runnerjp Posted May 20, 2007

    ."$url = 'http://www.runnerselite.com/website/activate.php?hash=".md5($userid)."&key="($key);

then on the activate.php

    UPDATE users SET status = 1 WHERE (userid= "'.md5($_GET['userid']).'") AND (key = '($_GET['key'].') ?>

is this correct ??? tried it and does not seem to work

PC Nerd Posted May 20, 2007

hmmm, um try and echo out your actual query variables..... see if its working or actually adding the brackets to the string..... i think its better practice to use string concatenation eg "string"."string" etc, so id recommend you try that. gdlk

MadTechie Posted May 20, 2007

try

    "UPDATE users SET status = '1' WHERE userid= '".md5($_GET['hash']."' AND key = '".$_GET['key']."'"

BlackenedSky Posted May 20, 2007

You're sending the user id to the page via the variable "hash" not "userid", and it's already md5'd in your URL.

    hash=".md5($userid)
    md5($_GET['userid'])

Also is userid stored as an md5 in your table? If so why? It adds in extra overhead using it encrypted when there is no need usually. Passwords yes, usernames not really.

runnerjp (Author) Posted May 20, 2007

ahh wait im getting Parse error: syntax error, unexpected '(' for this

    ."$url = 'http://www.runnerselite.com/website/activate.php?hash=".md5($userid)."&key="($key);

MadTechie Posted May 20, 2007

    ."$url = 'http://www.runnerselite.com/website/activate.php?hash=".md5($userid)."&key=($key)";

runnerjp (Author) Posted May 20, 2007

Parse error: syntax error, unexpected T_STRING

    <? UPDATE users SET status = '1' WHERE userid= '".md5($_GET['hash']."' AND key = '".$_GET['key']."' ?>

> You're sending the user id to the page via the variable "hash" not "userid", and it's already md5'd in your URL.
>
>     hash=".md5($userid)
>     md5($_GET['userid'])
>
> Also is userid stored as an md5 in your table? If so why? It adds in extra overhead using it encrypted when there is no need usually. Passwords yes, usernames not really.

i used id as id no 1..2...3...4...5..6...7...8...9 i hashed them as i believe its safer to do this as i have found if people find id numbers they seem to be able to mess around with code

MadTechie Posted May 20, 2007

missed the last "

    <? UPDATE users SET status = '1' WHERE userid= '".md5($_GET['hash']."' AND key = '".$_GET['key']."'" ?>

seb hughes Posted May 20, 2007

> Parse error: syntax error, unexpected T_STRING
>
>     <? UPDATE users SET status = '1' WHERE userid= '".md5($_GET['hash']."' AND key = '".$_GET['key']."' ?>
>
> > You're sending the user id to the page via the variable "hash" not "userid", and it's already md5'd in your URL.
> >
> >     hash=".md5($userid)
> >     md5($_GET['userid'])
> >
> > Also is userid stored as an md5 in your table? If so why? It adds in extra overhead using it encrypted when there is no need usually. Passwords yes, usernames not really.
>
> i used id as id no 1..2...3...4...5..6...7...8...9 i hashed them as i believe its safer to do this as i have found if people find id numbers they seem to be able to mess around with code

If your code was secure, then other people wouldn't be able to mess around with the code.

runnerjp (Author) Posted May 20, 2007

ok now i get Parse error: syntax error, unexpected ';' for

    WHERE userid= '".md5($_GET['hash']."' AND key = '".$_GET['key']."'"

and also i dont see the problem with hashing ID to make them more secure?

MadTechie Posted May 20, 2007

ADD THE ; at the end

There's a Ton of holes in the code you have posted.. even the short code above has a security hole

Oh i give!

runnerjp (Author) Posted May 20, 2007

; sorry i did actually try adding it before i posted this... sorry shud mentioned that

wats the security hole in code above

seb hughes Posted May 20, 2007

> ; sorry i did actually try adding it before i posted this... sorry shud mentioned that
>
> wats the security hole in code above

People are able to do SQL injection and probs do XSS on it too.

runnerjp (Author) Posted May 20, 2007

but by blocking all characteristics but letters and numbers this can be stopped yes ( and also even with

    "UPDATE users SET status = '1' WHERE userid= '".md5($_GET['hash']."' AND key = '".$_GET['key']."'";

i still get the error Parse error: syntax error, unexpected ';' in /home/runnerse/public_html/website/activate.php on line 3

MadTechie Posted May 20, 2007

    "UPDATE users SET status = '1' WHERE userid= '".md5($_GET['hash'])."' AND key = '".$_GET['key']."'";

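Added example, not part of any post in this thread: the activation query rewritten with PDO bound parameters, so `hash` and `key` from the URL are never spliced into SQL text, plus the letters-and-numbers check raised above as a second layer. Assumptions: PHP 7+ with pdo_sqlite, an in-memory table, the column name `activation_key` (`key` is a reserved word in MySQL), and constructed sample values.

```php
<?php
// Constructed in-memory table so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, status INTEGER NOT NULL DEFAULT 0, activation_key TEXT)');
$db->exec("INSERT INTO users (userid, activation_key) VALUES (7, 'Zq81mKx04TbnR2ae')");

// Activate the pending account whose key and md5(userid) match the request.
function activate(PDO $db, array $query): bool
{
    $hash = $query['hash'] ?? '';
    $key  = $query['key'] ?? '';
    // Reject arrays (?key[]=x) and anything outside the expected alphabets.
    if (!is_string($hash) || !is_string($key)
        || preg_match('/\A[0-9a-f]{32}\z/', $hash) !== 1
        || preg_match('/\A[0-9A-Za-z]{8,64}\z/', $key) !== 1) {
        return false;
    }
    // The key is sent as a bound value, never concatenated into the statement.
    $sel = $db->prepare('SELECT userid FROM users WHERE activation_key = :key AND status = 0');
    $sel->execute([':key' => $key]);
    $userid = $sel->fetchColumn();
    if ($userid === false || !hash_equals(md5((string) $userid), $hash)) {
        return false;
    }
    // Clear the key on success so the link is single-use.
    $upd = $db->prepare('UPDATE users SET status = 1, activation_key = NULL WHERE userid = :id AND status = 0');
    $upd->execute([':id' => $userid]);
    return $upd->rowCount() === 1;
}

// Constructed requests: a valid link, a replay of it, and a key containing quote characters.
$good   = ['hash' => md5('7'), 'key' => 'Zq81mKx04TbnR2ae'];
$quoted = ['hash' => md5('7'), 'key' => "x' OR '1'='1"];
var_dump(activate($db, $good));
var_dump(activate($db, $good));
var_dump(activate($db, $quoted));
```
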
runnerjp (Author) Posted May 20, 2007

ahh good call didn't see ) was missed

ok after viewing it and stuff iv noticed that when the email is sent its not getting the random key!

    function randomkeys($length){
    $pattern="1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    for($i=0; $i<$length; $i++)
    $key.=$pattern{rand(0,61)};
    return $key;

which is inserted into the database $key so

    ."$url = 'http://www.runnerselite.com/website/activate.php?hash=".md5($userid)."&key=($key)";

should get the username and the key.... but it only gets the user name.

MadTechie Posted May 20, 2007

try

    <?php
    $length = 8;
    echo substr(md5(mt_rand( 0,65536)),0,$length);
    ?>

its kinda simple but random!

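Added example, not part of any post in this thread: `mt_rand(0, 65536)` has only 65537 possible outputs, so the generator suggested above can never produce more than 65537 different keys, whatever `$length` is. The block counts that keyspace, then shows a key drawn from the operating system's CSPRNG and a link built with `http_build_query` instead of string splicing. Assumptions: PHP 7+ (for `random_bytes`); the function names and userid 7 are constructed.

```php
<?php
// Keyspace of the suggested generator: each value mt_rand(0, 65536) can
// return maps to exactly one key, so count the distinct truncated hashes.
function suggestedKeyspace(int $length = 8): int
{
    $seen = [];
    for ($n = 0; $n <= 65536; $n++) {
        $seen[substr(md5((string) $n), 0, $length)] = true;
    }
    return count($seen);
}

// Alternative: 16 bytes from the OS CSPRNG, hex-encoded (32 characters, 128 bits).
function newActivationKey(): string
{
    return bin2hex(random_bytes(16));
}

// Build the link with URL encoding; the parameter names are the ones used in the thread.
function activationUrl(string $base, int $userid, string $key): string
{
    return $base . '?' . http_build_query([
        'hash' => md5((string) $userid),
        'key'  => $key,
    ]);
}

$key = newActivationKey();
printf("suggested generator: %d distinct keys\n", suggestedKeyspace());
printf("CSPRNG key: %s\n", $key);
echo activationUrl('http://www.runnerselite.com/website/activate.php', 7, $key), "\n";
```
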
runnerjp (Author) Posted May 20, 2007

yes but the code actually makes the random code its just that "&key=($key)" does not pick it up

runnerjp (Author) Posted May 20, 2007

tY25fNtD3qxLMvc27EyLiZ0xwS7dDy --- this was the key that was made

seb hughes Posted May 20, 2007

> yes but the code actually makes the random code its just that "&key=($key)" does not pick it up

Why do you have $key in ()?

runnerjp (Author) Posted May 20, 2007

well i tried &key=$key and that does not work and im sure u have to put it in ()

MadTechie Posted May 20, 2007

post that section of code.

As a note PHP Cookbook by O'Reilly isn't bad

runnerjp (Author) Posted May 20, 2007

    ."$url = 'http://www.runnerselite.com/website/activate.php?hash=".($usename)."$key";

iv changed it so it matches the user name with the key now! but it still does not work

MadTechie Posted May 20, 2007

post that section of code.

As a note PHP Cookbook by O'Reilly isn't bad

runnerjp (Author) Posted May 20, 2007

post wat section of code :S i thought i did