mysql - PHP function only working once
I'm trying to encrypt 3 sets of data and insert them into a MySQL database. Only the first one is working ($email). Firstly I post the data from a form and make several checks (does the user exist, etc.). At this point I encrypt the email and check the database (whether it already exists). If the data doesn't exist, I encrypt the first name and surname and insert them into the database. The first name and surname are encrypted, but not correctly. The email encryption works (I checked by decrypting the data in a script).
Thanks, Jonathan
<?php
$email = $_POST['emailreg'];
$firstna = $_POST['firstna'];
$surna = $_POST['surna'];
$password = $_POST['passreg'];
$passconfirm = $_POST['passconfirm'];
$userpass = $email . $password;
$emailsep = explode("@", $email);
$domain = $emailsep[1];
$key = md5('united');
$salt = md5('united');

// Rijndael-256 in ECB mode, base64-encoded; the same input always gives the same output
function encrypt($string, $key) {
    $string = rtrim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $string, MCRYPT_MODE_ECB)));
    return $string;
}

$link = mysql_connect('xxxxxxx', 'xxxxxxx', 'xxxxxxx');
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("xxxxxxx", $link);

// $domain comes straight from the POSTed e-mail address and is interpolated unescaped
$domaincheck = mysql_query("SELECT * FROM xxxxxxx WHERE domain = '$domain'", $link);
if ($domaincheck === false) {
    die(mysql_error());
}
$emailcheck = mysql_query("SELECT * FROM xxxxxxx WHERE studentemail = '" . encrypt($email, $key) . "'", $link);
if ($emailcheck === false) {
    die(mysql_error());
}
$dorow = mysql_fetch_array($domaincheck);
$emailrow = mysql_fetch_array($emailcheck);

if ($password == '') {
    $cause = 'password blank';
    include 'error.php';
} elseif ($passconfirm == '') {
    $cause = 'password blank';
    include 'error.php';
} elseif ($password != $passconfirm) {
    $cause = 'password mismatch';
    include 'error.php';
} elseif ($dorow['domain'] != $domain) {
    $cause = 'incorrect domain';
    include 'error.php';
} elseif ($emailrow['studentemail'] != '') {
    $cause = 'user exists';
    include 'error.php';
} elseif ($dorow['licensecount'] > $dorow['licensemax']) {
    $cause = 'insufficient licences';
    include 'error.php';
} else {
    // MD5-crypt of email.password with a fixed salt
    function hashword($string, $salt) {
        $string = crypt($string, '$1$' . $salt . '$');
        return $string;
    }
    $userpass = hashword($userpass, $salt);
    $hash = md5(rand(0, 1000));
    $result = mysql_query("INSERT INTO `xxxxxxx`.`xxxxxxx` (`hash`, `studentemail`, `studentfirstname`, `studentsurname`, `oscopetutcount`, `siggentutcount`, `mmetertutcount`, `lprobetutcount`, `psupplytutcount`, `oscopetest`, `siggentest`, `mmetertest`, `lprobetest`, `psupplytest`, `exam`, `userpass`, `id`, `domain`, `licensecount`, `licensemax`, `licenceexpire`) VALUES ('$hash', '" . encrypt($email, $key) . "', '" . encrypt($firstna, $key) . "', '" . encrypt($surna, $key) . "', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '$userpass', NULL, '', '0', '', NULL)", $link);
    $licenceadd = mysql_query("UPDATE xxxxxxx.xxxxxxx SET licensecount = licensecount + 1 WHERE domain = '$domain'", $link);
    if ($result === false) {
        die(mysql_error());
    }
    if ($licenceadd === false) {
        die(mysql_error());
    }
    include 'email.php';
    mysql_close($link);
}
?>
Since the question is concerning security.
Don't use the mysql_* library. It is wildly vulnerable to SQL injection, at least the way you are using it. And it's deprecated.
Let's assume you pass joe@gmail.com
In your code
$domain = $emailsep[1]; // equal to "gmail.com"
Now let's try some SQL injection, because we are passing joe@gmail.com
Rather boring, isn't it.
I am going to have a lot of fun in the line of code that follows:
$domaincheck = mysql_query("SELECT * FROM xxxxxxx WHERE domain = '$domain'", $link);
And use mysqli or PDO, as prescribed by the doctors.
Edit:
Now to the question I had in mind.
One PHP file:
<?php
date_default_timezone_set('America/New_York'); // required here or else an exception below
//error_reporting(E_ALL);
//ini_set("display_errors", 1);
//require '1error_2shutdown_3log.php'; // 1. err hndlr, 2. shutdown hndlr, 3. log somehow

$b = '<br/>';        // great name huh ?
$b2 = '<br/><br/>';  // great name huh ?

echo "The time is " . date("h:i:sa") . $b;
echo "s01" . $b;
try {
    echo "s02" . $b . "--------------------------------------------------------------------------" . $b;
    //$email = $_POST['emailreg'];
    //$firstna = $_POST['firstna'];
    //$surna = $_POST['surna'];
    //$password = $_POST['passreg'];
    //$passconfirm = $_POST['passconfirm'];
    //$userpass = $email . $password;
    //$emailsep = explode("@", $email);
    //$domain = $emailsep[1];
    $email = "drewpierce747@gmail.com";
    $firstna = "drew";
    $surna = "pierce";
    $password = "secure";
    $passconfirm = "secure";
    $userpass = $email . $password;
    $emailsep = explode("@", $email);
    $domain = $emailsep[1];
    $key = md5('united');  // don't use md5
    $salt = md5('united'); // don't use md5

    function encrypt($string, $key) {
        $b = '<br/>';        // great name huh ?
        $b2 = '<br/><br/>';  // great name huh ?
        # come up with a key, beyond the scope of the question
        $key = pack('H*', "bcb04b7e103a0cd8b54763051cef08bc55abe029fdebae5e1d417e2ffb2a00a3"); # 32 bytes
        $key_size = strlen($key);
        echo "Key size: " . $key_size . $b; # 32, big surprise
        # create a random IV to use with CBC encoding
        # yes, each time
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB); // using ECB cuz u are
        $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
        echo "In encrypt() passed <b>", $string, "</b> and <b>", $key . '</b>' . $b;
        // note: mcrypt ignores the IV in ECB mode; it only has an effect with CBC and the other chained modes
        $rawencrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $string, MCRYPT_MODE_ECB, $iv);
        # prepend the IV so it is available for decryption
        $rawencrypted = $iv . $rawencrypted;
        $b64encrypted = base64_encode($rawencrypted); # <------- right here we are done
        # done encrypting, return $b64encrypted and we are done
        # no
        #########################################################################
        # lifted from the manual page btw: http://php.net/manual/en/function.mcrypt-encrypt.php
        # assert we can decrypt, as a sanity check
        $ciphertext_dec = base64_decode($b64encrypted);
        # retrieves the IV, iv_size should be created using mcrypt_get_iv_size()
        $iv_dec = substr($ciphertext_dec, 0, $iv_size);
        # retrieves the cipher text (everything except the $iv_size in the front)
        $ciphertext_dec = substr($ciphertext_dec, $iv_size);
        # may remove 00h valued characters from the end of the plain text
        $plaintext_dec = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $ciphertext_dec, MCRYPT_MODE_ECB, $iv_dec);
        echo "Assert ... plaintext= " . $plaintext_dec . $b; // a real assert would make it explode, bad idea
        #########################################################################
        echo "Leaving encrypt() ", $b64encrypted . $b2;
        return $b64encrypted;
    }

    echo "About to connect ..." . $b;
    $link = mysql_connect('localhost', 'guysmiley', 'mongoose');
    if (!$link) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("so_gibberish", $link);

    $domaincheck = mysql_query("SELECT * FROM t1 WHERE domain = '$domain'", $link);
    if ($domaincheck === false) {
        die(mysql_error());
    }
    //echo "encrypt returns: " . encrypt($email, $key) . $b;
    $emailcheck = mysql_query("SELECT * FROM t2 WHERE studentemail = '" . encrypt($email, $key) . "'", $link);
    if ($emailcheck === false) {
        die(mysql_error());
    }
    $dorow = mysql_fetch_array($domaincheck);
    $emailrow = mysql_fetch_array($emailcheck);

    // the includes below would explode, I don't have those files, changed to echo
    if ($password == '') {
        $cause = 'password blank';
        echo 'error.php' . $b;
    } elseif ($passconfirm == '') {
        $cause = 'password blank';
        echo 'error.php' . $b;
    } elseif ($password != $passconfirm) {
        $cause = 'password mismatch';
        echo 'error.php' . $b;
    } elseif ($dorow['domain'] != $domain) {
        $cause = 'incorrect domain';
        echo 'error.php' . $b;
    } elseif ($emailrow['studentemail'] != '') {
        $cause = 'user exists';
        echo 'error.php' . $b;
    }
    //elseif ($dorow['licensecount'] > $dorow['licensemax']) { # commented out cuz I don't have the table
    //    $cause = 'insufficient licences';
    //    echo 'error.php' . $b;
    //} else {
    //}

    function hashword($string, $salt) {
        $b = '<br/>'; // great name huh ?
        echo "In hashword()" . $b;
        $string = crypt($string, '$1$' . $salt . '$');
        return $string;
    }

    echo "s10" . $b;
    $userpass = hashword($userpass, $salt);
    echo "s11" . $b;
    echo $userpass . $b;
    $hash = md5(rand(0, 1000)); // don't use md5, or this rng (random # generator)
    echo "s12" . $b;
    $sql = "INSERT INTO `xxxxxxx`.`xxxxxxx` (`hash`, `studentemail`, `studentfirstname`, `studentsurname`, `oscopetutcount`, `siggentutcount`, `mmetertutcount`, `lprobetutcount`, `psupplytutcount`, `oscopetest`, `siggentest`, `mmetertest`, `lprobetest`, `psupplytest`, `exam`, `userpass`, `id`, `domain`, `licensecount`, `licensemax`, `licenceexpire`) VALUES ('$hash', '" . encrypt($email, $key) . "', '" . encrypt($firstna, $key) . "', '" . encrypt($surna, $key) . "', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '$userpass', NULL, '', '0', '', NULL)";
    echo $sql . $b;
    //$result = mysql_query($sql, $link);
    //$licenceadd = mysql_query("UPDATE xxxxxxx.xxxxxxx SET licensecount = licensecount + 1 WHERE domain = '$domain'", $link);
    //if ($result === false) {
    //    die(mysql_error());
    //}
    //if ($licenceadd === false) {
    //    die(mysql_error());
    //}
    //include 'email.php';
    echo "Near bottom" . $b;
    mysql_close($link);
} catch (Exception $e) {
    echo 'Caught exception: ', $e->getMessage(), $b;
} finally {
    echo $b . "--------------------------------------------------------------------------" . $b . "First finally" . $b;
}
?>
The schema that was live when I ran this:
create table t1 (
    id int auto_increment primary key,
    domain varchar(100) not null,
    key(domain)
);
insert into t1(domain) values ('gmail.com'),('yahoo.com'),('ibm.com');

-- drop table t2;
create table t2 (
    id int auto_increment primary key,
    fullname varchar(80) not null,
    studentemail varchar(1000) not null
    -- key(studentemail)
);
-- truncate table t2;
insert into t2(fullname,studentemail) values ('drew pierce','who-knows');
The screen output:
The time is 06:25:20pm
s01
s02
--------------------------------------------------------------------------
About to connect ...
*** begin mylogger function *** lvl: 8192 | msg: mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead | file: c:\apache24\htdocs\causes_parse_error.php | ln: 82 WARN *** end mylogger function ***
Key size: 32
In encrypt() passed drewpierce747@gmail.com and ��k~:صgc��u��)���^a~/�*�
Assert ... plaintext= drewpierce747@gmail.com
Leaving encrypt() 7n7atydo4e4wvtdseucsm3jmjkipfalvrwhpwu6p5vudyjn9btnnpo1qloxb+tktwfccr/2cttcnpxrdvz5egg==

error.php
s10
In hashword()
s11
$1$3db1a73a$i5pb3o2s6tv4uwdivvmla1
s12
Key size: 32
In encrypt() passed drewpierce747@gmail.com and ��k~:صgc��u��)���^a~/�*�
Assert ... plaintext= drewpierce747@gmail.com
Leaving encrypt() uxckvauvubcopxibqpbfmzrd50bu7xswp75mapbct9udyjn9btnnpo1qloxb+tktwfccr/2cttcnpxrdvz5egg==

Key size: 32
In encrypt() passed drew and ��k~:صgc��u��)���^a~/�*�
Assert ... plaintext= drew
Leaving encrypt() 61b1ajtpak7hx0bfsbnxr9z0zfiukrqxczcq5d4pvyszlffieeb/2r2fvclzmobud3jwriiyfsfly4/qtxst5w==

Key size: 32
In encrypt() passed pierce and ��k~:صgc��u��)���^a~/�*�
Assert ... plaintext= pierce
Leaving encrypt() /jfbohee96r7sfnqxu+ujvgfv8wzl9pdss+zv8tvptjk2xrzh8pb3xjfgmwgh92w/h4aewrps8iceiojktyrgw==

INSERT INTO `xxxxxxx`.`xxxxxxx` (`hash`, `studentemail`, `studentfirstname`, `studentsurname`, `oscopetutcount`, `siggentutcount`, `mmetertutcount`, `lprobetutcount`, `psupplytutcount`, `oscopetest`, `siggentest`, `mmetertest`, `lprobetest`, `psupplytest`, `exam`, `userpass`, `id`, `domain`, `licensecount`, `licensemax`, `licenceexpire`) VALUES ('a96b65a721e561e1e3de768ac819ffbb', 'uxckvauvubcopxibqpbfmzrd50bu7xswp75mapbct9udyjn9btnnpo1qloxb+tktwfccr/2cttcnpxrdvz5egg==', '61b1ajtpak7hx0bfsbnxr9z0zfiukrqxczcq5d4pvyszlffieeb/2r2fvclzmobud3jwriiyfsfly4/qtxst5w==', '/jfbohee96r7sfnqxu+ujvgfv8wzl9pdss+zv8tvptjk2xrzh8pb3xjfgmwgh92w/h4aewrps8iceiojktyrgw==', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '$1$3db1a73a$i5pb3o2s6tv4uwdivvmla1', NULL, '', '0', '', NULL)
Near bottom
--------------------------------------------------------------------------
First finally
Basically, I am happy with the way the asserts are coming out, with the embedded IVs (initialization vectors).
Writing to the database wasn't the issue in the question, as you can see from the commented out area. Rather, the question was about encryption / decryption.
The recipient of the cipher text can decrypt it, as the IV is prepended, and they have the key. If they don't have the key, too bad.
Good luck! And change your library over ... ... to PDO!
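As an added example (not the asker's or the answerer's code), here is the registration step rewritten the way the answer recommends: PDO prepared statements instead of string interpolation, with the injection through $domain shown first as a plain string so the effect on the query is visible. It keeps the answer's table names t1 and t2 and the question's column names, but assumes extra columns that are not on the page (an emailtoken column on t2 with a UNIQUE index; licensecount and licensemax on t1), a $pdo handle opened with PDO::ERRMODE_EXCEPTION and emulated prepares disabled, PHP 7.2 or later with the sodium extension, and two 32-byte keys ($encKey, $lookupKey) loaded from outside the web root. It also swaps the answer's mcrypt Rijndael-256 ECB for libsodium secretbox; that substitution is mine, not the answer's (mcrypt was removed from PHP 7.2).

```php
<?php
declare(strict_types=1);

// The question's interpolation, reduced to a string builder so the effect is visible.
// With the constructed input "joe@gmail.com' OR '1'='1" it returns
//   SELECT * FROM t1 WHERE domain = 'gmail.com' OR '1'='1'
// which matches every row, so the "incorrect domain" check passes for anyone.
function vulnerable_domain_query(string $email): string
{
    $domain = explode('@', $email)[1] ?? '';
    return "SELECT * FROM t1 WHERE domain = '$domain'";
}

// The same lookup with a bound parameter: the quote in $domain travels as data.
// $pdo is assumed to be constructed with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
// and PDO::ATTR_EMULATE_PREPARES => false, so failures throw and the server binds values.
function domain_row(PDO $pdo, string $domain): ?array
{
    $stmt = $pdo->prepare('SELECT domain, licensecount, licensemax FROM t1 WHERE domain = ?');
    $stmt->execute([$domain]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Randomised, authenticated encryption (libsodium secretbox) instead of Rijndael-256
// ECB under md5('united'). $key is 32 random bytes loaded from outside the web root (assumed).
function encrypt_field(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

function decrypt_field(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('ciphertext tampered with or wrong key');
    }
    return $plain;
}

// Each encrypt_field() call yields a different ciphertext, so the original
// "WHERE studentemail = encrypt($email)" equality lookup no longer works. Keep a
// keyed hash of the normalised address in its own UNIQUE column and search on that.
function email_lookup_token(string $email, string $lookupKey): string
{
    return hash_hmac('sha256', strtolower(trim($email)), $lookupKey);
}

// Returns 'ok' or one of the $cause strings the original script used.
function register_student(PDO $pdo, string $encKey, string $lookupKey, string $email,
                          string $firstName, string $surname, string $password, string $passConfirm): string
{
    if ($password === '' || $passConfirm === '') { return 'password blank'; }
    if ($password !== $passConfirm)              { return 'password mismatch'; }
    $domain = explode('@', $email)[1] ?? '';
    $dorow  = domain_row($pdo, $domain);
    if ($dorow === null)                         { return 'incorrect domain'; }
    $token = email_lookup_token($email, $lookupKey);

    $pdo->beginTransaction();
    try {
        $stmt = $pdo->prepare('SELECT 1 FROM t2 WHERE emailtoken = ?');
        $stmt->execute([$token]);
        if ($stmt->fetchColumn() !== false) { $pdo->rollBack(); return 'user exists'; }
        // >= rather than the original's >, so the last licence is not handed out twice.
        if ((int) $dorow['licensecount'] >= (int) $dorow['licensemax']) {
            $pdo->rollBack();
            return 'insufficient licences';
        }
        $stmt = $pdo->prepare('INSERT INTO t2 (hash, emailtoken, studentemail, studentfirstname, studentsurname, userpass)
                               VALUES (?, ?, ?, ?, ?, ?)');
        $stmt->execute([
            bin2hex(random_bytes(16)),                  // 128-bit random token, not md5(rand(0, 1000))
            $token,
            encrypt_field($email, $encKey),
            encrypt_field($firstName, $encKey),
            encrypt_field($surname, $encKey),
            password_hash($password, PASSWORD_DEFAULT), // bcrypt with its own random salt, not crypt() with a fixed one
        ]);
        $stmt = $pdo->prepare('UPDATE t1 SET licensecount = licensecount + 1 WHERE domain = ?');
        $stmt->execute([$domain]);
        $pdo->commit();
        return 'ok';
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}
```

Two things worth checking when adapting this. First, the trade-off the original ECB design hid: deterministic encryption is what let the script compare encrypted e-mails with `=`; once the encryption is randomised that comparison is impossible, and the HMAC token column exists only to restore the lookup (it also needs the UNIQUE index, since the SELECT-then-INSERT inside the transaction is not by itself a guard against two concurrent registrations). Second, calling `vulnerable_domain_query("joe@gmail.com' OR '1'='1")` shows exactly the query shape the answer warns about, and `domain_row()` fed the same string simply finds no row.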