andy_b_1502 Posted June 6, 2012 Share Posted June 6, 2012 Hi all, I am using update to SET fields in mySQL table, my question is; do i have to update hash/salt as well as password or can i just update password as hash and salt are unique? The path goes like this: index.php > login.php > view01.php?id= > view02.php > ^ <<< < < <back to view01.php view01.php: <?PHP session_start(); if(!isset($_SESSION['id']) || !isset($_SESSION['valid_user']) || $_SESSION['valid_user'] != "yes") { $_SESSION = array(); session_destroy(); header("Location: index.php"); exit(); } include ('php only scripts/db.php'); $id = $_GET['id']; $query ="SELECT * FROM companies WHERE id = '$id'"; $result = mysql_query($query) or die(mysql_error()); $row = mysql_fetch_array($result); ?> <!DOCTYPE html> <head> <title>Removalspace.com</title> <style type="text/css"> <!-- body { background-image: url(styles/downloaded%20styles/todo/todo/images/bg.png); } --> </style> <link href="styles/downloaded styles/todo/todo/css/style.css" rel="stylesheet" type="text/css" /> <link rel="stylesheet" type="text/css" href="styles/downloaded styles/todo/todo/css/style9.css" /> <link rel="stylesheet" type="text/css" href="styles/downloaded styles/todo/todo/css/demo.css" /> <link href='http://fonts.googleapis.com/css?family=Terminal+Dosis' rel='stylesheet' type='text/css' /> <style type="text/css"> <!-- .Stile1 {color: #333333} --> </style> <script type="text/javascript"> var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-31656176-1']); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); </script> </head> <body> <!--start container --> <div id="container"> <header> <nav> <div id="logo"><a href="index.php"><img src="images/header2.png" alt="Logo here" width="219" height="161" /></a> </div> <div id="search-top"><img src="styles/downloaded styles/todo/todo/images/quote-right.png" alt="images" /><span class="cursive">Enter your postcode here</span><img src="styles/downloaded styles/todo/todo/images/quote-left.png" alt="images" /> <form method="post" action="search.php"> <input type="text" name="strSearch" onFocus="if(this.value=='Search Area')this.value='';" onBlur="if(this.value=='')this.value='Search Area';" value="Search Area" id="search-field"/> <input type="submit" value="" id="search-btn"/> </form> </div> <div id="nav_social"><a href="http://www.facebook.com/pages/Removalspace/181434181939226"><img src="styles/downloaded styles/todo/todo/images/facebook_32.png" alt="Become a fan" width="32" height="32" /></a><a href="#"><img src="styles/downloaded styles/todo/todo/images/twitter_32.png" alt="Follows on Twitter" /></a><a href="id=183427956&trk=tab_pro"><img src="styles/downloaded styles/todo/todo/images/linkedin_32.png" alt="Linked in" /></a><a href="contact.php"><img src="styles/downloaded styles/todo/todo/images/email_32.png" alt="Contact" width="32" height="32" /></a><!-- Place this tag where you want the +1 button to render --> <g:plusone size="small" annotation="inline"></g:plusone> <!-- Place this render call where appropriate --> <script type="text/javascript"> (function() { var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true; po.src = 'https://apis.google.com/js/plusone.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s); })(); </script> </div> </nav> </header> <p><figure><a href="removals.php">Search Removals</a></figure> |</p> <p><figure><a href="storage.php">Search Storage</a></figure> |</p> <p><figure><a href="register00.php">Add Listing</a></figure> |</p> <p><figure><a href="about.php">About</a></figure> |</p> <p><figure><a href="contact.php">Contact</a></figure> |</p> <p><figure><a href="login00.php">Login</a></figure></p> <div class="content"> <!--star main --> <main></main> <!--end main --> <!--start middle --> <middle> <div class="section_slogan"><table> <tr> <td valign="top"><div class="abox"> <figure> <fcapion> <h1><img src="images/thumbs/<?PHP echo $row['upload']; ?>" alt="logo"/></h1> </fcaption></figure></div></td> <td valign="top"> <div class="abox"> <figure> <fcapion> <h1><?PHP echo $row['street1'] . "<br>" . $row['street2'] . "<br>" . $row['city'] . "," . $row['postcode'] . "<br>phone: " . $row['phone'] . "<br>email: " . $row['email'] . "<br>website: " . $row['website'] ; ?></h1> </fcaption></figure> </div> </td> </tr> <tr> <td><div class="abox"> <figure> <fcapion> <h1><?PHP echo nl2br($row['premiumuser_description']); ?></h1> </fcaption></figure> </div></td> </tr></table> <?PHP /* create an email validation function */ function validateEmailAddress($email) { return filter_var($email, FILTER_VALIDATE_EMAIL) && preg_match('/@.+\./', $email); } /** * CALLBACK - determine if the provided postcode is valid. * * @param string $postcode * @return bool TRUE if valid, FALSE otherwise * @author George Edwards */ function is_valid_uk_postcode($postcode) { $pattern = "/^([A-PR-UWYZ0-9][A-HK-Y0-9][AEHMNPRTVXY0-9]?[ABEHMNPRVWXY0-9]? {1,2}[0-9][ABD-HJLN-UW-Z]{2}|GIR 0AA)$/"; if (preg_match($pattern, $postcode)) { return TRUE; } $this->validation->set_message('is_valid_uk_postcode', 'That is not a valid %s.'); return FALSE; } /* FUNCTION TO CREATE SALT */ function createSalt() { $string = md5(uniqid(rand(), true)); return substr($string, 0, 3); } /* check if form was submitted */ if (isset($_POST['Submit'])){ $error_message = ""; /* This is the directory where images will be saved */ $target = "/home/users/web/b109/ipg.removalspacecom/images/COMPANIES/"; $target = $target . basename( $_FILES['upload']['name']); /* include validation script */ include ('php only scripts/validation.php'); $uploadDir = 'images/COMPANIES'; /* main picture folder */ $max_height = 450; /* largest height you allowed; 0 means any */ $max_width = 450; /* largest width you allowed; 0 means any */ $max_file = 2000000; /* set the max file size in bytes */ $image_overwrite = 1; /* 0 means overwite; 1 means new name */ /* add or delete allowed image types */ $allowed_type01 = array( "image/gif", "image/pjpeg", "image/jpeg", "image/png", "image/x-png", "image/jpg"); $do_thumb = 1; /* 1 make thumbnails; 0 means do NOT make */ $thumbDir = "/images/thumbs"; /* thumbnail folder */ $thumb_prefix = ""; /* prefix for thumbnails */ $thumb_width = 90; /* max thumb width */ $thumb_height = 70; // max thumb height //Writes the photo to the server if(move_uploaded_file($_FILES['upload']['tmp_name'], $target)) { /* HERE IS WHERE WE WILL DO THE ACTUAL RESIZING */ /* THESE SIX PARAMETERS MAY BE CHANGED TO SUIT YOUR NEEDS */ $upload = $_FILES['upload']['name']; $o_path ="images/COMPANIES/"; $s_path = "images/thumbs/"; $file = $upload; $save = $file; $t_w = 200; $t_h = 150; /* DO NOT CHANGE THIS NEXT LINE */ Resize_Image($save,$file,$t_w,$t_h,$s_path,$o_path); }else{ //Gives and error if its not $error_message .= "Sorry, there was a problem uploading your file."; } /* PREPARE DATA FOR INSERTION INTO TABLE */ //Writes the information to the database if(strlen(trim($error_message)) <1){ $salt = createsalt(); $username = trim($_POST['username']); $password = trim($_POST['password']); $hash = hash('sha256', $salt, $password); $approved = 0; $company_name = mysql_real_escape_string(trim($_POST['company_name'])); $website = mysql_real_escape_string(trim($_POST['website'])); $contact_name = mysql_real_escape_string(trim($_POST['contact_name'])); $location = mysql_real_escape_string(trim($_POST['location'])); $postcode = mysql_real_escape_string(trim($_POST['postcode'])); $street1 = mysql_real_escape_string(trim($_POST['street1'])); $street2 = mysql_real_escape_string(trim($_POST['street2'])); $city = mysql_real_escape_string(trim($_POST['city'])); $phone = mysql_real_escape_string(trim($_POST['phone'])); $phone2 = mysql_real_escape_string(trim($_POST['phone2'])); $email = mysql_real_escape_string(trim($_POST['email'])); $premiumuser_description = mysql_real_escape_string(trim($_POST['premiumuser_description'])); $salt = mysql_real_escape_string($salt); $upload = mysql_real_escape_string($upload); $query ="INSERT INTO `companies` (company_name, what_services, website, contact_name, location, postcode, street1, street2, city, phone,phone2, email, premiumuser_description, username, password, salt, approved, upload) VALUES ('$company_name', '$what_services', '$website', '$contact_name', '$location', '$postcode', '$street1', '$street2', '$city', '$phone', '$phone2', '$email', '$premiumuser_description', '$username', '$hash', '$salt', '$approved', '$upload')"; $result = mysql_query($query) or die(mysql_error()); if ($result) { } /* at this point we can send an email to the admin as well as the user. DO NOT send the user's password to ANYONE!!!! */ } }//if (isset($_POST['submit'])) ?> <?php if (!empty($error_message)){ echo $error_message; } ?> <hr> <form action="view02.php" method="get" enctype="multipart/form-data" class="cursive"> <table width="316" border="0"> <tr> <td colspan="2"><h1>Edit Your details </h1><p>fill out the form with your details...</p></td> </tr> <tr> <td> </td> <td><p> </p> <p>Click submit to update...</p><p> </p></td> </tr> <tr> <td> </td> <td><p> </p><p></p><p><input type="hidden" name="id" value="<?php echo $row['id']; ?>"/><p> </p></td> </tr> <tr> <td>Website:</td> <td><p> </p><p><input name="website" type="text" id="website" /></p> <p> </p></td> </tr> <tr> <td>Primary Number:</td> <td><p> </p><p><input name="phone" type="text" id="phone" /></p> <p> </p></td> </tr> <tr> <td>Secondary Number:</td> <td><p> </p> <p><input name="phone2" type="text" id="phone2" /></p> <p> </p></td> </tr> <tr> <td>Company Description:</td> <td><p><em>Write a description of what your company does, the services it offers and any additional information here.</em> </p> <p><textarea rows="10" cols="100" name="premiumuser_description" id="premiumuser_description"></textarea></p> <p> </p></td> </tr> <tr> <td>Username:</td> <td><p> </p> <p><input name="username" type="text" id="username" /></p> <p> </p></td> </tr> <tr> <td>Password:</td> <td><p> </p> <p><input name="password" type="text" id="password" /></p> <p> </p></td> </tr> <tr> <td> </td> </tr> <tr> <td colspan="2"><input type="submit" name="submit" value="submit" /></td> </tr> </table> </form> </div> </middle> </div> <!--end middle --> <!--start footer --> <footer> <div id="footer"></div> </footer> <!--end footer --> </div> <!--end container --> <!-- Free template distributed by http://freehtml5templates.com --> </body> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js"></script> </html> view02.php: <?PHP session_start(); include ('php only scripts/db.php'); $setArray = array(); $setstr = ''; $id = intval($_GET['id']); if (isset($_GET['website']) && $_GET['website']) { $website = mysql_real_escape_string($_GET['website']); $setArray[] = "website = '$website'"; } if (isset($_GET['phone']) && $_GET['phone']) { $phone = mysql_real_escape_string($_GET['phone']); $setArray[] = "phone = '$phone'"; } if (isset($_GET['phone2']) && $_GET['phone2']) { $phone2 = mysql_real_escape_string($_GET['phone2']); $setArray[] = "phone2 = '$phone2'"; } if (isset($_GET['premiumuser_description']) && $_GET['premiumuser_description']) { $premiumuser_description = mysql_real_escape_string($_GET['premiumuser_description']); $setArray[] = "premiumuser_description = '$premiumuser_description'"; } if (isset($_GET['username']) && $_GET['username']) { $website = mysql_real_escape_string($_GET['username']); $setArray[] = "username = '$username'"; } if (isset($_GET['password']) && $_GET['password']) { $website = mysql_real_escape_string($_GET['password']); $setArray[] = "password = '$password'"; } if (count($setArray) > 0) { $setstr = join (', ', $setArray); $query = "UPDATE companies SET $setstr WHERE id = $id"; mysql_query($query); } header("Location: view01.php?id=" . $id); exit(0); ?> I have already used update to update the password but what about salt/hash iv'e got? Many thanks in advance Quote Link to comment https://forums.phpfreaks.com/topic/263766-update-set-password/ Share on other sites More sharing options...
andy_b_1502 Posted June 6, 2012 Author Share Posted June 6, 2012 i have just tried this out (changed the password of my log in) it seems i do need to update everything password, hash and salt. how should i write the update query? something like: if (isset($_GET['password']) && $_GET['password']) { $password= mysql_real_escape_string($_GET['password']); $setArray[] = "password = '$password'"; } if (isset($_GET['hash']) && $_GET['hash']) { $hash= mysql_real_escape_string($_GET['hash']); $setArray[] = "hash= '$hash'"; } little help if any of you guys have any? Quote Link to comment https://forums.phpfreaks.com/topic/263766-update-set-password/#findComment-1351680 Share on other sites More sharing options...
Skewled Posted June 6, 2012 Share Posted June 6, 2012 I would just use SHA: SHA('$password') Then for the update you just apply SHA('$password') to update the password in the database. <?php if (isset($_GET['password']) && $_GET['password']) { // These are the same so you'd need to make them different if your comparing the password to ensure they entered it correctly ex: $_GET['password1'] for another field in your form $password= mysql_real_escape_string($_GET['password']); // This is fine if the 2 values above are first compared $setArray[] = "password = SHA('$password')"; // If they are compared and validation checks out then just do the query to update the password here.. } ?> EDIT: $query ="INSERT INTO `companies` (company_name, what_services, website, contact_name, location, postcode, street1, street2, city, phone,phone2, email, premiumuser_description, username, password, salt, approved, upload) VALUES ('$company_name', '$what_services', '$website', '$contact_name', '$location', '$postcode', '$street1', '$street2', '$city', '$phone', '$phone2', '$email', '$premiumuser_description', '$username', 'SHA($password)', '$salt', '$approved', '$upload')"; Quote Link to comment https://forums.phpfreaks.com/topic/263766-update-set-password/#findComment-1351690 Share on other sites More sharing options...
andy_b_1502 Posted June 6, 2012 Author Share Posted June 6, 2012 will that still work though as when the user registers it uses hash/salt for passwords? I'll test it now, thanks. Quote Link to comment https://forums.phpfreaks.com/topic/263766-update-set-password/#findComment-1351693 Share on other sites More sharing options...
Skewled Posted June 6, 2012 Share Posted June 6, 2012 And I just realized I didn't answer your question grr. I am using update to SET fields in mySQL table, my question is; do i have to update hash/salt as well as password or can i just update password as hash and salt are unique? If they are unique and compared on a login.php type script then yes you will need to generate both of them just like it's done at sign up time. function createSalt() { $string = md5(uniqid(rand(), true)); return substr($string, 0, 3); } $hash = hash('sha256', $salt, $password); But from the login side I don't know how it's being compared. Quote Link to comment https://forums.phpfreaks.com/topic/263766-update-set-password/#findComment-1351696 Share on other sites More sharing options...
andy_b_1502 Posted June 6, 2012 Author Share Posted June 6, 2012 that works perfectly! i was just a bit confused there, many thanks!!! Quote Link to comment https://forums.phpfreaks.com/topic/263766-update-set-password/#findComment-1351697 Share on other sites More sharing options...
Skewled Posted June 6, 2012 Share Posted June 6, 2012 Your most welcome bud! Quote Link to comment https://forums.phpfreaks.com/topic/263766-update-set-password/#findComment-1351698 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.