[Massive security issues!]

Glad to be of help.

 

You all sorted now?

[Massive security issues!]

Refer to my previous post, you are still trying to insert $_POST['password'] into the database, rather than the hashed and salted variable, $password

[Massive security issues!]

change

 

$password=md5( md5($password), $salt);

 

to

$password=md5( md5($salt.$password));

 

This way you are appending the salt onto the password before double hashing it, rather than trying to use $salt as some sort of flag

[Massive security issues!]

Set them to VARCHAR(255)

[Massive security issues!]

That's becasue you're hasing it after you insert it.

 

Try

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}


if(isset($_POST['username'])){
if($_POST['username'] == ""){
//username empty
die("You must enter a username");
}
} else {
//username not set
} 



if(isset($_POST['password'])){
if($_POST['password'] == ""){
//username empty
die("You must enter a password");
}
} else {
//password not set
} 

$salt="Any random gobbldy-gook";
$password=md5( md5($password), $salt);



if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO users (username, password, email, fname, sname) VALUES (%s, %s, %s, %s, %s)",
                       GetSQLValueString($_POST['username'], "text"),
                       GetSQLValueString($password, "text"),
                       GetSQLValueString($_POST['email'], "text"),
                       GetSQLValueString($_POST['fname'], "text"),
                       GetSQLValueString($_POST['sname'], "text"));
				   
				     mysql_select_db($database_pwnedbookv4, $pwnedbookv4);
  $Result1 = mysql_query($insertSQL, $pwnedbookv4) or die(mysql_error());

  $insertGoTo = "loginsignup.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
}

[Massive security issues!]

Sorry, that was my bad code!!! oops

 

I always md5 twice, just to be on the safe side.

[Massive security issues!]

Sounds like you've missed your quotes off it.

 

$salt is a  string which you set which will add to your users password prior to hashing.

 

Post your code where you've added this.  Obviously you can change your salt once we've fixed it.

[What is LAMP, WAMP, XAMP and AMP]

WAMP is the noise which is made when you punch someone!! lol 

[Massive security issues!]

To hash and salt,  take your password inputs, and prior to saving in the DB simply set it as

$salt="Any random gobbldy-gook";
$password=md5($salt(md5($password)));

 

This should stop anyone getting to your passwords.  Then when you call back from your DB table, don't SELECT * FROM Table

Just call it back by

 

$salt="same random gobbldy-gook as above";
$password=md5($salt(md5($password)));
$sql="SELECT id FROM table where username='$username' AND password='$password'";

 

Then refer to everything by user id.  This way you never actually pull your usernames and passwords out of  the DB, you are just referring to them for a comparrison to get records.

[php mysql count help]

You are trying to count the result of the mysql query, rather than the arrays.

 

Try changing your count lines to

<?php echo  "There are ". $row_Recordset1['COUNT(first_name)'] ." ". $row_Recordset1['city'] ." items." ;?> 

[Massive security issues!]

So what is the best way to avoid this?

 

I should possibly update my cleanInput function to include this defense.

 

Is there a way in php to send a shotgun to the client side if they try to inject me? lol

[Query]

So what is your question?

[post to database]

Can you post your updated code for the form and the parser so we can see what changes you've actioned.

 

Are you getting any error messages or just nothing feeding back to your DB?

[post to database]

If it's going to that address, you must have a GET method set.  A POST would not show in the URL and if you are using GET then $_POST[] will not pick the values up.

[Problems using the array from explode]

And which bit do you need help with, or do you require someone to do all your homework for you?

[Login Script Using COOKIES Only]

Sounds good, however you're going to lose a certain percentage of your audience who do not have cookies enabled.  Are you going to cater for these with a normal username/password validation?  If so, surely you are just creating more work for yourself by coding 2 different ways to log in?

 

Have you got any code at the moment?  Where are you up to?  or do you want someone to just write the code for you?

[function only returning last pass of foreach]

each time you loop through the foreach you are effectively writing over the $ result variable.

 

instead of

$result ='         <div id="topRow' . $row . '_' . $position.'" class="modRow" style="width:'.$modWidth.'px;">         <jdoc:include type="modules" name="topRow' . $row . '_' . $position.'" style="xhtml" />         </div>';

 

try

 

$result .='         <div id="topRow' . $row . '_' . $position.'" class="modRow" style="width:'.$modWidth.'px;">         <jdoc:include type="modules" name="topRow' . $row . '_' . $position.'" style="xhtml" />         </div>';

 

This will concatenate the next instance in the loop onto the previous one.

[solve this algorithm to PHP code, SOS]

Please repost in the "Get your homework done for free" forum!!

[Massive security issues!]

I've also got this little gem in my function library which I apply to ALL user inputs before they can interact with any part of my DB or scripts

 

function cleanInput($input){
	$input=htmlentities($input);
	$input=stripslashes($input);
	$input=strip_tags($input);
	$input=mysql_real_escape_string($input);
	return $input;
}

 

This is good to use unless you want your users to be able to apply html formatting to any input

[Massive security issues!]

Check this tutorial

 

Has helped me massively

 

http://www.phpfreaks.com/tutorial/php-security

 

[How can I make this clock ticking on my website??(without refreshing the page)]

As php is a serverside, you would need to force the page to refresh to acheive this.

 

A better way is to use either Javascript or ajax.

[need help with a basic php script]

This line needs a bit of concatenation and once you're connected, you don't need to redeclare it.

 

$q = mysql_query("select `id` from `allowed_ips` where `validate_ip` = '. $user_ip .' limit 1");

 

 

[need help with a basic php script]

Use this as a seperate file saved as connect.php, then just put

 

include_once('connect.php');

at the top of every file where you need a connection

 

<?php
$link = mysql_connect(localhost, 'user_name', 'password');
if (!$link)
{
echo'1Unable to connect to the database server.';
echo mysql_errno($link) . ": " . mysql_error($link). "\n";


exit();
}

if (!mysql_set_charset('utf8', $link))
{
echo'2Unable to connect to the database server.';
echo mysql_errno($link) . ": " . mysql_error($link). "\n";


exit();
}

if(!mysql_select_db('db_name, $link))
{
echo'3Unable to connect to the database server.';
echo mysql_errno($link) . ": " . mysql_error($link). "\n";


exit();
}

?>

[need help with a basic php script]

What error do you get?

[No connection, No error]

Sorted, just found in very small print not to use localhost and to use a designated ip address