Posts posted by Nodral
-
Refer to my previous post, you are still trying to insert $_POST['password'] into the database, rather than the hashed and salted variable, $password
-
change
$password=md5( md5($password), $salt);
to
$password=md5( md5($salt.$password));
This way you are appending the salt onto the password before double hashing it, rather than trying to use $salt as some sort of flag
-
Set them to VARCHAR(255)
-
That's because you're hashing it after you insert it.
Try
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
    $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
if (isset($_POST['username'])) {
    if ($_POST['username'] == "") {
        // username empty
        die("You must enter a username");
    }
} else {
    // username not set
}
if (isset($_POST['password'])) {
    if ($_POST['password'] == "") {
        // password empty
        die("You must enter a password");
    }
} else {
    // password not set
}
$salt = "Any random gobbldy-gook";
// take the submitted password into $password so the hashed value, not $_POST['password'], is what gets inserted
$password = isset($_POST['password']) ? $_POST['password'] : '';
$password = md5( md5($password), $salt);
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
    $insertSQL = sprintf("INSERT INTO users (username, password, email, fname, sname) VALUES (%s, %s, %s, %s, %s)",
        GetSQLValueString($_POST['username'], "text"),
        GetSQLValueString($password, "text"),
        GetSQLValueString($_POST['email'], "text"),
        GetSQLValueString($_POST['fname'], "text"),
        GetSQLValueString($_POST['sname'], "text"));
    mysql_select_db($database_pwnedbookv4, $pwnedbookv4);
    $Result1 = mysql_query($insertSQL, $pwnedbookv4) or die(mysql_error());
    $insertGoTo = "loginsignup.php";
    if (isset($_SERVER['QUERY_STRING'])) {
        $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
        $insertGoTo .= $_SERVER['QUERY_STRING'];
    }
    header(sprintf("Location: %s", $insertGoTo));
}
-
Sorry, that was my bad code!!! oops
I always md5 twice, just to be on the safe side.
-
Sounds like you've missed your quotes off it.
$salt is a string which you set which will add to your users password prior to hashing.
Post your code where you've added this. Obviously you can change your salt once we've fixed it.
-
WAMP is the noise which is made when you punch someone!! lol
-
To hash and salt, take your password inputs, and prior to saving in the DB simply set it as
$salt="Any random gobbldy-gook";
$password=md5($salt(md5($password)));
This should stop anyone getting to your passwords. Then when you call back from your DB table, don't SELECT * FROM Table
Just call it back by
$salt="same random gobbldy-gook as above";
$password=md5($salt(md5($password)));
$sql="SELECT id FROM table where username='$username' AND password='$password'";
Then refer to everything by user id. This way you never actually pull your usernames and passwords out of the DB, you are just referring to them for a comparison to get records.
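The store-then-look-up-by-id flow described above, as an added example that is not Nodral's code: it swaps the md5-with-fixed-salt scheme for PHP's built-in password_hash()/password_verify() (bcrypt, which generates a random per-user salt and embeds it in the stored string) and builds both queries as PDO prepared statements. The in-memory SQLite database, the table layout and the sample credentials are assumptions made so the script runs stand-alone.

```php
<?php
// Added example (not Nodral's code): register a user with a hashed password,
// then log in by fetching only id and hash for that username and returning
// the id. SQLite in memory so it runs anywhere PHP has the pdo_sqlite driver.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// Registration: hash before the INSERT. password_hash() picks the salt and
// stores it inside the returned string, so no shared $salt constant exists.
function registerUser(PDO $db, string $username, string $plain): int {
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
    return (int) $db->lastInsertId();
}

// Login: look the row up by username only, compare the hash in PHP, and hand
// back the user id (or null). The submitted password never reaches the SQL
// text, and the password column is not part of the WHERE clause.
function loginUser(PDO $db, string $username, string $plain): ?int {
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($plain, $row['password'])) {
        return null; // unknown user and wrong password give the same answer
    }
    return (int) $row['id'];
}

// Constructed sample run: one good login, one bad password, one username
// containing a quote (harmless here because it is a bound parameter).
$id = registerUser($db, 'alice', 'correct horse battery staple');
var_dump(loginUser($db, 'alice', 'correct horse battery staple') === $id);
var_dump(loginUser($db, 'alice', 'wrong password') === null);
var_dump(loginUser($db, "alice' OR '1'='1", 'anything') === null);
```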
-
You are trying to count the result of the mysql query, rather than the arrays.
Try changing your count lines to
<?php echo "There are ". $row_Recordset1['COUNT(first_name)'] ." ". $row_Recordset1['city'] ." items." ;?>
-
So what is the best way to avoid this?
I should possibly update my cleanInput function to include this defense.
Is there a way in php to send a shotgun to the client side if they try to inject me? lol
-
So what is your question?
-
Can you post your updated code for the form and the parser so we can see what changes you've actioned.
Are you getting any error messages or just nothing feeding back to your DB?
-
If it's going to that address, you must have a GET method set. A POST would not show in the URL and if you are using GET then $_POST[] will not pick the values up.
-
And which bit do you need help with, or do you require someone to do all your homework for you?
-
Sounds good, however you're going to lose a certain percentage of your audience who do not have cookies enabled. Are you going to cater for these with a normal username/password validation? If so, surely you are just creating more work for yourself by coding 2 different ways to log in?
Have you got any code at the moment? Where are you up to? or do you want someone to just write the code for you?
-
Each time you loop through the foreach you are effectively writing over the $result variable.
instead of
$result =' <div id="topRow' . $row . '_' . $position.'" class="modRow" style="width:'.$modWidth.'px;"> <jdoc:include type="modules" name="topRow' . $row . '_' . $position.'" style="xhtml" /> </div>';
try
$result .=' <div id="topRow' . $row . '_' . $position.'" class="modRow" style="width:'.$modWidth.'px;"> <jdoc:include type="modules" name="topRow' . $row . '_' . $position.'" style="xhtml" /> </div>';
This will concatenate the next instance in the loop onto the previous one.
-
Please repost in the "Get your homework done for free" forum!!
-
I've also got this little gem in my function library which I apply to ALL user inputs before they can interact with any part of my DB or scripts
function cleanInput($input){
    $input=htmlentities($input);
    $input=stripslashes($input);
    $input=strip_tags($input);
    $input=mysql_real_escape_string($input);
    return $input;
}
This is good to use unless you want your users to be able to apply html formatting to any input
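An added example, not Nodral's function, that handles the two contexts a user input ends up in separately instead of running one clean-everything routine over it: the value goes to the database unchanged as a bound parameter, and HTML escaping is applied only at the moment it is printed into a page, so users can still type quotes and angle brackets without the stored data being altered. The in-memory SQLite table and the sample inputs are constructed for the demo.

```php
<?php
// Added example (not Nodral's code): per-context handling of user input.
// Storage: bound parameter, nothing escaped or stripped.
// Output: htmlspecialchars() at render time only.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// The driver sends $body as a parameter, so quotes and backslashes are data,
// not SQL syntax; the string is stored exactly as the user typed it.
function saveComment(PDO $db, string $body): int {
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:b)');
    $stmt->execute([':b' => $body]);
    return (int) $db->lastInsertId();
}

function loadComment(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

// Escape for the HTML context only when the value is written into a page.
function renderComment(string $body): string {
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed inputs: an apostrophe plus double quotes, and a script tag.
$inputs = ["O'Brien said \"hi\"", '<script>alert(1)</script>'];
foreach ($inputs as $in) {
    $stored = loadComment($db, saveComment($db, $in));
    // Round-trips unchanged (the apostrophe survives) ...
    echo ($stored === $in ? 'stored intact: ' : 'ALTERED: '), $stored, "\n";
    // ... and comes out of the renderer as inert text, not markup.
    echo renderComment($stored), "\n";
}
```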
-
As PHP is server-side, you would need to force the page to refresh to achieve this.
A better way is to use either JavaScript or Ajax.
-
This line needs a bit of concatenation and once you're connected, you don't need to redeclare it.
$q = mysql_query("select `id` from `allowed_ips` where `validate_ip` = '. $user_ip .' limit 1");
-
Use this as a separate file saved as connect.php, then just put
include_once('connect.php');
at the top of every file where you need a connection
<?php
// connection details are placeholders; replace with your own host, user, password and database
$link = mysql_connect('localhost', 'user_name', 'password');
if (!$link) {
    echo '1Unable to connect to the database server.';
    echo mysql_errno($link) . ": " . mysql_error($link) . "\n";
    exit();
}
if (!mysql_set_charset('utf8', $link)) {
    echo '2Unable to connect to the database server.';
    echo mysql_errno($link) . ": " . mysql_error($link) . "\n";
    exit();
}
if (!mysql_select_db('db_name', $link)) {
    echo '3Unable to connect to the database server.';
    echo mysql_errno($link) . ": " . mysql_error($link) . "\n";
    exit();
}
?>
-
What error do you get?
-
Sorted, just found in very small print not to use localhost and to use a designated ip address
Massive security issues!
in PHP Coding Help
Glad to be of help.
You all sorted now?