HDFilmMaker2112 Posted June 21, 2011 Share Posted June 21, 2011 For some reason the below is directing me back to my change password form and telling me the current password is entered incorrectly. That is triggered by this if statement - if($current!=$mypassword2) kam3(); is my hashing function. <?php session_start(); $myusername2=$_SESSION['myusername2']; $mypassword2=$_SESSION['mypassword2']; require_once 'db_select.php'; require_once 'func.php'; $current=kam3(sanitize($_POST['current'])); $new=sanitize($_POST['new']); $new_confirm=sanitize($_POST['new_confirm']); if($current!=$mypassword2){ header("location:index.php?usercp=password&p=0"); } elseif($new!=$new_confirm){ header("location:index.php?usercp=password&c=0"); } elseif($current==$mypassword2 && $new==$new_confirm){ $new=kam3($new); $sql="UPDATE $tbl_name SET password='$new' WHERE username='$myusername2' AND password='$mypassword2'"; $result=mysql_query($sql); unset($_SESSION['mypassword2']); unset($_SESSION['myusername2']); if(mysql_affected_rows($result)==1){ $_SESSION['mypassword2']=$new; $_SESSION['myusername2']=$myusername2; header("location:./index.php?usercp=password&c=1"); } else{ echo "Could Not Update Password."; } } ?> The initial log-in script looks like this: <?php require_once 'db_select.php'; require_once 'func.php'; // username and password sent from form $myusername=sanitize($_POST['username']); $mypassword=kam3(sanitize($_POST['password'])); $check_details="SELECT * FROM $tbl_name WHERE username='$myusername' AND password='$mypassword'"; $details_result=mysql_query($check_details); // Mysql_num_row is counting table row $count_details=mysql_num_rows($details_result); // If result matched $myusername and $mypassword, table row must be 1 row if($count_details==1){ session_start(); $_SESSION['myusername2']=$myusername; $_SESSION['mypassword2']=$mypassword; header("location:index.php?usercp"); } else{ if($usernamec!=$myusername || !isset($myusername) || $passwordc!=$mypassword){ $u2="0"; } header('Location:./index.php?u2='.$u2.''); } ?> The log-in works fine, it's just when I get to my change password page, it's telling me the password is entered incorrectly. Quote Link to comment Share on other sites More sharing options...
HDFilmMaker2112 Posted June 21, 2011 Author Share Posted June 21, 2011 Now I'm getting: Warning: mysql_affected_rows() expects parameter 1 to be resource, boolean given in /home/zyquo/public_html/makethemoviehappen.com/password_check.php on line 27 Could Not Update Password. Quote Link to comment Share on other sites More sharing options...
Ollifi Posted June 21, 2011 Share Posted June 21, 2011 If you put just mysql_affected_rows() So take off the $result Quote Link to comment Share on other sites More sharing options...
HDFilmMaker2112 Posted June 21, 2011 Author Share Posted June 21, 2011 Alright, that fixed the change password script, but now I can't log-in with the newly changed password... <?php session_start(); $myusername2=$_SESSION['myusername2']; $mypassword2=$_SESSION['mypassword2']; require_once 'db_select.php'; require_once 'func.php'; $current=kam3(sanitize($_POST['current'])); $new=sanitize($_POST['new']); $new_confirm=sanitize($_POST['new_confirm']); if($current!=$mypassword2){ header("location:index.php?usercp=password&p=0"); } elseif($new!=$new_confirm){ header("location:index.php?usercp=password&c=0"); } elseif($current==$mypassword2 && $new==$new_confirm){ $new=kam3($new); $sql="UPDATE $tbl_name SET password='$new' WHERE username='$myusername2' AND password='$mypassword2'"; $result=mysql_query($sql); unset($_SESSION['mypassword2']); unset($_SESSION['myusername2']); if(mysql_affected_rows()==1){ $_SESSION['mypassword2']=$new; $_SESSION['myusername2']=$myusername2; header("location:./index.php?usercp=password&c=1"); } else{ echo "Could Not Update Password."; } } ?> <?php require_once 'db_select.php'; require_once 'func.php'; // username and password sent from form $myusername=sanitize($_POST['username']); $mypassword=kam3(sanitize($_POST['password'])); $check_details="SELECT * FROM $tbl_name WHERE username='$myusername' AND password='$mypassword'"; $details_result=mysql_query($check_details); // Mysql_num_row is counting table row $count_details=mysql_num_rows($details_result); // If result matched $myusername and $mypassword, table row must be 1 row if($count_details==1){ session_start(); $_SESSION['myusername2']=$myusername; $_SESSION['mypassword2']=$mypassword; header("location:index.php?usercp"); } else{ $u2="0"; header('Location:./index.php?u2='.$u2.''); } ?> Quote Link to comment Share on other sites More sharing options...
HDFilmMaker2112 Posted June 21, 2011 Author Share Posted June 21, 2011 I checked the generated hashes and for some reason there different... The one in the database is not the same as the one generated when you type your password into the log-in form. Quote Link to comment Share on other sites More sharing options...
HDFilmMaker2112 Posted June 21, 2011 Author Share Posted June 21, 2011 Tried removing the sanitize() function but still no luck. Quote Link to comment Share on other sites More sharing options...
TeNDoLLA Posted June 21, 2011 Share Posted June 21, 2011 So how you have inserted the passwords in to the db? And what does this kam3()-function do? Quote Link to comment Share on other sites More sharing options...
HDFilmMaker2112 Posted June 21, 2011 Author Share Posted June 21, 2011 Right now the password is generated by my forgot password page, then logged-in and changed via the change password form. I manually create users for this website, so eventually the user generation will be built into the admin panel, it's just not there yet. function md5s($string) { $salt = md5($string."%*k~'_@"); $string = md5("$salt$string$salt"); return $string; } function kam3($string){ return hash('sha512',(md5s(cipher($string)))); } Quote Link to comment Share on other sites More sharing options...
TeNDoLLA Posted June 21, 2011 Share Posted June 21, 2011 Don't really think you will achieve anything doing multiple times md5/sha on the hash. Just do it once with the salt. Also there's another new function called 'chiper()' that I dont know what it does. I just don't get it if u saved the password to the database using kam3($pw) and then if you compare to user submitted password and run it also through kam3() - how it can be different. Try echoing in different parts the hash and see where it goes all wrong. Quote Link to comment Share on other sites More sharing options...
HDFilmMaker2112 Posted June 21, 2011 Author Share Posted June 21, 2011 it's not working no matter what hashing method I use... my own, or an existing one... Quote Link to comment Share on other sites More sharing options...
TeNDoLLA Posted June 21, 2011 Share Posted June 21, 2011 Here is a simple test code I tried, and IT HAS TO work if you do it like this: // Salt for passwords. $salt = '%431sdiUE-'; // And now save this password to database for a user. $password = 'test'; $password = md5($password . $salt); // Then try login with the pass 'test' and the user u saved it for. if (md5($_POST['password'] . $salt) === $password) { // $password is fetched from db after you saved it. // All should be good. } Quote Link to comment Share on other sites More sharing options...
KevinM1 Posted June 21, 2011 Share Posted June 21, 2011 What does $mypassword2 contain? Why are you calling kam3 on only the current password and not the new one? In any event, TeNDoLLA is right - you're not improving your security by calling md5 so many times. Also, a salt value should be unique to each password. The easiest solution would be to generate a timestamp when a user registers with your site. Use that as your salt (it's of sufficient length, and is unique for each user). Append and hash. Quote Link to comment Share on other sites More sharing options...
TeNDoLLA Posted June 21, 2011 Share Posted June 21, 2011 Btw. a bit off topic but anyways, if you create unique salt for each user, you apparently must store somewhere the salt for every user. Where do you keep these salts stored? Quote Link to comment Share on other sites More sharing options...
KevinM1 Posted June 21, 2011 Share Posted June 21, 2011 Btw. a bit off topic but anyways, if you create unique salt for each user, you apparently must store somewhere the salt for every user. Where do you keep these salts stored? In the database itself, as part of each user row, with a column name of Date Registered. Really, if your db is compromised, you have far more important things to worry about than whether your salt values are compromised. Quote Link to comment Share on other sites More sharing options...
KevinM1 Posted June 21, 2011 Share Posted June 21, 2011 That said, I'd do it differently for an e-commerce site. Separate password table, at the least, if not separate password db, and a better hash algorithm than MD5 or SHA1. Quote Link to comment Share on other sites More sharing options...
HDFilmMaker2112 Posted June 22, 2011 Author Share Posted June 22, 2011 Alright, well I just tried SHA512 wrapping the MD5S and that is working: function kam3($string){ return hash('sha512',(md5s($string))); } My issue is with the cipher(); which doesn't make much sense since it's just a substitution cipher. It's takes an "a" and turns it into a "c".... function cipher($str){ require_once 'llib.php'; require_once 'nlib.php'; $new_str = ''; foreach (str_split($str) as $char) { $new_str .= $number[$letter[$char]]; } return $new_str; } Quote Link to comment Share on other sites More sharing options...
HDFilmMaker2112 Posted June 22, 2011 Author Share Posted June 22, 2011 I'll include a chunk of my "libraries" for the cipher: $letter['']="00"; $letter['b']="01"; $letter['d']="02"; $letter['f']="03"; $letter['h']="04"; $letter['j']="05"; $letter['l']="06"; $letter['n']="07"; $letter['p']="08"; $letter['r']="09"; $letter['t']="10"; $letter['v']="11"; $letter['x']="12"; $number['00']=" "; $number['01']="0"; $number['02']="1"; $number['03']="2"; $number['04']="3"; $number['05']="4"; $number['06']="5"; $number['07']="6"; $number['08']="7"; $number['09']="8"; $number['10']="9"; $number['11']="a"; $number['12']="b"; Quote Link to comment Share on other sites More sharing options...
HDFilmMaker2112 Posted June 22, 2011 Author Share Posted June 22, 2011 I just checked the cipher by itself and it's working fine... They're all working fine independently.... It should be taking the initial string ciphering it, hashing it with a salted MD5 and then hashing that hash with SHA512. The cipher works by itself, and the SHA512 of the MD5s Hash works. It's just not working when I try to add the Cipher as the first step. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.