Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 7 years ago.
Improve this question
i am not really good at this, this is my code. it seems like strlen() is not working, can someone help me figure what is wrong? thanks. it keeps on printing that password is too short even if i put 5 or more letters
<?php
if($username)
{
if(isset($_POST['submit']))
{
$newpass =md5($_POST['newpass']);
$confirmpass = md5($_POST['confirmpass']);
if(strlen($newpass) < 5)
{
if($newpass == $confirmpass)
{
$querychange = mysql_query("UPDATE users SET password = '$newpass' WHERE username = '$username'");
session_destroy();
?> <script> alert ( "Your password has been changed!" );
window.location='login.php'; </script> <?php
}
else
{
?> <script> alert ("New passwords don't match!" ); </script> <?php
}
}
else
{
echo "<font color='red'> * new password too short";
}
}
}
?>
First of all - doing md5 to a string will return a 32-character string.
That means that any password input by user will be hashed to a string of length 32.
This means that if(strlen($newpass) < 5) will never be true and you will always see a warning.
In this string you probably want if(strlen($newpass) > 5) - see, greater.
Then you password will be processed.
So, final code can be:
if(isset($_POST['submit'])) {
if(strlen($_POST['newpass']) >= 5)
{
$newpass = md5($_POST['newpass']);
$confirmpass = md5($_POST['confirmpass']);
// do other stuff
} else {
// warn about short password
}
}
Also take into consideration that strlen on UTF-8 encoded strings may give you unexpected results.
And for passwords you must use better methods then md5. Look at password_hash, password_verify.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I've been practicing security-related subjects and this challenge has befuddled me. Note: I can't access any PHP source code, nor can I edit it. I'm only able to view it.
The following is given:
I have two inputs, "user" and "pass"
After 30 times the form is sent, the salt, the hashes and the final solution change. So bruteforce isn't an option (sadly!)
#The bottom of the page (not shown in the code for some reason), it echos that it found 9 users (calling the getnumberofusers() function)
I've managed to extract this:
username = root
hashed password = 551e18b35e17017742a8ce4ed27f626e
Token (possibly salt?) = 0St31ez14wOT6jTh
What I've attempted thus far with unsuccessful results:
Using SQL injection, select a known MD5 collision as password and send its counterpart as "pass", however the salt is bothering this process. Clearly I couldn't bruteforce this because after 30 attempts the salt would change.
I tried finding the entire list of users but it doesn't print the output anywhere (only errors)
This is the code we receive:
<?php
//by Mawekl
//Objective: login as root.
//Objective is NOT:
// - Blind SQLI
// - Bruteforce password/salt/id
#WARNING
#ANTI-BLIND
#for every 30 queries
#all hashes, salt
#and final solution
#will be reset.
function getnumberofusers()
{
$q = "SELECT 1 FROM `sqlinjection1`";
$r = mysql_query($q);
return 'Number of users: ' . mysql_num_rows($r);
}
function getinfo($user)
{
$q = "SELECT `id`, `password` FROM `sqlinjection1` WHERE `username`='$user'";
$r = mysql_query($q);
if(!$r)
return mysql_error();
$r = mysql_fetch_array($r);
if(!$r)
return "Username doesn't exists.";
return $r;
}
function getfullinfo($id)
{
$q = "SELECT * FROM `sqlinjection1` WHERE `id`=$id";
$r = mysql_query($q);
if(!$r)
return mysql_error();
$r = mysql_fetch_array($r);
if(!$r)
return "What the hell?!";
return $r;
}
function confirmpassword($pass, $passcorrect, $salt)
{
$pass = md5(md5(md5($pass)).$salt);
return $pass===$passcorrect;
}
function challenge($user, $pass)
{
$info = getinfo($user);
if(!is_array($info))
return $info;
$confirm = confirmpassword($pass, $info['password'], $_ENV['ST_SALT']);
if(!$confirm)
return 'Wrong password!';
$info = getfullinfo($info['id']);
if(!is_array($info))
return $info;
$returnmessage = "Welcome " . $info['username'] . "!" . PHP_EOL .
$info['welcomemessage'] . PHP_EOL;
return $returnmessage;
}
?>
Any help is appreciated, and if you have any questions I'd love to clarify my question!
now we can select the welcome message/anything else using sql
$user="1' or exp(~(select * from (select welcomemessage from sqlinjection1 where username='user1')a)) or '1'='1"
but when we found a Secret token (that i wrote up there ^) hidden in the data base and tried using it this way:
The idea: select the hashed version as password using SQL injection so the hashes match.
Here's the code:
<?php
$salt = "v5IftFb0Tx1Jhp4b";
$hashed = "";
$p = "hello";
$hashed = md5(md5(md5($p)).$salt);
echo "The Query: " . "' AND 1 = 0 UNION SELECT `id`, '$hashed' AS `password` FROM sqlinjection1 WHERE `username` = 'root';#";
?>
It echoes the query which we put in the "username" field. In the "password" field we enter "hello".
However it's not working...
but it did not work, anyone has any idea what else can we do? How can we find out what / modify the $_ENV["ST_SALT"]? as appearently its not the secret token that we found
This is my login php code but I am unable to login.
My code works until echo "2", after that is not working anymore.
include 'inc.config.php';
if(isset($_POST["submit"]))
{
$user = mysql_real_escape_string($_POST['emailid']);
$pass = md5(mysql_real_escape_string($_POST['password']));
$query=mysql_query("SELECT * FROM logsignup WHERE email='$user' AND password='$pass' ");
echo "1";
$numofrows = mysql_num_rows($query);
echo "2";
if($numofrows!=0)
{
echo "3";
while($row=mysql_fetch_assoc($query))
{
$dbusername= $row['emailid'];
$dbpassword= $row['password'];
}
if($user=$dbusername && $pass=$dbpassword)
{
echo "loggedin";
}
}
else
{
echo "invalid";
}
}
Here is inc.config.php file
$con = mysql_connect("localhost","root","");
$select=mysql_select_db("loginsignup");
Image of the database:
Update to MySQLi, as mysql_ is now deprecated. Read How do I migrate my site from mysql to mysqli? as a starter guide.
Stop using md5 as a password hashing function and instead use password_hash or a similar proven function.
if($user=$dbusername && $pass=$dbpassword) this is running the logic:
If value I get out of the database is the same as the value I put into the database.
Which is pretty pointless, it's a needlessly excessive check. It's better to count the correct number of rows returned, which will tell you exactly the same information.
You need to start using error logging, to help yourself solve your own errors, please read How to get useful error messages in PHP?
Also use MySQL EXPLAIN in (PHPMyAdmin) to help you understand wayward SQL queries.
Your password field in your screenshot looks far too short. md5 is typically 32 characters long, so what could be happening is that the SQL comparison is failing because you're comparing a long string with a shorter string. Double check.
Ensure you are using the correct Character encoding throughout your PHP and your MySQL, please read UTF-8 all the way through and convert all MySQL into utf8mb4_unicode_ci. Also get used to using PHP Multibyte string functions (may need installing).
If the above guides do not solve your problem you will at the very least have a clear path (with the error logs) to see what's going wrong and from that how to solve your issue.
<?php
`include 'inc.config.php';
if(isset($_POST["submit"]))
{
$user = mysql_real_escape_string($_POST['emailid']);
$pass = md5(mysql_real_escape_string($_POST['password']));
$sql="SELECT * FROM logsignup WHERE email='$user' AND password='$pass'";
$query=mysql_query($sql);
$numofrows = mysql_num_rows($query);
if($numofrows > 0)
{
$row=mysql_fetch_assoc($query)
$_SESSSION['EMAIL']= $row['emailid'];
$_SESSSION['USERNAME'] $row['username'];
if( $_SESSSION['EMAIL'] && $_SESSSION['EMAIL']) {
echo "valid";
}else{
echo "invalid";
}
}
}`
?>
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
This question appears to be off-topic because it lacks sufficient information to diagnose the problem. Describe your problem in more detail or include a minimal example in the question itself.
Questions concerning problems with code you've written must describe the specific problem — and include valid code to reproduce it — in the question itself. See SSCCE.org for guidance.
Improve this question
I don't understand why this doesn't work? It's a register form checking if fields are filled in,password is equal to retype password, and if it doesn't already exist in database.
I get this error: Parse error: syntax error, unexpected T_STRING, expecting ',' or ';' in /home/a4550840/public_html/newreg.php on line 32
But I already put a ';' at line 32 ... I don't understand why this error occurs.
Any help is appreciated :).
EDIT: Fixed that error ^ and added the mysql_real_escape_string , but it doesn't register the information to the database for some reason?
EDIT: It works now :), took away the quotations from the query
<?php
include ('connect.php');
if ($_POST['submit']) {
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$repassword = mysql_real_escape_string($_POST['repassword']);
$email = mysql_real_escape_string($_POST['email']);
if ($username && $password && $repassword && $email){
if ($password == $repassword) {
$check = mysql_query("SELECT * FROM members WHERE username='$username' ");
$countrows = mysql_num_rows($check);
if ($countrows == 0){
mysql_query("INSERT INTO members ('username','password','email') VALUES ('$username','$password','$email') ");
} else {
echo 'Username already exists';
}
} else {
echo 'Passwords don'\t match';
}
} else {
echo 'Fill in the fields';
}
} else {
echo 'Register please';
}
?>
You have a problem here:
echo 'Passwords don't match';
You need scape single quote as:
echo 'Passwords don\'t match';
or
echo "Passwords don't match";
NOTE: Your code is vulnerable to sql injection, you should use mysql_real_scape_string() before to pass yours parameters as sql query.
I suggest:
$username = mysql_real_scape_string($_POST['username']);
$password = mysql_real_scape_string($_POST['password']);
$repassword = mysql_real_scape_string($_POST['repassword']);
$email = mysql_real_scape_string($_POST['email']);
TIP: When your are testing (in dev environment) mysql querys, you should combine die(mysql_error()) at the end of line to check if you has a problem like as:
mysql_query('your sql') or die(mysql_error()).
If you have an error, this cause your app die an show the mysql error.
See this reference.
This error shows the earliest time it encounters a problem. The problem is on that line, or on a previous line. In this case you didn't escape a quote, so the parser found the rest of your string while it expected a , or ;. If you look at the colouring of your code, you'll see that more easily. The correct line would be
echo 'Passwords don\'t match';
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
This is my first login system using SESSIONS.
Just wondering, if it's safe for SQL injection?
<?php
$username = $_POST['username'];
$password = $_POST['password'];
if(isset($username, $password)) {
if(get_magic_quotes_gpc()) {
$ousername = stripslashes($username);
$uusername = mysql_real_escape_string(stripslashes($username));
$opassword = stripslashes($_POST['password']);
} else {
$uusername = mysql_real_escape_string($username);
$opassword = $password;
}
$req = mysql_query('select password,id from users where username="'.$uusername.'"');
$dn = mysql_fetch_array($req);
if($dn['password']==$opassword and mysql_num_rows($req)>0)
{
$form = false;
$_SESSION['username'] = $_POST['username'];
$_SESSION['userid'] = $dn['id'];
echo 'Logged in m8';
} else {
$form = true;
$message = 'The username or password is incorrect.';
}
} else {
$form = true;
}
if($form)
{
if(isset($message)) {
echo '<div class="message">'.$message.'</div>';
}
?>
I was getting a SQL injection before on my highscores script, so I was wondering if my simple sessions login script have any, I'm 40% there is one..
What usually causes SQL injections?
Thanks!
Although your code is okay, your idea of protection is wrong
mysql_real_escape_string does not protect from injections. It does format strings.
As long as you have your strings properly formatted, they are safe.
The problem begins when you're trying to use the same function to format non-strings - a numbers for example.
It become totally useless and your SQL - vulnerable.
So, you can keep with your current code but in the future, as soon as you will need to use another query part - you will need to format it differently. Here is a set of full rules: In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?
And of course do not escape password! If i have a password like wef5623'sdf - it will never let me in!
By the way, I have no idea why you're using SO much variables for just a single value - $_POST['username'], $username, $uusername, $ousername - what's all this?
i would change
$opassword = $password;
to
$opassword = mysql_real_escape_string($password);
sql injection can be done via password fields too.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
Hey!
I bought and settled up my site long ago..
My site is a facebook like site where people can add their own or like others.
I thought about adding a login system so people can post with their username and make it easier to make posting-liking contests.
I already have the system itself - using this http://www.evolt.org/node/60384
I tried to add an option in the process file that when the session is 'loggedin' the code retrieves the username and in all other cases, 'Anonymous'.
Problem is it doesn't work :(
The code is:
$today = date("Ymdhis");
$rand = $today.mt_rand().mt_rand().mt_rand();
$count = '0';
$type = 'picture';
$username = '<? if($session->logged_in){ echo "$session->username" } else { echo "Anonymous" } ?>';
$sql = "INSERT INTO `like` (`rand`, `like`, `count`, `created`, `youtube`, `type`,`username`) VALUES ('$rand', '$like', 0, '$today', '$string', '$type', '$username')";
I first defined $username and then 'told' the script to INSERT the $username entry into it's field.
The problem is that when I try this in real-time,
the field shows the actual code; <? if($session->logged_in){ echo "$session->username" } else { echo "Anonymous" } ?> instead of the desired output.
Also, I've included the session.php for the login in the start of the process document.
The session.php I used along with all of the other files is available at http://www.evolt.org/node/60384 WITHOUT download.
P.S the code i used for $username is used on the main page to output the username after logged in.. I added the 'Anonymous' part myself.. which could cause it to not work..
The code you post is PHP, but gets put into your side AFTER it is parsed. So it will never 'run'.
Unless you are using some sort of templating system that parses your code twice, don't you mean this?
if($session->logged_in){
$username = $session->username;
} else {
$username = "Anonymous" ;
}
$username is a variable containing a string :
$username = '<? if($session->logged_in){ echo "$session->username" } else { echo "Anonymous" } ?>';
Everything that is in the quotes is a string, not PHP code. It won't be executed.
You need to do something like this :
if($session->logged_in){
$username = $session->username;
} else {
$username = "Anonymous";
}
Change
$username = '<? if($session->logged_in){ echo "$session->username" } else { echo "Anonymous" } ?>';
to
if($session->logged_in) $username = $session->username; else $username = "Anonymous"