Jump to content

Tom8001

Members
 View Profile  See their activity

  • Posts

    205

  • Joined

  • Last visited

 Content Type 

Everything posted by Tom8001

  1. Tom8001
    Hello, how would i code a script that finds certain words or characters in a thread on my forum and then redirect the user? Thanks!
  2. Tom8001
    I dont understand how i can get rid of the vulnerability in the url you can change the username and token and take over accounts with my current code i don't understand how i can prevent this
  3. Tom8001
    Thanks, the password is able to be reset now, but i have a field in the database called 'hash' and i have the query to update it with the hashed token but it does not change, Here is my new updated code: <?php require('./includes/connect.php'); $encodedToken = $_GET['token']; $token = hex2bin($encodedToken); $tokenHash = hash('sha256', $rawToken); $username = $_GET['s']; $stmt = $handler->prepare("UPDATE users SET hash = :hash WHERE username = :u"); $stmt->bindParam(':u', $username, PDO::PARAM_STR, 255); $stmt->bindParam(':hash', $tokenHash, PDO::PARAM_STR, 255); $stmt->execute(); if($stmt) { echo ' <form action="" method="POST"> <h3>New Password: </h3> <input type="password" name="newpass" placeholder="New Password" required /><br> <h3>Confirm Password: </h3> <input type="password" name="confpass" placeholder="Confirm Password" required /><br> <input type="submit" name="update" value="Update Password"> </form> '; } else { echo "Invalid token"; exit; } if($_POST['update']) { $newpass = $_POST['newpass']; $confpass = $_POST['confpass']; if($confpass == $newpass) { $enc_password = password_hash($confpass, PASSWORD_BCRYPT); $stmt = $handler->prepare("UPDATE users SET password = :cpass WHERE username = :u"); $stmt->bindParam(':u', $username, PDO::PARAM_STR, 255); $stmt->bindParam(':cpass', $enc_password, PDO::PARAM_STR, 255); $stmt->execute(); if($stmt) { echo "Your password has been reset!"; echo '<meta http-equiv="refresh" content="0;login.php">'; } else { echo "Error"; exit; } } } ?>
  4. Tom8001
    I don't see what you mean about not inserting the token hash in the query string?
  5. Tom8001
    $encodedToken = $_GET['token']; $token = hex2bin($encodedToken); $tokenHash = hash('sha256', $token); $username = $_GET['s']; $stmt = $handler->prepare("UPDATE users SET reset = ".$tokenHash." WHERE username = :u"); $stmt->bindParam(':u', $username, PDO::PARAM_STR, 255); $stmt->execute(); Fatal error: Call to a member function prepare() on a non-object I get this error when clicking the reset link in the email, it says on line 10 which is the update query
  6. Tom8001
    I read it on a stack overflow thread somewhere, And i don't know the token is what doesn't make sense to me.
  7. Tom8001
    Hi, This is my forgot password code so far. <?php require('./includes/connect.php'); error_reporting(E_ALL | E_NOTICE); ini_set('display_errors', 1); if($_SERVER['REQUEST_METHOD'] == "POST") { $email = $_POST['email']; $email = htmlentities($email, ENT_QUOTES); $stmt = $handler->prepare("SELECT email FROM users WHERE email = :email"); $stmt->bindParam(':email', $email, PDO::PARAM_STR, 255); $stmt->execute(); if($stmt) { $fetch = $stmt->fetch(); if($email == $fetch['email']) { $stmt = $handler->prepare("SELECT username FROM users WHERE email = :email"); $stmt->bindParam(':email', $email, PDO::PARAM_STR, 255); $stmt->execute(); $row = $stmt->fetch(); $username = $row['username']; $token = mcrypt_create_iv(MCRYPT_RAND); $headers = "Password Reset"; $body = "Hi, ".$username."!, You have recently requested to reset your password. ".PHP_EOL." \n If you did not make this request please forget this email. ".PHP_EOL." To reset your password please click this link: <a href='http://ps3modding.co.uk/forgot_password.php?token=$token'></a>"; } else { echo "The E-Mail Address entered was Not Found."; } } } ?> What i am wondering is because your not ment to store the token in the database how do you check to see if it is valid? Is it done by $_COOKIE?, Thanks
  8. Tom8001
    Sorry i'm still fairly new to PHP i don't understand what to do about the token am i ment to use the rand() function?
  9. Tom8001
    What i don't understand is when they request to reset their password, I will be hashing the password using password_hash but how am i ment to let them see the password in the email in plaint text? Edit: Sorry we posted at the same time
  10. Tom8001
    I was thinking to just reset the password when the form is submitted and then query the database for the new password, decrypt it and send it via email?
  11. Tom8001
    I am currently using password_hash and password_verify in my code, I am unsure can i decrypt the password?
  12. Tom8001
    Thanks, I will take a look at other threads.
  13. Tom8001
    Hi, how can i create a Forgotten password script? I know security can be a real issue with this if the code isn't written correctly.
  14. Tom8001
    Thanks, yeah i got confused with the query's , Thanks everyone for the help it's much appreciated.
  15. Tom8001
    Thanks, I'm not getting errors now but it says the old password is incorrect function chgPwd() { require('connect.php'); $username = $_SESSION['username']; $password = $_POST['password']; $npassword = $_POST['npassword']; $cpassword = $_POST['cpassword']; $sql = $handler->prepare("SELECT password FROM users WHERE password = :p"); $sql->bindParam(':p', $password, PDO::PARAM_STR, 255); $sql->execute(); $fetch = $sql->fetch(); if($cpassword !== $cpassword) { echo "Passwords do not match!"; } if(password_verify($password, $fetch['password'])) { $pass_isok = 1; } else { $pass_isok = 0; } if($pass_isok == 1) { $enc_password = password_hash($cpassword, PASSWORD_BCRYPT); $sql = "UPDATE users SET password = '$enc_password' WHERE username = '$username'"; $sql->execute(); if($sql >= 1) { echo "Password updated successfully!"; } else { echo "Error. Password could not be updated at this time, If this persists please contact support."; } } else { echo "Your old password is incorrect!"; } } That's the code updated
  16. Tom8001
    Fatal error: Call to a member function bindParam() on string in C:\xampp\htdocs\adminpanel\includes\functions.php on line 48 And this is on localhost Thats what i got from error reporting, As for the apache error log i got the following, [Mon Oct 19 21:51:58.437261 2015] [ssl:warn] [pid 5092:tid 240] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name [Mon Oct 19 21:51:58.990292 2015] [core:warn] [pid 5092:tid 240] AH00098: pid file C:/xampp/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run? [Mon Oct 19 21:51:59.359309 2015] [ssl:warn] [pid 5092:tid 240] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name [Mon Oct 19 21:52:07.623749 2015] [mpm_winnt:notice] [pid 5092:tid 240] AH00455: Apache/2.4.10 (Win32) OpenSSL/1.0.1i PHP/5.6.3 configured -- resuming normal operations [Mon Oct 19 21:52:07.624749 2015] [mpm_winnt:notice] [pid 5092:tid 240] AH00456: Apache Lounge VC11 Server built: Jul 17 2014 11:50:08 [Mon Oct 19 21:52:07.624749 2015] [core:notice] [pid 5092:tid 240] AH00094: Command line: 'c:\\xampp\\apache\\bin\\httpd.exe -d C:/xampp/apache' [Mon Oct 19 21:52:07.661750 2015] [mpm_winnt:notice] [pid 5092:tid 240] AH00418: Parent: Created child process 6096 [Mon Oct 19 21:52:08.682801 2015] [ssl:warn] [pid 6096:tid 252] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name [Mon Oct 19 21:52:09.227829 2015] [ssl:warn] [pid 6096:tid 252] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name [Mon Oct 19 21:52:09.423839 2015] [mpm_winnt:notice] [pid 6096:tid 252] AH00354: Child: Starting 150 worker threads.
  17. Tom8001
    <form id="RegisterForm" name="RegisterForm" method="post"> You haven't added an action <form id="RegisterForm" name="RegisterForm" action="" method="post">
  18. Tom8001
    Hi i am coding a user settings panel and i have a functions.php file, which contains the change password code, However when the form is submitted a 500 internal error is displayed. here is the code: Html Form <?php require('/includes/functions.php'); require('/includes/connect.php'); isLoggedIn(); $username = $_SESSION['username']; if($_SERVER['REQUEST_METHOD'] == "POST") { if($_POST['chgPwd']) { chgPwd(); } } ?> <html> <title>User CP - <?php echo $username; ?></title> <body> <center> <font color='#ff0000'> <h1>Change your password</h1> <form action="" method="POST"> Current password: <input type="password" name="password" placeholder="Current password" required /><br> New Password: <input type="password" name="npassword" placeholder="New password" required /><br> Confirm Password: <input type="password" name="cpassword" placeholder="Confirm password" required /><br> <br><input type="submit" name="chgPwd" value="Update Password" /> </form> </font> Change Password Code function chgPwd() { require('connect.php'); $username = $_SESSION['username']; $password = $_POST['password']; $npassword = $_POST['npassword']; $cpassword = $_POST['cpassword']; $sql = "SELECT password FROM users WHERE password = :p"; $sql->bindParam(':p', $password, PDO::PARAM_STR, 255); $sql->execute(); $fetch = $handler->fetch(); if($cpassword !== $cpassword) { echo "Passwords do not match!"; } if(password_verify($password, $fetch['password'])) { $pass_isok = 1; } else { $pass_isok = 0; } if($pass_isok == 1) { $enc_password = password_hash($cpassword, PASSWORD_BCRYPT); $sql = "UPDATE users SET password = '$enc_password' WHERE username = '$username'"; $sql->execute(); if($sql) { echo "Password updated successfully!"; } else { echo "Error. Password could not be updated at this time, If this persists please contact support."; } } else { echo "Your old password is incorrect!"; } }
  19. Tom8001
    I changed my code to this <?php require('/includes/functions.php'); require('/includes/connect.php'); error_reporting(E_ALL | E_NOTICE); session_start(); if($_SERVER['REQUEST_METHOD'] == "POST") { $username = $_POST['username']; $password = $_POST['password']; $username = htmlspecialchars($username, ENT_QUOTES); $username = htmlentities($username, ENT_QUOTES); if(empty($username) || empty($password)) { die("You must enter your <b>username</b> and <b>password</b>"); } $user_stmt = $handler->prepare(' SELECT password, rank, active FROM users WHERE username = :username '); $user_stmt->execute([ 'username' => $username, 'password' => $password, ]); //This is line 37 $user_data = $user_stmt->fetch(); if ($user_data) { if (password_verify($password, $user_data['password'])) { echo 'The password is correct'; } else { echo 'Incorrect password.'; } } if($$user_stmt->rowCount()) { $row = $sql->fetch(); if($row['active'] == 0) { die("<h3>Your account has been banned.</h3>"); } if($row['rank'] == 1) { $_SESSION['rank'] = $row['rank']; $_SESSION['username'] = $username; $_SESSION['loggedIn'] = 1; echo '<meta http-equiv="refresh" content="0;admin.php">'; } else if($row['rank'] == 0) { $_SESSION['rank'] = $row['rank']; $_SESSION['username'] = $username; $_SESSION['loggedIn'] = 1; echo '<meta http-equiv="refresh" content="0;user.php">'; } $_SESSION['rank'] = 0; $_SESSION['username'] = $username; $_SESSION['loggedIn'] = 1; echo '<meta http-equiv="refresh" content="0;user.php">'; } else { die("<h3>Login Failed.</h3>"); } } ?> I am getting this error Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens' on line 37
  20. Tom8001
    Thank you, Both
  21. Tom8001
    Thanks, I'm a bit confused though, $sql = $handler->prepare("SELECT username, password, rank, active FROM users WHERE username = :username AND password = :p"); $sql->bindParam(':username', $username, PDO::PARAM_STR, 255); $sql->bindParam(':p', $password, PDO::PARAM_STR, 255); $sql->execute(); $password = password_verify($password, ); How do i compare it to the database hash?
  22. Tom8001
    Hi, i am trying to make a login with which encrypts passwords using password_hash(), when i use it on the register script and it inserts the hashed password and then goes to check the password when logging in the hash changes. Login Script <?php require('/includes/functions.php'); require('/includes/connect.php'); error_reporting(E_ALL | E_NOTICE); session_start(); if($_SERVER['REQUEST_METHOD'] == "POST") { $username = $_POST['username']; $password = $_POST['password']; $username = htmlspecialchars($username, ENT_QUOTES); $username = htmlentities($username, ENT_QUOTES); if(empty($username) || empty($password)) { die("You must enter your <b>username</b> and <b>password</b>"); } $enc_password = password_hash($password, PASSWORD_BCRYPT); $sql = $handler->prepare("SELECT username, password, rank, active FROM users WHERE username = :username AND password = :password"); $sql->bindParam(':username', $username, PDO::PARAM_STR, 255); $sql->bindParam(':password', $enc_password, PDO::PARAM_STR, 255); $sql->execute(); if(password_verify(':password', $enc_password)) { echo "The passwords match"; } else { echo "The passwords do not match"; } if($sql->rowCount()) { $row = $sql->fetch(); if($row['active'] == 0) { die("<h3>Your account has been banned.</h3>"); } if($row['rank'] == 1) { $_SESSION['rank'] = $row['rank']; $_SESSION['username'] = $username; $_SESSION['loggedIn'] = 1; echo '<meta http-equiv="refresh" content="0;admin.php">'; } else if($row['rank'] == 0) { $_SESSION['rank'] = $row['rank']; $_SESSION['username'] = $username; $_SESSION['loggedIn'] = 1; echo '<meta http-equiv="refresh" content="0;user.php">'; } $_SESSION['rank'] = 0; $_SESSION['username'] = $username; $_SESSION['loggedIn'] = 1; echo '<meta http-equiv="refresh" content="0;user.php">'; } else { die("<h3>Login Failed.</h3>"); } } ?> Register Script <?php require('/includes/functions.php'); require('/includes/connect.php'); if($_SERVER['REQUEST_METHOD'] == "POST") { $username = $_POST['username']; $email = $_POST['email']; $password = $_POST['password']; $cpassword = $_POST['cpassword']; $username = htmlspecialchars($username, ENT_QUOTES); $username = htmlentities($username, ENT_QUOTES); if(empty($username) || empty($email) || empty($password) || empty($cpassword)) { die("You must enter all fields!"); } if($cpassword !== $password) { die("Passwords do not match!"); } if (filter_var($email, FILTER_VALIDATE_EMAIL)) { } else { die("You must enter a valid E-Mail Address!"); } $enc_password = password_hash($password, PASSWORD_BCRYPT); $sql = $handler->prepare("INSERT INTO `users` (`username`, `email`, `password`) VALUES (:u, :e, )"); $sql->bindParam(':u', $username, 255); $sql->bindParam(':e', $email, 255); $sql->bindParam(':p', $enc_password, 255); $sql->execute(); if($sql->rowCount()) { echo "Your account has been created!, Redirecting.."; echo "<meta http-equiv='refresh' content='0;login.php'>"; } else { die("Your account could not be created!"); } } ?>
  23. Tom8001
    Never mind sorry i figured it out.
  24. Tom8001
    I'm trying to Search .txt file for specific word, anyone know how i can do this? Thanks.
  25. Tom8001
    Tired, Been in a car for 6 hours from holiday :\
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.