View Single Post

kool77 · #1 (**permalink**) Jun 3rd, 2007, 18:13

Hi

I'm having a problem with double hashing and changing the password..
my story is the user use 123456 for example to login and this password is not in double hashing form yet!
so the user go to change password section and enters his current password twice 123456 and his new password 111222333 then OK and the password became 9898eugeghdgd87d67d6 bluh bluh in the database because it is in double hashing form no body can see what it is then the user use his new password next time to login 111222333 and login successful ..

the problem is here he wants to change the password again he goes to change password and the same story again but this time he got the message "invalid previous password" because it is in hashing form and I don't know how to make it understand that the password is the same one he used to login and it's not invalid!!

NOTE: I really need to use the double hashing, I know it works without it but I want it.

see this code where I used sha1 for double hashing in change password screen, I might need it somewhere else but I don't know where

Code: Select all

$pass = sha1($_POST['psd1']);
     
     $update = "UPDATE INSTRUCTOR SET IPASSWORD = '$pass' WHERE INSID = '$userid'";
     $result= mysql_query($update);

and here in check login screen:

Code: Select all

$user = trim($_POST['User_Name']);
$pass = trim($_POST['User_Pass']);
$SQL = mysql_query(" select * from INSTRUCTOR where INSID='".$user."' and ipassword=sha1('".$pass."') ") or die (mysql_error());

here are the full codes, if you need them

Code: Select all

<?
session_start();
$userid=$_SESSION['ses_name'];
if(isset($userid)) {
 
ECHO "Welcome ".$_SESSION['ses_name']."  to change password section ";
} else {
ECHO "Sorry! you need to login to view this page. ";

include("login_form.php");

}
?>

<html>
<head>
<title>:: Change Password Screen ::</title>
</head>
<body background="logo_02.gif">
      <?
    include('DB_connectionscript.php');
    if(isset($_POST['submit']))
    {
     if($form_errors = check())
     {
      show_form($form_errors);
     }
     
     else
     
      
      
     {
      process();
     }
    }
    else
    {
     show_form();
    }
    function show_form($errors='')
    {
     print "<br/>";
     print "<br/>";
     print "<br/>";
     print "<form method='POST' action='".$_SERVER['PHP_SELF']."'>";
     print "<h3 align = 'center'>Please fill your data in the following fields:</h3><table align = 'center' border='0' dir='ltr'>";
     print "<tr>";
     print "<td colspan='2'>";
     if ($errors) {
      print "<font color='#FF0000'>";
      print "<ul><li>";
      print implode("</li><li>",$errors);
      print "</li></ul>";
     }
     print "</tr>";
     print "<tr>";
     print "<td><font size='2'> Enter your password </font> </td><td><input type='password' name='psd'></td>";
     print "</tr>";
     print "<tr>";
     print "<td><font size='2'>  Enter your new password </font></td><td><input type='password' name='psd1'></td>";
     print "</tr>";
     print "<tr>";
     print "<td><font size='2'>  Re-enter your new password </font></td><td><input type='password' name='psd2'></td>";
     print "</tr>";
     print "<tr>";
     print "<td colspan='2'>";
     print " <p align='center'>";
     print "<input type='submit' value='Submit' name='submit' dir='ltr'>";
     print "</tr>";
     print "</table>";
     print "</form>";
     print "<br/>";
     print "<br/>";
     print "<br/>";
    }
    function check()
    {
     global $userid;
                    $errors = array();
     if (!$_POST['psd'] || !$_POST['psd1'] || !$_POST['psd2'])
     {
      $errors[] ='You did not fill in a required field';
      return $errors;
     }
     $sql = ("SELECT IPASSWORD FROM INSTRUCTOR where INSID = '$userid'");
     $result = mysql_query($sql);
     $checker = mysql_fetch_row($result);
     if($checker[0] != $_POST['psd'])
     {
      $errors[] = "Invalid previous password";
      return $errors;
     }
     if (strlen($_POST['psd1']) >= 6)
     {
      if ($_POST['psd1'] != $_POST['psd2']) 
      {
       $errors[] ='New Passwords did not match.';
       return $errors;
      }
     }
     else
     {
      $errors[] ='Your new password length must be 6 or more.';
      return $errors;
     }
    }
    
    
    function process()
    {
     global $userid;
     $pass = sha1($_POST['psd1']);
     
     $update = "UPDATE INSTRUCTOR SET IPASSWORD = '$pass' WHERE INSID = '$userid'";
     $result= mysql_query($update);
     
     
     if(!$result)
     {
      print "Update ERROR:". mysql_error();
      exit();
     }
     else
     {
      echo '<META HTTP-EQUIV="Refresh" CONTENT="3;URL=admin_page.php">';
     }
    }
   
    
   ?>
</body>
</html>

checklogin.php

Code: Select all

<?
session_start();
 
include("DB_connectionscript.php");
$user = trim($_POST['User_Name']);
$pass = trim($_POST['User_Pass']);
$SQL = mysql_query(" select * from INSTRUCTOR where INSID='".$user."' and ipassword=sha1('".$pass."') ") or die (mysql_error());

if( mysql_num_rows($SQL) != "0" ){
$info = mysql_fetch_array($SQL);
 
$_SESSION['ses_name'] = "$info[INSID]";

ECHO "Login was successeful!";
echo "<br>";
echo "<a href='admin_page.php'>Control Panel Page</a>";
 
} else {
ECHO "Sorry! Check your login information ";
}
?>

Please help me I'm so tired of this .. I know I might need to use sha1 somewhere else too but I don't know where

I'm facing this problem since last week and I couldn't solve it

Thanks