By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
429,116 Members | 1,319 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 429,116 IT Pros & Developers. It's quick & easy.

Insert into db using keys and MD5

P: 2
hI all,
Am hoping someone can point me in the right direction here. I have some basic code that I used to add staff members to my db with. Now I am wanting to secure the password using MD5 and am stuck terribly here,
I have a file called config.inc.php and the contents are:
Expand|Select|Wrap|Line Numbers
  1. <?php
  2.     $salt="somegreatstuff";
  3. //captcha
  4.         $publickey = "6LctuMgSAAAAADBvul3A-jipON8SydIBK3S67gdR";
  5.         $privatekey = "6LctuMgSAAAAAHM54D2yt0HX1iaIpz1Yv6Inq2nG";
  6. ?>
I include this file in my "addstaff.php" file but cannot get the password into the db in MD5 format. Everything gets inserted and my var_dump shows the password being inserted as text.
This is my current code and hope someone can show me my error which I think is around lines 18&19. Those 2 lines are code I borrowed from another of my files that use keys in the insert. As my knowledge is still very basic in php I have come unstuck...I tried placing those two line around line 31 and then on "submit" my var_dump reports that the column called "password" was being submitted twice..

Expand|Select|Wrap|Line Numbers
  1. <?php
  2.   include '../dbfunctions.php';
  3.   include '../config.inc.php';
  4.   session_start();
  5.   $link = dbConnect();
  6.  
  7.   checkStaffLogin();
  8.  
  9. $staffs = dbGetRows("staff", "id = '".$_SESSION['stid']."'");
  10. $staff = mysql_fetch_array($staffs, MYSQL_ASSOC);
  11. echo $stid;
  12. echo $staff['surname'];
  13. $coid = $staff['company_id'];
  14.  
  15.   if( isset($_POST['Submit']) ) {
  16.     $keys = "";
  17.     $values = "";
  18.     if($k=="password")
  19.     $v=md5($v.$salt);
  20.  
  21.     foreach($_POST as $k => $v) {
  22.       if( $k != "Submit" ) {
  23.         if( $keys == "" ) $keys = "`".$k."`"; else $keys .= ", `".$k."`";
  24.         if( $values == "" ) $values = "'".$v."'"; else $values .= ", '".$v."'";
  25.  
  26.       }
  27.     }
  28.  
  29.     $keys .= ", `dateadded`";
  30.     $values .= ", '".date("Y-m-d")."'";
  31.  
  32.  
  33.     $unamecheckresult = dbGetRows("staff", "username = '".$_POST['username']."'");
  34.  
  35.     $errorcode = "0";
  36.     if( mysql_num_rows($unamecheckresult) > 0 ) $errorcode = "1";
  37.     if( $_POST['username'] == "" ) $errorcode = "2";
  38.     if( $_POST['password'] == "" ) $errorcode = "3";
  39.  
  40.     $query = "INSERT INTO staff (".$keys.") VALUES (".$values.");";
  41.     if( mysql_num_rows($unamecheckresult) == 0 && $_POST['username'] != "" && $_POST['password'] != "") $result = mysql_query($query, $link) or die("Query failed : ".    $query."<br>". mysql_error());
  42.     var_dump ($query);
  43.  
  44.   } 
  45.  
  46. ?>
  47. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
  48. <html>
  49. <head>
  50. <title>Add Staff Member</title>
  51. <link rel="shortcut icon" type="image/x-icon" href="../images/favicon.ico">
  52. <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  53. <link href="../bb.css" rel="stylesheet" type="text/css">
  54. <script src="../usableforms1.js"></script>
  55. </head>
  56.  
  57. <body onLoad="prepareForm()">
  58. <table width="80%" border="0" cellspacing="0" cellpadding="0" align="center">
  59.   <tr> 
  60.     <td width="23"><img src="http://bytes.com/submit/images/brdr-tl.gif"></td>
  61.     <td width="0*" background="../images/brdr-t2.gif" style="background-repeat: repeat-x;"></td>
  62.     <td width="23"><img src="http://bytes.com/submit/images/brdr-tr.gif"></td>
  63.   </tr>
  64.   <tr> 
  65.     <td rowspan="2" valign="top" background="../images/brdr-l2-repeat.gif" style="background-repeat: repeat-y; background-position: left;"><img src="http://bytes.com/submit/images/brdr-l2.gif" width="23" <?php if(strpos($_SERVER['HTTP_USER_AGENT'], "MSIE") == 0) echo "style=\"height: 100%\""; ?>></td>
  66.     <td valign="top"><table width="100%" border="0" cellspacing="0" cellpadding="0">
  67.         <tr> 
  68.           <td width="174" height="81" align="center"><img src="http://bytes.com/submit/images/zululogo.gif" width="159" height="61"></td>
  69.           <td width="626" align="right" valign="bottom"><input type="button" name="Cancel2" value="Cancel" onClick="window.close(); opener.location.reload(true);"></td>
  70.         </tr>
  71.       </table>
  72.       <a href="javascript:;" onClick="if( document.getElementById('advancedbox').style.display == 'block' ) document.getElementById('advancedbox').style.display = 'none'; else document.getElementById('advancedbox').style.display = 'block';"><font size="3"><b> 
  73.       </b></font></a> <table width="100%" border="0" cellspacing="0" cellpadding="3" style="border: 1px solid #BBBBBB;">
  74.         <tr> 
  75.           <td bgcolor="#F5F5F5"><font size="3" color="#880000"><b><?php echo $company['coname']; ?>:&nbsp;Add Staff Member</b></font> </a></td>
  76.         </tr>
  77.       </table>
  78.       <br> 
  79.       <?php 
  80.   if(isset($_POST['Submit'])) {
  81.    switch( $errorcode ) {
  82.      case "0":
  83.         echo "Staff Member Succesfully Added.<br><br>
  84.             <a href=\"javascript:;\" onClick=\"window.close(); opener.location.reload(true)\">[CLOSE WINDOW]</a><br> <br> 
  85.             <td valign=\"top\" background=\"../images/brdr-r2-repeat.gif\" style=\"background-repeat: repeat-y; background-position: right;\"><img src=\"../images/brdr-r2.gif\" width=\"23\" ".(strpos($_SERVER['HTTP_USER_AGENT'], "MSIE") == 0 ? "style=\"height: 100%\"" : "")."></td>
  86.   </tr>
  87.   <tr> 
  88.     <td><img src=\"../images/brdr-bl.gif\"></td>
  89.     <td background=\"../images/brdr-b2.gif\" style=\"background-repeat: repeat-x;\"></td>
  90.     <td><img src=\"../images/brdr-br.gif\"></td>
  91.   </tr>
  92. </table>
  93. <br>
  94. </body>
  95. </html>
  96. ";
  97.         die();
  98.         break;
  99.      case "1":
  100.         echo "<font color=\"#FF0000\">The username you entered already exists, please enter an alternate username.</font><br><br>";
  101.         break;
  102.      case "2":  
  103.         echo "<font color=\"#FF0000\">Please enter a username!</font><br><br>";
  104.         break;
  105.      case "3":  
  106.         echo "<font color=\"#FF0000\">Please enter a password!</font><br><br>";
  107.         break;      
  108.     }       
  109.   }
  110. ?>
  111.       <br> <form name="form1" method="post" action="addstaff.php">
  112.         <table bgcolor="#FAFAFA" border="0" cellspacing="5" cellpadding="2" style="border: 1px solid #BBBBBB;">
  113.           <tr>
  114.             <td><b>Login Details</b></td>
  115.             <td width="213" colspan="-2"><input type="hidden" name="company_id" value="<?php echo $coid; ?>">
  116.                 <input type="hidden" name="status" value="1"></td>
  117.           </tr>
  118.           <tr>
  119.             <td colspan="2" class="small">Allocated the staff member a username and password.</td>
  120.           </tr>
  121.           <tr>
  122.             <td><b>Username:</b></td>
  123.             <td width="213" colspan="-2"><input type="text" name="username">            </td>
  124.           </tr>
  125.           <tr>
  126.             <td><b>Password:</b></td>
  127.             <td width="213" colspan="-2"><input type="password" name="password">            </td>
  128.           </tr>
  129.           <tr>
  130.             <td><b>Is an Administrator?</b></td>
  131.             <td colspan="-2">&nbsp;</td>
  132.           </tr>
  133.           <tr>
  134.             <td colspan="2"><hr></td>
  135.           </tr>
  136.           <tr>
  137.             <td><b>Title:</b></td>
  138.             <td colspan="-2"><select name="title" size="1">
  139.                 <option>Mr.</option>
  140.                 <option>Mrs.</option>
  141.                 <option>Ms.</option>
  142.                 <option>Adv.</option>
  143.                 <option>Prof.</option>
  144.                 <option>Dr.</option>
  145.             </select></td>
  146.           </tr>
  147.           <tr>
  148.             <td><b>First Name:</b></td>
  149.             <td width="213" colspan="-2"><input type="text" name="firstname" value="<?php echo $_POST['firstname']; ?>"></td>
  150.           </tr>
  151.           <tr>
  152.             <td><b>Surname:</b></td>
  153.             <td colspan="-2"><input type="text" name="surname" value="<?php echo $_POST['surname']; ?>"></td>
  154.           </tr>
  155.           <tr>
  156.             <td><b>Telephone No:</b></td>
  157.             <td colspan="-2"><input type="text" name="tel" value="<?php echo $_POST['tel']; ?>"></td>
  158.           </tr>
  159.           <tr>
  160.             <td><b>Cell Number:</b></td>
  161.             <td colspan="-2"><input type="text" name="cell" value="<?php echo $_POST['cell']; ?>"></td>
  162.           </tr>
  163.           <tr>
  164.             <td><b>E-Mail Address:</b></td>
  165.             <td colspan="-2"><input type="text" name="email" value="<?php echo $_POST['email']; ?>"></td>
  166.           </tr>
  167.  
  168.           <tr>
  169.             <td colspan="2"><hr></td>
  170.           </tr>
  171.           <tr>
  172.             <td>&nbsp;</td>
  173.             <td colspan="-2" align="right"><input type="submit" name="Submit" value="Submit">
  174.                 <input type="button" name="Cancel" value="Cancel" onClick="window.close(); opener.location.reload(true);"></td>
  175.           </tr>
  176.         </table>
  177.       </form></td>
  178.     <td rowspan="2" valign="top" background="../images/brdr-r2-repeat.gif" style="background-repeat: repeat-y; background-position: right;"><img src="http://bytes.com/submit/images/brdr-r2.gif" width="23" <?php if(strpos($_SERVER['HTTP_USER_AGENT'], "MSIE") == 0) echo "style=\"height: 100%\""; ?>></td>
  179.   </tr>
  180.   <tr>
  181.     <td valign="top">&nbsp;</td>
  182.   </tr>
  183.   <tr> 
  184.     <td><img src="http://bytes.com/submit/images/brdr-bl.gif"></td>
  185.     <td background="../images/brdr-b2.gif" style="background-repeat: repeat-x;"></td>
  186.     <td><img src="http://bytes.com/submit/images/brdr-br.gif"></td>
  187.   </tr>
  188. </table>
  189. <table><tbody id="waitingRoom"
  190.       style="display: none"></tbody></table>
  191.  
  192. <br>
  193. </body>
  194. </html>
Dec 4 '11 #1

✓ answered by omerbutt

yup he's(Dormilich) right about it ,
Expand|Select|Wrap|Line Numbers
  1. foreach($_POST as $k => $v)
bu i think that along with it this must be also the cause as the salt value is already stored into $v and then in the for each the $v is actually the text input from the post array change this
Expand|Select|Wrap|Line Numbers
  1.  if( isset($_POST['Submit']) ) {
  2.         $keys = "";
  3.         $values = "";
  4.         if($k=="password")
  5.         $v=md5($v.$salt);
  6.  
  7.         foreach($_POST as $k => $v) {
  8.           if( $k != "Submit" ) {
  9.             if( $keys == "" ) $keys = "`".$k."`"; else $keys .= ", `".$k."`";
  10.             if( $values == "" ) $values = "'".$v."'"; else $values .= ", '".$v."'";
  11.  
  12.           }
  13.         }
to this
Expand|Select|Wrap|Line Numbers
  1. if( isset($_POST['Submit']) ) {
  2.         $keys = "";
  3.         $values = "";
  4.  
  5.  
  6.         foreach($_POST as $k => $v) {
  7.             if($k=="password")
  8.             $v=md5($v.$salt);
  9.           if( $k != "Submit" ) {
  10.             if( $keys == "" ) $keys = "`".$k."`"; else $keys .= ", `".$k."`";
  11.             if( $values == "" ) $values = "'".$v."'"; else $values .= ", '".$v."'";
  12.  
  13.           }
  14.         }
and what zorgi said is related to the cause too ($k, $v and $salt they need to be defined somewhere before)

regards,
Omer Aslam

Share this Question
Share on Google+
6 Replies


zorgi
Expert 100+
P: 431
If variables $k, $v and $salt are not defined somewhere in files you included than lines 19 & 20 make no seance. PHP needs to know exactly what those variables are to use them.
Dec 5 '11 #2

Dormilich
Expert Mod 5K+
P: 8,639
firstly it is highly dangerous to uncheckedly take user input in your SQL query. anyone could write a form, post to your script and may execute whatever he likes on the DB (called SQL injection).

the other point is that you md5 the password, but you donít use it, since it is outside the foreach loop.
Dec 5 '11 #3

omerbutt
100+
P: 638
yup he's(Dormilich) right about it ,
Expand|Select|Wrap|Line Numbers
  1. foreach($_POST as $k => $v)
bu i think that along with it this must be also the cause as the salt value is already stored into $v and then in the for each the $v is actually the text input from the post array change this
Expand|Select|Wrap|Line Numbers
  1.  if( isset($_POST['Submit']) ) {
  2.         $keys = "";
  3.         $values = "";
  4.         if($k=="password")
  5.         $v=md5($v.$salt);
  6.  
  7.         foreach($_POST as $k => $v) {
  8.           if( $k != "Submit" ) {
  9.             if( $keys == "" ) $keys = "`".$k."`"; else $keys .= ", `".$k."`";
  10.             if( $values == "" ) $values = "'".$v."'"; else $values .= ", '".$v."'";
  11.  
  12.           }
  13.         }
to this
Expand|Select|Wrap|Line Numbers
  1. if( isset($_POST['Submit']) ) {
  2.         $keys = "";
  3.         $values = "";
  4.  
  5.  
  6.         foreach($_POST as $k => $v) {
  7.             if($k=="password")
  8.             $v=md5($v.$salt);
  9.           if( $k != "Submit" ) {
  10.             if( $keys == "" ) $keys = "`".$k."`"; else $keys .= ", `".$k."`";
  11.             if( $values == "" ) $values = "'".$v."'"; else $values .= ", '".$v."'";
  12.  
  13.           }
  14.         }
and what zorgi said is related to the cause too ($k, $v and $salt they need to be defined somewhere before)

regards,
Omer Aslam
Dec 5 '11 #4

P: 2
Hi all.. thanks a ton for your time. Your solutions fixed my problem and after changing the code i ended up with what Omar has outlined and now everything is hunky dory... thanks once again to you all...
I have a lot to learn regarding MD5, some say it is not secure, some say I should be on SHA and yet others are saying I should use the built in PHP/MYSL features so I ahve a lot to read up on :)
Many thanks once again...
Dec 5 '11 #5

omerbutt
100+
P: 638
Hey,
I am glad to be of some help o good luck with your R&D, please choose the correct answer so that others searching for the same problem might get some help too.
regards,

Omer Aslam
Dec 5 '11 #6

Dormilich
Expert Mod 5K+
P: 8,639
I have a lot to learn regarding MD5, some say it is not secure, some say I should be on SHA and yet others are saying I should use the built in PHP/MYSL features so I ahve a lot to read up on :)
that’s right, MD5 can be exploited (i.e. you can relatively easily find a string with the same MD5 hash).

pretty much every other algorithm is more secure, probably the most common are SHA256+ and RIPEMD160+. the PHP function that handles that is hash() resp. hash_hmac() for salted hashing.
Dec 5 '11 #7

Post your reply

Sign in to post your reply or Sign up for a free account.