PHP form: change sha1 password with sed and exec
I'm working on a simple password reset form, a great deal of which I have working. As an added twist, the reset password is saved in sha1. Here is the code:
# password file
$password='something';

<?php
// change password
$rawpassword = (isset($_REQUEST["change_pwd"]));
$salt = "lgv932q2e9dshufkdjgf927gf8hlo082";
$newpass = sha1($salt . $rawpassword);
$change_pass = exec('sed -i " . escapeshellarg("s/\$password=.*/\$password=\'$newpass\'/g")." include/conf.php');
echo "$change_pass";
?>
<form method="get" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<input type="text" name="change_pwd" maxlength="41">
<input type="submit" name="submit" value="submit" />
</form>
When I submit a new password, it doesn't change the sha1 password correctly in the file. Instead, every time the password value gets changed to:
$password='356a192b7913b04c54574d18c28d46e6395428ab';
Update: I salted the password, and I'm still getting the same result. (I'm wondering if there is a better way other than using exec sed?)
Okay, I have taken a closer look and found a couple of things for consideration.
The first thing is to use the POST form method and capture the data in the $_POST array in PHP. You also appear to have a variable outside of the PHP tags, which is output as raw text to the browser in the context it is in.
Salting is a good thing, making passwords harder to crack. Optionally (and recommended), generate random salts and attach them to the passwords for added strength, among other benefits. Remember to include the salt in future when hashing the password again during authentication.
The following code should work at generating a new password hash, regardless of whether you are using the same password.
<?php
// change password
if (isset($_POST["change_pwd"])) {
    $rawpassword = $_POST["change_pwd"];
    // per-change salt derived from microtime(), appended to the hash so it is available at authentication
    $salt = sha1(microtime() . "lgv932q2e9dshufkdjgf927gf8hlo082");
    $newpass = sha1($salt . $rawpassword) . $salt;
    // run sed only when a password was submitted; $newpass is hex only, so it cannot break the s/// expression
    $change_pass = exec('sed -i ' . escapeshellarg("s/\$password=.*/\$password=\'$newpass\'/g") . ' include/conf.php');
    // also helpful to note: PHP halts execution until the command in exec() completes
    echo "$newpass";
}
?>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<input type="text" name="change_pwd" maxlength="41">
<input type="submit" name="submit" value="submit" />
</form>
Hope this helps out!
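An added example, not part of the original question or answer, of one way to update the file without exec and sed. It swaps the salted sha1 for PHP's password_hash() and password_verify(), which generate a random salt and keep it inside the stored hash, and rewrites the $password line from PHP itself. The function name set_config_password and the temporary file standing in for include/conf.php are assumptions.

```php
<?php
// Added example: store a password hash in the config file without exec()/sed.
// Assumption: the config file holds exactly one line of the form  $password='...';

function set_config_password(string $confPath, string $plain): string
{
    // password_hash() generates a random salt and embeds it in the returned string.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $conf = file_get_contents($confPath);
    if ($conf === false) {
        throw new RuntimeException("cannot read $confPath");
    }
    // A callback is used because these hashes contain "$" followed by digits,
    // which preg_replace() would read as backreferences in a replacement string
    // (they can also contain "/", which would break a sed s/// expression).
    $line = '$password=' . var_export($hash, true) . ';';
    $new = preg_replace_callback('/^\$password\s*=.*$/m', fn(array $m) => $line, $conf, -1, $count);
    if ($new === null || $count !== 1) {
        throw new RuntimeException('expected exactly one $password line');
    }
    // Write a temp file next to the target, then rename, so a reader never sees a partial file.
    $tmp = $confPath . '.tmp';
    if (file_put_contents($tmp, $new, LOCK_EX) === false || !rename($tmp, $confPath)) {
        throw new RuntimeException("cannot write $confPath");
    }
    return $hash;
}

// Constructed demo: a temp file stands in for include/conf.php.
$path = tempnam(sys_get_temp_dir(), 'conf');
file_put_contents($path, "<?php\n\$password='something';\n");
set_config_password($path, 'first secret');
include $path;                                   // defines $password from the rewritten file
var_dump(password_verify('first secret', $password));
var_dump(password_verify('wrong guess', $password));
unlink($path);
```

At login, password_verify() reads the salt back out of the stored string, so no separate salt has to be kept or re-applied by hand.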