PHP form change SHA1 password with sed and exec


I'm working on a simple password reset form, a great deal of which I have working. To add a twist, I want to save the reset password in SHA1. Here is the code:

    #password file
    $password='something';

    <?php
    // change password
    $rawpassword = (isset($_REQUEST["change_pwd"]));
    $salt = "lgv932q2e9dshufkdjgf927gf8hlo082";
    $newpass = sha1($salt . $rawpassword);

    $change_pass = exec('sed -i " . escapeshellarg("s/\$password=.*/\$password=\'$newpass\'/g")." include/conf.php');

    echo "$change_pass";
    ?>

    <form method="get" action="<?php echo $_SERVER['PHP_SELF']; ?>">
        <input type="text" name="change_pwd" maxlength="41">
        <input type="submit" name="submit" value="submit" />
    </form>

When I submit a new password, it doesn't change the SHA1 password correctly in the file. Instead, every time the password value gets changed to:

$password='356a192b7913b04c54574d18c28d46e6395428ab'; 

Update: I salted the password, and I'm still getting the same result. (I'm wondering if there is a better way other than using exec sed?)

Okay, I have taken a closer look, and found a couple of things for consideration.

The first thing is to use the POST form method, and capture the data in the $_POST array in PHP. You also appear to have a variable outside of the PHP tags, which will be output as raw text to the browser in the context it is in.

Salting is a good thing, making passwords harder to crack. Optionally (and recommended), generate random salts and attach them to passwords for added strength, among other benefits. Remember to include the salt in future when hashing the password again during authentication.

The following code should work at generating a new password hash, regardless of whether you are using the same password.

    <?php
    // change password
    if (isset($_POST["change_pwd"])) {
        $rawpassword = $_POST["change_pwd"];

        // per-password salt, appended to the hash so it can be reused at login
        $salt = sha1(microtime()."lgv932q2e9dshufkdjgf927gf8hlo082");
        $newpass = sha1($salt . $rawpassword).$salt;

        // run sed only when a new password was submitted; otherwise $newpass is
        // undefined and the stored password would be replaced with an empty string
        $change_pass = exec('sed -i ' . escapeshellarg("s/\$password=.*/\$password=\'$newpass\'/g"). ' include/conf.php');
        // also helpful to note: PHP halts execution until the command in exec() completes

        echo "$newpass";
    }
    ?>

    <form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
        <input type="text" name="change_pwd" maxlength="41">
        <input type="submit" name="submit" value="submit" />
    </form>

Hope this helps out!
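
On the question's aside about a better way than exec and sed, here is an added example (not part of the original question or answer) that edits include/conf.php from PHP directly and swaps salted SHA1 for PHP's built-in password_hash() and password_verify(). The function names, the CONF_FILE constant, and the assumption that conf.php contains exactly one `$password=...;` line are illustrative.

```php
<?php
// Added example. Assumes conf.php has one "$password='...';" line and is writable by PHP.
const CONF_FILE = __DIR__ . '/include/conf.php';

// Replace the $password line from PHP itself: no exec(), no sed, no shell quoting.
function store_password(string $rawPassword, string $confFile = CONF_FILE): string
{
    // password_hash() generates a random salt and embeds it in the result.
    $hash = password_hash($rawPassword, PASSWORD_DEFAULT);
    $line = '$password=' . var_export($hash, true) . ';';
    $source = file_get_contents($confFile);
    if ($source === false) {
        throw new RuntimeException("cannot read $confFile");
    }
    // A callback is used because the hash contains "$" characters, which a
    // plain replacement string would treat as backreferences.
    $keep = function () use ($line) { return $line; };
    $updated = preg_replace_callback('/^\$password\s*=.*$/m', $keep, $source, 1, $count);
    if ($updated === null || $count !== 1) {
        throw new RuntimeException('no $password line found');
    }
    // Write a temp file in the same directory, then rename over the original
    // so a reader never sees a half-written file.
    $tmp = tempnam(dirname($confFile), 'conf');
    if ($tmp === false || file_put_contents($tmp, $updated) === false
        || !rename($tmp, $confFile)) {
        throw new RuntimeException("cannot replace $confFile");
    }
    return $hash;
}

// Accepts the answer's format (sha1 digest followed by its 40-character salt)
// as well as password_hash() output, comparing digests in constant time.
function verify_password(string $candidate, string $stored): bool
{
    if (preg_match('/^[0-9a-f]{80}$/', $stored)) {
        $digest = substr($stored, 0, 40);
        $salt = substr($stored, 40);
        return hash_equals($digest, sha1($salt . $candidate));
    }
    return password_verify($candidate, $stored);
}

$submitted = $_POST['change_pwd'] ?? null;
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && is_string($submitted) && $submitted !== '') {
    store_password($submitted);
    echo 'Password updated.';
}
```

At login, `verify_password($_POST['password'], $password)` checks the submitted value against whichever format is currently stored in conf.php.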

