Jump to content

Recommended Posts

For some reason the below is directing me back to my change password form and telling me the current password is entered incorrectly. That is triggered by this if statement - if($current!=$mypassword2)

 

kam3(); is my hashing function.

 

<?php
session_start(); 
$myusername2=$_SESSION['myusername2'];
$mypassword2=$_SESSION['mypassword2'];

require_once 'db_select.php';
require_once 'func.php';

$current=kam3(sanitize($_POST['current']));
$new=sanitize($_POST['new']);
$new_confirm=sanitize($_POST['new_confirm']);

if($current!=$mypassword2){
header("location:index.php?usercp=password&p=0");
}

elseif($new!=$new_confirm){
header("location:index.php?usercp=password&c=0");
}

elseif($current==$mypassword2 && $new==$new_confirm){
$new=kam3($new);
$sql="UPDATE $tbl_name SET password='$new' WHERE username='$myusername2' AND password='$mypassword2'";
$result=mysql_query($sql);
unset($_SESSION['mypassword2']);
unset($_SESSION['myusername2']);
if(mysql_affected_rows($result)==1){
$_SESSION['mypassword2']=$new;
$_SESSION['myusername2']=$myusername2;
header("location:./index.php?usercp=password&c=1");
}
else{
echo "Could Not Update Password."; 
}
}
?>

 

The initial log-in script looks like this:

 

<?php
require_once 'db_select.php';
require_once 'func.php';

// username and password sent from form 
$myusername=sanitize($_POST['username']); 
$mypassword=kam3(sanitize($_POST['password'])); 

$check_details="SELECT * FROM $tbl_name WHERE username='$myusername' AND password='$mypassword'";
$details_result=mysql_query($check_details);


// Mysql_num_row is counting table row
$count_details=mysql_num_rows($details_result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count_details==1){
session_start();
$_SESSION['myusername2']=$myusername;
$_SESSION['mypassword2']=$mypassword;
header("location:index.php?usercp");
}

else{ 
if($usernamec!=$myusername || !isset($myusername) || $passwordc!=$mypassword){  
$u2="0";  
} 
header('Location:./index.php?u2='.$u2.''); 
} 

?>

 

The log-in works fine, it's just when I get to my change password page, it's telling me the password is entered incorrectly.

Now I'm getting:

 

 

Warning: mysql_affected_rows() expects parameter 1 to be resource, boolean given in /home/zyquo/public_html/makethemoviehappen.com/password_check.php on line 27

Could Not Update Password.

Alright, that fixed the change password script, but now I can't log-in with the newly changed password...

 

<?php
session_start(); 
$myusername2=$_SESSION['myusername2'];
$mypassword2=$_SESSION['mypassword2'];

require_once 'db_select.php';
require_once 'func.php';

$current=kam3(sanitize($_POST['current']));
$new=sanitize($_POST['new']);
$new_confirm=sanitize($_POST['new_confirm']);

if($current!=$mypassword2){
header("location:index.php?usercp=password&p=0");
}

elseif($new!=$new_confirm){
header("location:index.php?usercp=password&c=0");
}

elseif($current==$mypassword2 && $new==$new_confirm){
$new=kam3($new);
$sql="UPDATE $tbl_name SET password='$new' WHERE username='$myusername2' AND password='$mypassword2'";
$result=mysql_query($sql);
unset($_SESSION['mypassword2']);
unset($_SESSION['myusername2']);
if(mysql_affected_rows()==1){
$_SESSION['mypassword2']=$new;
$_SESSION['myusername2']=$myusername2;
header("location:./index.php?usercp=password&c=1");
}
else{
echo "Could Not Update Password."; 
}
}
?>

 

<?php
require_once 'db_select.php';
require_once 'func.php';

// username and password sent from form 
$myusername=sanitize($_POST['username']); 
$mypassword=kam3(sanitize($_POST['password'])); 

$check_details="SELECT * FROM $tbl_name WHERE username='$myusername' AND password='$mypassword'";
$details_result=mysql_query($check_details);


// Mysql_num_row is counting table row
$count_details=mysql_num_rows($details_result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count_details==1){
session_start();
$_SESSION['myusername2']=$myusername;
$_SESSION['mypassword2']=$mypassword;
header("location:index.php?usercp");
}

else{ 
$u2="0";  
header('Location:./index.php?u2='.$u2.''); 
} 

?>

Right now the password is generated by my forgot password page, then logged-in and changed via the change password form. I manually create users for this website, so eventually the user generation will be built into the admin panel, it's just not there yet.

 

function md5s($string) {
    $salt = md5($string."%*k~'_@");
    $string = md5("$salt$string$salt");
   
    return $string; 
}

function kam3($string){
return hash('sha512',(md5s(cipher($string))));
}

Don't really think you will achieve anything doing multiple times md5/sha on the hash. Just do it once with the salt. Also there's another new function called 'chiper()' that I dont know what it does. I just don't get it if u saved the password to the database using kam3($pw) and then if you compare to user submitted password and run it also through kam3() - how it can be different. Try echoing in different parts the hash and see where it goes all wrong.

Here is a simple test code I tried, and IT HAS TO work if you do it like this:

 

// Salt for passwords.
$salt = '%431sdiUE-';

// And now save this password to database for a user.
$password = 'test';
$password = md5($password . $salt);

// Then try login with the pass 'test' and the user u saved it for.
if (md5($_POST['password'] . $salt) === $password)
{
// $password is fetched from db after you saved it.
// All should be good.
}

 

What does $mypassword2 contain?  Why are you calling kam3 on only the current password and not the new one?

 

In any event, TeNDoLLA is right - you're not improving your security by calling md5 so many times.  Also, a salt value should be unique to each password.

 

The easiest solution would be to generate a timestamp when a user registers with your site.  Use that as your salt (it's of sufficient length, and is unique for each user).  Append and hash.

Btw. a bit off topic but anyways, if you create unique salt for each user, you apparently must store somewhere the salt for every user. Where do you keep these salts stored?

 

In the database itself, as part of each user row, with a column name of Date Registered.  Really, if your db is compromised, you have far more important things to worry about than whether your salt values are compromised.

Alright, well I just tried SHA512 wrapping the MD5S and that is working:

 

function kam3($string){
return hash('sha512',(md5s($string)));
}

 

My issue is with the cipher(); which doesn't make much sense since it's just a substitution cipher. It's takes an "a" and turns it into a "c"....

 

function cipher($str){
require_once 'llib.php';
require_once 'nlib.php';
$new_str = '';
foreach (str_split($str) as $char) {
    $new_str .= $number[$letter[$char]];
}
return $new_str;
}

I'll include a chunk of my "libraries" for the cipher:

 

 

$letter['']="00";
$letter['b']="01";
$letter['d']="02";
$letter['f']="03";
$letter['h']="04";
$letter['j']="05";
$letter['l']="06";
$letter['n']="07";
$letter['p']="08";
$letter['r']="09";
$letter['t']="10";
$letter['v']="11";
$letter['x']="12";

$number['00']=" ";
$number['01']="0";
$number['02']="1";
$number['03']="2";
$number['04']="3";
$number['05']="4";
$number['06']="5";
$number['07']="6";
$number['08']="7";
$number['09']="8";
$number['10']="9";
$number['11']="a";
$number['12']="b";

I just checked the cipher by itself and it's working fine...

 

They're all working fine independently....

 

It should be taking the initial string ciphering it, hashing it with a salted MD5 and then hashing that hash with SHA512.

 

The cipher works by itself, and the SHA512 of the MD5s Hash works. It's just not working when I try to add the Cipher as the first step.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.