Search the Community

Showing results for tags 'password'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • W3Schools
    • General
    • Suggestions
    • Critiques
  • HTML Forums
    • HTML/XHTML
    • CSS
  • Browser Scripting
    • JavaScript
    • VBScript
  • Server Scripting
    • Web Servers
    • Version Control
    • SQL
    • ASP
    • PHP
    • .NET
    • ColdFusion
    • Java/JSP/J2EE
    • CGI
  • XML Forums
    • XML
    • XSLT/XSL-FO
    • Schema
    • Web Services
  • Multimedia
    • Multimedia
    • FLASH

Calendars

  • Community Calendar

Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Skype


Location


Interests


Languages

Found 11 results

  1. I have a security question. Though I have gone through OWASP docs I still need to place specific things in the right perspective. It is actually quite brief regarding examples. But regarding security, I have to admit that I dont know much about how hackers are operating. What I know is that javascript can be included and mysql injection can be done if you don't escape well. I have a piece of regex to allow as much characters as possible for password input. So also the <> the dot . and the semi-colon ; and the string. After forcing the user to use the right characters the password is encrypted with blowfish. Im actually not sure what happens, because if you encrypt malicious code, you can finally make it work again when you decrypt it. Probably its naive to ask online for hacking examples, because then you inform hackers. Maybe if you cant make up any risky situation, you can give a recommendation for which characters should be avoided for a password input. All input is encryted with password_verify / Blowfish. Then prepared OOP queries store the variable in the database. regex: $var='/[!@#$%^&*()\-_=+{};:,<.>]/'; then the preg_replace does: if(preg_match_all($var,$pas_inp, $o)<2) { echo '<br><br>input should contain at least 2 special chars , try again'; return FALSE; } How risky (in which possible situations) is the use of: < > . ; $ & regarding javascript, mysql injection and other possible hacks. (sorry it is a very open question, but to avoid problems I have to start somewhere)
  2. Hello internet, Recently I have been working with curl sessions and scrapping data from webpages. I have been fairly successful until I tried to access data from pages that are username and password protected. I have the username and password so that's not an issue - but I am not able to get the data on the page. Any thoughts? $username='usr1'; $password='pswd1'; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, 'somelink'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY); curl_setopt($ch, CURLOPT_USERPWD, $username.":".$password); $out = curl_exec($ch); if(curl_exec($ch) === false) { echo 'Curl error: ' . curl_error($ch); } echo $out; curl_close($ch);
  3. Hi, I'm new to writting code & looking to write a couple of secure web pages. One where you can log in & out securely using a password. Then a second where you can upload & download some files or folders. Any help on where to start, what code (asp/etc) & what best method(s) of encryption I should use? Thanks for any help or advice. Old Guy.
  4. Hi, I am using the php code as mentioned below to remove the verification email of the new user in my website which is powered by wordpress. However, once the user registers he gets the user name and password on the website screen. I would like to disable this and display "Your password has been sent to your registered email id". I want to user to check his email for the password. <?php /* Plugin Name: Remove Email Verification Plugin URI: Description: This plugin automatically activates user and blog signups, effectively disabling the need for the user to respond to an email Author: Barry at clearskys.net (Incsub) Version: 1.0.3 Author URI: */ /* Copyright 2007-2009 Incsub (http://incsub.com) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License (Version 2 - GPLv2) as published by the Free Software Foundation. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ // Remove existing filters - we need to do this in the whitelist_options filter because there isn't another action between // the built in MU one and the saving, besides which we need to add our new_admin_email field to the list anyway. add_filter('whitelist_options', 'remove_mu_option_hooks'); // Blog signup - autoactivate add_filter( 'wpmu_signup_blog_notification', 'activate_on_blog_signup', 10, 7 ); // User signup - autoactivate add_filter( 'wpmu_signup_user_notification', 'activate_on_user_signup', 10, 4 ); // End activation message display add_action( 'signup_finished', 'activated_signup_finished', 1 ); // Change internal confirmation message - user-new.php add_filter('gettext', 'activated_newuser_msg', 10, 3); //Remove BP activation emails. add_filter('wp_mail', 'remove_bp_activation_emails'); function remove_bp_activation_emails($data) { if ( strstr($data['message'], 'To activate your user, please click the following link') || strstr($data['message'], 'To activate your blog, please click the following link') ) { unset( $data ); $data['message'] = ''; $data['to'] = ''; $data['subject'] = ''; } return $data; } function remove_mu_option_hooks($whitelist_options) { global $wp_filter; if(has_action('update_option_new_admin_email', 'update_option_new_admin_email')) { remove_action('update_option_new_admin_email', 'update_option_new_admin_email', 10, 2); // Add our own replacement action add_action('pre_update_option_new_admin_email', 'custom_update_option_new_admin_email', 10, 2); } $whitelist_options['general'][] = 'new_admin_email'; return $whitelist_options; } function custom_update_option_new_admin_email($new_value, $old_value) { global $current_site; // Update the correct fields update_option('admin_email', $new_value); // Return the old value so that the new_admin_email option isn't set return $old_value; } function activate_on_blog_signup($domain, $path, $title, $user, $user_email, $key, $meta) { global $current_site; // Rather than recreate the wheel, just activate the blog immediately $result = wpmu_activate_signup($key); if ( is_wp_error($result) ) { if ( 'already_active' == $result->get_error_code() || 'blog_taken' == $result->get_error_code() ) { $signup = $result->get_error_data(); ?> <h2><?php _e('Congratulations! Your new blog is ready!'); ?></h2> <?php if( $signup->domain . $signup->path != '' ) { } } else { ?> <h2><?php _e('An error occurred during the signup'); ?></h2> <?php echo '<p>'.$result->get_error_message().'</p>'; } } else { extract($result); $url = get_blogaddress_by_id( (int) $blog_id); $user = new WP_User( (int) $user_id); ?> <h2><?php _e('Congratulations! Your new blog is ready!'); ?></h2> <div id="signup-welcome"> <p><span class="h3"><?php _e('Username:'); ?></span> <?php echo $user->user_login ?></p> <p><span class="h3"><?php _e('Password:'); ?></span> <?php echo $password; ?></p> </div> <?php if( !empty($url) ) : ?> <p class="view"><?php printf(__('You're all set up and ready to go. <a href="%1$s">View your site</a> or <a href="%2$s">Login</a>'), $url, $url . 'wp-login.php' ); ?></p> <?php else: ?> <?php endif; } // Now we need to hijack the sign up message so it isn't displayed ob_start(); return false; // Returns false so that the activation email isn't sent out to the user } function activate_on_user_signup($user, $user_email, $key, $meta) { global $current_site, $current_blog; // Output buffer in case we need to email instead of output $html = ''; // Rather than recreate the wheel, just activate the user immediately $result = wpmu_activate_signup($key); if ( is_wp_error($result) ) { if ( 'already_active' == $result->get_error_code() || 'blog_taken' == $result->get_error_code() ) { $signup = $result->get_error_data(); $html .= '<h2>' . __('Hello, your account has been created!') . "</h2>n"; if( $signup->domain . $signup->path == '' ) { } else { } } else { $html .= '<h2>' . __('An error occurred during the signup') . "</h2>n"; $html .= '<p>'.$result->get_error_message().'</p>'; } } else { extract($result); $user = new WP_User( (int) $user_id); $html = '<h2>' . sprintf(__('Hello %s, your account has been created!'), $user->user_login ) . "</h2>n"; $html .= '<div id="signup-welcome">'; $html .= '<p><span class="h3">' . __('Username:') . '</span>' . $user->user_login . '</p>'; $html .= '<p><span class="h3">' . __('Password:') . '</span>' . $password . '</p>'; $html .= '</div>'; } // Check if we are passed in an admin area if(!is_admin() || !(isset($_POST['_wp_http_referer']) && strstr($_POST['_wp_http_referer'], 'user-new.php'))) { echo $html; } // Now we need to hijack the sign up message so it isn't displayed ob_start(); return false; // Returns false so that the activation email isn't sent out to the user } //Invitation email sent to new user. A confirmation link must be clicked before their account is created. function activated_newuser_msg($transtext, $normtext, $domain) { switch ($normtext) { // Plugin page text that we want to remove case 'Invitation email sent to new user. A confirmation link must be clicked before their account is created.': $transtext = __('The new user has been created and an email containing their account details has been sent to them.'); break; case 'If you change this we will send you an email at your new address to confirm it. <strong>The new address will not become active until confirmed.</strong>': $transtext = ''; break; } return $transtext; } function activated_signup_finished() { // Flush the activation buffer ob_end_clean(); } ?> remove verification email.txt
  5. How to grant access to only selected passcode? And to need to login into Disqus profile ( http://disqus.com/ ). 1.- So I give user a passcode that he than uses to access member-only stuff (so, it's a closed site) 2.- and later on he uses his/her Disqus profile to be part of community. 3.-and to have pc/ device remember that passcode was already inputted (like on Steam where you have to give you pc/ device a name) Thank you
  6. How to grant access to only selected passcode? And to need to login into Disqus profile ( http://disqus.com/ ). 1.- So I give user a passcode that he than uses to access member-only stuff (so, it's a closed site) 2.- and later on he uses his/her Disqus profile to be part of community. 3.-and to have pc/ device remember that passcode was already inputted (like on Steam where you have to give you pc/ device a name) Thank you
  7. I'm trying to write a little password encryption tool (mostly as a learning experience - but I may end up using it too ). And the encryption and decryption functions I wrote seem to work just fine (see crypt_test.php below). But, for some reason when I try to decrypt a result from a MySql database it doesn't seem to work (see db.php below). Not sure if it's some sort of weird data type issue? Or something else entirely. Code is below... maybe somebody can point me in the right direction. :/ Edit: Seems the encryption function creates a whole different string each execution, which is why the test worked but the db stuff doesn't. Guessing it has something to do with MCRYPT_RAND... help still appreciated though. Thanks ahead of time. crypt.php <?php function encrypt($s) { $key = pack('H*', "-"); //took out keys for forum post $key_size = strlen($key); $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC); $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); $s_utf8 = utf8_encode($s); $cipher = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $s_utf8, MCRYPT_MODE_CBC, $iv); $cipher = $iv . $cipher; $cipher_base64 = base64_encode($cipher); return $cipher_base64; } function decrypt($s) { $key = pack('H*', "-"); //took out keys for forum post $key_size = strlen($key); $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC); $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); $cipher_dec = base64_decode($s); $iv_dec = substr($cipher_dec, 0, $iv_size); $cipher_dec = substr($cipher_dec, $iv_size); $decipher_utf8 = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $cipher_dec, MCRYPT_MODE_CBC, $iv_dec); $decipher_utf8 = str_replace("0", "", $decipher_utf8); return $decipher_utf8; }?> crypt_test.php <?php include('crypt.php'); $p = "password"; $c = encrypt($p); $d = decrypt($c); echo $p.'<br />'; echo $c.'<br />'; echo $d.'<br />'; //works just fine?> db.php <?php include_once('crypt.php'); function connect() { $con = mysql_connect('-', '-', '-'); if(!$con) die('Could not connect: ' . mysql_error()); mysql_select_db('-', $con); } function login($user, $pass) { connect(); $user = mysql_real_escape_string($user); $pass = mysql_real_escape_string($pass); $sql = "SELECT uid, password FROM Accounts WHERE username='$user'"; $result = mysql_query($sql); if($row = mysql_fetch_array($result)) { echo $pass . " : "; echo $row['password'] . " : "; echo decrypt($row['password']); //garbled nonsense if($pass == decrypt($row['password'])) return $row['uid']; } return -1; } function register($user, $pass, $email) { connect(); $user = mysql_real_escape_string($user); $pass = mysql_real_escape_string($pass); $pass = encrypt($pass); $email = mysql_real_escape_string($email); $sql = "INSERT INTO Accounts (username, password, email) VALUES ('$user', '$pass', '$email')"; mysql_query($sql); }?>
  8. Before I begin, I tried to do some research about this subject (the Search field seems its broken and through google was a little bit painful) in the forum, so I'd like to apologise if I'm repeating it once again. I have read some articles about hashing passwords saying that md5 and sha1 are no longer safe and should use better hashing algorithms, how to hash passwords properly by avoiding double hashing, hashing with different algorithms etc etc, so I 've come up with some questions/spots that I haven't cleared them out completely. 1. Doing just this is consinder no safe, although md5 and sha1 cannot be reversed: $password=md5('my_sercretpassword123'); //for instance my password is my_sercretpassword123 although its a bad practice$password=sha1('my_sercretpassword123'); My first question is If I use one of these, using a salt isn't consider safe? eg: $password= 'my_sercretpassword123';$salt = 'lorem_ipsumd0l0rs1t@m3tc0ns3ct3tur@d1p1sc1ng3lit';$password = md5($password.$hash); //same with sha1 If anyone manages to crack this hash, will get the string 'my_sercretpassword123lorem_ipsumd0l0rs1t@m3tc0ns3ct3tur@d1p1sc1ng3lit', which isn't the actual password, right? 2. Supposing the 1st option note is not approved, then I guess I have use a better hashing algorithm like whirlpool or sha256, sha512 ect etc. So If I apply the same functionality like this: $password= 'my_sercretp@ssword123';$salt = 'lorem_ipsumd0l0rs1t@m3tc0ns3ct3tur@d1p1sc1ng3lit';$hashed_password = $password.$hash;$hashed_password = hash('whirlpool',$hashed_password); is it safe enough or I have better come with something more difficult?? I tried to google for some tutorials on this, just to get some ideas, but most of them, if not all, use plain md5 or sha1. Could you give me some examples or ideas on that?
  9. I have been developing a php web site. I have been trying to follow suggested best practices. I am running ubuntu minimalist install, and installed the following packages: nginx php5 php5-fpm postgresql phppgadmin php5-gd I have nginx up and running instead of apache.I have done some basic configuration for nginx.got my vhost setup and linked. and I am now able to browse my php pages on my local test machine running ubuntu. I have created my postgre database, and have a user setup. So I am to the point that I wanted to create a page to register/login/change password. I searched and found http://stackoverflow...asswords-safely it was posted back in 2010, it links to this guide using phpass: http://www.openwall....Users-Passwords The guide/tutorial was created using Mysql, I have been swapping out functions to their equivalent postgresql functions using the postgresql documentation. I modified the guide to the point that I can create new users in my postgre database. When I got to the point "How to authenticate existing users" I hit a snag. mysql version from guide: } else { $hash = '*'; // In case the user is not found($stmt = $db->prepare('select pass from users where user=?'))|| fail('MySQL prepare', $db->error);$stmt->bind_param('s', $user)|| fail('MySQL bind_param', $db->error);$stmt->execute()|| fail('MySQL execute', $db->error);$stmt->bind_result($hash)|| fail('MySQL bind_result', $db->error);if (!$stmt->fetch() && $db->errno)fail('MySQL fetch', $db->error); if ($hasher->CheckPassword($pass, $hash)) {$what = 'Authentication succeeded';} else {$what = 'Authentication failed';}unset($hasher);} my version: } else { $hash = '*'; // In case the user is not foundpg_prepare($dbconn, "quser", 'SELECT pass FROM users WHERE pk_users=$1') or fail('pg_prepare failed ',pg_last_error($dbconn));$hashx = pg_execute($dbconn, "quser", array($user)) or fail('pg_execute failed ',pg_last_error($dbconn));$hash = pg_fetch_result($hashx, 1, 'pass'); if (!$hash && pg_last_error($dbconn))fail('pg_execute failed.2 ',pg_last_error($dbconn)); if ($hasher->CheckPassword($pass, $hash)) {$what = 'Authentication succeeded';} else {$what = 'Authentication failed';$op = 'fail'; // Definitely not 'change'} I think it has to do with bind_result($hash) I used $hashx = pg_execute() I assumed it would take the results of pg_execute() and store it in the $hashx variable, and I thought that was what bind_result($hash) was doing in the mysql example. here is the error from the server logs: 2013/02/15 19:01:12 [error] 16860#0: *1 FastCGI sent in stderr: "PHP message: PHP Warning: pg_fetch_result(): Unable to jump to row 1 on PostgreSQL result index 5 in ..../testing.com/public/inc/user-man.php on line 91" while reading response header from upstream, client: 192.168.1.150, server: testing.com, request: "POST /inc/user-man.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "testing.com", referrer: "http://testing.com/inc/user-man.html" Also if anyone has any input weather or not this is still best practice for user registration/password security, please let me know. In addition to having a good user/password system I know that I am going to need to recheck my configuration for both nginx and postgresql to make sure everthing is locked down and secure, as well as user permissions, I have not looked for any info/guides on any of this yet. Thanks so much for any responses, I appreciate it.
  10. Hi guys, I have been asked to set up an affiliate site but the content is supplied as an XML feed which is protect by a username & password. Please can someone help me with the code that will allow me to access this secure feed without having to login every time? I have PHP experience but obviously at a basic level! Many ThanksNathan
  11. Hello internet.I used a series of password protect html pages to direct the user to a page only if the password is correct. However, it appears they can just type in the web-address of the destination page and it will load. I want that page to be password protected but I can type it in and it will load. How do I prevent this?