|
PHP - Best Way To Properly/efficiently Hash Passwords
I'll start by apologizing for the stupid decision that led to this question. A few years ago, I created a PHP/Myysql site with a login system and I created a field in the MySQL called "password" and it stored literally the exact password people entered (I know, I know).
The site has proven to have nice traffic potential, so I am going to re-vamp everything, including storing passwords properly (i.e. hashed).
My first question... Is there a way to convert regular text passwords to hashed passwords? For example, I could create a new field in the "User" table for "hashedpassword" and write a script that takes all the insecure passwords and turns them into hashed passwords. Then deleted the previous "bad" password field from the database. This would allow me to do it without the customer every knowing anything changed.
Quick googling appears to support that it IS doable rather easily, with something like...
UPDATE mytable SET password = MD5(password)If not, I guess I would have to create a thing where the first time omeone logged in after I put hashing in place, the site would force them to change their password. I'd rather not annoy the visitors if it all possible. Second question, what is the proper/recommended hashing method to use? Some people seem to poo-poo MD5. If you agree, should I use: MD5 SHA MD5 with a salt SHA with a salt Something else i never heard of NOTE: My site is a fantasy sports site, so the data involved is not overly important. Maybe a salt is overkill? Or is being overly safe never a bad thing? Lastly, don't need to address this, but if anyone can explain it like I'm 5 that would be great because i must be missing something... if you can easily turn a regular password into a hashed password, couldn't hackers easily do the reverse, which would render the hashing almost useless? I get that salting helps, but before salting (i.e. doing ONLY MD5), I don't see how hashing helped that much (if you could reverese figure out the password). What am I missing? Thanks! Greg Edited by galvin, 13 November 2014 - 09:44 AM. Similar TutorialsPHP Websockets Rate limiter (Thanks to @Kicken for the help) How do I setup let's say... no more than 5 requests per second? Any idea?
// anti flood protection
if (isset($users[$clientID]['last_session_request'])) {
if($users[$clientID]['last_session_request'] > ''.microtime(true).'' - 1){
// users will be redirected to this page if it makes requests faster than 1 seconds
echo "Limit Reached... Simmer down!";
wsClose($clientID);
}else{
}
$users[$clientID]['last_session_request'] = microtime(true);
}
Edited by Monkuar, 20 December 2014 - 03:28 PM. Since I'm new to programming I still don't know how to solve problems the most efficient way, I'd like to have your advice on this one. This is how I solved it and it works. I have my categories as input buttons (I'm planning to change it into a drop down menu later). Sort by Category: <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> <input type='submit' name='All' value='All' /> <input type='submit' name='Smileys' value='Smileys' /> <input type='submit' name='Faces' value='Faces' /> <input type='submit' name='Love' value='Love' /> </form> When the input boxes are clicked the corresponding script below is being run, very simple and to a point primitive, definitely not really efficient, because if you have a lot of categories you'll end up with a lot of code and if you wanted to change one thing you'd have to change it in all the IF BLOCKS. Basically every input button has its own IF BLOCK. <?php if (isset($_POST['All']) OR (!isset($_POST['Smileys']) && !isset($_POST['Faces']) && !isset($_POST['Love']) { // Connect to the database $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); // Retrieve the score data from MySQL $query = "SELECT * FROM asciiart"; $data = mysqli_query($dbc, $query); // Loop through the array of score data, formatting it as HTML while ($row = mysqli_fetch_array($data)) { echo '<table class="asciiartTable">'; // Display the score data echo '<tr><td class="asciiart_name">'; echo '<strong>' . htmlentities($row['asciiart_name']) . '</strong><br /></td></tr>'; echo '<tr><td class="asciiart_contribution"><pre>' . htmlentities($row['asciiart_contribution']) . '</pre><br /></td></tr>'; echo '<tr><td class="asciiart_categoryDate">' . htmlentities($row['asciiart_category']) . ' | ' . date('M d, Y', strtotime ($row['created_date'])) . ' </td></tr>'; echo '</table>'; } mysqli_close($dbc); } if (isset($_POST['Smileys'])) { // Connect to the database $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); // Retrieve the chosen category from MySQL $query2 = "SELECT * FROM asciiart WHERE asciiart_category = 'Smileys'"; $data2 = mysqli_query($dbc, $query2); //Loop through the array of data while ($row2 = mysqli_fetch_array($data2)) { echo '<table class="asciiartTable">'; // Display the score data echo '<tr><td class="asciiart_name">'; echo '<strong>' . htmlentities($row2['asciiart_name']) . '</strong><br /></td></tr>'; echo '<tr><td class="asciiart_contribution"><pre>' . htmlentities($row2['asciiart_contribution']) . '</pre><br /></td></tr>'; echo '<tr><td class="asciiart_categoryDate">' . htmlentities($row2['asciiart_category']) . ' | ' . date('M d, Y', strtotime ($row2['created_date'])) . ' </td></tr>'; echo '</table>'; } mysqli_close($dbc); } if (isset($_POST['Faces'])) { // Connect to the database $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); // Retrieve the chosen category from MySQL $query3 = "SELECT * FROM asciiart WHERE asciiart_category = 'Faces'"; $data3 = mysqli_query($dbc, $query3); //Loop through the array of data while ($row3 = mysqli_fetch_array($data3)) { echo '<table class="asciiartTable">'; // Display the score data echo '<tr><td class="asciiart_name">'; echo '<strong>' . htmlentities($row3['asciiart_name']) . '</strong><br /></td></tr>'; echo '<tr><td class="asciiart_contribution"><pre>' . htmlentities($row3['asciiart_contribution']) . '</pre><br /></td></tr>'; echo '<tr><td class="asciiart_categoryDate">' . htmlentities($row3['asciiart_category']) . ' | ' . date('M d, Y', strtotime ($row3['created_date'])) . ' </td></tr>'; echo '</table>'; } mysqli_close($dbc); } if (isset($_POST['Love'])) { // Connect to the database $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); // Retrieve the chosen category from MySQL $query4 = "SELECT * FROM asciiart WHERE asciiart_category = 'Love'"; $data4 = mysqli_query($dbc, $query4); //Loop through the array of data while ($row4 = mysqli_fetch_array($data4)) { echo '<table class="asciiartTable">'; // Display the score data echo '<tr><td class="asciiart_name">'; echo '<strong>' . htmlentities($row4['asciiart_name']) . '</strong><br /></td></tr>'; echo '<tr><td class="asciiart_contribution"><pre>' . htmlentities($row4['asciiart_contribution']) . '</pre><br /></td></tr>'; echo '<tr><td class="asciiart_categoryDate">' . htmlentities($row4['asciiart_category']) . ' | ' . date('M d, Y', strtotime ($row4['created_date'])) . ' </td></tr>'; echo '</table>'; } mysqli_close($dbc); } My question is: is there a way to have just one block of script and the script automatically inserts the right INPUT BUTTON into the query in the script? Something similar to this, even though it doesn't work I'm just showing it for showcase purposes: if (isset($_POST['Smileys']) || (isset($_POST['Faces']) || (isset($_POST['Love'])) { // Connect to the database $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); // Retrieve the chosen category from MySQL $query2 = "SELECT * FROM asciiart WHERE asciiart_category = 'Smileys' || 'Faces' || 'Love'"; $data2 = mysqli_query($dbc, $query2); Notice in the query, it is looking for THAT keyword that has been PRESSED on the INPUT BUTTON. How would I be able to create a logic like this so I can create a whole chain of categories? Thanks for advice. I'm hoping to get a little feedback on what you all believe is the best way to handle this efficiently in PHP. I am working on a script that imports a large amount of data from remote feeds; this facilitates the quick deployment of real estate web sites, but has to download a large number of images to each new site. Assuming for right now that the bottleneck isn't in the method (fsock vs curl vs...) and that for each imported listing we're spending between .89439 and 17.0601 seconds on the image import process alone... what would you suggest for handling this over the space of 100-1000 occurrences? As of right now I have two ideas in mind, both fairly rudimentary in nature. The first idea is to shut the script down every 30-45 seconds, sleep for a second and fire off another asynchronous request to start the script again. The second idea is to fire off a new asynchronous to run the image imports separate from the main script. This would let the efficient ones clear out rather quickly while the slower imports would have their own process to run in. The only thing that worries me about this is the fact that 100 of these could be fired off every second. Even assuming half of them complete before the next round are fired off, they would still pile up. I came across this amazing (not) blog to allow the user to reset their password. It basically does:
User submits their email to server and requests new password.
Server gets their users_id from the DB based on their email, and emails them with a link which contains ?encrypt=md5(1290*3+USERS_ID).
When clicked, server retrieves user where md5(90*13+USERS_ID)=$_GET['encrypt'], and display a form. I think the math is a typo.
When the form is submitted, the password is changed.
What is the correct way to do this?
Hey all, I posted a few months ago trying out my first salted password and I utterly failed lol. This is a small snippet from my current attempt. Code: (php) [Select] $salt = md5(uniqid(rand())); $Pass_S = md5($pass.$salt); This is only the password and salt generation part. I'm sure the salt generation is probably too simple so please feel free to give your thoughts on that part. Also the salt is stored on the database to be pulled up later for login uses. Thanks all! Hey, I know this questions get asked a lot but here is a different version of it. What is a simple and secure method for storing data/passwords? I know there is a lot of debate in this subject but I run a browser game off my server and just want the data to be encrypted. is this good enough or is this easy to crack? Code: [Select] <?php $password = 'abcdefg'; $salt = 'whateversecrethash'; $pw_hash = md5($salt.$password); ?> or I just found this tutorial is this up to date and actually a good method? http://webhole.net/2010/10/30/php-password-encryption-with-salt/ What do I need to do to *safely* capture and store User Passwords in a Registration Form? There was a thread that I started a few months ago where someone had given a really good response talking about "Salt" and so on, but for the life of me I cannot find that info. Nonetheless, I need some help getting my head back into this topic! My Registration Form is complete, and the last thing I need to do is make sure Users enter a "Strong Password" and then I need to store that somewhere, somehow, in the most *secure* manner possible... Thanks, Debbie This is my code it's not working.
$username = $_POST['username'];
$password = $_POST['password'];
$encrypt_password = md5($password);
$email = $_POST['email'];
$usrsql = "SELECT * FROM $tbl_name WHERE username='$username' AND password='$encrypt_password'";
//--> Below is the INSERT Code
$query = "INSERT INTO `x_users` (username, password, email) VALUES ('$username', '$encrypt_password', '$email')";
$result = mysql_query($query);
if($result == 1) {
print("Thank you, your accout has been created!");
}
Can anyone tell me why the md5() function is not working?
Edited by Tom8001, 28 November 2014 - 07:49 PM. I'm incorporating a dynamic salt into my user system, but I'm not sure how to store the salt itself. The password is hashed and added to the database, but wouldn't you need to store the salt as plain text in the database in order to verify the login later? Also, I've read that using both a dynamic and static salt is good practice. If this is the case, is the static salt simply defined within the PHP? Or is there another method to storing it? Thanks for the help Hey All, I'm tryin to make a log-in system for multiple usernames and passwords, but I don't really know how many if statements i'd need for it.. I'm also a noob.. Code: [Select] <?php session_start(); $users = array("user1" =>"3202", "user2" =>"2002", "user3" =>"1061", "user4"=>"1400", "user5"=>"1001"); if($_REQUEST['username'] == "infs" && $_REQUEST['password'] == "3202"){ $_SESSION['username'] = "user1" ; $_SESSION['password'] = "3202" ; $_SESSION['username'] = "user2" ; $_SESSION['password'] = "2002" ; $_SESSION['username'] = "user5" ; $_SESSION['password'] = "1001" ; $_SESSION['username'] = "user3" ; $_SESSION['password'] = "1061" ; $_SESSION['username'] = "user4" ; $_SESSION['password'] = "1400" ; header("Location: home.php "); }else{ After checking if the matching username and password exist in my array then save them in a session... What's the best way of doing it? Hi there I have a problem here, I think I may know what it is but just wanted some guidance on this issue. I took the logic from a previous help from the people on this forum and here is my landing page: <?php // ini_set("display_errors", 1); // randomly starts a session! session_name("jeremyBasicLogin"); session_start(); if(isset($_SESSION['username'])) { // display whatever when the user is logged in: echo <<<ADDENTRY <html> <head> <title>User is now signed in:<title> </head> <body> <h1>You are now signed in!</h1> <p>You can do now what you want to do!</p> </body> </html> ADDENTRY; } else { // If anything else dont allow access and send back to original page! header("location: signin.php"); } ?> This is where the user goes to when they go to this system (not a functional system, ie it doesnt actually do anything its more for my own theory. As you wont have a session on the first turn to this page it goes to: signin.php which contains: <?php // ini_set("display_errors", 1); require_once('func.db.connect.php'); if(array_key_exists('submit',$_POST)) { dbConnect(); // connect to database anyways! // Do a procedure to log the user in: // Santize User Inputs $username = trim(stripslashes(mysql_real_escape_string($_POST['username']))); // cleans up with PHP first! $password = trim(stripslashes(mysql_real_escape_string(md5($_POST['password'])))); // cleans up with PHP first! $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'"; $result = mysql_query($sql); if(mysql_num_rows($result) == 1) { session_name("jeremyBasicLogin"); session_start(); $_SESSION['is_logged_in'] = true; $_SESSION['username'] = $username; //print_r($_SESSION); // debug purposes only! $_SESSION['time_loggedin'] = time(); // this is adding to the array (have seen the output in the SESSION vars! // call function to update the time stamp in MySQL? header("location: index.php"); } else if(mysql_num_rows($result) != 1) { $message = "You typed the wrong password or Username Please retry!"; } } else { $message = ""; } // displays the login page: echo <<<LOGIN <html> <body> <h1>Example Login</h1> <form id="login" name="login" action="{$_SERVER['PHP_SELF']}" method="post"> <label for="username">Username: </label><input type="text" id="username" name="username" value="" /><br> <label for="password">Password: </label><input type="text" id="password" name="password" value="" /><br> <input type="submit" id="submit" name="submit" value="Login" /> </form> LOGIN; echo "<p>" . $message . "</p>"; echo <<<LOGIN <p>Please Login to View and Edit Your Entries</p> <p><a href="register.php">Click Here To Signup</a><p> </body> </html> LOGIN; ?> This checks through user inputs and hopefully logs them in, when Ive inserted the data into the database itself it works, if I try and login but if a user fills in this form: signup.php: <?php //ini_set("display_errors", 1); $message =''; require_once('func.db.connect.php'); if(array_key_exists('submit',$_POST)) { dbConnect(); // connect to database anyways! // do some safe protecting of the users variables, apply it to all details! $username = trim(stripslashes(mysql_real_escape_string($_POST['username']))); // cleans up with PHP first! $email = trim(stripslashes(mysql_real_escape_string($_POST['email']))); // cleans up with PHP first! $password = trim(stripslashes(mysql_real_escape_string(md5($_POST['password'])))); // does as above but also encrypts it using the md5 function! $password2 = trim(stripslashes(mysql_real_escape_string(md5($_POST['password2'])))); // does as above but also encrypts it using the md5 function! if($username != '' && $email != '' && $password != '' && $password2 != '') { // do whatever when not = to nothing/empty fields! if($password === $password2) { // do database stuff to enter users details $sql = "INSERT INTO `test`.`users` (`id` ,`username` ,`password`) VALUES ('' , '$username', MD5( '$password' ));"; $result = mysql_query($sql); if($result) { $message = 'You may now login by clicking <a href="index.php">here</a>'; } } else { // echo out a user message says they got their 2 passwords incorrectly typed: $message = 'Pleae re enter your password'; } } else { // they where obviously where empty $message = 'You missed out some required fields, please try again'; } } echo <<<REGISTER <html> <body> <h1>Register Form</h1> <p>Please fill in this form to register</p> <form id="register" name="register" action="{$_SERVER['PHP_SELF']}" method="post"> <table> <tr> <td><label for="username">Username: </label></td> <td><input type="text" id="username" name="username" value="" /></td> </tr> <tr> <td><label for="email">Email: </label></td> <td><input type="text" id="email" name="email" value="" /></td> </tr> <tr> <td><label for="password">Password: </label></td> <td><input type="text" id="password" name="password" value="" /></td> </tr> <tr> <td><label for="password">Confirm Password: </label></td> <td><input type="text" id="password2" name="password2" value="" /></td> </tr> <tr> <td><input type="submit" id="submit" name="submit" value="Register" /></td> </tr> <table> REGISTER; echo "<p>" . $message . "</p>"; echo <<<REGISTER </form> </body> </html> REGISTER; ?> As I said when the user signs up when submitting the above form, it doesnt work, keeps coming up with a different value for the password, so I am about 99% certain its the password, but I have been maticulous about copying in the sanitize function for SQL injections and it just doesnt still work, really puzzled now. Any helps appreciated, Jeremy. Guys, Having a major headache here. I need to send an enquiry using jquery and php. The user can only send an enquiry if they are logged in - so it's a one click process. On the click (which is an <a> tag) the user's data is retrieved from the database and sent to the company they are enquiring about. When the link is clicked, a jquery popup is shown to notify the user that the enquiry has been sent. This all works. However, currently the enquiry is sent when the page loads and this is what I'm having trouble with. Code: [Select] <a href="#e" onclick="openinfobox('Enquiry Sent', 1)" class="enq"></a>What I want to do is say if the URL contains #e, then send the enquiry, otherwise do nothing. I understand that the # portion of the url cannot be referenced by PHP. How on earth can I run php process to say only run this php process if there is a # in the url? I have a section on my website where the url points to www.example.com/some_page#some_element #some_element is used by javascript to load the element in question into the parent element. However i need pagination done on this loaded element. How should i go about it? would it work? obv i cant use www.example.com/some_page#some_element/page/2. Any tips or advice? Are there any PHP hashes that are extremely secure and that CANNOT be reverse-engineered?
Is a hash array the same thing as an associative array? My PHP books make no reference to this, yet I have seen the term referred to. Thanks. HI, I have a registration script where a password is made with one hash, and a user password reset page that uses another hash. I don't know how to make them the same, as every time I change them, it messes up the code and I get errors. I will comment the parts that I think need changing. Because when I try to log in with the new password that was made by the reset password script, it says "wrong username or password" because either it wasn't updated in the database, or it was updated in a bad way. Any help greatly appreciated. The password email reset code: Code: [Select] <?php define('IN_SCRIPT', true); // Start a session session_start(); ini_set ("display_errors", "1"); error_reporting(E_ALL); $host = ""; $database = ""; $username = ""; $password = ""; $tbl_name = ""; $conn = mysql_connect($host, $username, $password) or die("Could not connect: " . mysql_error()); if($conn) { mysql_select_db($database); echo "connected to database!!"; } else { echo "failed to select database"; } //this function will display error messages in alert boxes, used for login forms so if a field is invalid it will still keep the info //use error('foobar'); function error($msg) { ?> <html> <head> <script language="JavaScript"> <!-- alert("<?=$msg?>"); history.back(); //--> </script> </head> <body> </body> </html> <? exit; } //This functions checks and makes sure the email address that is being added to database is valid in format. function check_email_address($email) { // First, we check that there's one @ symbol, and that the lengths are right if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email)) { // Email invalid because wrong number of characters in one section, or wrong number of @ symbols. return false; } // Split it into sections to make life easier $email_array = explode("@", $email); $local_array = explode(".", $email_array[0]); for ($i = 0; $i < sizeof($local_array); $i++) { if (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$", $local_array[$i])) { return false; } } if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name $domain_array = explode(".", $email_array[1]); if (sizeof($domain_array) < 2) { return false; // Not enough parts to domain } for ($i = 0; $i < sizeof($domain_array); $i++) { if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) { return false; } } } return true; } if (isset($_POST['submit'])) { if ($_POST['forgotpassword']=='') { error('Please Fill in Email.'); } if(get_magic_quotes_gpc()) { $forgotpassword = htmlspecialchars(stripslashes($_POST['forgotpassword'])); } else { $forgotpassword = htmlspecialchars($_POST['forgotpassword']); } //Make sure it's a valid email address, last thing we want is some sort of exploit! if (!check_email_address($_POST['forgotpassword'])) { error('Email Not Valid - Must be in format of name@domain.tld'); } // Lets see if the email exists $sql = "SELECT COUNT(*) FROM users WHERE email = '$forgotpassword'"; $result = mysql_query($sql)or die('Could not find member: ' . mysql_error()); if (!mysql_result($result,0,0)>0) { error('Email Not Found!'); } //Generate a RANDOM MD5 Hash for a password//THIS IS THE POSSIBLE PROBLEM $random_password=md5(uniqid(rand())); //Take the first 8 digits and use them as the password we intend to email the user $emailpassword=substr($random_password, 0, 8); //Encrypt $emailpassword in MD5 format for the database $newpassword = md5($emailpassword); // Make a safe query $newpassword = mysql_real_escape_string($newpassword); $query = sprintf("UPDATE 'users' SET 'password' = '$newpassword' WHERE 'email' = '$forgotpassword'"); //Email out the infromation $site_name = "mysite.COM"; $site_email = "noreply@mysite.COM"; $subject = "Your New Password"; $message = "Your new password is as follows: ---------------------------- Password: $emailpassword ---------------------------- Please make note this information has been encrypted into our database This email was automatically generated."; if(!mail($forgotpassword, $subject, $message, "FROM: $site_name <$site_email>")){ die ("Sending Email Failed, Please Contact Site Admin! ($site_email)"); }else{ error('New Password Sent!.'); } } else { ?> <form name="forgotpasswordform" action="" method="post"> <table border="0" cellspacing="0" cellpadding="3" width="100%"> <caption> <div>Forgot Password</div> </caption> <tr> <td>Email Address:</td> <td><input name="forgotpassword" type="text" value="" id="forgotpassword" /></td> </tr> <tr> <td colspan="2" class="footer"><input type="submit" name="submit" value="Submit" class="mainoption" /></td> </tr> </table> </form> <? } ?> And now for the registration and password creation script Code: [Select] <?php $host = " "; $database = " "; $username = " "; $password = " "; mysql_connect($host, $username, $password) or die("Could not connect: " . mysql_error()); mysql_select_db($database); if ($_POST['form_submitted'] == '1') { ##User is registering, insert data until we can activate it $activationKey = mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand(); $username = mysql_real_escape_string($_POST[username]); $email = mysql_real_escape_string($_POST[email]); ////////////////////////////////////////////////////////////////////////// $username= $_POST['username']; $checkuser = mysql_query("SELECT username FROM users WHERE username='$username'"); $username_exist = mysql_num_rows($checkuser); if($username_exist > 0){ echo "I'm sorry but the username you specified has already been taken. Please pick another one."; unset($username); $sendemail='0'; } /////////////////////////////////////////////////////////////////////////////////// $email= $_POST['email']; $checkemail = mysql_query("SELECT email FROM users WHERE email='$email'"); $useremail_exist = mysql_num_rows($checkemail); if($useremail_exist > 0){ echo "I'm sorry but the email address you specified has already been taken. Please pick another one."; unset($email); $sendemail='0'; } ////////////////////////////////////////////////////////////////////////////// if ( $_POST['password'] == $_POST['password2'] && $username_exists <=0 && $useremail_exist <= 0) { $password = sha1($_POST['password']); $sql="INSERT INTO users (username, password, email, activationkey, status) VALUES ('$username', '$password', '$email', '$activationKey', 'verify')"; $sendemail = '1'; } else { echo "*Passwords do not match!"; $sendemail='0'; } if (!mysql_query($sql)) { die('Error: ' . mysql_error()); } $_POST['form_submitted'] = '0'; //make form disappear. if ($sendemail =='1') { echo "An email has been sent to $_POST[email] with an activation key. Please check your mail to complete registration."; } ##Send activation Email $to = $_POST[email]; $subject = " Registration"; $message = "Welcome to our website! verify_user.php?$activationKey\r\rIf this is an error, ignore this email and you will be removed from our mailing list.\r\rRegards,\ Team"; $headers = 'From: noreply@r.com' . "\r\n" . 'Reply-To: noreply@r.com' . "\r\n" . 'X-Mailer: PHP/' . phpversion(); mail($to, $subject, $message, $headers); } else { ##User isn't registering, check verify code and change activation code to null, status to activated on success $queryString = $_SERVER['QUERY_STRING']; $query = "SELECT * FROM users"; $result = mysql_query($query) or die(mysql_error()); /*if*/ while($row = mysql_fetch_array($result)){ if ($queryString == $row["activationkey"]){ $_POST['form_submitted'] = '2'; //make form disappear. echo "Congratulations!" . $row["username"] . " is now the proud new owner of an e.com account. Please sign in to the site at <a href='sign_in.php'>THIS LINK</a>. "; $sql=" UPDATE users SET status='activated' WHERE (id = $row[id])"; //UPDATE users SET activationkey = '', //$sql="UPDATE users SET activationkey = 'Done-$row[id]', status='activated' WHERE (id = $row[id])"; if (!mysql_query($sql)) { die('Error: ' . mysql_error()); } } } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Untitled Document</title> <style type="text/css"> <!-- .style1 { font-size: large; font-weight: bold; } .style3 {font-size: large} --> </style> </head> <body> <?php if (!isset ($_POST['form_submitted'])){ echo (' <div align="center"><span class="style3"> Please register. </span> <table border="0"> <form action="verify_user.php" method="post" name="register"> <tr><td>Username: <input type="text" name="username" maxlength="20"></td></tr> <tr><td>Password:<input type="password" name="password" /></td><td> <tr><td>Confirm password: <input type="password" name="password2" maxlength="20"></td><td> <tr><td> Email: <input type="text" name="email" /></td></tr> <input type="hidden" name="form_submitted" value="1"/> <tr><td><input type="submit" value="Submit" /></td></tr> </form> </table> </div>'); } if ( $_POST['form_submitted'] =='2'){ echo (" You may now enter the site!");//echo nothing no form. } ?> </body> </html> What is the difference between the hash algo "tiger192,3" and "tiger192,4"? I ran fsum/HashCalc to get a TIGER hash from a string and it is different with either "tiger192,3" or "tiger192,4". I also tried using the hash as hex string input to rehash 3 or 4 times, but still cannot get an equivalent to that of "tiger192,3" or "tiger192,4"... what would be the correct way to add an MD5 has to the following POST code? $_POST['pass'] = mysql_real_escape_string($_POST ['pass']); '".$_POST ['pass']."', thanks in advance! Hello, I created a system where emails get encrypted with a random key that gets stored in a database, what are the odds of the Hashes Colliding? Part of the code: function genRandomString($num) { $length = $num; $characters = '0123456789abcdefghijklmnopqrstuvwxyz'; $string = ""; for ($p = 0; $p < $length; $p++) { $string .= $characters[mt_rand(0, strlen($characters))]; } return $string; } $Key=genRandomString(10); $email_s=hash_hmac('ripemd160', $email, $Key); Thankyou, GB. When a User changes his/her Email Address, should I generate a new Salt and Hash? (I am re-using the code I used for a Password Reset, and during that I generated a new Salt and Hash for security. I guess it can't hurt...) Thanks, Debbie |
|||||||