Re: [PHP-DB] Password Reset
On Wed, Feb 27, 2008 at 1:52 AM, Nasreen Laghari [EMAIL PROTECTED] wrote:

> Hi,
>
> I have encrypted password in database and I encrypted using MD5(). As it is a one-way Hash so I can't get password back to original text !!!
>
> What encrypting technique I used to encrypt password so if user forget, I can decrypt password and email it.

There are a bunch you could use, from the sickeningly simple (ROT-13) to a key-based reversible algorithm (Blowfish/Twofish). However, your best bet would just be to generate a new, random password, and email it to the user. Then, when they successfully retrieve the new password and log in, require them to change their password. This will also allow them to go back to the password they were using, should they choose to do so.

ADDED BONUS! Lesson in Terminology: ;-P

Encryption: CAN be decrypted. Blowfish, Twofish, DES, et cetera.
Hash: CAN NOT be de-hashed. MD5, SHA1, *nix salts, et cetera.

--
/Dan

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] Password Reset
generate a new password and email that to the user

bastien

> Date: Tue, 26 Feb 2008 22:52:01 -0800
> From: [EMAIL PROTECTED]
> To: php-db@lists.php.net
> Subject: [PHP-DB] Password Reset
>
> Hi,
>
> I have encrypted password in database and I encrypted using MD5(). As it is a one-way Hash so I can't get password back to original text !!!
>
> What encrypting technique I used to encrypt password so if user forget, I can decrypt password and email it.
>
> Regards
> Nasreen
Re: [PHP-DB] PHP, MySQL and Lookups
On Wed, Feb 27, 2008 at 9:52 AM, Tobias Franzén [EMAIL PROTECTED] wrote:

> Consider this, if you have not already: What if two users happen to have the same password? It is wrong to assume that no two users will never have the same password. Doing an update like that, just based on the password column, is an accident waiting to happen. You should have a uniquely distinguished name or designation for each user, and validate the user and password combination. Also, such a designation should be unique, and keeping entries in a column unique can be enforced with MySQL.

It's also safe to presume, however, that - since the OP said, "Basically, what I'm trying to do is give a load of users an individual password" - by "individual password" he means that the password *will* be the unique key. Just a thought. ;-P

For all other intents and purposes, however, you're 100% correct. Using a unique auto_increment key would be your best bet.

--
/Dan

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>
RE: [PHP-DB] Password Reset
As everybody has said, it is not a best security practice to decrypt passwords if the user forgets it. You should not provide ways for hackers to decrypt such passwords in the event of a security incident.

You better allow users to reset their passwords after providing evidence of her/his authentication.

__
Miguel Guirao Aguilera, Linux+, ITIL
Sistemas de Información
Informática R8
Ext. 7540

-- -----Original Message-----
-- From: Nasreen Laghari [mailto:[EMAIL PROTECTED]
-- Sent: Wednesday, February 27, 2008 12:52 a.m.
-- To: php-db@lists.php.net
-- Subject: [PHP-DB] Password Reset
--
-- Hi,
--
-- I have encrypted password in database and I encrypted using MD5(). As
-- it is a one-way Hash so I can't get password back to original text !!!
--
-- What encrypting technique I used to encrypt password so if user forget,
-- I can decrypt password and email it.
--
-- Regards
--
-- Nasreen
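The flow suggested in the replies above (generate a random password, email it, require a change at the next login), as an added example that is not code from any poster in this thread. It stores a salted `password_hash()` value instead of MD5; the `users` table, its columns and the in-memory SQLite database are assumptions made so the script runs on its own.

```php
<?php
// Added example: table and column names are hypothetical; SQLite in memory
// stands in for the MySQL database so the script is self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT UNIQUE NOT NULL,
    pass_hash TEXT NOT NULL,
    must_change INTEGER NOT NULL DEFAULT 0)');

// Constructed sample account; only the salted hash is ever stored.
$db->prepare('INSERT INTO users (email, pass_hash) VALUES (?, ?)')
   ->execute(['user@example.com', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Replace the stored hash with that of a fresh random password and flag
// the account so the next successful login forces a password change.
function reset_password(PDO $db, string $email): ?string
{
    $temp = bin2hex(random_bytes(12));   // 96 bits from the system CSPRNG
    $stmt = $db->prepare(
        'UPDATE users SET pass_hash = ?, must_change = 1 WHERE email = ?');
    $stmt->execute([password_hash($temp, PASSWORD_DEFAULT), $email]);
    return $stmt->rowCount() === 1 ? $temp : null;   // null: no such account
}

// Returns 'denied', 'change_required' or 'ok'.
function login(PDO $db, string $email, string $password): string
{
    $stmt = $db->prepare(
        'SELECT pass_hash, must_change FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['pass_hash'])) {
        return 'denied';
    }
    return $row['must_change'] ? 'change_required' : 'ok';
}

function change_password(PDO $db, string $email, string $new): void
{
    $db->prepare('UPDATE users SET pass_hash = ?, must_change = 0 WHERE email = ?')
       ->execute([password_hash($new, PASSWORD_DEFAULT), $email]);
}

$temp = reset_password($db, 'user@example.com');        // the value that gets emailed
var_dump(login($db, 'user@example.com', 'old-secret')); // the old password is checked against the new hash
var_dump(login($db, 'user@example.com', $temp));
change_password($db, 'user@example.com', 'chosen-by-user');
var_dump(login($db, 'user@example.com', 'chosen-by-user'));
```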
Re: [PHP-DB] PHP, MySQL and Lookups
Daniel Brown wrote:

> On Tue, Feb 26, 2008 at 8:55 AM, Henry Felton [EMAIL PROTECTED] wrote:
>
>> Hi everyone,
>>
>> I'm just getting into PHP at the moment and was wondering; what code would I need to look at a field value entered in a form, then if that value is found in my table, enter all the other information entered in the form, to the other fields on that record.
>>
>> Basically, what I'm trying to do is give a load of users an individual password that they enter, with various other pieces of information such as year of birth, single/married or whatever, into a form. In MySQL I have a table with three fields, but only the password one has any data in them. A script will then look in the table to find the password entered in the form, and then append all the other information (i.e. data for the other two fields) to the particular record that holds the password value entered.
>
> Henry (AKA: Max),
>
> Try this:
>
> <?php
> include('config.php'); // Your database configuration and connection information
>
> if($_POST) {
>     $dob = mysql_real_escape_string($_POST['dob']);
>     $married = mysql_real_escape_string($_POST['married']);
>     $pass = mysql_real_escape_string($_POST['pass']);
>
>     // When designing the database, call the password field `pass` (without quotes).
>     // The word `password` is a MySQL reserved word and could cause errors.
>
>     $sql = "UPDATE table_name SET dob='".$dob."', married='".$married."' WHERE pass='".$pass."' LIMIT 1";
>     mysql_query($sql) or die("Incorrect password specified. Please try again.");
>
>     // If we've reached here, then we can do whatever we want to acknowledge.
>     // Let's redirect to a thank you page, sending the variables as a GET request
>     // to be parsed by the thank you page script.
>     // The raw form values are URL-encoded here; the SQL-escaped copies are for the query only.
>     header("Location: thankyou.php?dob=".urlencode($_POST['dob'])."&married=".urlencode($_POST['married']));
>     exit;
> }
> ?>
> <form method="post" action="<?=htmlspecialchars($_SERVER['PHP_SELF']);?>">
>     Password: <input type="password" name="pass" /><br />
>     Date of birth (mm/dd/): <input type="text" name="dob" /><br />
>     Status:
>     <input type="radio" name="married" value="Married" />Married
>     <input type="radio" name="married" value="Single" />Single
>     <input type="radio" name="married" value="Widowed" />Widowed
>     <input type="radio" name="married" value="Divorced" />Divorced
>     <input type="radio" name="married" value="Wishing" />Wishing I Was Single<br />
>     <input type="submit" value="Process Now" />
> </form>

Consider this, if you have not already: What if two users happen to have the same password? It is wrong to assume that no two users will never have the same password. Doing an update like that, just based on the password column, is an accident waiting to happen. You should have a uniquely distinguished name or designation for each user, and validate the user and password combination. Also, such a designation should be unique, and keeping entries in a column unique can be enforced with MySQL.

/Tobias
Re: [PHP-DB] No resultset with ocibindbyname
> And here is the output of desc projekte_generisch:
>
> Name     Null?     Type
> PID      NOT NULL  CHAR(8)
> ANFANG   NOT NULL  VARCHAR2(8)
> ENDE               VARCHAR2(8)
> LAENGE   NOT NULL  NUMBER

I believe the problem has to do with your field type for PID. When you run:

    select * FROM projekte_generisch where pid='u0test'

Oracle either autotrims or autopads (I'm not sure which) so that 'u0test' matches PID even though PID has a fixed 8-character length. But when you use bind variables, this doesn't happen. So you'll need to use:

    select * FROM projekte_generisch where trim(pid)=:pid

Or you can change the field definition on PID to varchar2.

I tested this on one of our tables which has a char(4) primary key to verify all this:

    select count(*) from subject_area where subject_area = 'EE';

returns 1. But using a bind variable:

    declare
      v_sa varchar2(10);
      v_count number;
    begin
      v_sa := 'EE';
      select count(*) into v_count from subject_area where subject_area = v_sa;
      dbms_output.put_line(v_count);
    end;

returns a 0.

-Roberto
Re: [PHP-DB] No resultset with ocibindbyname
Hi,

> select * FROM projekte_generisch where trim(pid)=:pid

Thanks Roberto! This solution with trim() works like a charm!

Cheers,
Manuel
Re: [PHP-DB] No resultset with ocibindbyname
Roberto Mansfield wrote:

>> PID      NOT NULL  CHAR(8)
>
> I believe the problem has to do with your field type for PID. When you run:
>
> select * FROM projekte_generisch where pid='u0test'
>
> Oracle either autotrims or autopads (I'm not sure which) so that 'u0test' matches PID even though PID has a fixed 8-character length. But when you use bind variables, this doesn't happen. So you'll need to use:

Hi Roberto,

Well spotted! I can see a minor inconsistency between oci_bind_array_by_name() and the much older oci_bind_by_name() call. You can pass SQLT_AFC (i.e. the CHAR type) to the former but not the latter.

If anyone volunteers to write some test cases I can merge a patch to OCI8 to allow:

    oci_bind_by_name($s, ':bv', $bv, -1, SQLT_AFC);

Chris

--
Christopher Jones, Oracle
Email: [EMAIL PROTECTED]
Tel: +1 650 506 8630
Blog: http://blogs.oracle.com/opal/
Free PHP Book: http://tinyurl.com/f8jad
Re: [PHP-DB] independent session data for multiple browser windows
On Feb 20, 2008, at 11:18 AM, Gary Wardell wrote:

>> They'll be accessing different account records in different windows. I keep track of the current account id in the session data, as well as a number of other account-specific items.
>>
>> Once I was made aware of the multiple-window requirement, and started looking more closely at sessions, it seemed (from the PHP documentation) that I could start a new session, with a different name and id, and that would take care of it. In fact I CAN start sessions with independent names and ids, but their DATA doesn't seem to be completely independent.
>
> Assuming that they are interacting through forms on the pages in the different windows, why not put the UID of the record they are accessing in a hidden field in the form?

Gary,

Thanks for your reply. I'm beginning to think that that's what I'll have to do, although it will be a bit of work to convert.

I'm surprised, though, that sessions aren't better in regards to data integrity. What I'm gathering from looking into this is that it's ok to use sessions, but you shouldn't count on reliable data from them. I don't remember seeing any caveats to that effect in the documentation on sessions, but that seems to be the case. Anyone know differently?

Thanks.

Charles Whitaker
Technical Staff
Open Door Networks
[PHP-DB] SELECT query with multiple WHERE Clause
Hi All,

Thank you for increasing my knowledge about PHP/MYSQL.

I am creating a SEARCH, by only using one table. The search form is same as Inserting item (search has form of all fields in table), difference is SEARCH page doesn't have validation. Therefore user can enter information in any of field. I would like to know how to write a SELECT query which has multiple where clause with OR operator.

shall we write:

    $query = mysql_query("SELECT * from gig WHERE Name='$name' || WHERE gig_fdate='$sdate'");

OR

    $query = mysql_query("SELECT * from gig WHERE gigName='$gig_name' OR WHERE gig_fdate='$sdate'");

OR

    $query = mysql_query("SELECT * from gig WHERE gigName='$gig_name' || gig_fdate='$sdate'");

Regards
Nasreen
Re: [PHP-DB] SELECT query with multiple WHERE Clause
> $query = mysql_query("SELECT * from gig WHERE gigName='$gig_name' OR WHERE gig_fdate='$sdate'");

This one.

I'd suggest you get a book to help you with the basics, something like this should do (first hit in amazon, haven't actually read this particular book):

http://www.amazon.com/Learning-MySQL-Seyed-Saied-Tahaghoghi/dp/0596008643/

There's lots of stuff to learn in sql.

--
Postgresql php tutorials
http://www.designmagick.com/
Re: [PHP-DB] SELECT query with multiple WHERE Clause
In MySQL, both OR and || are valid logical or operators. You can only have one Where clause, thus your last example is correct.

--GREG

On Wed, Feb 27, 2008 at 6:44 PM, Nasreen Laghari [EMAIL PROTECTED] wrote:

> Hi All,
>
> Thank you for increasing my knowledge about PHP/MYSQL.
>
> I am creating a SEARCH, by only using one table. The search form is same as Inserting item (search has form of all fields in table), difference is SEARCH page doesn't have validation. Therefore user can enter information in any of field. I would like to know how to write a SELECT query which has multiple where clause with OR operator.
>
> shall we write:
>
> $query = mysql_query("SELECT * from gig WHERE Name='$name' || WHERE gig_fdate='$sdate'");
>
> OR
>
> $query = mysql_query("SELECT * from gig WHERE gigName='$gig_name' OR WHERE gig_fdate='$sdate'");
>
> OR
>
> $query = mysql_query("SELECT * from gig WHERE gigName='$gig_name' || gig_fdate='$sdate'");
>
> Regards
> Nasreen
Re: [PHP-DB] SELECT query with multiple WHERE Clause
Greg Bowser wrote:

> In MySQL, both OR and || are valid logical or operators. You can only have one Where clause, thus your last example is correct.

Though in postgresql and db2 (and some other dbs) || means concatenate so stick with using the word OR in this situation otherwise you'll run into portability issues if you ever needed to move to another db.

--
Postgresql php tutorials
http://www.designmagick.com/
Re: [PHP-DB] SELECT query with multiple WHERE Clause
On Wed, Feb 27, 2008 at 6:44 PM, Nasreen Laghari [EMAIL PROTECTED] wrote:

> I am creating a SEARCH, by only using one table. The search form is same as Inserting item (search has form of all fields in table), difference is SEARCH page doesn't have validation. Therefore user can enter information in any of field. I would like to know how to write a SELECT query which has multiple where clause with OR operator.

    SELECT * FROM tableName WHERE (colA LIKE '%value%' OR colB='1');

--- more ---

    SELECT fieldA,fieldR,fieldT,fieldX FROM tableName WHERE (colA='value' OR colB LIKE 'Hello%') AND colC='Active';

--
/Dan

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>
Re: [PHP-DB] SELECT query with multiple WHERE Clause
On 27 Feb 2008, at 23:44, Nasreen Laghari wrote:

> Thank you for increasing my knowledge about PHP/MYSQL.

The question you ask below is basic SQL syntax. Please read the MySQL manual before asking here - answers at this level are all in there.

http://mysql.com/doc

Oh, and once you have it working try entering

    ';delete * from gig;select * from gig where Name='

(including quotes) into the gig_name form field. When you get over the loss of all your data go read about sanitising your input: http://php.net/mysql_real_escape_string

-Stut

--
http://stut.net/

> I am creating a SEARCH, by only using one table. The search form is same as Inserting item (search has form of all fields in table), difference is SEARCH page doesn't have validation. Therefore user can enter information in any of field. I would like to know how to write a SELECT query which has multiple where clause with OR operator.
>
> shall we write:
>
> $query = mysql_query("SELECT * from gig WHERE Name='$name' || WHERE gig_fdate='$sdate'");
>
> OR
>
> $query = mysql_query("SELECT * from gig WHERE gigName='$gig_name' OR WHERE gig_fdate='$sdate'");
>
> OR
>
> $query = mysql_query("SELECT * from gig WHERE gigName='$gig_name' || gig_fdate='$sdate'");
>
> Regards
> Nasreen
Re: [PHP-DB] SELECT query with multiple WHERE Clause
    $query = mysql_query("SELECT * from gig WHERE gigName='$gig_name' or gig_fdate='$sdate'");

You can not use more than one WHERE in your sql statement... And SQL accepts OR and AND..

--
Stephen Johnson c | eh
The Lone Coder

http://www.thelonecoder.com
continuing the struggle against bad code

http://www.fortheloveofgeeks.com
I'm a geek and I'm OK!
--

> From: Nasreen Laghari [EMAIL PROTECTED]
> Date: Wed, 27 Feb 2008 15:44:23 -0800 (PST)
> To: php-db@lists.php.net
> Subject: [PHP-DB] SELECT query with multiple WHERE Clause
>
> $query = mysql_query("SELECT * from gig WHERE gigName='$gig_name' || gig_fdate='$sdate'");
Re: [PHP-DB] SELECT query with multiple WHERE Clause
    $query = mysql_query("SELECT * FROM gig WHERE gigName='$gig_name' OR gig_fdate='$sdate'");

You only use the WHERE clause once then use parenthesis, AND and OR to create the logical conditions.

If you have access to the mysql server, maybe through phpMyAdmin or something, I'd highly recommend forming your SQL statements using that, then creating your PHP once you've perfected your SQL.

SQL statements can be very powerful and sometimes dangerous and it's much easier to debug the SQL when you work with it by itself and not have to worry about any PHP issues too.

Assuming your MySQL server is on another server, if you have a Windows machine you can use a program like WinSQL Lite or Navicat to connect to the MySQL server (if it allows remote connections). phpMyAdmin is probably the easiest option though.

-TG

----- Original Message -----
From: Nasreen Laghari [EMAIL PROTECTED]
To: php-db@lists.php.net
Date: Wed, 27 Feb 2008 15:44:23 -0800 (PST)
Subject: [PHP-DB] SELECT query with multiple WHERE Clause

> Hi All,
>
> Thank you for increasing my knowledge about PHP/MYSQL.
>
> I am creating a SEARCH, by only using one table. The search form is same as Inserting item (search has form of all fields in table), difference is SEARCH page doesn't have validation. Therefore user can enter information in any of field. I would like to know how to write a SELECT query which has multiple where clause with OR operator.
>
> shall we write:
>
> $query = mysql_query("SELECT * from gig WHERE Name='$name' || WHERE gig_fdate='$sdate'");
>
> OR
>
> $query = mysql_query("SELECT * from gig WHERE gigName='$gig_name' OR WHERE gig_fdate='$sdate'");
>
> OR
>
> $query = mysql_query("SELECT * from gig WHERE gigName='$gig_name' || gig_fdate='$sdate'");
>
> Regards
> Nasreen
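The single WHERE clause joined with OR that the replies in this thread describe, together with the input handling Stut's reply asks for, as an added example that is not code from any poster. It uses PDO prepared statements in place of `mysql_real_escape_string()`; the in-memory SQLite database, the sample rows and the `search_gigs()` helper are assumptions, while the `gig` table, its columns and the form field names follow the thread.

```php
<?php
// Added example: SQLite in memory stands in for MySQL; the rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gig (gigName TEXT, gig_fdate TEXT)');
$db->exec("INSERT INTO gig VALUES ('Jazz Night', '2008-03-01'),
                                  ('Rock Fest',  '2008-03-15')");

// Build one WHERE clause from whichever search fields were filled in.
// Column names come from a fixed whitelist; user input is only ever bound.
function search_gigs(PDO $db, array $input): array
{
    $allowed = ['gig_name' => 'gigName', 'sdate' => 'gig_fdate']; // form field => column
    $conditions = [];
    $params = [];
    foreach ($allowed as $field => $column) {
        // Ignore missing fields and non-string input such as gig_name[]=x.
        $value = isset($input[$field]) && is_string($input[$field])
            ? trim($input[$field]) : '';
        if ($value !== '') {
            $conditions[] = "$column = ?";
            $params[] = $value;
        }
    }
    if (!$conditions) {
        return [];                        // nothing to search for
    }
    $sql = 'SELECT gigName, gig_fdate FROM gig WHERE '
         . implode(' OR ', $conditions);  // one WHERE, conditions joined with OR
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Either field may be left empty, as on the search form.
print_r(search_gigs($db, ['gig_name' => 'Jazz Night', 'sdate' => '2008-03-15']));

// The string from Stut's reply is bound as a value, so it is only compared
// against gigName and never parsed as SQL.
$hostile = "';delete * from gig;select * from gig where Name='";
print_r(search_gigs($db, ['gig_name' => $hostile]));
echo $db->query('SELECT COUNT(*) FROM gig')->fetchColumn(), " rows still in gig\n";
```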