Query creating unexpected results (sha1)

I have a form for updating user data. It posts to this page:

    <?php
    // Update user table
    session_start();
    include 'sql_connect_R.inc.php';

    $id = mysql_real_escape_string($_POST['userID']);
    $password = mysql_real_escape_string($_POST['user_passwrd']);
    $salt = time();
    $hash = sha1($password . $salt);
    mysql_query("UPDATE users SET user_passwrd = '$hash', stamp = '$salt', pending = 'yes' WHERE userID = '$id'");
    mysql_close($con);
    ?>

(I edited out things not related to this question)

I believe what happens is that when the stamp field is filled with $salt, it gets a different value than when $hash is calculated. Therefore, when a user registers and checks here:

    $qry = "SELECT * FROM users WHERE userlogin = '$login' AND user_passwrd = sha1(CONCAT('$password', stamp))";
    $result = mysql_query($qry);
    $row = mysql_fetch_assoc($result);
    $num = mysql_num_rows($result);

When I return $num, it returns 0. I wonder if there is a way to guarantee that the value of $salt remains unchanged between when it is used in $hash and when it updates the stamp field. Can someone help me with this or point me in the right direction? Thanks in advance. Greetings

+6
3 answers

Thanks for all the comments. I want to report that I "solved" the problem. I once changed the name of the password input field and forgot to change the $_POST key. Of course, this did not provide the $password value for $hash. Although I am confused by this, I think it is important for me to share my oversight in order to show how important it is to check ALL places where errors can occur. I could not double check everything and made incorrect assumptions about the nature of the problem. The code worked just fine, it was a loose screw in front of the keyboard that caused problems. Greetings

0

More ideas, so I changed my comment in response ...

It is worth noting that you use the PHP SHA1 function when storing, but MySQL's when retrieving. They should be the same, but first of all I would like to debug this. Try using the MySQL sha function to store the hash, or get a record based on the login and read the salt and its hash in PHP to compare.

How do you keep a timestamp? Is it possible that it was converted / rounded / trimmed / processed as a date string in some way? To test the health, take the line that you pass to the sha1 function and make sure that they are identical.

In addition to your comment, can you post a schema for the corresponding fields in the table?

+1
source
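The check suggested in the answer above (fetch the record by login, then rebuild the hash in PHP and compare), as an added example that is not part of the original thread. It also reports the empty-password case that the asker later identified as the cause. It assumes PHP 7+ with the pdo_sqlite extension; `store()`, `diagnose()`, the in-memory table and the sample rows are constructed for illustration.

```php
<?php
// Added example, not the poster's code. Column names follow the question
// (userlogin, user_passwrd, stamp); all rows below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userlogin TEXT, user_passwrd TEXT, stamp TEXT)');

// Store a row the way the update page does: sha1(password . salt).
function store(PDO $db, string $login, string $password, string $salt): void
{
    $stmt = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
    $stmt->execute([$login, sha1($password . $salt), $salt]);
}

// Hypothetical helper: fetch by login only, rebuild the hash in PHP and
// say which input disagrees instead of just returning zero rows.
function diagnose(PDO $db, string $login, string $password): string
{
    $stmt = $db->prepare('SELECT user_passwrd, stamp FROM users WHERE userlogin = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'no row for this login';
    }
    $stored = $row['user_passwrd'];
    $salt   = (string) $row['stamp'];
    if (hash_equals($stored, sha1($password . $salt))) {
        return 'match';
    }
    if (hash_equals($stored, sha1($salt))) {
        // sha1('' . $salt): the password was empty when the hash was stored,
        // e.g. the $_POST key did not match the form field name.
        return 'stored hash was built from an empty password';
    }
    return 'mismatch: wrong password, or stamp differs from the salt that was hashed';
}

$salt = (string) time();
store($db, 'alice', 'correct horse', $salt);                          // field name matched
store($db, 'bob', (string) ($_POST['old_field_name'] ?? ''), $salt);  // key missing

foreach ([['alice', 'correct horse'], ['bob', 'hunter2'], ['alice', 'nope']] as [$l, $p]) {
    printf("%-6s %s\n", $l, diagnose($db, $l, $p));
}
```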

You are doing your requests wrong. You need to concatenate the variables in a string and DO NOT use single quotes. Use the quote to the left of your 1 key. This is what most MySQL read requests do. Example:

    <?php
    // Update user table
    session_start();
    include 'sql_connect_R.inc.php';

    $id = mysql_real_escape_string($_POST['userID']);
    $password = mysql_real_escape_string($_POST['user_passwrd']);
    $salt = time();
    $hash = sha1($password . $salt);
    mysql_query("UPDATE `users` SET `user_passwrd` = '".$hash."', `stamp` = '".$salt."', `pending` = 'yes' WHERE `userID` = '".$id."'");
    mysql_close($con);
    ?>

    $qry = "SELECT * FROM `users` WHERE `userlogin` = '".$login."' AND `user_passwrd` = sha1(CONCAT('".$password."', `stamp`))";
    $result = mysql_query($qry);
    $row = mysql_fetch_assoc($result);
    $num = mysql_num_rows($result);

This small change should help. Sometimes db can be a little touchy. Hope this helps.

-1

Source: https://habr.com/ru/post/901767/

