The problem is that I change the password of an mysql-db-user and can use the old password - but that's what I want to forbid.
Example:
Old Password: "test" (encrypted in DB - how can I compare it with the new PW?)
New Password: "test" -> should give an error, because it's the same as the old PW
How can I compare the old password with the new one? Or is there an option in the Settings of the MySQL-Workbench? Many thanks in advance!
Edit:
I'm thinking of changing the passwords of the database users who are listed in mysql.user
Im not exactly sure of your workflow, but in php, you should be able to do something like
$email = $_POST['email'] /*email posted from "password change" page*/
$query = mysqli_query($db,"SELECT `password` FROM `users` WHERE `email` = '$email'");
$result = mysqli_num_rows($query);
$new_password = $_POST['new_password'] /*this is your new password*/
if( $new_password == $result['password']){
/*password is the same as previous*/
} else {
/*password is new*/
}
The code isn't tested, but should be close if it doesn't work
If FLUSH PRIVILEGES doesn't are you able to create a new database and then compare things that way?
Ok, I got it - and this is an easy solution:
First I ask for the old password of the username and compare the input with the new password the user want to set. If both are same my app throw an error. Example:
Old PW: "test"
New PW: "test" --> Error: Old PW == New PW
Maybe there's an option in the MySQL Workbench - but I didn't find something like this.
Related
Here is my scenario.
A user will login to the system. Based on the username, I need to set the database in codeigniter configuration.
I know that the line $this->load->database() in each model loads the default database.
So, after checking the username in session(assuming that the user has successfully logged in), how can I dynamically load a database?
Below is something that I am looking for:
if(username == 'foo'){
$this->load->database('database_name');
}
An example of a model function that I have written is as follows:
public function check_valid_login($username, $password){
$this->db->from('tbl_user_details');
$this->db->where('email_address', $username);
$this->db->where('password', md5($password));
$query = $this->db->get();
$rowcount = $query->num_rows();
return $rowcount ;
}
On selecting the database, how can I still use statements like $this->db->from('tbl_user_details'); and so on. i.e., I want to use $this->db itself. Is it possible to do that?
I think I found a solution.
This is the strategy that I followed: When the user tries to login, a session variable $_SESSION['dynamic_db_username'] is set with the username that is provided by the user.
The following logic is used for selecting the database dynamically. The below code is written in config/database.php
/*Dynamic database selection - begins*/
if(!empty($_SESSION['dynamic_db_username'])){
$dynamic_db_username = $_SESSION['dynamic_db_username'];
if($dynamic_db_username == 'sample#domain.com')
{
$db['default']['database'] = 'database_1';
}
elseif($dynamic_db_username == 'sample2#domain.com')
{
$db['default']['database'] = 'database_2';
}
else
{
$db['default']['database'] = 'database_1';
}
}
else
{
$db['default']['database'] = 'database_1';
}
/*End*/
Kindly review this strategy and please let me know if this is right.
in the config folder there was a file named autoload.php
open the file
find first this code below
$autoload['libraries'] = array('');
you have to put "database" in the array , changed code will be like
$autoload['libraries'] = array('database');
after that you can use your database anytime and anywhere without loading it manually .
I want my users to be able to sign in using their accounts, so I created an html form and a php file that will communicate with mySQL database.
The php code is supposed to check whether the username and password are correct and exist in the database. If so the user is granted access. I am thinking such algorithm:
<?php
//connection_start
$mysqli = new mysqli('mysql3.000webhost.com','a4305565_os','******','a4305565_users');
//check_connection
if($mysqli->connect_error){
die("Connection error (check_connection): " . $mysqli->connect_errno . " : " . $mysqli->connect_error );
exit();
}
//check_if_account_exists
$query = mysql_query("SELECT * FROM `users` where `username` = '$_POST[form_username]' AND `password` = '$_POST[form_password]'") or die(mysql_error());
$row = mysql_fetch_array($query) or die(mysql_error());
//verification
if(!empty($row['username']) AND !empty($row['password'])){
echo "SUCCESSFULLY SIGNED IN.";
}else{
die("Your are not registered yet.");
}
//Connection_end
$mysqli->close();
?>
But when I test the code on my web host, it is giving me an error on line 14 saying that I
do not have access to the database "a4305565_users" with password=NO
or something like that.
Any help please?
Your user don't have any rights on a4305565_users schema.
Edit your user privileges to give him the rights to use this schema.
Also it's kind of weird that you are creating a schema named "users", this sounds more like a table name.
And, as a word of advice, you should hash your users password, it's a very bad practice to store them in plain text.
Also, you can salt your hashes.
Look at this : https://en.wikipedia.org/wiki/Salt_(cryptography)
I'm very new to CakePHP.
I've recently taken over a project that was built in CakePHP v 1.2.4.8284.
I'm trying to change the password for the login page.
There is only one user stored in a mysql database.
fields - id, username, password(varchar 40), nacl(char(6), firstname, lastname
In phpAdmin, I've tried changing the password while using the SHA1 function, but that doesn't work.
I've even tried creating a new user, but the new user information will not work either.
I've narrowed it down to the usercontroller in the following if statement:
if ($results && $results['User']['password'] == sha1($results['User']['nacl'] . sha1($this->data['User']['password'])))
It looks like the password in the database should have sha1(nacl field) + sha1(password field).
But it is all wrapped in a sha1.
I'm not sure how the encryption is working.
Any help would be appreciated.
Thanks in advance.
Here is the complete login function.
function login()
{
$this->set('error', false);
if ($this->Session->read('user'))
{
$this->redirect('/test-folder/');
} else {
$this->User->set($this->data);
if ($this->data) {
//$results = $this->User->findByUsername($this->data['User']['username']);
$results = $this->User->find('first', array(
'conditions' => array('username' => $this->data['User']['username'])
));
if ($results && $results['User']['password'] == sha1($results['User']['nacl'] . sha1($this->data['User']['password']))) {
$this->Session->write('user', $this->data['User']['username']);
$this->Session->write('admin', $results['User']['group']);
$this->redirect('/test-folder/');
} else {
$this->set('error', true);
}
}
}
}
Get the Security.salt in Config/core.php: 'securitysaltvalue'
Take a password 'yourplainpassword'
UPDATE user SET password = SHA1( CONCAT('securitysaltvalue', 'yourplainpassword')) WHERE id = 123
According to your code, you should be able to generate a new Password with these steps:
1) Generate a Password, for example "test123"
2) Get the id of the user you want to change the password for, for example 123
3) Execute this SQL in your phpMyAdmin (Replace my demo values!!!)
UPDATE user SET password = CONCAT( SHA1(nacl), SHA1("test123")) WHERE id = 123
And please make a complete DB dump on that table before any changes. And better yet, test on some development instance.
The answer from #StefanoDP works, but the table name is 'users', not 'user'. So the command should be:
UPDATE users SET password=SHA1(CONCAT('securitysaltvalue','yourplainpassword')) WHERE id=123;
Don't forget to add the semicolon at the end of the statement.
I'm creating a login system of sorts that uses parameters from the URL.
The parameters are set no problem. I dont know what the issue is.
Here's my code:
<?php
require_once("db_const.php");
$mysqli = new mysqli("dont", "try", "to login to", "my database");
# check connection
if ($mysqli->connect_errno) {
echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
exit();
}
$username = filter_input(INPUT_GET,"username",FILTER_SANITIZE_STRING);
$password = filter_input(INPUT_GET,"password",FILTER_SANITIZE_STRING);
$sql = "SELECT * from users WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1";
$result = $mysqli->query($sql);
if (!$result->num_rows == 1) {
echo "failed";
} else {
echo "success";
}
?>
There are a few problems with your code.
The problem is the use of the LIKE function. Your usage is
SELECT * from users WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1
Like requires additional specification to find match positions and such, for example :
SELECT ... WHERE username LIKE '%{$username}%'
In the form you used, the WHERE clause if equivalent to
SELECT ... WHERE username = '{$username}'
In addition, LIKE is not recommended even (especially) with the wildcards, as 'tom' will match users 'tom' and 'tommy', and the count will certainly not be == 1.
I'll also urge you to test the query for errors
if (!$result) {
echo 'An error occurred : $mysqli->error;
}
Others have already mentioned the risk in passwing username and passwords on the URL, Please take note of their comments.
In addition, storing the password in plain form the database is not recommended for security reasons. There are plenty of resources explaining how to encrypt passwords and authenticate using the encrypted values.
Try:
$sql = "SELECT * from users WHERE username='$username' AND password='$password'";
CAUTION
Even if the above code solves your problem, It's still very dangerous as it's vulnerable for SQL injection on both username and password parameters and it can be exploited in a manner that a malicious user can bypass the login check by breaking out of the quotes and adding a condition that evaluates to true.
You can use a mysqli::prepare to get over that.
$stmt = mysqli->prepare("SELECT * from users WHERE username=? AND password=?");
$stmt->bind_param("ss", $username,$password);
$stmt->execute();
Im getting this error when Im trying to update data in the database.
this is my database.php file
<?php
$db_name = "db";
$db_server = "localhost";
$db_user = "xxxx";
$db_pass = "zzzzzzzzz";
$mysqli = new MySQLi($db_server, $db_user, $db_pass, $db_name)
or die(mysqli_error());
?>
update.php
<?php
require 'database.php';
$title = mysql_real_escape_string($_POST['title']);
$id = mysql_real_escape_string($_POST['id']);
$update_query = "UPDATE photos SET title = '$title' WHERE id='$id'";
$result = $mysqli->query($update_query) or die(mysqli_error($mysqli));
if ($result) {
echo "Success!";
echo "The title of this photo has been changed to: <strong>$title</strong>";
}
?>
The error message:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'#'localhost' (using password: NO) in C:\wamp\www\myPhotosWebsite\changePhotoTitle.php on line 5
You are mixing procedural and object-oriented style calls.
Try:
$title = $mysqli->escape_string(_POST['title']); /* Call as a method */
instead of:
$title = mysql_real_escape_string($_POST['title']);
real_escape_string requires a valid connection handle, as it needs to know the connection character set.
If you call it as a procedure, you should pass the connection handle as a first param:
mysql_real_escape_string($connection_handle, $string_to_escape)
or just call it as a method as described above.
See mysqli_real_escape_string for more detail
In your mysql connect() it seems that your user name/password combination is being denied access to mysql, you might want to check your details and try again.
mysql_real_escape_string requires a database connection to operate on. Unless you pass one explicitly, that means you have to call mysql_connect() first. But you're using a MySQLi() object to get the connection instead. I don't think using MySQLi() will set the default connection mysql_ family functions. Certainly,
(using password: NO)
implies it is not getting the $db_pass.
It's best to stick to either ‘mysql’ or ‘mysqli’, rather than try to mix both. If you're using MySQLi you might want to take advantage of parameterised statements to avoid having to call $mysqli->escape_string() explicitly.
PS.
echo "The title of this photo has been changed to: <strong>$title</strong>";
$title is SQL-escaped, but not HTML-escaped. It will have unwanted backslashes in whilst not preventing HTML-injection (XSS attacks). Instead:
echo 'The title of this photo has been changed to: <strong>'.htmlspecialchars($_POST['title']).'</strong>';