Author Topic: Password question  (Read 5931 times)

Steve

  • This 49%er supports Romney
  • Just a Jackass
  • *
  • Posts: 16120
  • Karma: +31/-410
  • Mr. Mom
Password question
« on: July 01, 2008, 11:19:51 AM »
I'm making a point not to post in regards to the major project I took on since 99% of what I'm learning is found on Google with ease. I'm posting this because I know some of you guys (Mike) are really good in this area and security is a concern of mine.

I have created a form, and the database to go with it, for new customer registrations. The owners would like the password to be automatically generated based on the club name (required field) as well as the username (also a req field). I am not sure how to automatically generate the password. My first thought is to create a PHP file, for example, createpw.php (I would NOT name it that....) and generate an MD5 password in this file, and add it to the DB based on the user ID. I think best would be user clicks submit, the account is created with no pw and instantly the account ID is passed to the PHP file along with the club and usernames. This way the PHP file can create the password and know which table to submit it to.

Am I on the right track?
hey ethic if you and i were both courting lily allen..... oh wait, which one of us has a relationship that lasted more than the bus ride home?

ober

  • Ashton Shagger
  • Ass Wipe
  • Posts: 14310
  • Karma: +73/-790
  • mini-ober is taking over
    • Windy Hill Web Solutions
Re: Password question
« Reply #1 on: July 01, 2008, 11:25:58 AM »
I'm not sure what you're talking about with the "knowing which table to submit it to" statement.  Are the club name and username unique?  Are you checking to make sure?  I'd use SHA1, not MD5.  MD5 is too easily decrypted.

Steve

Re: Password question
« Reply #2 on: July 01, 2008, 11:28:32 AM »
I thought MD5 was strong as hell?? OK, noted.

I would be checking they are unique, yes. What I meant by knowing which table is if the account has already been created, when the PHP file submits the password to the DB it has to know where to insert it. Since each time the form is run it would go somewhere different, I would need a way to identify each submission.

ober

Re: Password question
« Reply #3 on: July 01, 2008, 11:32:04 AM »
...... I'm confused.  If you're registering a new account, you're inserting a new row.  If you're updating a password, you already know the user's ID (I'd hope), so you'd just be updating a row.  This should all be in the same table!

Mike

  • Jackass In Charge
  • Posts: 11257
  • Karma: +168/-32
  • Ex Asshole - a better and more caring person.
Re: Password question
« Reply #4 on: July 01, 2008, 11:40:38 AM »
Quote
I thought MD5 was strong as hell?? OK, noted.

The problem with MD5 is that people have a table of input strings that match to any given resulting hash.

If you are going to use hashing then I suggest you salt it.  So let's suppose the password is BillyBob.  Instead of SHA1(BillyBob) you salt it so you get something like SHA1(BillyBobManWhore).  The benefit is that if SHA1(Youngin) matches SHA1(BillyBobManWhore) it won't help because if the person puts in Youngin it'll end up as SHA1(YounginManWhore) which won't match.  You have to apply the same salt every time so that the hashing matches but the salt can be different per user.
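
Added example, not part of the original thread or any poster's code: the per-user salting described in the reply above, with the SHA1(password + salt) construction next to PHP's built-in password_hash()/password_verify(), which generate and store a random salt on their own. The helper names (new_salt, salted_sha1, check_salted_sha1, expect) and the sample values are made up for illustration; random_bytes() assumes PHP 7 or later.

```php
<?php
// Added illustration; helper names and sample values are hypothetical.

// Random per-user salt, stored in the user's row next to the hash.
function new_salt(): string {
    return bin2hex(random_bytes(16));
}

// The construction from the post: SHA1(password . salt).
function salted_sha1(string $password, string $salt): string {
    return sha1($password . $salt);
}

// Re-hash the submitted password with the stored salt, compare in constant time.
function check_salted_sha1(string $password, string $salt, string $stored): bool {
    return hash_equals($stored, salted_sha1($password, $salt));
}

// Tiny self-check helper so the script fails loudly if a claim below is wrong.
function expect(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("failed: $what");
    }
    echo "ok: $what\n";
}

$password = 'BillyBob'; // constructed sample password

// Two users with the same password get different stored hashes, so one
// precomputed table of SHA-1 outputs no longer covers both rows.
$saltA = new_salt();
$saltB = new_salt();
$hashA = salted_sha1($password, $saltA);
$hashB = salted_sha1($password, $saltB);
expect($hashA !== $hashB, 'same password, different salts, different hashes');
expect($hashA !== sha1($password), 'salted hash differs from the unsalted one');
expect(check_salted_sha1('BillyBob', $saltA, $hashA), 'right password verifies');
expect(!check_salted_sha1('Youngin', $saltA, $hashA), 'wrong password is rejected');
expect(!check_salted_sha1('BillyBob', $saltB, $hashA), 'the wrong salt does not verify');

// One pass of salted SHA-1 is still cheap to guess against offline.
// password_hash() picks a random salt per call and uses a deliberately slow
// algorithm; salt and cost are encoded in the string it returns.
$storedA = password_hash($password, PASSWORD_DEFAULT);
$storedB = password_hash($password, PASSWORD_DEFAULT);
expect($storedA !== $storedB, 'password_hash salts each call');
expect(password_verify('BillyBob', $storedA), 'password_verify accepts the right password');
expect(!password_verify('Youngin', $storedA), 'password_verify rejects the wrong one');
```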

Steve

Re: Password question
« Reply #5 on: July 01, 2008, 11:49:56 AM »
Thanks Mike, I'll look into that.

Ober, you're right, the file would just be updating a row; I was referring to how to let the script creating the password know which row to update.

ober

Re: Password question
« Reply #6 on: July 01, 2008, 12:34:03 PM »
Again I'm confused... you should create the password before inserting the row.... or is there some reason you can't do that?

Steve

Re: Password question
« Reply #7 on: July 01, 2008, 02:29:33 PM »
I thought if I stopped in between the submit form and the DB to visit the PHP file and create the pw that it would be insecure.

NVM on the code, I'm an idiot
« Last Edit: July 01, 2008, 02:54:42 PM by RoD »

Steve

Re: Password question
« Reply #8 on: July 01, 2008, 04:37:52 PM »
I'm trying to test writing to the DB to make sure it's working, and it's not. And honestly I don't know why. I tried walking away, thought maybe I was seeing something wrong or not at all. I tried this on 3 different hosts so I know it isn't GoDaddy....

Leave it to me to get stuck on something f'n simple. I have used this script countless times; I always just tailor the variables to match the form and DB I'm using...

Code: [Select]
<?php
$hostname_ASA = "xxx.secureserver.net";
$database_ASA = "asadbname";
$username_ASA = "asausername";
$password_ASA = "dbuserpw";
$ASA = mysql_pconnect($hostname_ASA, $username_ASA, $password_ASA) or trigger_error(mysql_error(), E_USER_ERROR);

mysql_select_db("database_ASA", $ASA);

$clubgroupname = $_POST["clubgroupname"];
$type = $_POST["type"];
$address1 = $_POST["address1"];
$address2 = $_POST["address2"];
$city = $_POST["city"];
$state = $_POST["state"];
$zip = $_POST["zip"];
$ownername = $_POST["ownername"];
$phone1 = $_POST["phone1"];
$contactname1 = $_POST["contactname1"];
$phone2 = $_POST["phone2"];
$contactname2 = $_POST["contactname2"];
$url = $_POST["url"];
$url2 = $_POST["url2"];
$ismembershipreq = $_POST["ismembershipreq"];
$byob = $_POST["byob"];
$sex = $_POST["sex"];
$dresscode = $_POST["dresscode"];
$username = $_POST["username"];
$password = $_POST["password"];
$rss = $_POST["rss"];
$banner = $_POST["banner"];

mysql_query("INSERT INTO asa_registered_clubs (clubgroupname, type, address1, address2, city, state, zip, ownername, phone1, contactname1, phone2, contactname2, url, url2, ismembershipreq, byob, sex, dresscode, username, password, rss, banner) VALUES ('$clubgroupname’, ‘$type’, '$address1', '$address2', '$city', '$state', '$zip', '$ownername', '$phone1', '$contactname1', '$phone2', '$contactname2', '$url', '$url2', '$ismembershipreq', '$byob', '$sex', '$dresscode', '$username', '$password', '$rss', '$banner')");

mysql_close($ASA);
?>

Mike

Re: Password question
« Reply #9 on: July 01, 2008, 04:41:34 PM »
Are you still having the problem with the DB going away?  If so try mysql_connect instead of mysql_pconnect.  Also check the return values of connect and select_db.

Steve

Re: Password question
« Reply #10 on: July 01, 2008, 04:44:31 PM »
That error stopped coming up. Now on submit it goes to the blank page (it should, the PHP file has no redirect) but nothing shows up in the DB. And I tried mysql_connect initially. I'll try checking those.

Mike

Re: Password question
« Reply #11 on: July 01, 2008, 04:55:05 PM »
Try adding this at the top of the file:
Code: [Select]
ini_set('display_errors', '1');
error_reporting(E_ALL);

I would also add an echo or something at the top to confirm that there aren't syntax errors on the page.

As a matter of style I would like to point out that PHP allows line breaks within string literals.  So
Code: [Select]
mysql_query("INSERT INTO asa_registered_clubs (clubgroupname, type, address1, address2, city, state, zip, ownername, phone1, contactname1, phone2, contactname2, url, url2, ismembershipreq, byob, sex, dresscode, username, password, rss, banner) VALUES ('$clubgroupname’, ‘$type’, '$address1', '$address2', '$city', '$state', '$zip', '$ownername', '$phone1', '$contactname1', '$phone2', '$contactname2', '$url', '$url2', '$ismembershipreq', '$byob', '$sex', '$dresscode', '$username', '$password', '$rss', '$banner')");
Could be written as:
Code: [Select]
mysql_query("
INSERT INTO asa_registered_clubs
(clubgroupname, type, address1, address2, city, state, zip,
ownername, phone1, contactname1, phone2, contactname2, url, url2,
ismembershipreq, byob, sex, dresscode, username, password, rss, banner)
VALUES ('$clubgroupname', '$type', '$address1', '$address2', '$city', '$state',
'$zip', '$ownername', '$phone1', '$contactname1', '$phone2', '$contactname2',
'$url', '$url2', '$ismembershipreq', '$byob', '$sex', '$dresscode', '$username',
'$password', '$rss', '$banner')");

Steve

Re: Password question
« Reply #12 on: July 01, 2008, 05:15:21 PM »
Yea, I planned to clean it up when I got it working right. It's cleaned up in my script file but pasting into DW screwed it up. I added an if check for the connect and your suggestion and got no errors for the connection but a lot of undefined.....but I don't see why?

Quote
Notice: Undefined index: clubgroupname in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 17

Notice: Undefined index: type in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 18

Notice: Undefined index: address1 in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 19

Notice: Undefined index: address2 in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 20

Notice: Undefined index: city in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 21

Notice: Undefined index: state in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 22

Notice: Undefined index: zip in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 23

Notice: Undefined index: ownername in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 24

Notice: Undefined index: phone1 in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 25

Notice: Undefined index: contactname1 in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 26

Notice: Undefined index: phone2 in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 27

Notice: Undefined index: contactname2 in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 28

Notice: Undefined index: url in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 29

Notice: Undefined index: url2 in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 30

Notice: Undefined index: ismembershipreq in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 31

Notice: Undefined index: byob in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 32

Notice: Undefined index: sex in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 33

Notice: Undefined index: dresscode in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 34

Notice: Undefined index: username in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 35

Notice: Undefined index: password in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 36

Notice: Undefined index: rss in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 37

Notice: Undefined index: banner in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 38

Notice: Undefined variable: clubgroupname’ in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 40

Notice: Undefined variable: type’ in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 40

Code: [Select]
<?php
ini_set('display_errors', '1');
error_reporting(E_ALL);
$hostname_ASA = "";
$database_ASA = "";
$username_ASA = "";
$password_ASA = "";
$ASA = mysql_connect($hostname_ASA, $username_ASA, $password_ASA) or trigger_error(mysql_error(), E_USER_ERROR);

if ($ASA == false) {
    echo "failed to connect to database";
    exit();
}

mysql_select_db("database_ASA", $ASA);

$clubgroupname = $_POST["clubgroupname"];
$type = $_POST["type"];
$address1 = $_POST["address1"];
$address2 = $_POST["address2"];
$city = $_POST["city"];
$state = $_POST["state"];
$zip = $_POST["zip"];
$ownername = $_POST["ownername"];
$phone1 = $_POST["phone1"];
$contactname1 = $_POST["contactname1"];
$phone2 = $_POST["phone2"];
$contactname2 = $_POST["contactname2"];
$url = $_POST["url"];
$url2 = $_POST["url2"];
$ismembershipreq = $_POST["ismembershipreq"];
$byob = $_POST["byob"];
$sex = $_POST["sex"];
$dresscode = $_POST["dresscode"];
$username = $_POST["username"];
$password = $_POST["password"];
$rss = $_POST["rss"];
$banner = $_POST["banner"];

mysql_query("INSERT INTO asa_registered_clubs (clubgroupname, type, address1, address2, city, state, zip, ownername, phone1, contactname1, phone2, contactname2, url, url2, ismembershipreq, byob, sex, dresscode, username, password, rss, banner) VALUES ('$clubgroupname’, ‘$type’, '$address1', '$address2', '$city', '$state', '$zip', '$ownername', '$phone1', '$contactname1', '$phone2', '$contactname2', '$url', '$url2', '$ismembershipreq', '$byob', '$sex', '$dresscode', '$username', '$password', '$rss', '$banner')");

mysql_close($ASA);
?>



« Last Edit: July 01, 2008, 06:49:25 PM by RoD »

Mike

Re: Password question
« Reply #13 on: July 01, 2008, 06:30:04 PM »
Well your first mistake is using Dreamweaver...

Do something like:
Code: [Select]
echo '<pre>'; print_r($_POST); echo '</pre>';
before all of the variable assignments and make sure that the indices are present.

Oh and as it stands right now you are highly vulnerable to an injection attack.
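
Added example, not part of the original thread or any poster's code: the same kind of INSERT built by string interpolation, as in the script above, next to a prepared statement, with a required-field check in front of it for the empty-$_POST case the thread runs into. It assumes PHP 7+ with PDO and the pdo_sqlite driver; an in-memory SQLite database stands in for the MySQL server, and the three-column table, the helper names (missing_fields, register_club) and the form input are constructed for illustration.

```php
<?php
// Added illustration: in-memory SQLite stands in for the thread's MySQL server.
// The three-column table, helper names and sample input are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE asa_registered_clubs (
    clubgroupname TEXT NOT NULL, username TEXT NOT NULL UNIQUE, password TEXT NOT NULL)');

// Names of required fields that are absent or blank, checked before any
// $_POST[...] read so an empty submission never reaches the query.
function missing_fields(array $post, array $required): array {
    return array_values(array_filter($required, function ($name) use ($post) {
        return !isset($post[$name]) || trim((string) $post[$name]) === '';
    }));
}

// Prepared statement: values travel separately from the SQL text, so quotes
// in the data cannot change the statement.
function register_club(PDO $db, array $post): void {
    $missing = missing_fields($post, ['clubgroupname', 'username', 'password']);
    if ($missing) {
        throw new InvalidArgumentException('missing: ' . implode(', ', $missing));
    }
    $stmt = $db->prepare('INSERT INTO asa_registered_clubs
        (clubgroupname, username, password) VALUES (:club, :user, :pw)');
    $stmt->execute([
        ':club' => $post['clubgroupname'],
        ':user' => $post['username'],
        ':pw'   => password_hash($post['password'], PASSWORD_DEFAULT),
    ]);
}

// Constructed form input; the apostrophes are ordinary data.
$post = ['clubgroupname' => "O'Malley's Club", 'username' => 'omalley',
         'password' => 'example-pw'];

// Thread-style interpolation: the apostrophe ends the string literal early,
// so the data is parsed as SQL and the statement is rejected.
try {
    $db->exec("INSERT INTO asa_registered_clubs (clubgroupname, username, password)
               VALUES ('{$post['clubgroupname']}', '{$post['username']}', 'x')");
    echo "interpolated insert ran\n";
} catch (PDOException $e) {
    echo "interpolated insert failed: ", $e->getMessage(), "\n";
}

register_club($db, $post);
$row = $db->query('SELECT clubgroupname, password FROM asa_registered_clubs')
          ->fetch(PDO::FETCH_ASSOC);
echo "stored club name: {$row['clubgroupname']}\n";
echo "password column holds a hash: ",
     var_export(password_verify($post['password'], $row['password']), true), "\n";

// An empty submission (the empty print_r($_POST) output in the thread) is refused.
try {
    register_club($db, []);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```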

Steve

Re: Password question
« Reply #14 on: July 01, 2008, 06:41:22 PM »
Once I verify it's working with the DB correctly I intend to add checks. I also decided to just generate and hash the pw right in this PHP file and assign it to $password so it can be passed on with the rest of the data.

I'll add the print checks in a few minutes and see what happens

EDIT:

If I'm looking at this right it's not getting the data from the form. I added the print check before each assignment and got this:

Quote
Array
(
)

Notice: Undefined index: clubgroupname in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 18
Array
(
)

Notice: Undefined index: type in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 20
Array
(
)

Notice: Undefined index: address1 in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 22
Array
(
)

Notice: Undefined index: address2 in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 24
Array
(
)

Notice: Undefined index: city in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 26
Array
(
)

Notice: Undefined index: state in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 28
Array
(
)

Notice: Undefined index: zip in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 30
Array
(
)

Notice: Undefined index: ownername in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 32
Array
(
)

Notice: Undefined index: phone1 in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 34
Array
(
)

Notice: Undefined index: contactname1 in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 36
Array
(
)

Notice: Undefined index: phone2 in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 38
Array
(
)

Notice: Undefined index: contactname2 in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 40
Array
(
)

Notice: Undefined index: url in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 42
Array
(
)

Notice: Undefined index: url2 in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 44
Array
(
)

Notice: Undefined index: ismembershipreq in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 46
Array
(
)

Notice: Undefined index: byob in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 48
Array
(
)

Notice: Undefined index: sex in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 50
Array
(
)

Notice: Undefined index: dresscode in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 52
Array
(
)

Notice: Undefined index: username in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 54
Array
(
)

Notice: Undefined index: password in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 56
Array
(
)

Notice: Undefined index: rss in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 58
Array
(
)

Notice: Undefined index: banner in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 60

Notice: Undefined variable: clubgroupname’ in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 63

Notice: Undefined variable: type’ in /home/content/i/y/q/iyq2havfun/html/CMDONOTOPEN/process_clubreg.php on line 63
« Last Edit: July 01, 2008, 06:52:20 PM by RoD »