Re: [PHP] Passwords suddenly not working

2006-11-29 Thread Janet Valade

Dave M G wrote:

> PHP List,
>
> I have a few scripts that have been around for a while. In one, is a
> simple login function:
>
> $query = "SELECT * FROM forum_members WHERE memberName = '" . $username
> . "' AND passwd = MD5('" . $password . "')";
>
> $result = mysql_query($query);
>
> This was working fine, but recently I haven't been able to log in. I
> think the only thing that has changed is that on my hosting service,
> they recently upgraded to PHP 5.1.6. (MySQL is 4.1.21, but I think it's
> been that for quite a while)


Perhaps you have error reporting turned off. Errors or warnings may be 
generated but not displayed. Add the following to the top of your 
program to temporarily see the error messages:


error_reporting(E_ALL);

Also check in php.ini to make sure that

You may also want to see if any MySQL errors are being generated. Try 
the following code:


$result = mysql_query($query)
 or die("Query failed: " . mysql_error());

With this code, if the query fails, the program will stop and an error 
message will be displayed.


You also may want to display $query before you execute it to see what, 
exactly, is being executed.


Janet

> Is there any potential for PHP 5.1.6 to handle things different when it
> comes to MySQL queries, post data, or anything? I thought it might be
> that I still had $HTTP_POST_VARS for some of my variables, but I changed
> them all to $_POST, and it still doesn't work.
>
> I don't get any errors or anything. My own code is not very
> sophisticated for error reporting. But I'm not getting any PHP syntax
> errors of any kind. If I run the SQL code by itself at an SQL command
> prompt, I get results back, so I don't think the SQL is failing.
>
> Are there any gotchas in the upgrade that I might be missing? I can't
> think of anything else that could be a culprit (though of course I'm
> open to suggestions).
>
> Any advice would be much appreciated.
>
> --
> Dave M G
> Ubuntu 6.06 LTS
> Kernel 2.6.17.7
> Pentium D Dual Core Processor
> PHP 5, MySQL 5, Apache 2




--
Janet Valade -- janet.valade.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
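
Janet's checks applied to the login lookup from the question, as an added example in current PHP rather than code from the thread: PDO in exception mode makes a failing query stop with the database's own message, and the debug flag shows the statement and the values that actually reached the script. It assumes the pdo_sqlite extension; the in-memory table, its one row and the find_member() helper are constructed for illustration, and the inputs are bound as parameters instead of being concatenated into the SQL.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension.
error_reporting(E_ALL);
ini_set('display_errors', '1');          // for the debugging session only

$db = new PDO('sqlite::memory:');
// A failing query now throws instead of returning false silently.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed stand-in for the forum_members table from the question.
$db->exec('CREATE TABLE forum_members (memberName TEXT PRIMARY KEY, passwd TEXT)');
$db->prepare('INSERT INTO forum_members VALUES (?, ?)')
   ->execute(['dave', md5('constructed-password')]);

/**
 * Look up a member. md5() mirrors the MD5() column format in the thread
 * and is computed in PHP because SQLite has no MD5() function.
 */
function find_member(PDO $db, $username, $password, $debug = false)
{
    $stmt = $db->prepare(
        'SELECT memberName FROM forum_members
          WHERE memberName = :name AND passwd = :hash'
    );
    // Inputs are bound, not concatenated into the SQL text.
    $stmt->execute([':name' => (string) $username, ':hash' => md5((string) $password)]);
    if ($debug) {
        // "Display the query": the statement, then the values the script received.
        $stmt->debugDumpParams();
        var_dump($username, $password);
    }
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a correct login, then the same login with no
// password value reaching the script.
var_dump(find_member($db, 'dave', 'constructed-password'));
var_dump(find_member($db, 'dave', null, true));

// A query that really fails stops with the database's own message.
try {
    $db->query('SELECT * FROM forum_member');   // misspelled table name
} catch (PDOException $e) {
    echo 'Query failed: ', $e->getMessage(), PHP_EOL;
}
```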



Re: [PHP] Passwords?

2005-03-09 Thread Jochem Maas
Chris W. Parker wrote:
> Jochem Maas mailto:[EMAIL PROTECTED]
> on Sunday, March 06, 2005 5:24 AM said:
>
>> that said you still don't want this file or this string to get into
>> the hands of evilhaxors - best to keep this file (one with the
>> encrypted pwd in it) outside of the docroot.
>
> Why encode it at all then?
> If someone is smart/crafty enough to actually hack the server and gain
> access to the file which contains the password you're trying to protect
> is the least of your problems.

a, make it as hard as possible. do everything you can to make the hack
harder.
b, a webmaster may have perms to admin the server but maybe should not have
access to the 'app' via its interface as a 'super user'
c, it allows you to send a hash of the password over the wire (rather than
not encrypting or encrypting the password on the server) and check that.
d, it sets the bar just high enough (for my clients at least) that nobody
will attempt to try and change the passwd. if it was plaintext then you could
just replace it, if it's a hash then you have to generate a hash in order to
replace the 'super user' pwd.
but yes, if someone 'owns' your box then you have bigger problems :-)

> Chris.


RE: [PHP] Passwords?

2005-03-08 Thread Chris W. Parker
Jochem Maas mailto:[EMAIL PROTECTED]
on Sunday, March 06, 2005 5:24 AM said:

> that said you still don't want this file or this string to get into
> the hands of evilhaxors - best to keep this file (one with the
> encrypted pwd in it) outside of the docroot.

Why encode it at all then?

If someone is smart/crafty enough to actually hack the server and gain
access to the file which contains the password you're trying to protect
is the least of your problems.



Chris.




RE: [PHP] Passwords?

2005-03-06 Thread YaronKh
Hi Rory
  You can use crypt to encode a password, let's say you want the password to be
my password, create a new php file :
 echo crypt("my password");

then you get a unique encoded string something like 'ABC12Fdfi654sdfkfpr67UPL'
copy it and delete the php file

in your password validation file write :

$enc_pass = 'ABC12Fdfi654sdfkfpr67UPL';

if (@crypt($_POST['pass'], $enc_pass) == $enc_pass) {
    /* password is o.k. */
}

Now even if someone will see the php script he won't know your password


Hope I've helped
yaron

-Original Message-
From: rory walsh [mailto:[EMAIL PROTECTED] 
Sent: Sunday, March 06, 2005 1:35 PM
To: php-general@lists.php.net
Subject: [PHP] Passwords?

I want to create a simple as possible password script, how secure is it 
to have the password actually appear in the script? I only need one 
password so I thought that this would be more straightforward than 
having a file which contains the password. I am not using any database. 
Actually this leads me to another question, is there anyway people can 
view your script without having access to your server that is? Cheers,
Rory.




Re: [PHP] Passwords?

2005-03-06 Thread AdamT
On Sun, 06 Mar 2005 11:34:39 +, rory walsh [EMAIL PROTECTED] wrote:
> I want to create a simple as possible password script, how secure is it
> to have the password actually appear in the script? I only need one
> password so I thought that this would be more straightforward than
> having a file which contains the password. I am not using any database.
> Actually this leads me to another question, is there anyway people can
> view your script without having access to your server that is? Cheers,
> Rory.

If the password is stored in between the <? and ?> tags, then it
shouldn't get sent to the browser unless you specifically send it
there.  However, there are sometimes security problems in web servers,
which would mean that attackers were able to see the source of your
script, and therefore the password.  For example: files called .php
might get processed properly, but if the attacker requests
filename.PHP, it might just send him the file in plain text.
Best thing is to use 'include' or 'require' to get the password from
another file which doesn't sit on a part of the filesystem that's
accessible over the web.  Or, you could password-protect the script
you're including with .htpasswd / .htaccess protection.

-- 
AdamT
Justify my text?  I'm sorry, but it has no excuse.
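
The approach this thread settles on (store only a hash, keep it in a file outside the web root, pull it in with require), as an added example using PHP's current password functions; it is not code from any of the posters. The temporary file stands in for the out-of-docroot file, and load_hash(), password_ok() and password_ok_crypt() are hypothetical helper names.

```php
<?php
// Added example, not code from the thread. Needs PHP 5.6+ (password_hash, hash_equals).

// Constructed stand-in for a file kept outside the document root
// (on a real host something like /home/site/private/admin_hash.php, a hypothetical path).
$hashFile = tempnam(sys_get_temp_dir(), 'pw');
// One-off step, normally run once from the command line: hash the password.
$hash = password_hash('my password', PASSWORD_BCRYPT);
file_put_contents($hashFile, '<?php return ' . var_export($hash, true) . ';');

/** Load the stored hash; a missing or damaged file yields null. */
function load_hash($hashFile)
{
    if (!is_readable($hashFile)) {
        return null;
    }
    $stored = require $hashFile;
    return (is_string($stored) && $stored !== '') ? $stored : null;
}

/** Preferred check: salted hash, constant-time comparison. */
function password_ok($submitted, $hashFile)
{
    $stored = load_hash($hashFile);
    return $stored !== null && password_verify((string) $submitted, $stored);
}

/** The thread's crypt() comparison, with == replaced by hash_equals(). */
function password_ok_crypt($submitted, $hashFile)
{
    $stored = load_hash($hashFile);
    return $stored !== null
        && hash_equals($stored, (string) crypt((string) $submitted, $stored));
}

// In a login script $attempt would be $_POST['pass']; these values are constructed.
foreach (['my password', 'My password', ''] as $attempt) {
    printf(
        "%-16s verify=%s crypt=%s\n",
        var_export($attempt, true),
        var_export(password_ok($attempt, $hashFile), true),
        var_export(password_ok_crypt($attempt, $hashFile), true)
    );
}

// Exercise the fail-closed path: the hash file no longer exists.
unlink($hashFile);
var_dump(password_ok('my password', $hashFile));
```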




Re: [PHP] Passwords?

2005-03-06 Thread Jochem Maas
[EMAIL PROTECTED] wrote:
> Hi Rory
>   You can use crypt to encode a password, let's say you want the password to be my
> password, create a new php file :
>  echo crypt("my password");
> then you get a unique encoded string something like 'ABC12Fdfi654sdfkfpr67UPL'
> copy it and delete the php file
>
> in your password validation file write :
>
> $enc_pass = 'ABC12Fdfi654sdfkfpr67UPL';
> if (@crypt($_POST['pass'], $enc_pass) == $enc_pass) {
>     /* password is o.k. */
> }

I use the same technique to provide a 'superuser' login to intranets/cms -
a login which nobody can change/break (+ it works even if lots of stuff is
broken because it only relies on a hardcoded string).
personally I use sha1() iso of crypt() - no idea which is better.
that said you still don't want this file or this string to get into the hands
of evilhaxors - best to keep this file (one with the encrypted pwd in it)
outside of the docroot.

> Now even if someone will see the php script he won't know your password
> Hope I've helped
> yaron
> -Original Message-
> From: rory walsh [mailto:[EMAIL PROTECTED]
> Sent: Sunday, March 06, 2005 1:35 PM
> To: php-general@lists.php.net
> Subject: [PHP] Passwords?
>
> I want to create a simple as possible password script, how secure is it
> to have the password actually appear in the script? I only need one
> password so I thought that this would be more straightforward than
> having a file which contains the password. I am not using any database.
> Actually this leads me to another question, is there anyway people can
> view your script without having access to your server that is? Cheers,
> Rory.



Re: [PHP] Passwords?

2005-03-06 Thread rory walsh
Cheers, I'll give your suggestions a go.


Re: [PHP] Passwords?

2005-03-06 Thread Jason Wong
On Sunday 06 March 2005 21:03, AdamT wrote:

> If the password is stored in between the <? and ?> tags, then it
> shouldn't get sent to the browser unless you specifically send it
> there.

For *any* php code it is best to use <?php ?> tags. These tags will work
on *all* php enabled webservers. The short tags <? ?> is an optional
setting on the webserver and hence may not be enabled in which case your
code *will* be displayed as-is.

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
New Year Resolution: Ignore top posted posts




Re: [PHP] Passwords and SSH port forwarding (was: Alternative to phpMyAdmin)

2001-07-13 Thread Hank Marquardt

Works just fine ... as does postgres --

ssh -N -2 -f -C -c blowfish -L3306:yourdatabase.server.here:3306 [EMAIL PROTECTED]

or the other usual tricks work too ... like going through a firewall (fyi ... clear
text on the *other* side of the firewall):

ssh -N -2 -f -C -c blowfish -L3306:db_behind_thefirewall:3306 [EMAIL PROTECTED]

The only oddity is that you will have to use the local host *address* 127.0.0.1 to 
connect from the mysql client as it normally looks for a local socket if you use 
'localhost', so your connection will be:

mysql -h 127.0.0.1

for postgres examples, change the port numbers (3306) to 5432



On Fri, Jul 13, 2001 at 06:39:51PM -0400, Egan wrote:
> On Fri, 13 Jul 2001 12:28:37 -0400, Matthew Loff [EMAIL PROTECTED]
> wrote:
>
> > Does mysql-front encrypt the password before it travels the net?
>
> It does support the compressed client/server protocol, which would make
> it harder to intercept-- but encryption is not an option yet on the
> client.
>
> I don't suppose there's any way on Win32 to use an SSH tunnel, is there?
>
>
> I use SSH port forwarding to protect FTP passwords into my server.
> Getting FTP to work with SSH port forwarding was more tricky than POP
> or SMTP, but it can be done.  Also, the FTP server itself can be an
> obstacle to making it work, depending on how it's configured.
>
> Funny that, after figuring it out the first time, now it doesn't seem
> so tricky after all.
>
> It might work with MySQL, but I have not tried it.
>
> Egan

-- 
Hank Marquardt [EMAIL PROTECTED]
http://web.yerpso.net

Web & Database Development in PHP, MySQL/PostgreSQL
Small Office Networking Solutions - Debian GNU/Linux & FreeBSD
PHP Instructor - HTML Writers Guild http://www.hwg.org
*** PHP II The Cool Stuff starts July 16, 2001
*** http://www.hwg.org/services/classes/p181.1.html


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




RE: [PHP] Passwords and SSH port forwarding (was: Alternative to phpMyAdmin)

2001-07-13 Thread Matthew Loff



Excellent tip, Hank!  I didn't know SSH tunneling was that easy, I
haven't had the necessity to use SSH at all yet.






RE: [PHP] Passwords?

2001-05-23 Thread Boget, Chris

> I have some field error checking going on ... and when a user
> (say) doesn't fill in a field correctly, my error page comes up telling
> them.  They then must click on their browsers back button
> and make the changes.
> Now -- I have a password field, and when they click back,
> they are forced to re-enter their password -- this is annoying.
> My questions are:
> 1. Is there a way to make this stop happening?
> 2. Instead of the user clicking on their browsers back
> button, can I add a
> URL that provides the same functionality -- that will work in IE
> and Netscape?

Why don't you have the form do its own error checking.  That
way, if there are errors, the form displays again and you won't
lose any values...

Chris



RE: [PHP] Passwords?

2001-05-22 Thread Chadwick, Russell


This link
<a href="javascript:history.go(-1)">Back</a>
will work on javascript enabled machines...
the truly failsafe way is to stuff their data in a session or in the
database and pass an id back to the original script.
You can also make your form to fill out a separate file, which your first
script includes, and if there is a data error just include it in the second
script and make sure all your form fields have something like <input
type="text" name="password" value="$password">

---
Toolshed Computer Productions - Professional PHP Hosting
 Hosting - Dedicated Servers - Design - Programming
 http://www.toolshed51.com

-Original Message-
From: Jason Caldwell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 22, 2001 3:28 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Passwords?


I have some field error checking going on ... and when a user (say) doesn't
fill in a field correctly, my error page comes up telling them.  They then
must click on their browsers back button and make the changes.

Now -- I have a password field, and when they click back, they are forced to
re-enter their password -- this is annoying.

My questions are:

1. Is there a way to make this stop happening?
2. Instead of the user clicking on their browsers back button, can I add a
URL that provides the same functionality -- that will work in IE and
Netscape?

Thanks
Jason








Re: [PHP] Passwords?

2001-05-22 Thread Andreas D. Landmark

At 22.05.2001 23:27, you wrote:
> I have some field error checking going on ... and when a user (say) doesn't
> fill in a field correctly, my error page comes up telling them.  They then
> must click on their browsers back button and make the changes.
>
> Now -- I have a password field, and when they click back, they are forced to
> re-enter their password -- this is annoying.
>
> My questions are:
>
> 1. Is there a way to make this stop happening?
> 2. Instead of the user clicking on their browsers back button, can I add a
> URL that provides the same functionality -- that will work in IE and
> Netscape?


echo "<a href=\"".$HTTP_REFERER."\">back</a>";

Should work in IE and Netscape, however not all browsers pass a REFERER
so you might be left with a dead link...



-- 
Andreas D Landmark / noXtension
An Englishman never enjoys himself, except for a noble purpose.
 -- A. P. Herbert

