stormx Posted August 31, 2008

Hello, I am currently developing a .xml php script. This is my current code:

```php
<?php
$hn = 'localhost'; //replace with the mysql server address
$un = 'un'; //replace with the mysql username
$pw = 'pass'; //replace with the mysql password
$db = 'db'; //replace with the mysql database
$tb = 'users'; //replace with the mysql table

$conn = mysql_connect($hn, $un, $pw);
if (!$conn) {
    echo "Unable to connect to DB: " . mysql_error();
    exit;
}
if (!mysql_select_db($db)) {
    echo "Unable to select ".$db.": " . mysql_error();
    exit;
}

$qUser = $_GET['username']; //get username from query string
$qPass = $_GET['password']; //get password from query string
$salt = $qPass;
$pass = $qPass;
$pass1 = sha1($pass);
$pass2 = md5($pass);
$pass3 = md5($pass1);
$pass4 = md5($pass1.$salt);

// Check the database...
$result = mysql_query("SELECT `id`, `service`, `password` FROM `users` WHERE `service` = '$username' AND `password` = '$pass4'");
if (mysql_num_rows($result)) {
    $mes = "success";
} else {
    $mes = "failure";
}
if (!$result) {
    echo "Could not successfully run query ($sql) from DB: " . mysql_error();
    exit;
}

header("Content-Type: text/xml");
echo "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\r\n";
echo ("<usage>\r\n");
echo ("<authentication>".$mes."</authentication>\r\n");
while ($row = mysql_fetch_assoc($result)) {
    // MySQL Select for usage plan stats
    $usage_sql = mysql_query("SELECT * FROM `plan` WHERE `id` = '$row[plan]'") or die("Error!");
    $usage = mysql_fetch_array($usage_sql);
    // MySQL Select for usage stats
    $usage1_sql = mysql_query("SELECT * FROM `user_usage` WHERE `user_id` = '$row[id]'") or die("Error!");
    $usage1 = mysql_fetch_array($usage1_sql);
    echo ("<username>".$row["service"]."</username>\r\n");
    echo ("<onpeak_usage>".$usage1["onpeak"]."</onpeak_usage>\r\n");
    echo ("<offpeak_usage>".$usage1["offpeak"]."</offpeak_usage>\r\n");
    echo ("<onpeak_allow>".$usage["onpeak"]."</onpeak_allow>\r\n");
    echo ("<offpeak_allow>".$row["offpeak"]."</offpeak_allow>\r\n");
}
echo ("</usage>\r\n");
mysql_free_result($result);
?>
```

The issue I'm having is the part where it converts the password field to check it in the database:

```php
$qUser = $_GET['username']; //get username from query string
$qPass = $_GET['password']; //get password from query string
$salt = $qPass;
$pass = $qPass;
$pass1 = sha1($pass);
$pass2 = md5($pass);
$pass3 = md5($pass1);
$pass4 = md5($pass1.$salt);

// Check the database...
$result = mysql_query("SELECT `id`, `service`, `password` FROM `users` WHERE `service` = '$username' AND `password` = '$pass4'");
if (mysql_num_rows($result)) {
    $mes = "success";
} else {
    $mes = "failure";
}
```

What seems to be the issue?

Cheers

Link to comment https://forums.phpfreaks.com/topic/122074-cannot-get-from-mysql-database/

cooldude832 Posted August 31, 2008

why are u md5ing the password 4 times???

JasonLewis Posted August 31, 2008

Why do you md5 it so many times? (What cooldude said.) Let's make some sense of this...

```php
$salt = $qPass;
$pass = $qPass;
$pass1 = sha1($pass);
$pass2 = md5($pass);
$pass3 = md5($pass1);
$pass4 = md5($pass1.$salt);
```

Okay, so your salt is your password. Then you create another variable pass which holds the password. Next, you make a new variable, pass1, and sha1 the original pass. Next is pass2, you md5 the original pass. Then pass3 you md5 the sha1 password, so what was the point of pass2? Pass4 you ignore pass3 again and md5 the sha1 password and also add the salt which is the original password. Why?

genericnumber1 Posted August 31, 2008

Try echoing your query or adding `or die(mysql_error());` at the end of your mysql_query() line to see if you have an error in your syntax.

Ken2k7 Posted August 31, 2008

```php
$result = mysql_query("SELECT `id`, `service`, `password` FROM `users` WHERE `service` = '$username' AND `password` = '$pass4'");
```

$username is NOT defined.

stormx Posted August 31, 2008 (Author)

Alright, I did this:

```php
$qUser = $_GET['username']; //get username from query string
$qPass = $_GET['password']; //get password from query string
$salt = $qPass;
$pass = $qPass;
$pass1 = sha1($pass);
$pass2 = md5($pass);
$pass3 = md5($pass1);
$pass4 = md5($pass1.$salt);

// Check the database...
$result = mysql_query("SELECT * FROM ".$tb." WHERE service='".$qUser."' AND password='".$pass4."'");
if (mysql_num_rows($result)) {
    $mes = "success";
} else {
    $mes = "failure";
}
```

It's still failing :(

JasonLewis Posted August 31, 2008

> Why do you md5 it so many times? (What cooldude said.) Let's make some sense of this...
>
> ```php
> $salt = $qPass;
> $pass = $qPass;
> $pass1 = sha1($pass);
> $pass2 = md5($pass);
> $pass3 = md5($pass1);
> $pass4 = md5($pass1.$salt);
> ```
>
> Okay, so your salt is your password. Then you create another variable pass which holds the password. Next, you make a new variable, pass1, and sha1 the original pass. Next is pass2, you md5 the original pass. Then pass3 you md5 the sha1 password, so what was the point of pass2? Pass4 you ignore pass3 again and md5 the sha1 password and also add the salt which is the original password. Why?

^ Also.. mysql_num_rows() returns the number of results, and only false if it failed. Ensure that your query is correct and that your password protection is correct.

Ken2k7 Posted August 31, 2008

Are you sure you are encrypting the password correctly?

stormx Posted August 31, 2008 (Author)

I managed to fix it:

```php
$qUser = $_GET['username']; //get username from query string
$qPass = $_GET['password']; //get password from query string
$salt = "thecoolsecuirtyteam";
$pass = $qPass;
$pass1 = sha1($pass);
$pass2 = md5($pass);
$pass3 = md5($pass1);
$pass4 = md5($pass1.$salt);
```

I know it's not necessary to MD5 it numerous times, but adding `$salt = "thecoolsecuirtyteam";` fixed it.

Ken2k7 Posted August 31, 2008

What's the point of $pass2?

JasonLewis Posted August 31, 2008

It's also strange how you md5 a string, then you don't even use it. What is the purpose of $pass2 and $pass3?

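Added example, not part of any post in this thread: the first part shows why the lookup kept failing until the salt matched (assuming, as stormx's fix suggests, that the stored hashes were built with the fixed salt), and the second part shows the same login check with a bound parameter and `password_hash()`/`password_verify()` instead of `$_GET` values concatenated into the SQL text. The in-memory SQLite database, the sample users and the sample password are constructed for the example; `legacyHash` and `checkLogin` are hypothetical names.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// thread; the SQLite database, users and password below are constructed.

// 1) Why the lookup failed: the digest depends on the exact recipe, so the
//    login side must repeat what was used when the row was written.
function legacyHash(string $password, string $salt): string
{
    return md5(sha1($password) . $salt);   // the thread's $pass4
}
$stored  = legacyHash('sample-pass', 'thecoolsecuirtyteam'); // assumed stored form
$attempt = legacyHash('sample-pass', 'sample-pass');         // salt = password
var_dump(hash_equals($stored, $attempt));  // the two recipes do not match

// 2) Hardened login check.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, service TEXT UNIQUE, password TEXT)');

// Registration: password_hash() generates a random per-user salt and stores
// it, with the algorithm and cost, inside the returned string.
$ins = $pdo->prepare('INSERT INTO users (service, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('sample-pass', PASSWORD_DEFAULT)]);

function checkLogin(PDO $pdo, string $user, string $password): bool
{
    // The username is bound as a parameter, never concatenated into the SQL.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE service = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();          // false when no such user
    // Verification happens in PHP; the password is not part of the WHERE clause.
    return is_string($hash) && password_verify($password, $hash);
}

var_dump(checkLogin($pdo, 'alice', 'sample-pass'));  // correct credentials
var_dump(checkLogin($pdo, 'alice', 'wrong'));        // wrong password
var_dump(checkLogin($pdo, "o'neil", 'x'));           // quote in input stays data
```

The `mysql_*` functions used in the thread were removed in PHP 7.0, which is why this example uses PDO.
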
Archived
This topic is now archived and is closed to further replies.