Search Results

Search found 916 results on 37 pages for 'md5'.

Page 24/37 | < Previous Page | 20 21 22 23 24 25 26 27 28 29 30 31  | Next Page >

  • Login code sample which has been hacked via SQL Injection, although mysql_real_escape_string...

    - by artmania
    Hi friends, I use CodeIgniter, and having trouble with hacking :( is it possible to make SQL Injection to the login code below: function process_login() { $username = mysql_real_escape_string($this->input->post('username')); $password = mysql_real_escape_string(MD5($this->input->post('password'))); //Check user table $query = $this->db->getwhere('users', array('username'=>$username, 'password'=>$password)); if ($query->num_rows() > 0) { // success login data Am I using the mysql_real_escape_string wrong? or what? Appreciate helps!

    Read the article

  • PHP multiuser login class or script

    - by FFish
    I am looking for a simple but secure login script with mySQL PHP: sessions, MD5 that I can use with my exsisting database. Cookies to store password + password recovery by email. Change login/pass. I do not need registering, I register the user myself with temp login/pass. table agents agent1 agent2 table albums album1, owner: agent1 album2, owner: agent1 album3, owner: agent2 ... login.php agent1 logs in and has access to his albums: - album1 - album2 agent1 can edit his albums: edit.php?ref=album1 but NOT edit.php?ref=album3 by changing the ?ref variable

    Read the article

  • Database table copying

    - by vbNewbie
    I am trying to rectify a previous database creation with tables that contains data that needs to be saved. Instead of recreating a completely new database since some of the tables are still reusable, I need to split a table that exists into 2 new tables which I have done. Now I am trying to insert the data into the 2 new tables and because of duplicate data in the old table I am having a hard time doing this. Old table structure: ClientProjects clientId PK clientName clientProj hashkey MD5 (clientname and clientProj) new table structures: client clientId PK clientName projects queryId PK clientId PK projectName I hope this makes sense. The problem is that in the old table for example you have clients with multiple clientIds.

    Read the article

  • Password reset by email without a database table

    - by jpatokal
    The normal flow for resetting a user's password by mail is this: Generate a random string and store it in a database table Email string to user User clicks on link containing string String is validated against database; if it matches, user's pw is reset However, maintaining a table and expiring old strings etc seems like a bit of an unnecessary hassle. Are there any obvious flaws in this alternative approach? Generate a MD5 hash of the user's existing password Email hash string to user User clicks on link containing string String is validated by hashing existing pw again; if it matches, user's pw is reset Note that the user's password is already stored in a hashed and salted form, and I'm just hashing it once more to get a unique but repeatable string. And yes, there is one obvious "flaw": the reset link thus generated will not expire until the user changes their password (clicks the link). I don't really see why this would be a problem though -- if the mailbox is compromised, the user is screwed anyway.

    Read the article

  • Salting example in Zend Framework

    - by Geoffrey
    Hello all, I am pretty new to the Zend framework and looking to build an application with pretty tight password security. I have been trying to follow the user guides in relation to password salting but haven't had any luck so far. I have setup my database and table adapter (As described in the documentation on the Zend Framework site but it didn't seem to finish the example (or I am not following well enough!) I have started with: $authAdapter = new Zend_Auth_Adapter_DbTable($dbAdapter, 'users', 'username', 'password', "MD5(CONCAT('".Zend_Registry::get('staticSalt')."', ?, password_salt))" ); But from here, what is done with the password salt? I just need an example and I'll be away! Does anyone have an example or point me in the right direction?? Many thanks!

    Read the article

  • Can you figure out the password hashing scheme?

    - by Adal
    I have two passwords and two resulting hashes. I can't figure out how the hash is derived from the password. I don't know if salting is used. I don't know if the password is hashed as a integer value or as a string (possibly Unicode). Password: 6770 Hash: c12114b91a3841c143bbeb121693e80b Password: 9591 Hash: 25238d578b6a61c2c54bfe55742984c1 The hash length seems to suggest MD5. Anybody has any ideas what I could try? Note: This is not for hacking purposes. I'm trying to access a service through an API instead of it's desktop client, and I can't figure out how to compute the password hash. Currently instead of using my real password I'm sending directly the hash.

    Read the article

  • How can a hacker put a file on my server root (apache, php, 1and1)

    - by mike-sav
    Hi there, I have a site hosted on 1and1 and a couple of weeks ago I noticed a hacker had put a .php file on the server that when viewed in a browser exposed my DB schema, DB connection strings, FTP account (for file uploads using a form), etc, etc. Naturally I panicked and I wiped the server and reuploaded my files. Fortunatley I encrypt passwords using MD5 and I don't store things like credit card details, etc, etc. Now I checked my files and with all user input I use a clean function (htmlentities, sql_real_escape_string, etc, etc) that strips the input of any XSS or SQL injection. I have also made sure that the session key gets re-engineered when a user status changes (like they log into their account) to prevent session hijacking, my folder permissions are set to 755 and file permission are 644. Has anyone got any idea how this could have happened? Or if I'm missing something

    Read the article

  • simple authorisation in web api

    - by monthon1
    I want to make nice and clean api; I'm making site and I want to offer the ability to mobile apps use web API of my site. I don't want to use oAuth, becouse the mobile and embedded applications that are facing the biggest hurdle, as they may not be able to bring up and/or control the web browser. Also its a little complicate. I know, that HTTP basic authorisation is not safe, but it's so simple... I want to use it in my api. I have somee users logins and their passwords (md5-encoded) in mysql base, but how to use those data in this HTTP basic authorisation?

    Read the article

  • Checking server load with PHP and taking appropriate action

    - by teehoo
    Hi, I'm creating a project in which a server receives operations from clients to apply to a local server document. The server and client both share the same document and therefore each message the client sends contains an MD5 hash, which the server compares to after generating its own hash to ensure the server and client documents are synchronized. My question is, if the server is overloaded, could I somehow detect this in PHP, which would in turn let me decide whether I want to execute the hash generation function or not? Perhaps in the scenario defined, this is not a perfect use-case, but I'm interested in this approach in general.

    Read the article

  • PHP error can't figure it out something to do with SQL stuff I think

    - by MrEnder
    Ok the error is showing up somewhere in this here code if($error==false) { $query = pg_query("INSERT INTO chatterlogins(firstName, lastName, gender, password, ageMonth, ageDay, ageYear, email, createDate) VALUES('$firstNameSignup', '$lastNameSignup', '$genderSignup', md5('$passwordSignup'), $monthSignup, $daySignup, $yearSignup, '$emailSignup', now());"); $query = pg_query("INSERT INTO chatterprofileinfo(email, lastLogin) VALUES('$email', now())";); $_SESSION['$userNameSet'] = $email; header('Location: signup_step2.php'.$rdruri); } anyone see what I did wrong??? sorry for being so unspecific but ive been staring at it for 10 mins and I can't figure it out.

    Read the article

  • Why acegi (Spring Security) converts password to uppercase before comparing ?

    - by Tony
    One of my colleague in QA team reported a bug to me, the bug said that can't change password to lowercase, otherwise login is rejected,using number or uppercase is all fine. The login system was implemented using acegi 1.0 (now called Spring Security). This was a very strange bug,changing password is done by encrypting the user input string into MD5 string, I implemented this without using anything related acegi, I don't if the is the origin cause of the problem. When the login is rejected, through debugging, I find that, the user input is converted into uppercase by acegi when passing to the acegi comparing logic. At first, I didn't believe this, when I checkout the acegi source and debugging with it, I find it does convert both username and password to uppercase (source code line 121), Can you tell me why it does this? This can cause password encoding mismatch!

    Read the article

  • how to solve the captcha problem

    - by magna
    ho i have writen this code for my captcha. i created my captcha for contact form everything works fine but what er the number i entered in captcha box it shows invalid captcha `` <?php if(isset($_POST['norobot'])) { if(md5($_POST['norobot']) == $_SESSION['randomnr2']) { echo "Validation Success"; $_SESSION['name'] = $name ; $_SESSION['phone_no'] = $phone; $_SESSION['mailid'] = $mailid; $_SESSION['msg'] = $msg; $_SESSION['category'] = $category; header("Location:thankyou.php"); } else { $Error = 'Invalid CAPTCHA'; } } } ?> can any one say the solution. thanks

    Read the article

  • Efficiently generate a 16-character, alphanumeric string

    - by ensnare
    I'm looking for a very quick way to generate an alphanumeric unique id for a primary key in a table. Would something like this work? def genKey(): hash = hashlib.md5(RANDOM_NUMBER).digest().encode("base64") alnum_hash = re.sub(r'[^a-zA-Z0-9]', "", hash) return alnum_hash[:16] What would be a good way to generate random numbers? If I base it on microtime, I have to account for the possibility of several calls of genKey() at the same time from different instances. Or is there a better way to do all this? Thanks.

    Read the article

  • How to make a file_exist from a server to the local machine ?

    - by bahamut100
    Hi, how to test if a file exist on the current computer using the application ? I try to put the full url at my file like this, but it doesn't work : if(file_exists("C:/wamp/www/project/photo/".$nom_photo)) { echo "file exist"; $extension=pathinfo("C:/wamp/www/project/photo/".$nom_photo,PATHINFO_EXTENSION); echo "<br>"; $nom=md5($nom_photo.time().rand(0, 99999)).".".$extension; echo $nom; rename("C:/wamp/www/project/photo/".$nom_photo,"C:/wamp/www/project/photo/".$nom); echo "<br>"; } How to fix it ?

    Read the article

  • Using hash to check if page with $_POST values was refreshed

    - by Dieseltime
    When posting a form to the same PHP page, what is the correct method to find if the page was accidentally refreshed instead of submitted again? Here's what I'm using right now: $tmp = implode('',$_POST); $myHash = md5($tmp); if(isset($_SESSION["myHash"]) && $_SESSION["myHash"] == $myHash) { header("Location: index.php"); // page refreshed, send user somewhere else die(); } else { $_SESSION["myHash"] = $myHash; } // continue processing... Is there anything wrong with this solution?

    Read the article

  • How can I generate a unique ID using a hash in Perl?

    - by sganesh
    I doing message transfer program between multiple clients and server. I want to generate unique message id for every messages. that should be generated by server and return to client. For message transfer I am using hash data structure, Ex: { api => POST, username => sganesh, pass => "pass", message => "hai", time => "current_time", } I want to generate unique id using this hash. I have tried some of the ways, MD5 and freeze but this give unreadable id. I want some meaningful or readable unique id. I have thought we can use micro seconds to differentiate the id but here the problem is multiple clients. In any situation my id should be unique. Can anyone help me out of this problem? Thanks in Advance.

    Read the article

  • Finding the right version of the right JAR in a maven repository

    - by Matt McHenry
    I'm converting a build that has 71 .jar files in its global lib/ directory to use Maven. Of course, these have been pulled from the web by lots of developers over the past ten years of this project's history, and weren't always added to VCS with all the necessary version info, etc. Is there an easy, automated way to go from that set of .jar files to the corresponding <dependency/> elements for use in my pom.xml files? I'm hoping for a web page where I can submit the checksum of a jar file and get back an XML snippet. The google hits for 'maven repository search' are basically just finding name-based searches. And http://repo1.maven.org/ has no search whatsoever, as far as I can see. Update: GrepCode looks like it can find projects given an MD5 checksum. But it doesn't provide the particular details (groupId, artifactId) that Maven needs.

    Read the article

  • a query is inserted from PHPMYAdmin but not from PHP

    - by iyad al aqel
    i'm writing a php code to insert form values in a forum values $dbServer = mysql_connect("localhost" , "root", "") ; if(!$dbServer) die ("Unable to connect"); mysql_select_db("kfumWonder"); $name= $_POST['name'] ; $password= md5($_POST['password']); $email= $_POST['email'] ; $major= $_POST['major'] ; $dateOfBirth=$_POST['dateOfBirth'] ; $webSite = $_POST['website']; $joinDate= date("Y m d") ; $query = "INSERT INTO user (name, password, email, major, dob, website, join_date) Values ('$name', '$password', '$email', '$major', '$dateOfBirth', '$webSite' , '$joinDate')" ; //echo $query ; $result = mysql_query($query) ; if (! $result ) echo " no results " ; this works perfectly fine when i took the printed query and run it in PHPMyAdmin but when i run this code nothing happens , any ideas !?

    Read the article

  • hash password in SQL Server (asp.net)

    - by ile
    Is this how hashed password stored in SQL Server should look like? This is function I use to hash password (I found it in some tutorial) public string EncryptPassword(string password) { //we use codepage 1252 because that is what sql server uses byte[] pwdBytes = Encoding.GetEncoding(1252).GetBytes(password); byte[] hashBytes = System.Security.Cryptography.MD5.Create().ComputeHash(pwdBytes); return Encoding.GetEncoding(1252).GetString(hashBytes); } EDIT I tried to use sha-1 and now strings seem to look like as they are suppose to: public string EncryptPassword(string password) { return FormsAuthentication.HashPasswordForStoringInConfigFile(password, "sha1"); } // example output: 39A43BDB7827112409EFED3473F804E9E01DB4A8 Result from the image above looks like broken string, but this sha-1 looks normal.... Will this be secure enough?

    Read the article

  • Form Security (discussion)

    - by Eray Alakese
    I'm asking for brain storming and sharing experience. Which method you are using for form submiting security ? For example , for block automatically sended POST or GET datas, i'm using this method : // Generating random string <?php $hidden = substr(md5(microtime()) ,"-5"); ?> <form action="post.php" .... // assing this random string to a hidden input <input type="hidden" value="<?php echo $hidden;" name="secCode> // and then put this random string to a session variable $_SESSION["secCode"] = $hidden; **post.php** if ($_POST["secCode"] != $_SESSION["secCode"]) { die("You have to send this form, on our web site"); }

    Read the article

  • 128bit hash comparison with SSE

    - by fokenrute
    Hi, In my current project, I have to compare 128bit values (actually md5 hashes) and I thought it would be possible to accelerate the comparison by using SSE instructions. My problem is that I can't manage to find good documentation on SSE instructions; I'm searching for a 128bit integer comparison instruction that let me know if one hash is larger, smaller or equal to another. Does such an instruction exists? PS: The targeted machines are x86_64 servers with SSE2 instructions; I'm also interested in a NEON instruction for the same job.

    Read the article

  • PHP: Safe way to store decryptable passwords

    - by Jammer
    I'm making an application in PHP and there is a requirement that it must be possible to decrypt the passwords in order to avoid problems in the future with switching user database to different system. What encryption/decryption algorithm would you suggest? Is it good idea to just store the encrypted value and then compare the future authentication attempts to that value? Are the passwords still as safe as MD5/SHA1 when the private key is not available to the attacker (Hidden in USB drive for example)? I should still use salting, right? What encryption libraries should I use for PHP?

    Read the article

  • Do similar passwords have similar hashes?

    - by SLC
    Our computer system at work requires users to change their password every few weeks, and you cannot have the same password as you had previously. It remembers something like 20 of your last passwords. I discovered most people simply increment a digit at the end of their password, so "thisismypassword1" becomes "thisismypassword2" then 3, 4, 5 etc. Since all of these passwords are stored somewhere, I wondered if there was any weakness in the hashes themselves, for standard hashing algorithms used to store passwords like MD5. Could a hacker increase their chances of brute-forcing the password if they have a list of hashes of similar passwords?

    Read the article

  • Encrypting password in compiled C or C++ code

    - by Daniel
    Hello!, I know how to compile C and C++ Source files using GCC and CC in the terminal, however i would like to know if its safe to include passwords in these files, once compiled. For example.. i check user input for a certain password e.g 123, but it appears compiled C/C++ programs is possible to be decompiled. Is there anyway to compile a C/C++ source file, while keeping the source completely hidden.. If not, could anyone provide a small example of encrypting the input, then checking against the password e.g: (SHA1, MD5)

    Read the article

  • does it make sense to send password information during email communication from websites

    - by Samuel
    Most of the online sites on registration do send a link to activate the site and on any further correspondence with the end user they provide information about the site and also provide the login credentials with password in clear text (as given below) Username - [email protected] Password - mysecretpassword What would you do in such a case? From a usability perspective does it make sense to send the password information in clear text or should you just avoid sending this information. I was under the impression that most of the passwords are MD5 hashed before storing in the database and hence the service provider will not have any access to clear text passwords, is this a security violation?

    Read the article

< Previous Page | 20 21 22 23 24 25 26 27 28 29 30 31  | Next Page >