[johnki]

Okay, so today I realized that whereas I thought that the site was working well, I really screwed some things up. My first issue was that I wasn't setting condition equals operators to ==, and instead was setting them to =, so it would ignore the condition, and in the case of my login form, people were allowed to log in with any password.

Now that that's fixed, my issue is that the passwords I saved are encrypted, and I can't seem to find a way to make them match up.

I was using:

if($row['password'] == hash('encryptiontype','$_POST[pass]')){
#some login stuff...
#apologies for not divulging what type of encryption I'm using. I read some articles on security that said to be 
#paranoid, and I'll be damned if I ignore that. :P/>
}

But now that I realized I screwed up, and whereas I thought it was working, it turns out now that it's fixed, it isn't working at all. In this particular situation, there are two conditions that tell how to set the cookies, which means I need an if, elseif, else->die.

Then I have situation two, where I have a change password script. This is what I've got:

$prepassword = mysql_real_escape_string($_POST['password']);
$password = hash('encryptiontype','$prepassword');
#another if statement
while($row = mysql_fetch_array($result))
		{
			if($password != $row['password']){
			echo "<font style='color:white'>The password entered did not match our database.</font>";
			}else{
			mysql_query("UPDATE user SET password = '$newpass' WHERE username = '$user'");
			echo "<font style='color:white'>Password successfully changed.</font>";
			}
		}

(After looking over this code to figure out what bits needed posted, I realized that I wasn't encrypting the new passwords before being saved. Oops. Guess it's a good thing it's not WAI yet. )

I mean, I don't know what's wrong. It could be something as simple as not using stripslashes before checking it against the database, or it could be something more complex that I'm totally missing.

Thanks in advance!

[johnki]

Oh man, I was so worried about my passwords issue that I completely forgot about the other one.

For my shoutbox, I'm trying to query two databases. The way it's set up right now, I can pull everything from the shoutbox DB (the names and emails are saved by cookie) EXCEPT an image url name (probably completely irrelevant what the data is, they're all just text strings).

Anyways, I initialized my connections at the top. I left most of it as-is, until I needed the DB connection to save to a variable, then I set a NEW mysql_select_db() for the second connection and attempted to query the relevant data, save to a variable, and then set the first connection back by mysql_select_db().

I've come to the conclusion that I'm probably doing that horribly wrong, because the database change was set before the shoutbox called on posts, and it completely broke it.

[johnki]

Alright, for the password issue, I tried having it send the hashed password to a registration email for a test and running that password directly against the db password, against the db password with slashes stripped. Nothing. I also tried running a non-hashed entered password against the db password, which did nothing.

There's got to be something critical I'm missing.

EDIT: Cool, the edit button showed up for the first time.

This post has been edited by johnki: 04 November 2011 - 11:40 PM

[Dormilich]

johnki, on 05 November 2011 - 05:46 AM, said:

For my shoutbox, I'm trying to query two databases. The way it's set up right now, I can pull everything from the shoutbox DB (the names and emails are saved by cookie) EXCEPT an image url name (probably completely irrelevant what the data is, they're all just text strings).

Anyways, I initialized my connections at the top. I left most of it as-is, until I needed the DB connection to save to a variable, then I set a NEW mysql_select_db() for the second connection and attempted to query the relevant data, save to a variable, and then set the first connection back by mysql_select_db().

question: are that two different databases (ain’t that impractical?) or two database tables on the same database.

[JackOfAllTrades]

$password = hash('encryptiontype','$prepassword');

Read up on strings and quotes, particularly noting this section:

Quote

Note: Unlike the double-quoted and heredoc syntaxes, variables and escape sequences for special characters will not be expanded when they occur in single quoted strings.

Emphasis mine.

[johnki]

@dormilich: Two databases, yeah. It might be impractical but it's the way I had set it up before realizing I had wanted to link the two. I figured since people link things like Wiki accounts and forum accounts with site accounts that it wouldn't be too much of an issue.

@JackOfAllTrades: Thanks. I'll take a look at that and see what I need to do to get it to work. I used to have it hash the $_POST directly (when being run against the $row's entry), and that didn't seem to change much, so I'm more than a bit unsure of how to get it functioning.

This post has been edited by johnki: 05 November 2011 - 10:44 AM

[JackOfAllTrades]

You need to hash the received password string. '$prepassword' is the actual string '$prepassword', not the contents of the variable $prepassword.

[Dormilich]

if it were two table on the same database, you could have used a JOIN …

[johnki]

JackOfAllTrades, on 05 November 2011 - 10:58 AM, said:

You need to hash the received password string. '$prepassword' is the actual string '$prepassword', not the contents of the variable $prepassword.

Ah, so in other words, just remove the quotes and it should work?

Dormilich, on 05 November 2011 - 10:58 AM, said:

if it were two table on the same database, you could have used a JOIN …

Yeah, I was reading up a bit, and one solution I found on StackOverflow was to create two database connections and selections at the top, and then call on them using

mysql_query('SELECT * FROM this', $connection);

but I also think it was assumed that the databases were on the same host, as the same post talked about how a "true" variable at the end of a mysql_connect() could denote a second connection to the same provider. Since my hosting provider right now is GoDaddy, and they automatically set up databases for me, all of the databases are on different subdomains of their database provider.

EDIT: Re-reading that, it looks like that's not true, and that that method could work regardless of where the databases were. Might try that once I can test it out after my password issue is fixed.

This post has been edited by johnki: 05 November 2011 - 11:34 AM

[johnki]

Alright, taking the above knowledge in, here's what I attempted to do:

$pass = $_POST['pass'];

$result = mysql_query("SELECT * FROM user WHERE username='$_POST[user]'");

while($row = mysql_fetch_array($result))
	{
$dbpw = stripslashes($row['password']);
		if($dbpw == hash('encryption',$pass) && $_POST[rememberpass] == 1)
		{}
}

So now that I've tried that and a ton of different combinations of things that I can't seem to get to work (still goes to the error message about an error logging in, which means the script is running [and always has been], it just won't log you in correctly), I'm wondering if there's something wrong with my signup script, which is:

#connection variables
$con = mysql_connect($host,$user,$pass);
if (!$con)
	{
	die('Could not connect to the database: ' . mysql_error());
	}
	
mysql_select_db("database", $con);

if ($_POST[password] != $_POST[confirmpass])
	{
	die('<font style="color:white">Your passwords did not match.</font>');
	}

$username = htmlspecialchars(mysql_real_escape_string($_POST[username]));
$prepassword = htmlspecialchars(mysql_real_escape_string($_POST[password]));
$password = hash('encryptiontype','$prepassword');
$email = htmlspecialchars(mysql_real_escape_string($_POST[email]));
$firstname = htmlspecialchars(mysql_real_escape_string($_POST[firstname]));
$lastname = htmlspecialchars(mysql_real_escape_string($_POST[lastname]));

$sql="INSERT INTO user (username, password, email, firstname, lastname) VALUES ('$username','$password','$email','$firstname','$lastname')";

if (!mysql_query($sql,$con))
	{
	die('ERROR: ' . mysql_error());
	}
echo "<font style='color:white'>Successfully registered!</font>";

mysql_close($con);

#and then some confirmation email stuff that's all working correctly
?>

After looking at it, it looks like my password hashing has fallen victim to the '$prepassword' thing. Though, out of curiousity, I DID try running the password as "$prepassword" which still returned the error message...

On a sidenote, the two database queries thing worked! Now I just have to get my avatar urls working correctly.

[johnki]

johnki, on 05 November 2011 - 03:58 PM, said:

On a sidenote, the two database queries thing worked! Now I just have to get my avatar urls working correctly.

(Edit button disappeared while I was working on a fix)

I stand corrected. The query runs, but instead of returning the default value set for the avatar column in the table (I haven't managed to get an upload avatar script working correctly yet...), which is 0, it's returning "Resource ID #n" where n starts at 5 and goes to, I think 11.

This is even odder to me because the profile script returns the correct value and shows the correct .

I think it might have to do with putting the query INSIDE a while loop that's extracting from the other table though...if someone could confirm my suspicions that, would be great.

$query = "SELECT * FROM shouts ORDER BY `id` DESC LIMIT 8;";
	
	$result = @mysql_query("$query",$connect) or die('<p class="error">There was an unexpected error grabbing shouts from the database.</p>');
	
	?><ul><?
	
	while ($row = mysql_fetch_array($result)) {
		
		$urlname = stripslashes($row['name']);
		$query2 = mysql_query("SELECT avatar FROM user WHERE username='$urlname'", $connect2) or die('<p class="error">There was an unexpected error grabbing an avatar from the database.</p>');
		$imgurl = $query2;
		$profile = "<a href='profile.php?id=" . $urlname . "'>" . $urlname . "</a>";
		$eemail = stripslashes($row['email']);
		$epost = stripslashes($row['post']);
		$avurl = "/img/avatar/" . $imgurl . ".jpg";
		
		echo('<li><div class="meta"><img src="' . $avurl . '" alt="Avatar" title="' . $imgurl . '" /><p>'.$profile.'</p></div><div class="shout"><p>'.$epost.'</p></div></li>');
	
	}

This post has been edited by johnki: 05 November 2011 - 04:19 PM

[Dormilich]

johnki, on 06 November 2011 - 12:17 AM, said:

The query runs, but instead of returning the default value set for the avatar column in the table […], which is 0, it's returning "Resource ID #n" where n starts at 5 and goes to, I think 11.

if you echo out what you get from mysql_query(), that is the correct value, because this function returns a resource and not a value. even for single values you have to (mysql_)fetch it.

[johnki]

Dormilich, on 06 November 2011 - 01:05 AM, said:

if you echo out what you get from mysql_query(), that is the correct value, because this function returns a resource and not a value. even for single values you have to (mysql_)fetch it.

Ah, yeah, I did skip over the mysql_fetch. Thanks for catching that and explaining to me why that didn't work.

EDIT: Did a mysql_fetch directly on $query2, to which it's returning nothing. I thought that would work, since the query brings up the avatar column directly.

Any idea on the password situation?

This post has been edited by johnki: 06 November 2011 - 01:41 AM

[Dormilich]

what I’d do is checking if the hash creation works, i.e. for a given password compare a) the value in the DB (e.g. by a separate DB client (phpMyAdmin)) the hash created in PHP (var_dump()) and if those don’t match then you can pretty much delete your DB hashes.

[johnki]

Debugged it today. Turns out the only issue with passwords was that my password column in the database wasn't large enough to support the type of encryption I chose. Extended the column to varchar(255) and it works fine now.

EDIT: As a side-note, after adding the second connection to my shoutbox at the top for the avatar retrieval, it breaks the entire posting process, while somehow not breaking shout retrieval, and still returning a null value where it's supposed to return 0.

This post has been edited by johnki: 07 November 2011 - 06:05 PM