logging in

z_boarder914

Active member
just something i noticed about logging in.

If you type your password twice it still allows you to log in?? weird

Somehow my password was automatically stored and occasionally i type it again (after it has showed up) without looking and hit enter. One time other than hit stop i thought id just browse as a guest as i was feeling lazy. But i logged in.

This a security bug??

I had a life once..... but then i started boarding
 
neet neet gimme a beat

Sam 'Beefy Tits' Caylor

^^^^^^^^^^^^^^

The Secretary Of Defense for the Execution Committee of the Secret NS.com Council

The Official Fat Kid of NS.com With The Matt Harvey Seal Of Approval

800Club Member.

°°°Viva La Donate°°°

°°°Viva La Resistance°°°
 
The encryption algorithm only takes the first 8 characters you type in. So you could type your password, then an essay about the industrial revolution and it'd let you in.

Matt

 
what if your password was less than 8 characters? say it was

qwerty

and you typed qwertyuio

wouldnt that then cause a login error?

I had a life once..... but then i started boarding
 
Yes if it's less than 8 characters adding an essay about the industrial revolution at the end would in fact cause an error.

Matt

 
i dunno if it helps but for my login i use the password(); function in my script, doesnt seem to cause any errors

I had a life once..... but then i started boarding
 
hmmm, it used to be there, but heres an example for you. its the login script for my site:

// Look up the user; both form fields are escaped with addslashes() before they go into the SQL string
$result = mysql_query("SELECT * FROM auth WHERE username = '" . addslashes($HTTP_POST_VARS['username']) . "' AND password = password('" . addslashes($HTTP_POST_VARS['password']) . "')");

// Exactly one matching row means the username/password pair is valid
$valid_login = mysql_num_rows($result);

if ($valid_login != '1') {
    header ('location: logon.php?error=invalid');
} else {
    session_start();
    session_register('username');
    // Send the user back to the area they logged in from
    if ($LogonWhere == 'photos') {
        header ('Location: photo_index.php');
    } elseif ($LogonWhere == 'forums') {
        header ('Location: forum.php');
    } else {
        header ('location: home.php');
    }
}

although, passwords have to be encoded using that function first otherwise they dont work. Here is the script i use to register a user:

//Add to auth table
$insert_sql = "INSERT INTO auth (username, password, email)
VALUES ('$chosenusername', password('" . addslashes($rowpassword) . "'), '$rowemail')";

// Pass the query string itself, not a quoted variable name
$create_query = mysql_query($insert_sql, $db);

you may want to check this thread out. It's where i asked how to do it and these are the replies i got:
http://www.phpbuilder.com/board/showthread.php?s=&threadid=10237073

i dunno if it is any use tho

hope it helps you in ANY way as youve helped me a lot so far!

I had a life once..... but then i started boarding
 
yup, we're just superior thats all!

well, i suppose thats debatable in my case:S

I had a life once..... but then i started boarding
 
That's interesting... never seen that before.

You're missing something huge in PHP though.. you don't need to use the HTTP_VARS or whatever variable like you did back with perl.. PHP does it for you! So this line:

$result = mysql_query("SELECT * FROM auth WHERE username = '" . addslashes($HTTP_POST_VARS['username']) . "' AND password = password('" . addslashes($HTTP_POST_VARS['password']) . "')");

Can be turned into this:



$result = mysql_query("SELECT * FROM auth WHERE username = '$username' AND password = password('$password')");


From your example, password is a MySQL function which is why it didn't show up on the PHP site.

Matt
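The login and registration queries in this thread are built by pasting form input into the SQL string. As an added example (not code from this thread or from the site), here is the same lookup against the thread's `auth` table using bound parameters and PHP-side password hashing. The in-memory SQLite database (which assumes the pdo_sqlite extension), the function names and the sample account are constructed for illustration.

```php
<?php
// Added example, not the thread's code. The auth table mirrors the thread's
// columns; the in-memory database and the sample account are constructed.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE auth (username TEXT PRIMARY KEY, password TEXT, email TEXT)');
    return $db;
}

function register_user(PDO $db, string $user, string $pass, string $email): void
{
    // Hash in PHP with a salted, slow algorithm instead of the database's password().
    $stmt = $db->prepare('INSERT INTO auth (username, password, email) VALUES (?, ?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT), $email]);
}

function check_login(PDO $db, string $user, string $pass): bool
{
    // Placeholders keep form input out of the SQL text, so no addslashes() is needed.
    $stmt = $db->prepare('SELECT password FROM auth WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();          // false when the username is unknown
    return is_string($hash) && password_verify($pass, $hash);
}

$db = open_db();
register_user($db, 'z_boarder', 'correct horse', 'z@example.com');

// Read fields from $_POST explicitly instead of relying on auto-created globals.
// Constructed request 1: a username containing quote characters is treated as data.
$_POST = ['username' => "z_boarder' --", 'password' => 'anything'];
var_dump(check_login($db, $_POST['username'], $_POST['password']));

// Constructed request 2: the registered account with its real password.
$_POST = ['username' => 'z_boarder', 'password' => 'correct horse'];
var_dump(check_login($db, $_POST['username'], $_POST['password']));
```

The first request is rejected and the second is accepted; the stored value is a salted hash, so the lookup selects by username only and compares the password in PHP.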

 
cheers harvey, i do know that. Its just i got that script from a forum and it worked so I didnt want to change ANY of it in case i screwed it up! I'm still too much of a newbie to go do crazy stuff!

I had a life once..... but then i started boarding
 
crazy PHP people...

Official Executioner of the Execution Committee of the Secret NS.com Council

BEWARE Non-Donators! You have been warned!
 
it's not php...it's des encryption built into php as a simple function.

des takes 64 bit chunks (that's why it uses your first 8 characters...well not really; it all depends on how big your ascii coding is) and encrypts it to a 56 bit key.

why does it only take the first 8 characters??? the first 8 characters deal is the classic unix password hashing function, not des.

so harvey, you're just using the built in php des function (or did i misread what you wrote a while ago)

------------------------------

I always say what I feel and that is a promise, nothing in life is above being honest - 311

from chaos comes clarity, I tell ya what you appear to me, you ought to know glycerin tears don't fool me, i tell ya delusions plaguing everybody - 311
 
Yes I'm using the built in des function, called encrypt() in php... I don't get it. What were you referring to? We're talking about the function password() in MySQL that encrypts passwords...

Matt
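The first-8-characters behaviour described earlier in the thread, including the `qwerty` / `qwertyuio` case, can be reproduced with PHP's `crypt()` in its traditional DES mode. This is an added example, not code from this thread or from the site; it assumes the site's hash behaves like DES `crypt()`, and the salt and passwords are constructed sample values.

```php
<?php
// Added example: traditional DES crypt() reads only the first 8 bytes of the
// password. The salt "ab" and every password below are constructed samples.

function des_hash(string $password, string $salt = 'ab'): string
{
    // A two-character salt selects the traditional DES scheme (CRYPT_STD_DES).
    return crypt($password, $salt);
}

function same_login(string $stored, string $typed): bool
{
    // Re-hash the typed password with the salt embedded in the stored hash,
    // then compare in constant time.
    return hash_equals($stored, crypt($typed, $stored));
}

$stored_long  = des_hash('snowboard');  // 9 characters stored
$stored_short = des_hash('qwerty');     // 6 characters stored

// Case 1: the exact password.
var_dump(same_login($stored_long, 'snowboard'));
// Case 2: the password typed twice; bytes after the 8th are never hashed.
var_dump(same_login($stored_long, 'snowboardsnowboard'));
// Case 3: only the first 8 characters of the password.
var_dump(same_login($stored_long, 'snowboar'));
// Case 4: a short password with extra characters inside the first 8 bytes.
var_dump(same_login($stored_short, 'qwertyuio'));

// Same "typed twice" input against a hash that covers the whole password.
$modern = password_hash('snowboard', PASSWORD_DEFAULT);
var_dump(password_verify('snowboardsnowboard', $modern));
```

Cases 1 to 3 are accepted and case 4 is rejected, matching the replies above; the last check is rejected because bcrypt hashes the full input, up to its own 72-byte limit.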

 
which part didn't you follow???

i'm just curious as to why it's chopping off at 8 characters b/c the only time i've ever known something to chop off at 8 characters is with the unix login where it compares hashes of 8 characters. i'll just read up on the encrypt function and if password is a php function (i don't know, i haven't written php for a while), then that too. i gotta go to work...see ya

------------------------------

I always say what I feel and that is a promise, nothing in life is above being honest - 311

from chaos comes clarity, I tell ya what you appear to me, you ought to know glycerin tears don't fool me, i tell ya delusions plaguing everybody - 311
 