Search the Community

I need new pair of eyes to look at this and tell me what's wrong with it. All I am trying to do is have a simple form that submits data to database. It works without the "token". With the token code added, it won't let process. I even did var_dump and the session and the $_post code doesn't match. Here's the code. Btw, session_start() and the database connection are in the init.php file. <?php require_once 'init.php'; $token = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM); $_SESSION['token'] = $token; if(isset($_POST['register'], $_POST['token'])) { if($_POST['token'] === $_SESSION['token']) { $email = trim($_POST['email']); $password = trim($_POST['password']); if(empty($email)) { $error = 'Email is required!'; } else if(empty($password)) { $error = 'Password is required!'; } else if(strlen($password) < 6) { $error = 'Password must be at least 6 characters long!'; } else { $findUser = $db->prepare("SELECT email FROM users WHERE email = :email"); $findUser->bindParam(':email', $email); $findUser->execute(); $resultFind = $findUser->fetchAll(PDO::FETCH_ASSOC); if(count($resultFind) > 0) { $error = 'The email already exists! Please try a different email!'; } else { //Hash the password as we do NOT want to store our passwords in plain text. $passwordHash = password_hash($passward, PASSWORD_BCRYPT, array("cost" => 12)); $insertUser = $db->prepare("INSERT INTO users(email, password) VALUES(:email, :password)"); $insertUser->bindParam(':email', $email); $insertUser->bindParam(':password', $passwordHash); $resultInsert = $insertUser->execute(); if($resultInsert == false) { $error = 'There was a problem creating your account. Please try again later!'; } else { $success = 'Your account has been created.'; unset($_SESSION['token']); } } } } else { $error = 'The tokens do not match!'; } } ?> <h1>Sign up</h1> <form action="" method="post"> <fieldset> <input type="email" name="email" value="<?php echo $email; ?>" placeholder="Email" /> </fieldset> <fieldset> <input type="password" name="password" placeholder="Password" /> </fieldset> <fieldset> <input type="hidden" name="token" value="<?php echo $token; ?>" /> <input type="submit" name="register" value="Sign up" /> </fieldset> </form>

Hi everybody ! I have this current problem .. I need to login into a website via cUrl .. website : www.v-tac [dot] ro/ Now based on the headers and based on the input fields I wrote a php function, but I hit a wall with the token . HEADERS : username=username&password=password&Submit=Conectare&option=com_users&task=user.login&return=aW5kZXgucGhwP0l0ZW1pZD0yMTY%3D&0dbf64fe20e2395a7d72ed5b64b3cf7c=1 FORM FIELDS - copy paste - this is the login form <fieldset class="userdata"> <p id="form-login-username"> <label for="modlgn-username">Nume Utilizator</label> <input id="modlgn-username" type="text" name="username" class="inputbox" size="18"> </p> <p id="form-login-password"> <label for="modlgn-passwd">Parola</label> <input id="modlgn-passwd" type="password" name="password" class="inputbox" size="18"> </p> <p id="form-login-remember"> <label for="modlgn-remember">Retine utilizator</label> <input id="modlgn-remember" type="checkbox" name="remember" class="inputbox" value="yes"> </p> <input type="submit" name="Submit" class="button" value="Conectare"> <input type="hidden" name="option" value="com_users"> <input type="hidden" name="task" value="user.login"> <input type="hidden" name="return" value="aW5kZXgucGhwP0l0ZW1pZD0yMTY="> <input type="hidden" name="11b09608b3184e6258012d44846c81ed" value="1"> </fieldset> And this is the function I wrote to do the cUrl login : function login_to_website($targetURL){ global $browser_user_agent; if(empty($targetURL)) { return; } if(empty($login_url)) { $login_url = $targetURL; } $url = $login_url; $login_user = "loginusername"; $login_password = "loginpassword"; $thetoken = "this-is-my-problem-the-token-from-the-hidden-input"; $post_data = array(); $post_data['username'] = "$login_user"; $post_data['password'] = "$login_password"; $post_data['Submit'] = "Conectare"; $post_data['option'] = "com_users"; $post_data['task'] = "user.login"; $post_data['return'] = "aW5kZXgucGhwP0l0ZW1pZD0yMTY%3D"; $post_data[$thetoken] = "1"; $postthis = http_build_query($post_data); $login = curl_init(); curl_setopt($login, CURLOPT_COOKIEJAR, dirname(__FILE__) . "/cookie.tmpz"); curl_setopt($login, CURLOPT_COOKIEFILE, dirname(__FILE__) . "/cookie.tmpz"); curl_setopt($login, CURLOPT_VERBOSE, true); curl_setopt($login, CURLOPT_URL, $url); curl_setopt($login, CURLOPT_USERAGENT, random_user_agent()); curl_setopt($login, CURLOPT_FOLLOWLOCATION, TRUE); curl_setopt($login, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($login, CURLOPT_POST, TRUE); $timeout = 5; curl_setopt( $login, CURLOPT_CONNECTTIMEOUT, $timeout ); curl_setopt( $login, CURLOPT_TIMEOUT, $timeout ); curl_setopt( $login, CURLOPT_MAXREDIRS, 10 ); curl_setopt($login, CURLOPT_POSTFIELDS, $postthis); // POST vars curl_setopt($login, CURLOPT_HEADER, 0); // debug headers sent - 1 $data = curl_exec ($login); curl_setopt($login, CURLOPT_URL, $targetURL); $datax = curl_exec ($login); return $datax; // close cURL resource, and free up system resources curl_close($login); } The problem is this the last array input. the token is generated each time the page is loaded, located on the page as an input hidden field . So the question is how do I get a fresh token that will work ? Also I have tried to get the token with a xpath extract like this : $htmlx = file_get_contents('http://www.v-tac.ro'); $htmlx = mb_convert_encoding($htmlx, 'UTF-8', mb_detect_encoding($htmlx)); //make sure this is utf8 if(!strlen($htmlx)) {echo "No HTML here . stoping execution ."; return;} $doc = new DomDocument; @$doc->loadHTML($htmlx); $xpath = new DOMXPath($doc); echo $xpath->query('//fieldset[@class="userdata"]/input[5]')->item(0)->getAttribute("name"); $thetoken = $xpath->query('//fieldset[@class="userdata"]/input[5]')->item(0)->getAttribute("name"); Help !?

Hello I am looking to create an expiring token for use with our password reset system. We want tokens to be valid for a set period, let's say 24hrs. Currently we md5 the username and userid, and send this as a token to the users registered email... It's OK, but means that token is valid indefinitely. I am not keen on adding more fields to the database to store the time the request was made, so wondered if anyone had a suggestion? Is there a way I can encrypt a token including a timestamp and then decrypt it to separate the elements out to check the timestamp? Thanks