开发者

Submitting to Mysql using Php with Salt&MD5

问答 作者: 
 <?php
require_once "dbcred.php";
$dbh = testdb_connect ();

/* Obliterate bad input */
$badpasses = $_POST['regpass'];
$salt = '~`!@#$%^&*()_-+=}]{[\|"><';
$secPass = md5($badpasses.$salt);

$newStudent = $dbh->exec ("INSERT IN开发者_StackOverflow社区TO Student (uname, pass, fname, lname, email, currGrade)                VALUES('$_POST[reguser]',$secPass,'$_POST[regfirst]','$_POST[reglast]','$_POST[regemail]','$_POST[regclassrank]')");

echo "Thanks for signing up!";

?>

Why is this not submitting to my mysql database anymore? The code below WAS submitting..

 <?php
require_once "dbcred.php";
$dbh = testdb_connect ();

/* Obliterate bad input */


$newStudent = $dbh->exec ("INSERT INTO Student (uname, pass, fname, lname, email, currGrade)                VALUES('$_POST[reguser]','$_POST[regpass]','$_POST[regfirst]','$_POST[reglast]','$_POST[regemail]','$_POST[regclassrank]')");

echo "Thanks for signing up!";

?>

You need to put quotes around $secpass in the query:

$newStudent = $dbh->exec ("INSERT INTO Student (uname, pass, fname, lname, email, currGrade)                VALUES('$_POST[reguser]','$secPass','$_POST[regfirst]','$_POST[reglast]','$_POST[regemail]','$_POST[regclassrank]')");

Just FYI, there are a lot of other problems with your code here. The biggest ones are that salt should be random. You can store it in the database next to the password but having different random salt for every password massively reduces the use of rainbow tables.

Secondly, and this is a much bigger problem, you need to escape your variables using mysql_real_escape_string() or by converting your database access to use PDO. Otherwise you are opening yourself up to a world of pain in the form of SQL injection attacks.

In line

$newStudent = $dbh->exec ("INSERT INTO Student (uname, pass, fname, lname, email, currGrade)                VALUES('$_POST[reguser]',$secPass,'$_POST[regfirst]','$_POST[reglast]','$_POST[regemail]','$_POST[regclassrank]')");

You forgot the quotes around $secPass. Try this code:

$newStudent = $dbh->exec ("INSERT INTO Student (uname, pass, fname, lname, email, currGrade)                VALUES('$_POST[reguser]','$secPass','$_POST[regfirst]','$_POST[reglast]','$_POST[regemail]','$_POST[regclassrank]')");

You didn't put $secPass in quotes in the query. md5 returns just a string, so it should be put in quotes if you want to store it in a string field.

继续阅读:phpsecurity

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9