26dg6wK

$stmt = "SELECT password, memberID FROM members WHERE memberID = '".$uid ."'";
$stmt = $db->prepare($stmt);
$stmt->execute();
$row = $stmt->fetch();
if(password_verify($uid,$row['password']) == 0){
    $error[] = 'Old password is incorrect.';
}else if($_POST['newpassword'] == ''){
    $error[] = 'New password is required.';
}else if(strlen($_POST['newpassword']) < 6){
    $error[] = 'New password is too short. (6 Chars)';
}else if(strlen($_POST['confirmpassword']) < 6){
    $error[] = 'Confirm password was too short. (6 Chars)';
}else if($_POST['newpassword'] != $_POST['confirmpassword']){
    $error[] = 'Passwords do not match.';
}
the password.php script is
<?php
if (!defined('PASSWORD_BCRYPT')) {
    define('PASSWORD_BCRYPT', 1);
    define('PASSWORD_DEFAULT', PASSWORD_BCRYPT);
}

Class Password {

    public function __construct() {}

    function password_hash($password, $algo, array $options = array()) {
        if (!function_exists('crypt')) {
            trigger_error("Crypt must be loaded for password_hash to function", E_USER_WARNING);
            return null;
        }
        if (!is_string($password)) {
            trigger_error("password_hash(): Password must be a string", E_USER_WARNING);
            return null;
        }
        if (!is_int($algo)) {
            trigger_error("password_hash() expects parameter 2 to be long, " . gettype($algo) . " given", E_USER_WARNING);
            return null;
        }
        switch ($algo) {
            case PASSWORD_BCRYPT :
                // Note that this is a C constant, but not exposed to PHP, so we don't define it here.
                $cost = 10;
                if (isset($options['cost'])) {
                    $cost = $options['cost'];
                    if ($cost < 4 || $cost > 31) {
                        trigger_error(sprintf("password_hash(): Invalid bcrypt cost parameter specified: %d", $cost), E_USER_WARNING);
                        return null;
                    }
                }
                // The length of salt to generate
                $raw_salt_len = 16;
                // The length required in the final serialization
                $required_salt_len = 22;
                $hash_format = sprintf("$2y$%02d$", $cost);
                break;
            default :
                trigger_error(sprintf("password_hash(): Unknown password hashing algorithm: %s", $algo), E_USER_WARNING);
                return null;
        }
        if (isset($options['salt'])) {
            switch (gettype($options['salt'])) {
                case 'NULL' :
                case 'boolean' :
                case 'integer' :
                case 'double' :
                case 'string' :
                    $salt = (string)$options['salt'];
                    break;
                case 'object' :
                    if (method_exists($options['salt'], '__tostring')) {
                        $salt = (string)$options['salt'];
                        break;
                    }
                    // deliberate fall-through: an object without __toString is rejected below
                case 'array' :
                case 'resource' :
                default :
                    trigger_error('password_hash(): Non-string salt parameter supplied', E_USER_WARNING);
                    return null;
            }
            if (strlen($salt) < $required_salt_len) {
                trigger_error(sprintf("password_hash(): Provided salt is too short: %d expecting %d", strlen($salt), $required_salt_len), E_USER_WARNING);
                return null;
            } elseif (0 == preg_match('#^[a-zA-Z0-9./]+$#D', $salt)) {
                $salt = str_replace('+', '.', base64_encode($salt));
            }
        } else {
            // No salt supplied: gather raw random bytes from the best available source
            $buffer = '';
            $buffer_valid = false;
            if (function_exists('mcrypt_create_iv') && !defined('PHALANGER')) {
                $buffer = mcrypt_create_iv($raw_salt_len, MCRYPT_DEV_URANDOM);
                if ($buffer) {
                    $buffer_valid = true;
                }
            }
            if (!$buffer_valid && function_exists('openssl_random_pseudo_bytes')) {
                $buffer = openssl_random_pseudo_bytes($raw_salt_len);
                if ($buffer) {
                    $buffer_valid = true;
                }
            }
            if (!$buffer_valid && is_readable('/dev/urandom')) {
                $f = fopen('/dev/urandom', 'r');
                $read = strlen($buffer);
                while ($read < $raw_salt_len) {
                    $buffer .= fread($f, $raw_salt_len - $read);
                    $read = strlen($buffer);
                }
                fclose($f);
                if ($read >= $raw_salt_len) {
                    $buffer_valid = true;
                }
            }
            if (!$buffer_valid || strlen($buffer) < $raw_salt_len) {
                // last resort: mix in mt_rand() output (not cryptographically strong)
                $bl = strlen($buffer);
                for ($i = 0; $i < $raw_salt_len; $i++) {
                    if ($i < $bl) {
                        $buffer[$i] = $buffer[$i] ^ chr(mt_rand(0, 255));
                    } else {
                        $buffer .= chr(mt_rand(0, 255));
                    }
                }
            }
            $salt = str_replace('+', '.', base64_encode($buffer));
        }
        $salt = substr($salt, 0, $required_salt_len);
        $hash = $hash_format . $salt;
        $ret = crypt($password, $hash);
        if (!is_string($ret) || strlen($ret) <= 13) {
            return false;
        }
        return $ret;
    }

    /**
     * Get information about the password hash. Returns an array of the information
     * that was used to generate the password hash.
     *
     * array(
     *    'algo' => 1,
     *    'algoName' => 'bcrypt',
     *    'options' => array(
     *        'cost' => 10,
     *    ),
     * )
     *
     * @param string $hash The password hash to extract info from
     *
     * @return array The array of information about the hash.
     */
    function password_get_info($hash) {
        $return = array('algo' => 0, 'algoName' => 'unknown', 'options' => array(), );
        if (substr($hash, 0, 4) == '$2y$' && strlen($hash) == 60) {
            $return['algo'] = PASSWORD_BCRYPT;
            $return['algoName'] = 'bcrypt';
            list($cost) = sscanf($hash, "$2y$%d$");
            $return['options']['cost'] = $cost;
        }
        return $return;
    }

    /**
     * Determine if the password hash needs to be rehashed according to the options provided
     *
     * If the answer is true, after validating the password using password_verify, rehash it.
     *
     * @param string $hash The hash to test
     * @param int $algo The algorithm used for new password hashes
     * @param array $options The options array passed to password_hash
     *
     * @return boolean True if the password needs to be rehashed.
     */
    function password_needs_rehash($hash, $algo, array $options = array()) {
        // Must call the method on $this: a bare password_get_info() call would look for
        // a global function, which does not exist on PHP versions that need this polyfill.
        $info = $this->password_get_info($hash);
        if ($info['algo'] != $algo) {
            return true;
        }
        switch ($algo) {
            case PASSWORD_BCRYPT :
                $cost = isset($options['cost']) ? $options['cost'] : 10;
                if ($cost != $info['options']['cost']) {
                    return true;
                }
                break;
        }
        return false;
    }

    /**
     * Verify a password against a hash using a timing attack resistant approach
     *
     * @param string $password The password to verify
     * @param string $hash The hash to verify against
     *
     * @return boolean If the password matches the hash
     */
    public function password_verify($password, $hash) {
        if (!function_exists('crypt')) {
            trigger_error("Crypt must be loaded for password_verify to function", E_USER_WARNING);
            return false;
        }
        $ret = crypt($password, $hash);
        if (!is_string($ret) || strlen($ret) != strlen($hash) || strlen($ret) <= 13) {
            return false;
        }
        // constant-time comparison: OR together every byte difference instead of returning early
        $status = 0;
        for ($i = 0; $i < strlen($ret); $i++) {
            $status |= (ord($ret[$i]) ^ ord($hash[$i]));
        }
        return $status === 0;
    }
}
What is it I am doing wrong? I get "incorrect old password".
-
Depends what "ucstring" does
htmlspecialchars. Make sure your pages are using the same encoding as PHP's default_charset (or vice versa) and you can
htmlspecialchars($key) htmlspecialchars(updateDataArray($value))
If you were outputting into a '-quoted attribute or similar then you'd need to include the ENT_QUOTES flag. But you're not.
Ah, ucstring is a function to capitalize the first word. Thanks requinix, solved my problem, appreciate it.
oh and yes i also use
function noHTML($input, $encoding = 'UTF-8') {
    return htmlentities($input, ENT_QUOTES | ENT_HTML5, $encoding);
}
on most of the places, i will keep your advice in mind.
-
or is this a better solution
<IfModule mod_rewrite.c>
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule .* index.php [F,L]
</IfModule>
-
Hey ya guys, first of all a very happy new year to all.
OK, my following code is prone to XSS. How could this be prevented?

<?php
function updateDataArray($value) {
    if(preg_match("#[a-z]#i", $value)) {
        return str_replace("-", " ", $value);
    }
    return $value;
}
if(!empty($_GET)){
    echo '<br/>';
    foreach ($_GET as $key => $value) {
        $key = str_replace('_', ' ', $key);
        // ucstring() is the poster's own helper that capitalizes the first word (defined elsewhere)
        echo '<small><b>'.ucstring($key). ':</b> ' .ucstring(updateDataArray($value)). ', </small>';
    }
    echo '<br/>';
}
?>
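The same $_GET echo loop with every value passed through htmlspecialchars() on output, as requinix advises, added here as an example that is not the poster's code. Escaping at the output boundary is the fix; the mod_rewrite query-string rules posted in this thread only block a few patterns and do not replace it. It assumes the page is served as UTF-8 (matching PHP's default_charset) and stands in ucfirst() for the poster's ucstring() helper, whose code is not on the page.

```php
<?php
// Added example, not the poster's code. Assumes UTF-8 output and uses
// ucfirst() in place of the poster's ucstring() helper (not shown on the page).

function updateDataArray($value)
{
    if (preg_match("#[a-z]#i", $value)) {
        return str_replace("-", " ", $value);
    }
    return $value;
}

// Encode at the output boundary only: the raw value stays raw in PHP, and
// everything written into HTML goes through here. ENT_QUOTES also covers
// '-quoted attributes should the markup ever change.
function e($text)
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderGetParams(array $get)
{
    if (empty($get)) {
        return '';
    }
    $html = '<br/>';
    foreach ($get as $key => $value) {
        // $_GET values can be arrays (?a[]=1); an array is not printable text
        if (!is_string($value)) {
            continue;
        }
        $key   = str_replace('_', ' ', $key);
        $html .= '<small><b>' . e(ucfirst($key)) . ':</b> '
               . e(ucfirst(updateDataArray($value))) . ', </small>';
    }
    return $html . '<br/>';
}

echo renderGetParams($_GET);

// Constructed input for illustration: for ?name=<b>x</b> the output contains
// &lt;b&gt;x&lt;/b&gt;, which the browser displays as literal text.
```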
-
oh ok done did it thanks
-
the OP's code is actually setting a default value of 1, if there is no page get parameter, validating the value as an integer (within php's integer range), and is limiting the value between 1 and the total number of pages.
don't copy or use code unless you understand it. this bit of code is repetitive and unnecessarily bespoke/hard-coded, and isn't using the correct entity version of an & for links on a page.
your code still has a number of unnecessary and problematic things in it, which i am betting you have been informed of most of them in previous threads -
1) use the correct input variables where you expect the data to be. use $_GET, not $_REQUEST.
2) i don't know what your clean() function code is, but i'm betting it isn't effective and is best left out.
3) the try/catch block will catch errors with the prepare/execute methods. this means that there was a sql syntax error or wrong bound parameters. this does not mean that the query ran, but didn't match anything. there's no need for a local try/catch block unless you are specifically handling a type of query error in your code, such as a duplicate key error from an INSERT/UPDATE query.
4) the global keyword only has meaning when used inside a function definition and even there it indicates bad coding. don't use global $var_name;
5) the code to build the WHERE term for the sql query statement should not be repeated. build the term in a variable, then use that variable each place it is needed.
6) the external data you are putting into the WHERE term needs to be handled using a prepared query with bound input parameters.
7) the $start and $end variables are not used in the posted code and should be removed.
8) the sql query statements should be built in a php variable, this supports debugging (you can echo/log the statement, though the pdo statement object has a queryString property you can use) and it leads to writing general purpose code.
9) you need to set the default fetch mode in your connection code, so that you don't need to specify it every time you run a query.
10) the pdostatement object is already traversable. you don't need and shouldn't be applying the new IteratorIterator() to it.
11) for queries that will return a set of data, just fetch all the data using the fetchAll() method. you can then use count() on the data to find how many rows the query matched (the ->rowCount() method doesn't work with SELECT queries for all database types, so, using fetchAll()/count() will work regardless of which type of database you are using.)
12) to produce the pagination output, you need to test how many pages were calculated, not if the data retrieval query returned any rows (there's a condition that's mentioned in the code where you would need to produce the pagination links even if the data retrieval query didn't match any data)
13) your <span> tags are reusing the same id='...' value, which is invalid. if you are doing something unique with each span (which is doubtful), you would need to use unique id values. if you are not doing anything with the span, don't include it in the markup.

the following example code shows how you might do this. this code adds the following features -
1) shows how to do a data driven design, where you define somewhere (an array or database table) a set of data that general purpose code operates on. this eliminates repeating block after block of same functioning code. this also has the benefit of helping to implement DRY (Don't Repeat Yourself) programming, since it eliminates the repetitive logic.
2) it implements the suggestion of leaving a particular field out of the sql query statement when it is the 'ALL' choice or when the choice isn't present at all in the $_GET parameters.
3) shows how you would apply http_build_query() when building each link.

// this snippet assumes $db is an existing PDO connection and $per_page (rows per page) has been set earlier

// define the possible search fields - this is used to produce a data driven/dynamic design, where you don't write out block after block of code that only differs in the value it operates on
$search_fields = array('title','name','description');

$and_terms = array(); // WHERE terms to be AND'ed
$params = array(); // bound input parameters for a prepared query
foreach($search_fields as $field)
{
    if(isset($_GET[$field]) && $_GET[$field] != 'ALL') // only if the field is set and it's not 'ALL'
    {
        // add the search field to the WHERE terms
        $and_terms[] = "$field = :$field";
        $params[] = array(":$field",$_GET[$field],PDO::PARAM_STR);
    }
}

$where_term = '';
if(!empty($and_terms))
{
    $where_term = "WHERE " . implode(' AND ', $and_terms);
}

// get the total matching rows
$query = "SELECT COUNT(*) FROM table $where_term";
// note: the following logic should be in a general purpose prepared query method that you extend the PDO class with
if(empty($params))
{
    // no bound inputs, just execute the query
    $stmt = $db->query($query);
}
else
{
    // there are bound inputs, produce a prepared query, bind the inputs, and execute the query
    $stmt = $db->prepare($query);
    foreach($params as $param)
    {
        $stmt->bindValue($param[0],$param[1],$param[2]);
    }
    $stmt->execute();
}
$total = $stmt->fetchColumn();

// calculate total number of pages
$pages = ceil($total / $per_page);

// limit the page number (the outer max() keeps the page at 1 when there are no pages at all, so the OFFSET below can never go negative)
$page = max(1, min($pages, filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT, array(
    'options' => array(
        'default' => 1,
        'min_range' => 1,
    ),
))));

// calculate starting row for LIMIT
$offset = ($page - 1) * $per_page;

// add limit values to the array of bound parameters
$params[] = array(':per_page',$per_page, PDO::PARAM_INT);
$params[] = array(':offset',$offset, PDO::PARAM_INT);

// query for the data
$query = "SELECT * FROM table $where_term ORDER BY id DESC LIMIT :per_page OFFSET :offset";
// note: the following logic should be in a general purpose prepared query method that you extend the PDO class with
if(empty($params))
{
    // no bound inputs, just execute the query
    $stmt = $db->query($query);
}
else
{
    // there are bound inputs, produce a prepared query, bind the inputs, and execute the query
    $stmt = $db->prepare($query);
    foreach($params as $param)
    {
        $stmt->bindValue($param[0],$param[1],$param[2]);
    }
    $stmt->execute();
}
$result = $stmt->fetchAll();

if(!count($result))
{
    // query didn't return any row(s) - this doesn't mean there isn't any matching data, just that the query for the requested LIMIT range didn't return anything (there's a race condition, where if data gets deleted between the COUNT() query and the data retrieval query, queries for data near the end can return nothing)
    echo '<p>Nothing found.</p>';
}
else
{
    // query matched one or more row(s), display the data
    foreach ($result as $row)
    {
        echo $row['id'];
    }
}

// if there are any pages, display the pagination
if($pages)
{
    echo '<div id="pagination"> <div id="pagiCount">';

    $q = $_GET; // get a copy of any existing $_GET parameters - do this once before the start of your pagination links

    // '&amp;' is the correct entity form of & inside an html attribute; '<<' and '>>' are written as entities for the same reason
    $prevlink = '';
    if($page > 1) // not on the first page
    {
        $q['page'] = 1;
        $qs = http_build_query($q,'','&amp;');
        $prevlink = "<a href='?$qs' title='First page'>First</a> ";
        $q['page'] = $page - 1;
        $qs = http_build_query($q,'','&amp;');
        $prevlink .= "<a href='?$qs' title='Previous page'>&lt;&lt;</a>";
    }

    $nextlink = '';
    if($page < $pages) // not on the last page
    {
        $q['page'] = $page + 1;
        $qs = http_build_query($q,'','&amp;');
        $nextlink = "<a href='?$qs' title='Next page'>&gt;&gt;</a> ";
        $q['page'] = $pages;
        $qs = http_build_query($q,'','&amp;');
        $nextlink .= "<a href='?$qs' title='Last page'>Last</a>";
    }

    echo "<div id='paging'><p><small>$prevlink Page $page of $pages $nextlink </small></p></div>";
    echo '</div></div>';
}
Back again to bug.
All is ok, but just one thing: I need this to be added to the SQL queries by default, like the following
$query = "SELECT COUNT(*) FROM table $where_term AND show ='Yes'";
also with the other query
like
$query = "SELECT * FROM table $where_term AND show = 'Yes' ORDER BY id DESC LIMIT :per_page OFFSET :offset";
All I want is for the queries to have show = 'Yes' in them, so that only records where show = 'Yes' are fetched.
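One way to get the fixed show = 'Yes' condition into both queries without breaking the case where no search field is chosen, added here as an example that is neither mac_gyver's nor lovephp's code: seed the list of AND'ed terms with the fixed condition, so the WHERE clause is never empty and the optional fields are appended to it. It assumes $db is a PDO connection, the table is literally named table as in the thread's snippet, and show is a column (SHOW is a reserved word in MySQL, hence the backticks).

```php
<?php
// Added example, not code from the thread. Assumes $db is a PDO connection,
// a table literally named `table` (as in the thread) with a `show` column.

// Whitelisted search field names; only these are ever interpolated into SQL,
// the user-supplied values are always bound parameters.
$SEARCH_FIELDS = array('title', 'name', 'description');

function buildWhere(array $get, array $searchFields)
{
    // The fixed term comes first, so the clause always has at least one term
    // and never degenerates to "FROM table AND ..." when nothing is searched.
    $andTerms = array("`show` = 'Yes'");
    $params   = array();

    foreach ($searchFields as $field) {
        if (isset($get[$field]) && $get[$field] !== 'ALL' && $get[$field] !== '') {
            $andTerms[]        = "`$field` = :$field";
            $params[":$field"] = $get[$field];
        }
    }
    return array('WHERE ' . implode(' AND ', $andTerms), $params);
}

list($whereTerm, $params) = buildWhere($_GET, $SEARCH_FIELDS);

// Both queries share the same WHERE clause, so show = 'Yes' restricts the
// row count and the data retrieval alike and the page count stays consistent.
$countSql = "SELECT COUNT(*) FROM `table` $whereTerm";
$dataSql  = "SELECT * FROM `table` $whereTerm ORDER BY id DESC LIMIT :per_page OFFSET :offset";

$stmt = $db->prepare($countSql);
$stmt->execute($params);                 // only the search-field values here
$total = (int) $stmt->fetchColumn();

$perPage = 10;
$pages   = (int) ceil($total / $perPage);
$page    = max(1, min($pages, filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT,
               array('options' => array('default' => 1, 'min_range' => 1)))));

$stmt = $db->prepare($dataSql);
foreach ($params as $name => $value) {
    $stmt->bindValue($name, $value, PDO::PARAM_STR);
}
// LIMIT/OFFSET must be bound as integers or PDO quotes them as strings
$stmt->bindValue(':per_page', $perPage, PDO::PARAM_INT);
$stmt->bindValue(':offset', ($page - 1) * $perPage, PDO::PARAM_INT);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```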
-
If $profileimage == 0 then use the path to your default image.jpg
-
Please mark the topic as solved if your issue is solved
-
I tried to do that but I didn't know how to get the user id and product id from their tables into the new table. Can you explain that to me?
Like mac_gyver said, it's all in the session. If you need further help, post your code here.
-
no i don't have that table, so you want me to create a table and in that table will be the product id from products table and user id from users table?
You would need these i believe
id
product_id
member_id
comments
date
-
For that, create a table called comments and store id, product id, user id, post text and post date. That's all you need.
i believe you already have the table ready so where is the issue?
-
That depends on what you want them to post. A blog, forum or what? You create a MySQL table posts with an auto-incrementing id, then store the user's id in a field, plus whatever fields you choose.
-
Something like this it should be
if($record["rstatus"] == "0"){
    echo 'waiting';
}elseif($record["rstatus"] == "1"){
    echo 'shipping';
} else {
    echo 'delivered';
}
It's just an example; you can use elseif to add more.
-
Post the code please, within proper tags. That's more convenient than downloading files.
-
It's ok, no issue, guess I could not explain it well.
Thanks
-
Well, in my classified post page I'm stopping users for an hour till they can make another post. The current nextpost var displays the time an hour from the original post time. How do I make it reverse, as in "130 seconds remaining until you make your next post"? Flood? Anti clock?
Whatever are you trying to say?
I hope you get my point?
-
Classified post. I don't want users to post non-stop, that's why I added this to make users wait for an hour till they can make another post.
-
Hey all, hope all is good? Well, I am back after some time with an issue. I got my anti-flood working ok, but what I need is, instead of showing the time, to show a backward countdown in seconds for the next post. My current code, which I wrote, looks like this. What must I do to get the countdown seconds till the 1 hour is over?

$stmt = "SELECT * FROM floodcontrol WHERE memberID = :memberID AND time >= DATE_SUB(NOW(), INTERVAL 1 HOUR)";
$stmt = $db->prepare($stmt);
$stmt->bindParam(':memberID', $uid, PDO::PARAM_STR);
$stmt->execute();
$f = $stmt->fetch();
$floodcontrol = $stmt->rowCount();
$nextpost = date("H:i:s A", strtotime($f['time'].' +1 hour'));
regards
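A way to show the remaining seconds instead of the clock time of the next allowed post, added here as an example that is not the poster's code: the database computes the seconds left in the one-hour window, and PHP formats that for the user. It assumes $db is a PDO connection, $uid the member ID, and that floodcontrol.time is a DATETIME written with NOW() by the same MySQL server.

```php
<?php
// Added example, not the poster's code. Assumes $db is a PDO connection,
// $uid is the member ID, and floodcontrol.time is a DATETIME set via NOW().

// Turn a raw second count into the message the poster asked for. Clamps at
// zero so a row fetched just as the hour expires cannot yield a negative time.
function remainingMessage($secondsLeft)
{
    $secondsLeft = max(0, (int) $secondsLeft);
    if ($secondsLeft === 0) {
        return 'You can make your next post now.';
    }
    return sprintf('%d seconds remaining until you can make your next post. (%d:%02d)',
        $secondsLeft, (int) ($secondsLeft / 60), $secondsLeft % 60);
}

// Doing the subtraction in SQL keeps both timestamps on the MySQL clock, so a
// time-zone mismatch between PHP and MySQL cannot skew the countdown.
// TIMESTAMPDIFF(SECOND, a, b) returns b - a.
$sql = 'SELECT TIMESTAMPDIFF(SECOND, NOW(), `time` + INTERVAL 1 HOUR) AS seconds_left
          FROM floodcontrol
         WHERE memberID = :memberID
           AND `time` >= DATE_SUB(NOW(), INTERVAL 1 HOUR)
         ORDER BY `time` DESC
         LIMIT 1';

$stmt = $db->prepare($sql);
$stmt->bindValue(':memberID', $uid, PDO::PARAM_STR);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    // no post within the last hour: the member may post
    $canPost = true;
} else {
    $canPost = false;
    echo remainingMessage($row['seconds_left']);   // e.g. 130 seconds remaining ... (2:10)
}
```

The ORDER BY ... LIMIT 1 picks the most recent post, so a member with several rows inside the window is timed from the latest one.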
-
Ginjerjm, did I do something wrong by referring to that? I just thought it would be of help to him.
-
Google for addthis and use their API.
Hello everyone,
I have a system I was up there Articles
Now I put next to each article of the Facebook share button
I want to put it I'll share it will share my business as my
Someone who knows how to do it?
Thanks
-
Happy friendship day to all
unable to verify old password
in PHP Coding Help
Posted · Edited by lovephp
wow it was this simple , really appreciate it alot Jacques