yanjchan Posted July 26, 2009

Hello. Could someone please help me with this problem I've been having... I put a value of a hashed password in a cookie and compare it to a value from a database. In my initial checks during the login process, everything turns out OK. However, in my page to page authentication script, even though I have made sure to do the exact thing (after it didn't work the first time I directly copied and pasted). When comparing the hash values from the table requested in the first string, I get one identical to the correct one. However, in my page to page script, I get a completely different value.

The above was probably hard to follow (I'm not great at explaining things), so please look at the code:

<?php
if ($_COOKIE['xsrf['.$_POST['i'].']'] != $_POST['xsrf'] || !isset($_COOKIE['xsrf['.$_POST['i'].']'])) {
    $errors = "It appears you have been a victim of a browser attack! Please run a virus scan before continuing online activities.";
    setcookie('xsrf', sha1($hash), time()-1, '/citizen/', '.ch4n.net');
    header("Location: login.php?errors=$errors");
}
setcookie('xsrf', sha1($hash), time()-1, '/citizen/', '.ch4n.net');
require('authent.php');
$user = mysql_escape_string(htmlentities($_POST['username']));
$pass = mysql_escape_string(htmlentities($_POST['password']));
$passwordhash = hashPassword($pass);
if(table_exists("user_".$user, 's2zsl9rx_citizen')) {
    // Make a MySQL Connection
    require('c2db.php');
    mysql_select_db("s2zsl9rx_citizen") or die(mysql_error());
    $result = mysql_query("SELECT * FROM user_".$user."") or die(mysql_error());
    $row = mysql_fetch_array( $result );
    if ($row['pass'] == $passwordhash) {
        $value = $user.','.$passwordhash.','.hashPassword(getip()).','.hashPassword($_SERVER['HTTP_USER_AGENT']);
        setcookie('citizeninfo', $value, time()+3600, '/citizen/', '.ch4n.net');
        mysql_close();
        header("Location: game.php");
    } else {
        $errors = 'Username and/or password are incorrect';
        mysql_close();
        header("Location: login.php?errors=$errors");
    }
} else {
    $errors = 'Username and/or password are incorrect';
    header("Location: login.php?errors=$errors");
}
?>

.josh Posted July 26, 2009

I see you setting a cookie with $hash as a value but I don't see where you are assigning anything to $hash. I also see lots of setcookies but nowhere where you actually retrieve it. Is that in hashPassword() or an include?

yanjchan (Author) Posted July 26, 2009

That works perfectly fine. It's merely deleting the value for the xsrf cookie set in a previous form.

yanjchan (Author) Posted July 26, 2009

Update: It appears that it's the same value being returned... every time.

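For comparison with the login script in the first post, an added example (not code from the thread) of the same checks written as functions: the token cookie is tested for existence before a constant-time comparison, and the redirect message is URL-encoded. The function names and sample values are constructed, the form page is assumed to have set the cookie as `xsrf[<i>]`, and PHP's built-in `password_hash()`/`password_verify()` stand in for the thread's `hashPassword()`, whose body is not shown.

```php
<?php
// Added example, not the poster's code. Names and sample data are constructed.

// Double-submit XSRF check. PHP turns a cookie named "xsrf[3]" into
// $_COOKIE['xsrf'][3], so the token is read as a nested array element.
function xsrfTokenMatches(array $cookies, array $post): bool
{
    $i      = $post['i'] ?? null;
    $sent   = $post['xsrf'] ?? null;
    $tokens = $cookies['xsrf'] ?? null;
    if (!is_string($i) || !is_string($sent) || !is_array($tokens)) {
        return false;
    }
    $expected = $tokens[$i] ?? null; // missing cookie yields null, not a notice
    // hash_equals() is constant-time and, unlike !=, does no type juggling.
    return is_string($expected) && hash_equals($expected, $sent);
}

// Redirect target with the message URL-encoded rather than pasted in raw.
function loginRedirect(string $error): string
{
    return 'login.php?errors=' . rawurlencode($error);
}

// Outcome of a login POST. $storedHash stands in for the value fetched
// from the database with a parameterised query (assumption).
function handleLogin(array $cookies, array $post, ?string $storedHash): string
{
    if (!xsrfTokenMatches($cookies, $post)) {
        return loginRedirect('Invalid form token');
    }
    $pass = $post['password'] ?? '';
    if ($storedHash === null || !is_string($pass) || !password_verify($pass, $storedHash)) {
        return loginRedirect('Username and/or password are incorrect');
    }
    return 'game.php';
}

// Constructed sample request so the script runs from the command line.
$stored  = password_hash('correct horse', PASSWORD_DEFAULT);
$cookies = ['xsrf' => ['3' => 'a1b2c3']];
$good    = ['i' => '3', 'xsrf' => 'a1b2c3', 'password' => 'correct horse'];
$forged  = ['i' => '3', 'xsrf' => 'zzzzzz', 'password' => 'correct horse'];

echo handleLogin($cookies, $good, $stored), "\n";
echo handleLogin($cookies, $forged, $stored), "\n";
// On a real page: header('Location: ' . $target); exit;  header() alone does
// not stop the script. After a successful login, keep the user id in
// $_SESSION (session_regenerate_id(true)) instead of a password hash cookie.
```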