I am trying to develop a profile form in Joomla so users can update their information - including changing their password.
However, as can be seen in the below example, the dots just flow beyond the viewable string in the field. Is there a way I can show the correct number of dots for the users password? For example, a user with an 8 character password:
<form>
<input type="password" name="psw" value="********">
</form>
<form>
<input type="password" name="psw" placeholder="********">
</form>
I'm getting the input field populated as this:
PS I'm aware aware of identifying password length as in this question. However, with hashing/salting for the type of site this is that it is acceptable
Updated slightly to incorporate the comments.
In the first example (with "value") what you are doing is setting the actual value of the password to a series of '*' if the form is saved. Then the Joomla password field is doing what it does which is to obfuscate the new password.
I don't know if you can use a place holder give that the field has a value (although the value is not displayed). If it would the placeholder would be something like "Enter new password". The password will be automatically obfuscated as the user types it. However if a password already exists neither a placeholder nor a value would be rendered by the field.
From what I can tell you are talking about editing the profile, in which case there is an existing password.
The Joomla password field never displays back the original password once it has been set, it just provides a blank space for the user to change passwords if desired. If a user is changing their password they should just see an empty field and then one dot for each character they type. The password field cannot show the existing password because it is hashed in the database. There is no way for the field to retrieve the actual password, only the hashed password. The only way to get the real password is for the user to type it in.
You don't say where $pass is coming from but if you are pulling it from the database it is the hashed value and then it is going to be double hashed on save.
Is there really a good reason not to use the Joomla profile edit form? Or if there is not to just copy and modify it?
Related
fairly new programmer here.
I've recently been trying to use p5.js to create a username and password form. It's worked wonderfully, at least until I needed to make the password field private (and look like a password field)
I know that there is the <input type="password"> option in HTML, but I was wondering how to incorporate this somehow into my p5.js code.
Thank you!
My code:
password = createInput();
password.position(70, 265);
The best way to answer questions like this is to read through the reference. Here is the reference for the createInput() function.
createInput([value], [type])
Parameters
value String: default value of the input box type String: type of
text, ie text, password etc. Defaults to text
So it sounds like you probably want to do something like this:
password = createInput('', 'password');
Also note that you can probably use the createElement() and attribute() function to build the element manually.
After i knew how to secure upload image Bypassing forms input fields to upload unwanted files i would like to give another example of from with 2 filed, one of them are hidden.
SQL Table (id,name,jod,number)
CREATE TABLE `users` (
`id` bigint(20) unsigned NOT NULL auto_increment,
`name` varchar(255) default '0',
`job` varchar(255) default NULL,
`number` varchar(255) default NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
Form Code (support member will edit own informations)
<form action="send.php" method="post" name="send" id="send">
<input type="text" name="name" id="name" value="John"/>
<input type="text" name="job" id="job" value="Plumber"/>
<input type=hidden name="number" id="number" value="1234"/>
<input type="Submit" name="Submit" value="Submit"/>
</form>
Later there was an firefox extension that can bypassing different input to the server-side bypassing checking and might case a lot of damage so here it can stop the whole process and makes you able to edit the value of hidden table number to any such as value="1" causing update information for member have that value number 1.
That extension is working as following, It can fake input data before it passed to server side.
PHP Code Send.php
if(isset($_POST['send'])){
$name = mysql_real_escape_string($_POST[name]);
$job = mysql_real_escape_string($_POST[job]);
$number = mysql_real_escape_string($_POST[number]);
$sql= "update users SET name='$name',job='$job' WHERE number='$number'";
mysql_query($sql) or die("query failed: $sql".mysql_error());
echo "Update Done";
} else {
echo "Nothing to update";
}
The question
How then to protect this simple form from such input form ? ~ Thanks
this problems really hurts cause it made my website free to be hacked :)
If the user authorization is not an option in your cause, you could try the following techniques:
Set the hidden field with a hash of the number salted with some other information
Set the hidden field with the number encrypted (possible salt could increase security here also)
Of course it would add extra steps when sending the form HTML and validating the post information, but at least it would be much harder to the attacker fake a valid number on the post. Although it would not save you if the attacker knows the encrypted/hashed number of a different user unless the salted information withing the hidden field is used wisely.
You can't control what data people submit to your server.
You have to check, on the server, to see if the user is authorised to see the information or to make the change they are asking for.
For example:
able to edit the value of hidden table number to any such as value="1" causing update information for member have that value number 1.
The process would be something like:
Is anybody allowed to edit this field? If so, then OK.
Is the request coming from an authenticated user? If not, then return an error message and a login form
Is the request coming from the user with id=1? If so, then OK
If the request coming from a user who has admin permissions? If so, then OK
Return an error message.
If you have a form and any users to edit the values, this problem is going to be there. A better approach is to authenticate the users. Allow only the users who have logged in with an account to make the changes to their respective accounts.
Also, don't use mysql_query or anything like mysql_*, they are insecure and depreciated in php5.
A hidden field cannot be secured. It's 100% impossible to prevent malicious people from editing it.
The best you can possibly do is validate its data.
For the example field, the best you can do is make sure it's actually a number.
But that doesn't help any.
What you need to do is have the OLD data sent as hidden data. ALL of it. Complete with the old id.
Then you validate both the old and new data. Make sure there's no injected sql code in them. Having done this you would have
$name
$job
$id
$old_name
$old_job
all set. Then you can.
select * from users where name="$old_name" and job="$old_job
if you get back a row, then you can
update users set name="$name", job="$job$" where id=$id
Now, even if the user changes the ID, it won't do a thing, because the select will return 0 rows, ad the edit attempt will abort.
Now if someone happens to know all three fields for someone else's entry, they can still change it. The only way around that is force authentication, and have another database tying username/password pairs to IDs.
We have a login/ registration form. I filled all the fields username, first name, last name and password.
Now I clicked on back button from browser and again clicked on forward. All information is there except password field.
Password field gets empty.
I know its a default property of password field but i need the reason.
Can anyone help on this.?
Thanks.
This is the expected behaviour, as someone could come along, click back and then use a tool to show the password behind the *'s
I'm having a lot of trouble trying to handle username / passwords from my HTML page. I've set up a basic page which uses:
<form action="myCFile.cgi" method="post">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Create Account" />
This information is sent to myCFile.cgi which of course in my actual code is an exact http address. I've confirmed that the information is successfully passed to the C file. Within this file I want to be able to check if that username already exists in an .ssv file that I have created (which is in the format: username password), and if it does not, I wish to append the document with the username and password information.
My trouble comes in trying to identify exactly what information being passed is the username. When "post" is used I know it sends information in the form:
username=xyz&password=abc
What is the best way to extract the username "xyz" from the above given that I won't know the length of the username? I want to stick only to C.
Thanks for your help
use strtok_s() or non-standard strtok_r() and strcmp(). Details left as an exercise for the reader.
Also, details of URLDecode are not handled.
You can use
strchr(text, '=')
strchr(text, '&')
(see C++ referrence to locate the borders of UN and PW. Be aware that these characters are encoded if part of the password (e. g. '&' is '%26').
We are writing a user management module where the admin can change passwords for other users.
We store hashed passwords of users in DB.
The question is what field do we present to the admin user ?
There are some options:
Present the input filed with no value, and change the password only if the some value was entered
Present the input field with fixed-length string, and detect the change when the value changes
There's an option of presenting a change password button, but we prefer not to do it this way.
What option do you use and why ?
I would go with option 1.
Present the input filed with no value, and change the password only if the some value was entered
This is because its not really a "change password" option, its really a "set password" option. There is no value in showing the current hash to the admin user.
So in your update user code you just check if the password field is set, if so hash the new value and store the new hash.
Note: this is traditionally different to the way a user (including admin) changes their own password.
In that case the user is usually prompted for the value of the old password to ensure that its not someone else coming across the screen when its already logged in. But if you wanted to re-use the same screen (with a different where clause) then this is not essential - just what's normally done.
After a few minutes of brainstorming we got to the merged option, of showing fixed-size value inside the text-box and use onfocus() and onblur() events to blank the field on focus and return to the fixed size string on loose of focus when no text was entered.