|
Posted by Ric on 12/13/06 13:11
Harris Kosmidhs schrieb:
> Ric wrote:
>> Harris Kosmidhs schrieb:
>>> Ric wrote:
>>>> Harris Kosmidhs schrieb:
>>>>> Hello,
>>>>> I have installed a tracker php program called Bytemoonsoon
>>>>> (https://sourceforge.net/projects/bytemonsoon/). It' quite old but I
>>>>> started messing with it.
>>>>>
>>>>> When a user sign ups the a $secret is created which is stored in
>>>>> the db
>>>>> row of the user. An email is sent which says to go to a
>>>>> confirm.php/<users_id>/<md5($secret)>
>>>>>
>>>>> The confirm.php gets the md5 secret (from the URL) and checks it
>>>>> against
>>>>> the md5(<secret form the user row>) which should be identicall
>>>>> since the
>>>>> <secret> is the same. But it's not! the md5 is different.
>>>>>
>>>>> Both pages are in UTf8 and the database is utf8_general_ci. Before the
>>>>> select statements I do a mysql_query("set names utf8").
>>>>>
>>>>> Why do md5's are different? can somebody please help? thanks
>>>> Well if I look in my glass bowl I can't see why:-)
>>>>
>>>> But if you add some debugging information you should be able to find
>>>> out
>>>> your self.
>>>>
>>>> I would track the whole creation, sending and reading of the md5 to
>>>> find
>>>> out where the md5 gets corrupted.
>>>>
>>>> for example you add an:
>>>>
>>>> error_log($mymd5);
>>>>
>>>> to your code, then visually compare the md5 here with the md5 you send
>>>> to the user, then compare with the one which is in db etc.
>>>
>>> Of course I do that. I print out everything but that's the point, they
>>> are different while the $secret is the same! My question is if this has
>>> something to do with the db being utf8.
>>> Just to mentioned the $secret is generated with:
>>> function mksecret($len = 20) {
>>> $ret = "";
>>> for ($i = 0; $i < $len; $i++)
>>> $ret .= chr(mt_rand(0, 255));
>>> return $ret;
>>> }
>>
>> Secret the same? How do you check if the secret is the same?
>> The secret function will create some random output, which you can use to
>> create an md5 then store it in db give the md5 to the user via email and
>> finally check the submitted md5 against the md5 you stored in db.
>> encoding settings shouldn't matter at all.
>>
>> You cannot use the secret to check anything, so I don't understand what
>> you actually do?
>>
>> Post some of the code you use to generate the md5, and check against the
>> stored md5.
>
>
> Ok more analytically,
> When user signups:
> 1)$secret = mksecret(); //using the above function
> 2)$psecret = md5($secret);
> 3)store the $secret in user's details (in the db)
> 4)print out a mail where it says:
> To confirm goto: confirm.php/$id/$psecret
> where $id is the newly inserted id of the user
>
> Now in confirm.php:
> 1) if (!preg_match(':^/(\d{1,10})/([\w]{32})$:',
> $_SERVER["PATH_INFO"], $matches))
> httperr();
> $id = 0 + $matches[1];
> $md5 = $matches[2];
> now the id and md5 are taken correctly from the URL
> 2) get secret form user's row and store it in $sec
> 3) $sec = hash_pad($row["secret"]);
> if ($md5 != md5($sec)) //There's the problem
> httperr();
woa that is not efficient and I doubt that this should work at all.
Notes below
>
> where
> function hash_pad($hash) {
> return str_pad($hash, 20);
> }
>
> $md5 and md5($sec) aren't the same, while the $sec *should* be the same,
> as it is stored in the db
What advantage do you have by storing the secret in db, instead of the md5?
Just store the md5 then send the md5, the user sends back the md5 and
you just have to compare the md5 in db and the received md5 without the
overhead of haspad etc.:
$md5 != md5($sec) //you have to do an extra call here
normally you ceck md5's by :
$md5_user === $md5_from_db , note the "==="
[Back to original message]
|