mysql - PHP function only working once -


I'm trying to encrypt 3 sets of data and insert them into a MySQL database. The first one is working ($email). Firstly I post the data from a form and make several checks (does the user exist etc...). At that point I encrypt the email and check it against the database (to see whether it already exists). If the data doesn't exist, I encrypt the first name and surname and insert them into the database. The encryption of the first name and surname does not come out correctly. The email encryption works (I checked by decrypting the data in a script).

Thanks, Jonathan

<?php
$email       = $_POST['emailreg'];
$firstna     = $_POST['firstna'];
$surna       = $_POST['surna'];
$password    = $_POST['passreg'];
$passconfirm = $_POST['passconfirm'];
$userpass    = $email . $password;
$emailsep    = explode("@", $email);
$domain      = $emailsep[1];

$key  = md5('united');
$salt = md5('united');

function encrypt($string, $key) {
    $string = rtrim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $string, MCRYPT_MODE_ECB)));
    return $string;
}

$link = mysql_connect('xxxxxxx', 'xxxxxxx', 'xxxxxxx');
if (!$link) {
    die('could not connect: ' . mysql_error());
}
mysql_select_db("xxxxxxx", $link);

$domaincheck = mysql_query("select * from xxxxxxx where domain = '$domain'", $link);
if($domaincheck === false) {
    die(mysql_error());
}

$emailcheck = mysql_query("select * from xxxxxxx where studentemail = '".encrypt($email, $key)."'", $link);
if($emailcheck === false) {
    die(mysql_error());
}

$dorow    = mysql_fetch_array($domaincheck);
$emailrow = mysql_fetch_array($emailcheck);

if ($password == '') {
    $cause = 'password blank'; include 'error.php';
}elseif ($passconfirm =='') {
    $cause = 'password blank'; include 'error.php';
}elseif ($password != $passconfirm) {
    $cause = 'password mismatch'; include 'error.php';
}elseif ($dorow['domain'] != $domain) {
    $cause = 'incorrect domain'; include 'error.php';
}elseif ($emailrow['studentemail'] != '') {
    $cause = 'user exists'; include 'error.php';
}elseif ($dorow['licensecount'] > $dorow['licensemax']) {
    $cause = 'insufficient licences'; include 'error.php';
}else {
    function hashword($string, $salt){
        $string = crypt($string, '$1$' . $salt . '$');
        return $string;
    }

    $userpass = hashword($userpass, $salt);
    $hash = md5( rand(0,1000) );

    $result = mysql_query("insert into `xxxxxxx`.`xxxxxxx` (`hash`, `studentemail`, `studentfirstname`, `studentsurname`, `oscopetutcount`, `siggentutcount`, `mmetertutcount`, `lprobetutcount`, `psupplytutcount`, `oscopetest`, `siggentest`, `mmetertest`, `lprobetest`, `psupplytest`, `exam`, `userpass`, `id`, `domain`, `licensecount`, `licensemax`, `licenceexpire`) values ('$hash', '".encrypt($email, $key)."', '".encrypt($firstna, $key)."', '".encrypt($surna, $key)."', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '$userpass', null, '', '0', '', null)", $link);

    $licenceadd = mysql_query("update xxxxxxx.xxxxxxx set licensecount = licensecount +1 where domain = '$domain'", $link);

    if($result === false) {
        die(mysql_error());
    }
    if($licenceadd === false) {
        die(mysql_error());
    }

    include 'email.php';
    mysql_close($link);
}
?>

Since the question is concerning security.

Don't use the mysql_* library. It is wildly vulnerable to SQL injection, the way you are using it. And it is deprecated.

Let's assume you pass joe@gmail.com

In your code

$domain = $emailsep[1];   // equals "gmail.com"

Now let's inject some SQL, because passing joe@gmail.com is rather boring, isn't it.

I am going to have a lot of fun in the line of code that follows:

$domaincheck = mysql_query("select * from xxxxxxx where domain = '$domain'", $link);

Please read this and this.

And use mysqli or PDO as prescribed by the doctors.


EDIT:

Now to the question you had in mind

One PHP file

<?php
    date_default_timezone_set('America/New_York'); // required here, else an exception below
    //error_reporting(E_ALL);
    //ini_set("display_errors", 1);
    //require '1error_2shutdown_3log.php';  // 1. err hndlr, 2. shutdown hndlr, 3. log somehow

    $b='<br/n>';    // great name huh ?
    $b2='<br/n><br/n>'; // great name huh ?
    echo "the time " . date("h:i:sa").$b;
    echo "s01".$b;
    try {
        echo "s02".$b."--------------------------------------------------------------------------".$b;
        //$email = $_POST['emailreg'];
        //$firstna = $_POST['firstna'];
        //$surna = $_POST['surna'];
        //$password = $_POST['passreg'];
        //$passconfirm = $_POST['passconfirm'];
        //$userpass = $email . $password;
        //$emailsep = explode("@", $email);
        //$domain = $emailsep[1];

        $email = "drewpierce747@gmail.com";
        $firstna = "drew";
        $surna = "pierce";
        $password = "secure";
        $passconfirm = "secure";
        $userpass = $email . $password;
        $emailsep = explode("@", $email);
        $domain = $emailsep[1];

        $key = md5('united');   // don't use md5
        $salt = md5('united');  // don't use md5

        function encrypt($string, $key) {
            $b='<br/n>';    // great name huh ?
            $b2='<br/n><br/n>'; // great name huh ?

            # where the key comes from is beyond the scope of the question
            $key = pack('H*', "bcb04b7e103a0cd8b54763051cef08bc55abe029fdebae5e1d417e2ffb2a00a3"); # 32 bytes
            $key_size =  strlen($key);
            echo "key size: " . $key_size . $b; # 32, big surprise

            # create a random IV to use for CBC encoding
            # yes, each time
            $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);    // using ECB because you are
            $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);

            echo "in encrypt() passed <b>",$string,"</b> , <b>",$key.'</b>'.$b;

            $rawencrypted=mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $string, MCRYPT_MODE_ECB,$iv);
            # prepend the IV so it is available for decryption
            $rawencrypted = $iv . $rawencrypted;
            $b64encrypted= base64_encode($rawencrypted); # <------- right here you are done

            # done encrypting, return $b64encrypted and you are done
            # but no

            #########################################################################
            # lifted from the manual page btw: http://php.net/manual/en/function.mcrypt-encrypt.php
            # assert that we can decrypt, as a sanity check
            $ciphertext_dec = base64_decode($b64encrypted);

            # retrieves the IV, iv_size should be created using mcrypt_get_iv_size()
            $iv_dec = substr($ciphertext_dec, 0, $iv_size);

            # retrieves the cipher text (everything except the $iv_size in front)
            $ciphertext_dec = substr($ciphertext_dec, $iv_size);

            # may remove 00h valued characters from the end of the plain text
            $plaintext_dec = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $ciphertext_dec, MCRYPT_MODE_ECB, $iv_dec);

            echo  "assert ... plaintext= ".$plaintext_dec .$b;
            // a real assert would make it explode, you get the idea

            #########################################################################

            echo "leaving encrypt() ",$b64encrypted.$b2;
            return $b64encrypted;
        }

        echo "about to connect ...".$b;
        $link = mysql_connect('localhost', 'guysmiley', 'mongoose');
        if (!$link) {
            die('could not connect: ' . mysql_error());
        }
        mysql_select_db("so_gibberish", $link);

        $domaincheck = mysql_query("select * from t1 where domain = '$domain'", $link);
        if($domaincheck === false) {
            die(mysql_error());
        }

        //echo "encrypt returns: ".encrypt($email, $key).$b;
        $emailcheck = mysql_query("select * from t2 where studentemail = '".encrypt($email, $key)."'", $link);
        if($emailcheck === false) {
            die(mysql_error());
        }

        $dorow = mysql_fetch_array($domaincheck);
        $emailrow = mysql_fetch_array($emailcheck);

        // the includes below would explode, I don't have them, changed to echo
        if ($password == '') {
        $cause = 'password blank'; echo 'error.php'.$b;
        }elseif ($passconfirm =='') {
        $cause = 'password blank'; echo 'error.php'.$b;
        }elseif ($password != $passconfirm) {
        $cause = 'password mismatch'; echo 'error.php'.$b;
        }elseif ($dorow['domain'] != $domain) {
        $cause = 'incorrect domain'; echo 'error.php'.$b;
        }elseif ($emailrow['studentemail'] != '') {
        $cause = 'user exists'; echo 'error.php'.$b;
        }
        //elseif ($dorow['licensecount'] > $dorow['licensemax']) { # commented out because I don't have the table
        //$cause = 'insufficient licences'; echo 'error.php'.$b;
        //}else {
        //}

        function hashword($string, $salt){
            $b='<br/n>';    // great name huh ?
            echo "in hashword()".$b;
            $string = crypt($string, '$1$' . $salt . '$');
            return $string;
        }

        echo "s10".$b;
        $userpass = hashword($userpass, $salt);
        echo "s11".$b;
        echo $userpass.$b;

        $hash = md5( rand(0,1000) );    // don't use md5, or this rng (random number generator)

        echo "s12".$b;
        $sql="insert into `xxxxxxx`.`xxxxxxx` (`hash`, `studentemail`, `studentfirstname`, `studentsurname`, `oscopetutcount`, `siggentutcount`, `mmetertutcount`, `lprobetutcount`, `psupplytutcount`, `oscopetest`, `siggentest`, `mmetertest`, `lprobetest`, `psupplytest`, `exam`, `userpass`, `id`, `domain`, `licensecount`, `licensemax`, `licenceexpire`)  values ('$hash', '".encrypt($email, $key)."', '".encrypt($firstna, $key)."', '".encrypt($surna, $key)."', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '$userpass', null, '', '0', '', null)";

        echo $sql.$b;
        //$result = mysql_query($sql, $link);

        //$licenceadd = mysql_query("update xxxxxxx.xxxxxxx set licensecount = licensecount +1 where domain = '$domain'", $link);

        //if($result === false) {
        //    die(mysql_error());
        //}
        //if($licenceadd === false) {
        //    die(mysql_error());
        //}
        //include 'email.php';

        echo "near bottom".$b;
        mysql_close($link);

    } catch (Exception $e) {
        echo 'caught exception: ',  $e->getMessage(), $b;
    } finally {
        echo $b."--------------------------------------------------------------------------".$b."first finally".$b;
    }
?>

The schema that was live when I ran this

create table t1 (
    id int auto_increment primary key,
    domain varchar(100) not null,
    key(domain)
);
insert into t1(domain) values ('gmail.com'),('yahoo.com'),('ibm.com');

-- drop table t2;
create table t2 (
    id int auto_increment primary key,
    fullname varchar(80) not null,
    studentemail varchar(1000) not null
    -- key(studentemail)
);
-- truncate table t2;
insert into t2(fullname,studentemail) values ('drew pierce','who-knows');

The screen output:

the time 06:25:20pm
s01
s02
--------------------------------------------------------------------------
about to connect ...
*** begin mylogger function *** lvl: 8192 | msg:mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead | file:c:\apache24\htdocs\causes_parse_error.php | ln:82 warn *** end mylogger function ***
key size: 32
in encrypt() passed drewpierce747@gmail.com , ��k~:صgc��u��)���^a~/�*�
assert ... plaintext= drewpierce747@gmail.com
leaving encrypt() 7n7atydo4e4wvtdseucsm3jmjkipfalvrwhpwu6p5vudyjn9btnnpo1qloxb+tktwfccr/2cttcnpxrdvz5egg==

error.php
s10
in hashword()
s11
$1$3db1a73a$i5pb3o2s6tv4uwdivvmla1
s12
key size: 32
in encrypt() passed drewpierce747@gmail.com , ��k~:صgc��u��)���^a~/�*�
assert ... plaintext= drewpierce747@gmail.com
leaving encrypt() uxckvauvubcopxibqpbfmzrd50bu7xswp75mapbct9udyjn9btnnpo1qloxb+tktwfccr/2cttcnpxrdvz5egg==

key size: 32
in encrypt() passed drew , ��k~:صgc��u��)���^a~/�*�
assert ... plaintext= drew
leaving encrypt() 61b1ajtpak7hx0bfsbnxr9z0zfiukrqxczcq5d4pvyszlffieeb/2r2fvclzmobud3jwriiyfsfly4/qtxst5w==

key size: 32
in encrypt() passed pierce , ��k~:صgc��u��)���^a~/�*�
assert ... plaintext= pierce
leaving encrypt() /jfbohee96r7sfnqxu+ujvgfv8wzl9pdss+zv8tvptjk2xrzh8pb3xjfgmwgh92w/h4aewrps8iceiojktyrgw==

insert into `xxxxxxx`.`xxxxxxx` (`hash`, `studentemail`, `studentfirstname`, `studentsurname`, `oscopetutcount`, `siggentutcount`, `mmetertutcount`, `lprobetutcount`, `psupplytutcount`, `oscopetest`, `siggentest`, `mmetertest`, `lprobetest`, `psupplytest`, `exam`, `userpass`, `id`, `domain`, `licensecount`, `licensemax`, `licenceexpire`) values ('a96b65a721e561e1e3de768ac819ffbb', 'uxckvauvubcopxibqpbfmzrd50bu7xswp75mapbct9udyjn9btnnpo1qloxb+tktwfccr/2cttcnpxrdvz5egg==', '61b1ajtpak7hx0bfsbnxr9z0zfiukrqxczcq5d4pvyszlffieeb/2r2fvclzmobud3jwriiyfsfly4/qtxst5w==', '/jfbohee96r7sfnqxu+ujvgfv8wzl9pdss+zv8tvptjk2xrzh8pb3xjfgmwgh92w/h4aewrps8iceiojktyrgw==', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '$1$3db1a73a$i5pb3o2s6tv4uwdivvmla1', null, '', '0', '', null)
near bottom

--------------------------------------------------------------------------
first finally

Basically, I am happy with the way the asserts are coming out, with the embedded IVs (initialization vectors).

Writing to the database wasn't the issue in the question, as you can see from the commented-out area. Rather, the question was about encryption / decryption.

The recipient of the cipher text can decrypt it, as the IV is prepended, and they have the key. If they don't have the key, too bad.

Good luck! And change the library over to ... ... PDO!
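The same registration path as added example code in PHP (not from the question or the answer): the domain check, duplicate-email check, insert and licence bump on PDO with bound parameters, so the $domain value the answer singles out, and the ciphertexts, reach MySQL as data rather than as SQL text. It assumes the answer's tables t1/t2 (t2 extended with the question's columns), encrypt() and $key as defined on this page, placeholder credentials, and swaps crypt('$1$'.md5(...)) for password_hash() and md5(rand()) for random_bytes().

```php
<?php
// Added example, not code from the question or the answer: the domain check,
// duplicate-email check, insert and licence bump on PDO with bound parameters,
// so $domain and the ciphertexts reach MySQL as data, never as SQL.
// Assumes the answer's tables t1/t2 (t2 extended with the question's columns),
// encrypt() and $key as on the page, placeholder credentials, and swaps
// crypt('$1$'.md5(...)) for password_hash().
$pdo = new PDO('mysql:host=localhost;dbname=so_gibberish;charset=utf8mb4',
    'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]);   // real server-side prepares

$email    = trim($_POST['emailreg'] ?? '');
$password = $_POST['passreg'] ?? '';
$domain   = ($p = strrpos($email, '@')) === false ? '' : substr($email, $p + 1);

// 1. Domain allow-list. Bound, so a quote in $domain cannot close the literal
//    that the original "... domain = '$domain'" string builds by hand.
$st = $pdo->prepare('SELECT licensecount, licensemax FROM t1 WHERE domain = ?');
$st->execute([$domain]);
if (($dorow = $st->fetch(PDO::FETCH_ASSOC)) === false) { exit('incorrect domain'); }
if ($dorow['licensecount'] > $dorow['licensemax'])     { exit('insufficient licences'); }

// 2. Duplicate check on the stored value, as the page does it, with the
//    base64 ciphertext bound instead of concatenated into the query.
$st = $pdo->prepare('SELECT 1 FROM t2 WHERE studentemail = ?');
$st->execute([encrypt($email, $key)]);
if ($st->fetchColumn() !== false) { exit('user exists'); }

// 3. Insert and licence bump in one transaction: either both land or neither.
$pdo->beginTransaction();
try {
    $st = $pdo->prepare('INSERT INTO t2 (hash, studentemail, studentfirstname, studentsurname, userpass)
                         VALUES (:hash, :email, :first, :sur, :pass)');
    $st->execute([
        ':hash'  => bin2hex(random_bytes(16)),              // CSPRNG, not md5(rand())
        ':email' => encrypt($email, $key),
        ':first' => encrypt($_POST['firstna'] ?? '', $key),
        ':sur'   => encrypt($_POST['surna'] ?? '', $key),
        ':pass'  => password_hash($email . $password, PASSWORD_DEFAULT),
    ]);
    $pdo->prepare('UPDATE t1 SET licensecount = licensecount + 1 WHERE domain = ?')
        ->execute([$domain]);
    $pdo->commit();
} catch (PDOException $e) {
    $pdo->rollBack();
    throw $e;
}
```

The duplicate check in step 2 only finds an existing row if encrypt() is deterministic: the question's ECB-only encrypt() is, but the answer's variant prepends a fresh random IV on every call, which is why the two ciphertexts of the same email in the output above share a tail but differ at the start and would never compare equal to a stored value.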

