Increasing password security broke my script

PHP
1

I had my forgot password working properly, but I was concerned that I was not using a salt with the storage in MySQL.

My original code:


		$query = "SELECT sec_ques, email, user_id FROM users_tbl WHERE user_id='$u'";		
		$result = mysql_query ($query) or trigger_error("3Security Answer was Wrong");

		if (mysql_affected_rows() == 1) {
			$row = mysql_fetch_array ($result, MYSQL_NUM); 
			mysql_free_result($result);

			if($sq == $row[0]){
				$email = $row[1];
				$p = substr ( md5(uniqid(rand(),1)), 3, 10);
				$query2 = "UPDATE users_tbl SET pass=SHA('$p') WHERE user_id='$u'";		
				$result2 = mysql_query ($query2) or trigger_error("Your Password Couldn't be changed. Try later.");

I changed one line to read:
$query2 = “UPDATE users_tbl SET pass=SHA(‘$p’ . ‘salt’) WHERE user_id=‘$u’”;

That gave me this code that does not work:


		$query = "SELECT sec_ques, email, user_id FROM users_tbl WHERE user_id='$u'";		
		$result = mysql_query ($query) or trigger_error("3Security Answer was Wrong");

		if (mysql_affected_rows() == 1) {
			$row = mysql_fetch_array ($result, MYSQL_NUM); 
			mysql_free_result($result);

			if($sq == $row[0]){
				$email = $row[1];
				$p = substr ( md5(uniqid(rand(),1)), 3, 10);
				$query2 = "UPDATE users_tbl SET pass=SHA('$p' . 'salt') WHERE user_id='$u'";		
				$result2 = mysql_query ($query2) or trigger_error("Your Password Couldn't be changed. Try later.");

I have also tried using this line:
$query2 = “UPDATE users_tbl SET pass=SHA($p.‘salt’) WHERE user_id=‘$u’”;

My issue is that the script is showing me the results of the last line:
$result2 = mysql_query ($query2) or trigger_error(“Your Password Couldn’t be changed. Try later.”);

2

Have a look at the actual query that is run.


$query2 = "UPDATE users_tbl SET pass=SHA('$p' . 'salt') WHERE user_id='$u'";

echo $query2; die();
3

It looks correct to me. This is what was echoed to the screen.

UPDATE users_tbl SET pass=SHA(‘bec211292c’ . ‘salt’) WHERE user_id=‘Admin209’

I also added an echo $result2, and received an error “Undefined variable: result2” so what happened to result2?

4

The dot is not an operator in MySQL, only PHP. You want to use a + there.

5

Then run the query is an sql window and see what errors you get. They should be obvious as pointed out by samanime.

Also, you can’t echo $result2 because it is a result set.

6

Great! changing the dot to a + now changes the password.

Thanks for the help. I did not realize that I needed to be checking the MySQL syntax, and was just looking for a PHP error.

So much to learn. :slight_smile: