|
|
Posted by Harris Kosmidhs on 12/13/06 12:52
Ric wrote:
> Harris Kosmidhs schrieb:
>> Ric wrote:
>>> Harris Kosmidhs schrieb:
>>>> Hello,
>>>> I have installed a tracker php program called Bytemoonsoon
>>>> (https://sourceforge.net/projects/bytemonsoon/). It' quite old but I
>>>> started messing with it.
>>>>
>>>> When a user sign ups the a $secret is created which is stored in the db
>>>> row of the user. An email is sent which says to go to a
>>>> confirm.php/<users_id>/<md5($secret)>
>>>>
>>>> The confirm.php gets the md5 secret (from the URL) and checks it against
>>>> the md5(<secret form the user row>) which should be identicall since the
>>>> <secret> is the same. But it's not! the md5 is different.
>>>>
>>>> Both pages are in UTf8 and the database is utf8_general_ci. Before the
>>>> select statements I do a mysql_query("set names utf8").
>>>>
>>>> Why do md5's are different? can somebody please help? thanks
>>> Well if I look in my glass bowl I can't see why:-)
>>>
>>> But if you add some debugging information you should be able to find out
>>> your self.
>>>
>>> I would track the whole creation, sending and reading of the md5 to find
>>> out where the md5 gets corrupted.
>>>
>>> for example you add an:
>>>
>>> error_log($mymd5);
>>>
>>> to your code, then visually compare the md5 here with the md5 you send
>>> to the user, then compare with the one which is in db etc.
>>
>> Of course I do that. I print out everything but that's the point, they
>> are different while the $secret is the same! My question is if this has
>> something to do with the db being utf8.
>> Just to mentioned the $secret is generated with:
>> function mksecret($len = 20) {
>> $ret = "";
>> for ($i = 0; $i < $len; $i++)
>> $ret .= chr(mt_rand(0, 255));
>> return $ret;
>> }
>
> Secret the same? How do you check if the secret is the same?
> The secret function will create some random output, which you can use to
> create an md5 then store it in db give the md5 to the user via email and
> finally check the submitted md5 against the md5 you stored in db.
> encoding settings shouldn't matter at all.
>
> You cannot use the secret to check anything, so I don't understand what
> you actually do?
>
> Post some of the code you use to generate the md5, and check against the
> stored md5.
Ok more analytically,
When user signups:
1)$secret = mksecret(); //using the above function
2)$psecret = md5($secret);
3)store the $secret in user's details (in the db)
4)print out a mail where it says:
To confirm goto: confirm.php/$id/$psecret
where $id is the newly inserted id of the user
Now in confirm.php:
1) if (!preg_match(':^/(\d{1,10})/([\w]{32})$:',
$_SERVER["PATH_INFO"], $matches))
httperr();
$id = 0 + $matches[1];
$md5 = $matches[2];
now the id and md5 are taken correctly from the URL
2) get secret form user's row and store it in $sec
3) $sec = hash_pad($row["secret"]);
if ($md5 != md5($sec)) //There's the problem
httperr();
where
function hash_pad($hash) {
return str_pad($hash, 20);
}
$md5 and md5($sec) aren't the same, while the $sec *should* be the same,
as it is stored in the db
Navigation:
[Reply to this message]
|