Ok so here's my problem, I am trying to use information from my database to create a change password script for a secondary account. However the password for the main account is hashed in md5. No matter what I try I cannot get the base64/md5 code to match up when doing a comparison.
This is the code I use to enter the information into the database for the second account.
$nametrim = StrToLower(Trim($ya_username));
$pwdtrim = StrToLower(Trim($user_password));
$Salt = base64_encode(md5($nametrim.$pwdtrim, true));
$result2 = $db->sql_query("call adduser('$nametrim', '$Salt', '0', '0', '0', '$rmad', '$ya_user_email', '0', '0', '0', '0', '0', '0', '0', '', '', '$Salt')") or die ("Can't execute query.");
The main account and secondary account register fine, no problems there, the problem comes with my change password script when trying to recreate the base64 code.
$unametrim = StrToLower(Trim($uname));
$unamemd5 = md5($unametrim);
$Salt1 = base64_encode($unamemd5.$upass);
I should note that $upass is already in MD5 when pulled from the database, hence the reason I only MD5'd the username. No matter what I try I cannot get them to match at all.
Here is the rest of my change password page as a reference, hopefully someone can help me with this problem.
<?php
/****************************************************************************/
/* Generated by Module Creator - By Disipal Designs (www.disipal.net) */
/* PHP-Nuke Tools v4.00 */
/****************************************************************************/
if (!defined('MODULE_FILE')) {
die ("You can't access this file directly...");
}
require_once("mainfile.php");
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
include("header.php");
define('INDEX_FILE', true);
global $userinfo, $db;
$fname=substr(strrchr($_SERVER['PHP_SELF'],'/'), -(strlen(strrchr($_SERVER['PHP_SELF'],'/')) -1));
$uname = $userinfo['username'];
$upass = $userinfo['user_password'];
$unametrim = StrToLower(Trim($uname));
$unamemd5 = md5($unametrim);
$Salt1 = base64_encode($unamemd5.$upass);
$result = $db->sql_query("SELECT * FROM users WHERE name='$unametrim'") or ("Can't execute query.");
$row = $db->sql_fetchrow($result);
$uid = $row['ID'];
$aname = $row['name'];
$passwd = $row['passwd'];
$passwd2 = $row['passwd2'];
$ipno = $row['idnumber'];
$rmad = $_SERVER['REMOTE_ADDR'];
OpenTable();
echo "<p align='center'><b><u>Change Game Account Password</u></b></p>";
if (isset($_POST['upass'])) {
$funame=$_POST['uname'];
$fpasswd=$_POST['pass1'];
$fpasswd2=$_POST['pass2'];
$fupass=$_POST['upass'];
$encryptpass = md5($fupass);
$encryptpasswd = md5($fpasswd);
$encryptpasswd2 = md5($fpasswd2);
$nametrim = StrToLower(Trim($funame));
$pwdtrim = StrToLower(Trim($fupass));
$Salt = base64_encode(md5($nametrim.$pwdtrim, true));
if ($fpasswd == $fpasswd2) {
$db->sql_query("CALL changePasswd ($result->quoteSmart'$nametrim', '$Salt')");
$db->sql_query("CALL changePasswd2 ($result->quoteSmart'$nametrim', '$Salt')");
echo "<p align=\"center\"><b>Game account password has been changed successfully</b></p>";
echo "<form method=\"POST\" action=\"modules.php?name=Change_PW\"><p align=\"center\"><input type=\"submit\" name=\"submit\" value=\"Continue\"></p></form>";
}
}
if (isset($_POST['passwd1'])) {
$funame=$_POST['uname'];
$fpasswd=$_POST['passwd1'];
$fpasswd2=$_POST['passwd2'];
$fupass=$_POST['upass'];
$encryptpass1 = md5($fupass);
$encryptpasswd = md5($fpasswd);
$encryptpasswd2 = md5($fpasswd2);
$nametrim = StrToLower(Trim($funame));
$pwdtrim = StrToLower(Trim($fpasswd));
$Salt = base64_encode(md5($nametrim.$pwdtrim, true));
if (empty($fpasswd) || empty($fpasswd2)){
echo "<p align=\"center\"><b>You cannot leave the password field blank</b></p>";
echo "<form method=\"POST\" action=\"modules.php?name=Change_PW\"><p align=\"center\"><input type=\"submit\" name=\"submit\" value=\"Continue\"></p></form>";
} else {
if ($encryptpasswd == $encryptpasswd2) {
$db->sql_query("CALL changePasswd ($result->quoteSmart'$nametrim', '$Salt')");
$db->sql_query("CALL changePasswd2 ($result->quoteSmart'$nametrim', '$Salt')");
echo "<p align=\"center\"><b>Game account password has been changed successfully</b></p>";
echo "<form method=\"POST\" action=\"modules.php?name=Change_PW\"><p align=\"center\"><input type=\"submit\" name=\"submit\" value=\"Continue\"></p></form>";
} else {
echo "<p align=\"center\"><b>Passwords did not match, please try again</b></p>";
echo "<form method=\"POST\" action=\"modules.php?name=Change_PW\"><p align=\"center\"><input type=\"submit\" name=\"submit\" value=\"Continue\"></p></form>";
}
}
}
if (isset($_POST['upass']) || isset($_POST['passwd1'])) {
} else {
if ($passwd != $Salt1) {
echo "<p align=\"center\"><b>Your game account password does not match your web account.</b><br>Update game account password to match web account?</p>";
echo "<p align=\"center\"><form method=\"POST\" action=\"modules.php?name=Change_PW\">
<input type=\"hidden\" name=\"uname\" value=\"".$uname."\">
<input type=\"hidden\" name=\"upass\" value=\"".$upass."\">
<input type=\"hidden\" name=\"pass1\" value=\"".$passwd."\">
<input type=\"hidden\" name=\"pass2\" value=\"".$passwd2."\">
<p align=\"center\"><input type=\"submit\" name=\"submit\" value=\"Update Password\"></p>
</form></p>";
} else {
if (isset($_POST['passwd1'])) {
echo "<form method=\"POST\" action=\"modules.php?name=Change_PW\"><p align=\"center\"><input type=\"submit\" name=\"submit\" value=\"Continue\"></p>";
} else {
echo "<p align=\"center\"><form method=\"POST\" action=\"modules.php?name=Change_PW\">
<input type=\"hidden\" name=\"uname\" value=\"".$uname."\">
<p align=\"center\">New Password:<br><input type=\"password\" name=\"passwd1\"\"></p>
<p align=\"center\">Confirm Password:<br><input type=\"password\" name=\"passwd2\"\"></p>
<p align=\"center\"><input type=\"submit\" name=\"submit\" value=\"Change Password\"></p>
</form></p>";
}
}
}
echo "Test Area<br>Salt: $Salt1<br>Passwd: $passwd<br>unametrim: $unametrim<br>unamemd5: $unamemd5<br>upass: $upass";
CloseTable();
include("footer.php");
?>
Any ideas on what I can do here, been working on this for ages and haven't been able to figure out how to get it working properly.
It looks like you will need to rethink your entire approach to whatever it is you are actually trying to accomplish, because what you appear to be attempting to do is fundamentally impossible due to the nature of MD5 or any cryptographic hash function.
When you only have a cryptographic hash of a value and not the original value, it's impossible, for all practical purposes, to do anything further with the value.
I should note that $upass is already in MD5 when pulled from the database, hence the reason I only MD5'd the username. No matter what I try I cannot get them to match at all.
That's because there's nothing meaningful that you can combine with md5('foo') to get the same result as md5('foobar'). Hashes can't be concatenated, just like they can't be reversed.
md5('foo') = acbd18db4cc2f85cedef654fccc4a4d8
md5('bar') = 37b51d194a7513e45b56f6524f2d51f2
md5('foobar') = 3858f62230ac3c915f300c664312c63f
You don't show the code where the salt value is actually or where in the database it is stored, but it presumably has to be stored somewhere or it would be rather pointless to have assuming it's a salt in the usual sense... so the thing for you to do would be to simply fetch and reuse it, because it's impossible to regenerate it if you don't have the plain-text version of the password in hand.
Of course, the fact that there's a salt in here somewhere suggests that the password may not even be what's represented in the md5 value you think is the password. The point of a salt is that you store an md5 of (thing you want to secure + salt) so that if you have a security breach, then the thing you stored isn't easily looked up in a table like the one this site has. (They aren't "decoding" MD5 -- that's impossible. They have tables of hashes and the values that generated those hashes. The three md5 values I used as examples are terrible passwords, of course, but that site has those three in its lookup tables already... passwords stored as MD5 without a salt are much more easily cracked).
The only other option I see that you have, after asking the user if they want to change one password to the other would be to actually require that they "confirm" their main password, which gives you a chance to get your hands on the plain-text version of the password, which you should, of course, validate as authentic before acting on it.
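The "confirm the main password" approach from the answer above, as an added example that is not part of the original post. It assumes the web account stores the hex md5() of the password, as the question states; gameAccountHash() and rebuildGameHash() are hypothetical names and the sample account is constructed.

```php
<?php
// Added example: gameAccountHash() and rebuildGameHash() are hypothetical names.

// Same derivation the registration code in the question uses for the game account.
function gameAccountHash(string $username, string $password): string
{
    $name = strtolower(trim($username));
    $pwd  = strtolower(trim($password));
    return base64_encode(md5($name . $pwd, true));
}

// Returns the game-account value rebuilt from the confirmed plain-text password,
// or null when the confirmation does not match the stored web-account hash.
// Assumption: $storedWebMd5 is the hex md5() of the web password.
function rebuildGameHash(string $username, string $confirmedPassword, string $storedWebMd5): ?string
{
    // Constant-time comparison of the stored hash with the hash of what was typed.
    if (!hash_equals($storedWebMd5, md5($confirmedPassword))) {
        return null;
    }
    return gameAccountHash($username, $confirmedPassword);
}

// Constructed sample account.
$user       = 'Alice';
$password   = 's3cret-pass';
$storedWeb  = md5($password);                    // what the web account keeps
$storedGame = gameAccountHash($user, $password); // what registration stored for the game

// The attempt from the question: combine two existing hashes.
$fromHashes = base64_encode(md5(strtolower(trim($user))) . $storedWeb);

echo 'combined hashes match stored value: ',
    var_export($fromHashes === $storedGame, true), "\n";
echo 'rebuilt from confirmed password matches: ',
    var_export(rebuildGameHash($user, $password, $storedWeb) === $storedGame, true), "\n";
echo 'wrong confirmation returns: ',
    var_export(rebuildGameHash($user, 'wrong guess', $storedWeb), true), "\n";
```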
I have a password protected webpage with one password. But, I want to use multiple passwords on that webpage... I'm very new to PHP...
So, can anyone give me some advice on how to do this!
Thanks in Advance!
here is the code I'm using:
<?php
$password = "anything";
?>
on that code, I want to use "anything" & also use "mypass" as password same time!
I just use this code for multiplying the pass. but, won't work!
<?php
$password = "anything" + "mypass";
?>
& the full code is:
<?php
if (isset($_POST["password"]) && ($_POST["password"]=="$password")) {
?>
### anything to hide before password given!
<?php
}
else
{
if (isset($_POST['password']) || $password == "") {
print "<p align=\"center\"><font color=\"red\"><b>Wrong Password !!!</b><br>Please enter the correct Password</font></p>";}
print "<form method=\"post\"><p align=\"center\"><b>Please enter the Password</b><br/><br/>";
print "<b>Password </b><input class=\"box\" name=\"password\" type=\"password\" maxlength=\"10\"><input class=\"button\" value=\"Download\" type=\"submit\"></p></form>";
}
?>
use an array of passwords. btw
== and === is vulnerable to timing attacks, use hash_equals instead, but even hash_equals is vulnerable to timing attacks if the length of the 2 inputs is not equal, so hash the passwords before comparing them, to pad the length. something like
$authed=false;
if (isset($_POST["password"])){
$passwords=array('pass1','pass2','pass3');
$u=hash('md5',(string)$_POST["password"],true); // using a weak (and fast) CS hash is not a problem, because we're only using it to pad the length so we're not vulnerable to a timing attack.
foreach($passwords as $pass){
if(hash_equals($u,hash('md5',$pass,true))){
$authed=true;
break;
}
}
}
// here $authed is true if a correct password was supplied
once try:
$password = "anything";
$password = $password . "mypass";
//anythingmypass
if (isset($_POST["password"]) && $_POST["password"] != $password) {
print '<p align="center"><font color="red"><b>Wrong Password !!!</b><br>Please enter the correct Password</font></p>';
} else if (isset($_POST['password']) && $_POST['password']==$password) {
echo "password correct";
}
print '<form method="post"><p align="center"><b>Please enter the Password</b><br/><br/>';
print '<b>Password </b><input class="box" name="password" type="password" maxlength="' . strlen($password).'"><input class="button" value="Download" type="submit"></p></form>';
I think you want to do this
$passwordList = ['password','secretPassword','anything'];
if (isset($_POST["password"]) && in_array($_POST["password"], $passwordList)) {
// do protected stuff here
}
BUT. THERE IS A BIG BUT
NEVER EVER STORE PASSWORDS IN CODE. Use a database for this.
I recommend you follow these tutorials from Laracasts to get more familiar with PHP
This may sound really broken but essentially my intentions are for in php1, have a name for example validate to match a regex, if it fails to meet the conditions it will then redirect to php2 where there awaits a form where a user can retype it and submit it back to php1 where it will do the checks again. Then finally in the first php, if everything works ok it will echo it back.
Also how would i expand it so multiple things such as credit cards etc. can be validated too?
Thanks
php1
if (isset ($_POST["CardHolder"])) {
$cardholder = $_POST["CardHolder"];
$cardholder = sanitise_input($cardholder);
if (!preg_match("/^[a-zA-Z\s]{1,40}$/", $cardholder)) {
$errMsg .= "First name can only contain alpha characters, please re-enter";
$newcardholder = $_POST["newcardholder"];
$cardholder = $newcardholder;
}
else {
$cardholder = $_POST["CardHolder"];
}
if ($errMsg != "") {
header("Location: fix_order.php?errMsg=".$errMsg);
}
}
php2 (fix_order.php)
if (isset ($_GET["errMsg"])){
$cardholder = $_GET["errMsg"];
echo "<form action='process_order.php' method='post'>"
."<p><label>$cardholder:</label>"
."<input type='text' name='newcardholder'/></p>"
."<p><input type='submit' value='Submit'/>";
"</form>";
}
When calling header("Location:...") you need to give the full and absolute URL.
so header("Location: fix_order.php") will not work.
I am trying to check if a user has taken a quiz before and if he/she has, I want them to be not able to take the quiz again. I implemented the code to do this by using cookies and for some reason my code refuses to stop a user from taking the quiz again. I've been staring at this for a very long time now so help would be nice!
Notes: $_SESSION["index"] is set to 0 initially from a previous page and $_COOKIE['quizTakers'] is an empty array initially. Each question comes one at a time.
<?php
session_start();
#get array of quizTakers from cookie
$addUser = unserialize($_COOKIE['quizTakers']);
$userN = $_SESSION['username'];
#check if user has taken quiz already and make sure you only check once and not after every question submit
if(count($addUser) != 0 && intval($_SESSION["index"]) == 0 ){
foreach ($addUser as $user) {
if( strcmp($userN,$user) ){
echo "You already took the quiz! <br \>";
echo "<form action=\"changeUser.php\" method=\"post\"> Go Back: <input type=\"submit\"><br \> </form>";
exit();
}
}
array_push($addUser, $userN);
setcookie('quizTakers', serialize($addUser), time()+86400);
echo "loop was entered <br />";
}
#if array is empty(this is should execute the every first time someone takes the quiz
elseif (count($addUser) == 0) {
#add user to array if this is first person taking a quiz yo
array_push($addUser, $userN);
setcookie('quizTakers', serialize($addUser), time()+86400);
echo "cookie added line 29 <br/>";
}
$indexTemp = intVal($_SESSION["index"]);
if(isset($_SESSION["notFirstIndex"])){
#get array of correct answers
$correctAns = $_SESSION["correctAnswers"];
#get particular answer at current index
$currentCorrectAns = intval($correctAns[$indexTemp]) +1;
$userAns = intval($_POST['ans']);
echo "The User picked: ".$userAns." and the correct Answer was: ".$currentCorrectAns."<br/>";
if($userAns == intVal($currentCorrectAns)){
echo " you were correct! <br />";
$_SESSION["totalCorrect"] += 1;
}
else{
echo "you were wrong";
$_SESSION["totalIncorrect"] +=1;
}
}
elseif(!isset($_SESSION['notFirstIndex'])){
echo "Welcome to your quiz, $userN <br />";
echo "You havent answered any questions yet! <br />";
}
?>
<!DOCTYPE html>
<html>
<HR>
</html>
<?php
#When questions are over show results
if($_SESSION["numQuestions"] == $indexTemp){
$_SESSION["index"] = 0;
echo "Your Results are: <br /> ";
echo "Total Questions: ".$_SESSION["numQuestions"]."<br/>";
echo "Total Correct: ".$_SESSION["totalCorrect"]."<br/>";
echo "Total Incorrect: ".$_SESSION["totalIncorrect"]."<br/>";
$percentage = (intval($_SESSION["totalCorrect"]) / intval($_SESSION["numQuestions"])) * 100 ;
echo "Percentage Rightht: $percentage % <br/ >";
echo "<form action=\"process.php\" method=\"post\"> Back to Main screen: <input type=\"submit\"><br \> </form>";
$takers = unserialize($_COOKIE['quizTakers']);
echo $takers[0];
if(count($takers) == 1){
echo "<br />";
echo "You were the first Quiz Taker: <br />";
echo "Total Takers: 1 <br />";
echo "Number Right: ".$_SESSION["totalCorrect"]."<br/>";
echo "Number Incorrect: ".$_SESSION["totalIncorrect"]."<br/>";
echo "Average: $percentage % <br/ >";
exit();
}
exit();
}
$filename = $_SESSION["quizOfTheDay"];
$quizStuff = file($filename);
$ctr =1;
$questionInfo = $quizStuff[$indexTemp];
$questionParse = explode("#", $questionInfo);
#$_SESSION["correctAns"] = $questionParse[2];
#echo $_SESSION["correctAns"]." from line 56 <br />";
$_SESSION['notFirstIndex'] = "true";
$answerChoices = explode(":",$questionParse[1]);
echo "$questionParse[0]? <br />";
?>
<!DOCTYPE html>
<html>
<form action="questions.php" method="post">
<?php
foreach ($answerChoices as $answerChoice) {
echo "<input type='radio' name='ans' id='q1' value=".$ctr."> <label for='q1'>".$answerChoice."</label> <br />";
$ctr +=1;
}
$_SESSION["index"] = $indexTemp +1;
?>
<input type="submit" name="submit" value="GO!">
</form>
</html>
Before the cookie is set, $_COOKIE['quizTakers'] doesn't exist, and when you call unserialize() on this you set $addUser to false. Then when you try to do array_push($addUser, $userN);, this fails because $addUser isn't an array, so $addUser is still false. Then you put this into the cookie.
The next time the user runs the script, you read false from the cookie, and the username isn't found in this, so you don't stop the user from taking the quiz again.
You're making this much more complicated than it needs to be. You don't need to put an array into the cookie, because cookies aren't shared by all the users. Just set a cookie to a simple string and test whether the cookie is set.
if (isset($_COOKIE['took_quiz'])) {
echo "You already took the quiz! <br \>";
echo "<form action=\"changeUser.php\" method=\"post\"> Go Back: <input type=\"submit\"><br \> </form>";
exit();
}
setcookie('took_quiz', 'true', time()+86400);
As others pointed out, users can get around this by clearing cookies. So if you need something more secure, you need to implement a login system and use a database or file to track which users have already taken the quiz.
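Server-side tracking as suggested at the end of this answer, shown as an added example that is not part of the original answer. It assumes the username comes from an authenticated session; recordQuizAttempt() and the file location are hypothetical. The list is kept as JSON on the server, so no client-supplied cookie is ever passed to unserialize().

```php
<?php
// Added example: recordQuizAttempt() and the file path are hypothetical.

// Records that $username took the quiz. Returns true on the first attempt and
// false if the user is already listed. The list lives in a server-side file,
// so clearing cookies does not reset it.
function recordQuizAttempt(string $file, string $username): bool
{
    $fh = fopen($file, 'c+');            // create if missing, do not truncate
    if ($fh === false) {
        throw new RuntimeException("cannot open $file");
    }
    try {
        flock($fh, LOCK_EX);             // one request at a time updates the list
        $takers = json_decode((string) stream_get_contents($fh), true);
        if (!is_array($takers)) {        // empty or corrupt file: start with an empty list
            $takers = [];
        }
        if (in_array($username, $takers, true)) {
            return false;
        }
        $takers[] = $username;
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, json_encode($takers));
        fflush($fh);
        return true;
    } finally {
        flock($fh, LOCK_UN);
        fclose($fh);
    }
}

// Constructed demo using a temporary file.
$file = tempnam(sys_get_temp_dir(), 'quiz');
foreach (['alice', 'bob', 'alice'] as $name) {
    echo $name, ': ', recordQuizAttempt($file, $name) ? 'may start the quiz' : 'already took the quiz', "\n";
}
unlink($file);
```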
I have not read your code, but did you fundamentally understand the concept of a cookie/session?
A cookie will store data at the browser and sends it every time the website is requested. A session will store the data on the server, but will store a cookie at the client's side to identify the user on subsequent requests.
So the user can simply wipe the cookies (in both cases) and the server does not know that this user has ever taken the quiz.
What you can try is a combination of IP address and browser metric, but beware that IP addresses can change (very quick ;) )
Cookies could be erased by the user and you wouldn't know if they did your quiz or not .
You may need to force people to register to gain access to your quiz if you want a permanent way to know if they completed them or not as cookies can easily be wiped.
I hope you are doing great. I have within my project a login functionality. when I try to login. It gives me this strange error that I did not write within my login.php script. I wrote it somewhere else and did not make an import to it. I hope you guys can help me identify the problem.
Thanks in Advance. Cheers,
Some useful pieces of my code:
Login.php Script:
<?php
include_once 'Header.php';
?>
<style>
#container {
height: 92vh;
}
</style>
<div id="container">
<br>
<?php
$_SESSION['logged'] = null;
//in this page we do things slightly differently - the code for validation and displaying messages is done
//before we display the form
echo '<div id = "div_1"><h1>Login</h1>';
//display the form
echo '<div id="div_2"><div id="div_2">
<form action="Login.php" method="post">
<label>Email<br>
<span class="small">enter your Email</span>
</label>
<input type="text" name="Email" value=""/>
<label><br>Password<br>
<span class="small">enter your password</span>
</label>
<input type="password" name="Password" />
<button type="submit" name="submit" value="Login" />Log in</button>
<input type ="hidden" name="submitted" value="1">
</form>
</div>
</div>';
if (isset($_POST['submitted'])) {
//require_once is similar to 'include' but ensures the code is not copied multiple times
require_once('LoginFunctions.php');
$name3 = $_POST['Email'];
$pwd3 = $_POST['Password'];
echo $name3;
echo $pwd3;
//list() is a way of assigning multiple values at the same time
//checkLogin() function returns an array so list here assigns the values in the array to $check and $data
list($check, $data) = checkLogin($_POST['Email'], $_POST['Password']);
if ($check) {
setcookie('FName', $data['FName'], time() + 900); //cookie expires after 15 mins
setcookie('LName', $data['LName'], time() + 900);
//
//use session variables instead of cookies
//these variables should now be available to all pages in the application as long as the users session exists
$_SESSION['FName'] = $data['FName'];
$_SESSION['LName'] = $data['LName'];
$_SESSION['Email'] = $data['Email'];
//to enable $_SESSION array to be populated we always need to call start_session() - this is done in header.php
//print_r is will print out the contents of an array
print_r($_SESSION);
//
//Redirect to another page
$url = absolute_url('Index.php'); //function defined in Loginfunctions.php to give absolute path for required page
$_SESSION['logged'] = TRUE;
echo $_SESSION['logged'];
//this version of the header function is used to redirect to another page
echo "<script>setTimeout(\"location.href = '" . $url . "';\",10000);</script>"; //since we have entered correct login details we are now being directed to the home page
exit();
} else {
$errors = $data;
}
}
//create a sopace between the button and the error messages
//echo'<div class="spacer"></div>';
if (!empty($errors)) {
echo '<br/> <p class="error">The following errors occurred: <br />';
//foreach is a simplified version of the 'for' loop
foreach ($errors as $err) {
echo "$err <br />";
}
echo '</p>';
}
//this is the end of the <div> that contains the form
echo '</div>';
/* */
?>
</div>
<?php
include 'Footer.php';
?>
My loginFunctions.php class:
<?php
function absolute_url($page = 'Index.php')
{
//header('Location: http:\\localhost');
//exit(); //terminates the script
$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
$url = rtrim($url, '/\\');
$url .= '/' . $page;
return $url;
}
function checkLogin($Email = '', $password = '')
{
$errors = array();
if(empty($Email))
$errors[] = 'You must enter a Email';
if(empty($password))
$errors[] = 'You must enter a password';
if(empty($errors))
{
////set up database econnection
include 'DBConn.php';
$db = new DBConn();
$dbc = $db->getDBConnection();
$q = "select Email, FName, LName from Users_1 where Email = '$Email' and Password = '$password'";
$r = mysqli_query($dbc, $q);
if($r)
{
if(mysqli_affected_rows($dbc) != 0)
{
$row = mysqli_fetch_array($r, MYSQLI_ASSOC);
return array(true, $row);
}
else
{
$errors[] = 'Passwords do not match';
}
}
else{
echo '<p class="error"> Oh dear. There was a database error</p>';
echo '<p class = "error">' . mysqli_error($dbc) .'</p>';
}
}
return array(false, $errors);
}
?>
mysqli_affected_rows is used for returning rows affected by insert, update and delete operation. For select statement you must use mysqli_num_rows
if($r) {
if(mysqli_num_rows($r) != 0){
$row = mysqli_fetch_array($r, MYSQLI_ASSOC);
return array(true, $row);
}else {
$errors[] = 'Passwords do not match';
}
}
For better security: you can use password_hash() function to make your password stronger and later match the hash you saved in the field (Password- datatype would be varchar with a length of 255). You match this hash using password_verify() function which has two parameters: the string that user typed and the hash saved in the database.
For example:
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n";
will print:
$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a
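When a user logs in using rasmuslerdorf as password, you query the database and match the stored hash password $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a with rasmuslerdorf using password_verify :
// Look the user up by e-mail only: the stored value is a hash, so it cannot be matched against the typed password in the WHERE clause.
$stmt = mysqli_prepare($dbc, "SELECT Password FROM `Users_1` WHERE `Email` = ?");
mysqli_stmt_bind_param($stmt, 's', $Email); // bound parameter keeps user input out of the SQL text
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $hash);
// password_verify() re-hashes the typed password with the salt embedded in $hash and compares the results.
if (mysqli_stmt_fetch($stmt) && password_verify('rasmuslerdorf', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}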
This is a fairly non-technical answer but it contains my advice based on my own experience.
When I was just learning html and had no real idea about php or javascript, I would spend hours trying to figure out how logins worked.
After a while I found out about php and javascript, and I had a friend's php login script to go on.
I managed to get a database working, however the signup did not which is why I posted this question.
Eventually I got the login working, however my limited knowledge meant that I could have been storing people's (and friends') private information such as passwords that they use elsewhere, on a website that could have had a major flaw.
Now don't get me wrong, I am not saying don't do this I am simply saying DO YOUR RESEARCH. Take time watching videos like this:
https://www.youtube.com/watch?v=8ZtInClXe1Q
How NOT to Store Passwords! - Computerphile
and then spend some more time doing database queries that don't involve passwords.
Once you have a good understanding of how to use queries and feel confident doing them, begin researching hashing methods in php.
Please take a look into:
Salting your passwords where you essentially add random characters to the password that is being hashed so that you can't use a hashing table to reverse a hashed password.
SQL Injection where people use the input (name field or any other field) on your form to change the syntax of your question, and essentially add code to your website. This is dangerous because then they can (depending on what permissions the user has) drop tables, drop databases, select *, and many other harmful things. This topic is also mentioned in the video mentioned before about "How NOT to Store Passwords!".
Do more research (don't only use that link it does not contain everything)...when you are storing people's information you can never be too safe. Don't think of these tips as overkill, think of them as a responsibility to your users, that they can TRUST that nothing will happen to their password!
Good luck!
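The two answers above (password_hash()/password_verify(), and SQL injection through form fields) combined into one login check, as an added example that is not code from the original posts. PDO with an in-memory SQLite database stands in for the page's MySQL connection so the script runs without a server; the table contents are constructed, and the function keeps the [bool, data] return shape of the question's checkLogin().

```php
<?php
// Added example. PDO + in-memory SQLite is an assumption made so this runs
// stand-alone; the same prepare/execute pattern applies to MySQL.

function checkLogin(PDO $pdo, string $email, string $password): array
{
    // The placeholder keeps user input out of the SQL text.
    $stmt = $pdo->prepare('SELECT Email, FName, LName, Password FROM Users_1 WHERE Email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // For an unknown e-mail, verify against a dummy hash so both failure
    // paths do the same amount of work.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash  = $row ? $row['Password'] : $dummy;

    $ok = password_verify($password, $hash);
    if (!$row || !$ok) {
        // One message for both cases: do not reveal which accounts exist.
        return [false, ['Email or password is incorrect']];
    }

    // Re-hash transparently when the default algorithm or cost has changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE Users_1 SET Password = ? WHERE Email = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $email]);
    }

    unset($row['Password']);             // never hand the hash to the caller
    return [true, $row];
}

// Constructed database with one user.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Users_1 (Email TEXT PRIMARY KEY, FName TEXT, LName TEXT, Password VARCHAR(255))');
$ins = $pdo->prepare('INSERT INTO Users_1 (Email, FName, LName, Password) VALUES (?, ?, ?, ?)');
$ins->execute(['user@example.com', 'Test', 'User', password_hash('rasmuslerdorf', PASSWORD_DEFAULT)]);

$attempts = [
    ['user@example.com', 'rasmuslerdorf'],   // correct credentials
    ['user@example.com', 'wrong-password'],  // wrong password
    ["' OR '1'='1", "' OR '1'='1"],          // input that would alter a concatenated query
];
foreach ($attempts as [$email, $pwd]) {
    [$check, $data] = checkLogin($pdo, $email, $pwd);
    echo var_export($check, true), ' ', json_encode($data), "\n";
}
```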
I'm currently creating a website for a local sports union, so far I have created numerous pages, one of them being a table with the members and their information. Each member has a checkbox that contains the email address as a value. I should add that at the moment the members information is viewed in members.php, but the file that gets the information (The code you can see below) is from backend file fetch.php.
What I want is that when you check multiple checkboxes and press 'Send Mail', it should open a mailto:?bcc=mail1,mail2 etc.
if(mysqli_num_rows($result))
{
echo "<form method=\"post\">";
// Printing user information etc.
echo "<td><input name=\"email[]\" type=\"checkbox\" class=\"email-cb\" value=\"$email\"></td>";
echo "<tr><td><input type=\"submit\" value=\"Send Mail\"></td></tr>";
echo "</form>";
}
First off, when you press the submit button (or Send Mail if you like), it should simply do Send Mail
I have been working on this for a while and can't seem to find a solution, anyways I came up with this method to at least extract emails (I think this is correct).
if(isset($_POST['email']) && is_array($_POST['email']))
{
foreach($_POST['email'] as $email)
{
$emailList = "mailto:?bcc=" . implode(',', $_POST['email']);
}
}
Change $_POST['fruit'] to $_POST['email'], and you don't need the loop, because the post data is already an array.:
if(isset($_POST['email']) && is_array($_POST['email']))
{
$emailList = "mailto:?bcc=" . implode(',', $_POST['email']);
}
What does $_POST['fruit']?? Maybe you are looking for this:
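if(isset($_POST['email']) && is_array($_POST['email']))
{
$bccList = ''; // initialise before appending
foreach($_POST['email'] as $email)
{
$bccList .= $email.',';
}
// drop the trailing comma left by the loop
$emailList = "mailto:?bcc=" . rtrim($bccList, ',');
}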