In my mysql database, I've stored all the passwords using the PASSWORD()
function. Now I'm running a test and need to compare the password in my php
document to that saved in the database. I used the string
"Select name From users Where password = PASSWORD('$testPass')"
and ran mysql_query() using the string. But nothing was returned. So I
decided to run a test and try to change a password from my php page using
the string
Update users Set password = PASSWORD('$newPass') Where name = 'userName1'"
and it works fine. My database is updated properly. So my question is, why
can't I find a match using the PASSWORD function, but can still update my
table?
11  3677 
On Sat, 14 Aug 2004 22:12:24 GMT, "John Victor" <wi******@pacbell.net> wrote: In my mysql database, I've stored all the passwords using the PASSWORD()
function. Now I'm running a test and need to compare the password in my php
document to that saved in the database. I used the string
"Select name From users Where password = PASSWORD('$testPass')"
and ran mysql_query() using the string. But nothing was returned.
OK - what's in the table? What's in $testPass? Something must not match up...
So I
decided to run a test and try to change a password from my php page using
the string
Update users Set password = PASSWORD('$newPass') Where name = 'userName1'"
and it works fine. My database is updated properly. So my question is, why
can't I find a match using the PASSWORD function, but can still update my
table?
There's no connection between the two queries, so why shouldn't you be able to
update the table by the name field if the password field doesn't match your
expectations?
--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
The fields, and variables, all just hold strings. The problem is that I'm
unable to check the password someone has typed against the encrypted
password in the table, yet I can somehow use the encrypted password to make
changes to a table.
--
John
"Andy Hassall" <an**@andyh.co.uk> wrote in message
news:8i********************************@4ax.com... On Sat, 14 Aug 2004 22:12:24 GMT, "John Victor" <wi******@pacbell.net>
wrote:In my mysql database, I've stored all the passwords using the PASSWORD()
function. Now I'm running a test and need to compare the password in my
phpdocument to that saved in the database. I used the string
"Select name From users Where password = PASSWORD('$testPass')"
and ran mysql_query() using the string. But nothing was returned.
OK - what's in the table? What's in $testPass? Something must not match
up... So I
decided to run a test and try to change a password from my php page using
the string
Update users Set password = PASSWORD('$newPass') Where name =
'userName1'"
and it works fine. My database is updated properly. So my question is,
whycan't I find a match using the PASSWORD function, but can still update my
table?
There's no connection between the two queries, so why shouldn't you be
able to update the table by the name field if the password field doesn't match
your expectations?
--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
In article <c7*****************@newssvr27.news.prodigy.com> , John
Victor <wi******@pacbell.net> wrote: "Select name From users Where password = PASSWORD('$testPass')"
and ran mysql_query() using the string. But nothing was returned. So I
decided to run a test and try to change a password from my php page using
the string
Just a shot in the dark here and not the greatest solution, but I was
wondering what would happen if you broke things up into 2 SQL calls or
backticked your column names?
$str2Check = 'foobar';
$s_pass = "SELECT password('${str2Check}')";
$s_sql = "SELECT `name` FROM `users` WHERE `password` = '${s_pass}' ";
--
Koncept <<
"The snake that cannot shed its skin perishes. So do the spirits who are
prevented from changing their opinions; they cease to be a spirit."
-Nietzsche
On Sun, 15 Aug 2004 04:34:20 GMT, "John Victor" <wi******@pacbell.net> wrote: In my mysql database, I've stored all the passwords using the PASSWORD()
function. Now I'm running a test and need to compare the password in my
php document to that saved in the database. I used the string
"Select name From users Where password = PASSWORD('$testPass')"
and ran mysql_query() using the string. But nothing was returned.
OK - what's in the table? What's in $testPass? Something must not match
up...
So I
decided to run a test and try to change a password from my php page using
the string
Update users Set password = PASSWORD('$newPass') Where name =
'userName1'"
and it works fine. My database is updated properly. So my question is,
why
can't I find a match using the PASSWORD function, but can still update my
table?
There's no connection between the two queries, so why shouldn't you be
able to update the table by the name field if the password field doesn't match
your expectations?
The fields, and variables, all just hold strings. The problem is that I'm
unable to check the password someone has typed against the encrypted
password in the table,
Which is why I asked for examples of the contents of the variables and the
table...
yet I can somehow use the encrypted password to make
changes to a table.
Where did you demonstrate this? Your second query simply matched on the name
field, it didn't use the encrypted password anywhere in the WHERE clause.
Somewhere in your code your password variables must be holding the wrong
values, since the approach you are taking is certainly valid, e.g.:
mysql> insert into users values ('andy', password('blah'));
Query OK, 1 row affected (0.01 sec)
mysql> select * from users where password = password('blah');
+------+------------------+
| name | password |
+------+------------------+
| andy | 652f9c175d1914f9 |
+------+------------------+
1 row in set (0.01 sec)
--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
> Somewhere in your code your password variables must be holding the wrong values, since the approach you are taking is certainly valid, e.g.:
mysql> insert into users values ('andy', password('blah'));
Query OK, 1 row affected (0.01 sec)
mysql> select * from users where password = password('blah');
+------+------------------+
| name | password |
+------+------------------+
| andy | 652f9c175d1914f9 |
+------+------------------+
1 row in set (0.01 sec)
--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
I've tried something a little different. For clarity I removed the
variables. I was able to change a field using this statment:
Update users Set name = 'John1' Where PASSWORD('userPass')
But trying to select that field using the password function failed:
Select name From users Where password = PASSWORD('userPass')
Now, I've just noticed an error I made in the update query. It should say
Where password = PASSWORD('userPass') but I left out password =. Funny
thing is, when I fix the statement, it no longer works in my php page or as
a query when running mysql from the shell.
This is frying my brain.
--
John
On Sun, 15 Aug 2004 18:19:04 GMT, "John Victor" <wi******@pacbell.net> wrote: Somewhere in your code your password variables must be holding the wrong
values, since the approach you are taking is certainly valid, e.g.:
mysql> insert into users values ('andy', password('blah'));
Query OK, 1 row affected (0.01 sec)
mysql> select * from users where password = password('blah');
+------+------------------+
| name | password |
+------+------------------+
| andy | 652f9c175d1914f9 |
+------+------------------+
1 row in set (0.01 sec)
I've tried something a little different. For clarity I removed the
variables. I was able to change a field using this statment:
Update users Set name = 'John1' Where PASSWORD('userPass')
Why are you changing the name for a user now, I thought you were trying to set
the password?
PASSWORD('userPass') is alway true, so you've now either:
(a) Trashed your table - everyone will have name John1
(b) Ignored an error - because that should have caused a key violation
If (a) then your table's design is wrong, since you seem to be using name as a
key value, so it should be set as a key in the table.
If (b) you're making your life far more difficult than it need be if you're
ignoring errors.
But trying to select that field using the password function failed:
Select name From users Where password = PASSWORD('userPass')
You didn't set it to PASSWORD('userPass'), so again there's no demonstrated
reason why it should return anything.
Now, I've just noticed an error I made in the update query. It should say
Where password = PASSWORD('userPass') but I left out password =.
Ah ha.
Funny
thing is, when I fix the statement, it no longer works in my php page or as
a query when running mysql from the shell.
"No longer works" in what way?
Again, what's in your table? Show some examples of real data. Show some sample
code. etc.
--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
On Sun, 15 Aug 2004 18:19:04 GMT, John Victor <wi******@pacbell.net> wrote: Somewhere in your code your password variables must be holding the
wrong
values, since the approach you are taking is certainly valid, e.g.:
mysql> insert into users values ('andy', password('blah'));
Query OK, 1 row affected (0.01 sec)
mysql> select * from users where password = password('blah');
+------+------------------+
| name | password |
+------+------------------+
| andy | 652f9c175d1914f9 |
+------+------------------+
1 row in set (0.01 sec)
--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
I've tried something a little different. For clarity I removed the
variables. I was able to change a field using this statment:
Update users Set name = 'John1' Where PASSWORD('userPass')
But trying to select that field using the password function failed:
Select name From users Where password = PASSWORD('userPass')
Now, I've just noticed an error I made in the update query. It should
say
Where password = PASSWORD('userPass') but I left out password =. Funny
thing is, when I fix the statement, it no longer works in my php page or
as
a query when running mysql from the shell.
This is frying my brain.
I suggest that you convert password into a md5 hash and save the hash into
database. When selecting, use md5($password) in query. Such as $query =
"SELECT * FROM users WHERE password = '" . md5($password) . "'";
--
Jari Lehtinen http://www.jarilehtinen.net
On Sun, 15 Aug 2004 21:42:42 +0300, Jari Lehtinen
<jari@--no-spam--jarilehtinen.net> wrote: On Sun, 15 Aug 2004 18:19:04 GMT, John Victor <wi******@pacbell.net>
wrote:
Somewhere in your code your password variables must be holding the
wrong
values, since the approach you are taking is certainly valid, e.g.:
mysql> insert into users values ('andy', password('blah'));
Query OK, 1 row affected (0.01 sec)
mysql> select * from users where password = password('blah');
+------+------------------+
| name | password |
+------+------------------+
| andy | 652f9c175d1914f9 |
+------+------------------+
1 row in set (0.01 sec)
--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
I've tried something a little different. For clarity I removed the
variables. I was able to change a field using this statment:
Update users Set name = 'John1' Where PASSWORD('userPass')
But trying to select that field using the password function failed:
Select name From users Where password = PASSWORD('userPass')
Now, I've just noticed an error I made in the update query. It should
say
Where password = PASSWORD('userPass') but I left out password =. Funny
thing is, when I fix the statement, it no longer works in my php page
or as
a query when running mysql from the shell.
This is frying my brain.
I suggest that you convert password into a md5 hash and save the hash
into database. When selecting, use md5($password) in query. Such as
$query = "SELECT * FROM users WHERE password = '" . md5($password) . "'";
Forgot to mention. For improved security, add a extra string when hashing,
such as:
md5($password . '398th34ghf73fHG') so it'll be harder to crack.
--
Jari Lehtinen http://www.jarilehtinen.net
The user table I'm testing right now is very simple. It only has two
fields: name and password. Example values would be 'John' and '266a88fc2c'
(which is the result of PASSWORD('pword101')).
The two tasks I now want to accomplish in the test is to simply find a name
using the PASSWORD() function, as well as find a name and change the
password. (This is just testing, it doesn't have to make sense in the real
world.)
But neither of my queries are working:
"Select name From users Where password = PASSWORD('pword101')"
"Update users Set password = PASSWORD('pword202') Where name = 'John'"
__________
John
On Mon, 16 Aug 2004 22:26:41 GMT, "John Victor" <wi******@pacbell.net> wrote: The user table I'm testing right now is very simple. It only has two
fields: name and password. Example values would be 'John' and '266a88fc2c'
(which is the result of PASSWORD('pword101')).
At last some example data!
'266a88fc2c' is not the result of PASSWORD('pword101').
mysql> select password('pword101');
+----------------------+
| password('pword101') |
+----------------------+
| 266a88fc2c3cb949 |
+----------------------+
1 row in set (0.00 sec)
This is on MySQL 4.0.18.
Have you chosen a column type that it too short to contain the password value?
The two tasks I now want to accomplish in the test is to simply find a name
using the PASSWORD() function, as well as find a name and change the
password. (This is just testing, it doesn't have to make sense in the real
world.)
But neither of my queries are working:
"Select name From users Where password = PASSWORD('pword101')"
"Update users Set password = PASSWORD('pword202') Where name = 'John'"
In an earlier post I demonstrated that this approach does work, provided you
use a long enough column.
In any case, looking through the manual to find the length of string that
PASSWORD produces finds the following warning:
"Note: The PASSWORD() function is used by the authentication system in MySQL
Server, you should not use it in your own applications. For that purpose, use
MD5() or SHA1() instead. Also see RFC 2195 for more information about handling
passwords and authentication securely in your application."
So, see the manual for appropriate column lengths for either MD5 or SHA1.
--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
Thank you. That was the problem. My password field was too short. I
thought I was doing the query correctly. I'm so glad it was just a simple
database problem, and I wasn't losing my mind. And thanks for the PASSWORD
note. I'm going to use either md5 or sha1 instead.
John
"Andy Hassall" <an**@andyh.co.uk> wrote in message
news:5b********************************@4ax.com... On Mon, 16 Aug 2004 22:26:41 GMT, "John Victor" <wi******@pacbell.net>
wrote:The user table I'm testing right now is very simple. It only has two
fields: name and password. Example values would be 'John' and
'266a88fc2c'(which is the result of PASSWORD('pword101')).
At last some example data!
'266a88fc2c' is not the result of PASSWORD('pword101').
mysql> select password('pword101');
+----------------------+
| password('pword101') |
+----------------------+
| 266a88fc2c3cb949 |
+----------------------+
1 row in set (0.00 sec)
This is on MySQL 4.0.18.
Have you chosen a column type that it too short to contain the password
value?The two tasks I now want to accomplish in the test is to simply find a
nameusing the PASSWORD() function, as well as find a name and change the
password. (This is just testing, it doesn't have to make sense in the
realworld.)
But neither of my queries are working:
"Select name From users Where password = PASSWORD('pword101')"
"Update users Set password = PASSWORD('pword202') Where name = 'John'"
In an earlier post I demonstrated that this approach does work, provided
you use a long enough column.
In any case, looking through the manual to find the length of string that
PASSWORD produces finds the following warning:
"Note: The PASSWORD() function is used by the authentication system in
MySQL Server, you should not use it in your own applications. For that purpose,
use MD5() or SHA1() instead. Also see RFC 2195 for more information about
handling passwords and authentication securely in your application."
So, see the manual for appropriate column lengths for either MD5 or SHA1.
--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Sharif Tanvir Karim |
last post by:
Can anyone send me a php.ini file that is used by almost by all hosts? My
damn computer's (winxp) mini server is messed up and I am starting over so I
am trying ot get php to behave on my system....
|
by: Philip D Heady |
last post by:
Hi, I'm validating a simple form for input via post ($PHP_SELF). Near the
end I check for username and password. I'm using simple if, elseif, else
statements.
I require them to enter password...
|
by: Ville Mattila |
last post by:
Hello readers,
I'm trying to install the latest PHP4 version from the scratch. The
configure string is following:
../configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql
--with-curl...
|
by: aars |
last post by:
Hello all,
I am creating a user administration system where system administrator
can activate services for a user, like webspace, a mail account or a
subdomain.
I now want to create a...
|
by: chuy |
last post by:
Is there a way to recover a lost password in Mysql 4.1. I have seen many
articles and howto's on how to kill the Mysql process and then restart using
skip grant tables option. I am not trying to...
|
by: MLH |
last post by:
I'm supposed to set a password for the MySQL root user. The output of
mysql_install_db instructed me to run the following commands...
/usr/bin/mysqladmin -u root -h appserver password mynwewpasswd...
|
by: vinokarthi |
last post by:
Hi,
I couldn't connect mysql & php.I tried with many query,but no use.
If I run php,the page is blank.
I think I have problem with to create user & password in mysql.
Plz help to connect...
|
by: mktita |
last post by:
// this is a custom validator control tocheck username or password is correct or not
protected void CVC_ServerValidate(object source, ServerValidateEventArgs args)
{
string...
|
by: geetamadhavi |
last post by:
Hi All,
I have developed a php applciaiton where a new window is opening on checking the whether valid user orntot how to make that in same window after checking i have die(' not valid user ' ); i...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
| |
