I know that Myth-auth is not stable yet, but it's okay that's not my point.
I want to make a change password feature so I wrote this in my controller:
$oldPass=$this->request->getPost('oldPass');
$check=password_verify($oldPass, user()->password_hash);
//Myth-auth has helper to get field data in database using user()->column_name function
var_dump($check);die;
I don't know what's wrong with my code, but it returns false.
so I checked again using a hardcoded password like this:
$check=password_verify('bayusetiaji14', user()->password_hash);
//using double qoutes
$check2=password_verify("bayusetiaji14", user()->password_hash);
but it's still returning false, is this a Myth-auth bug when hashing password or anything else?
enter image description here
because they used base64 encode to manipulate string on they password, you should look on auth->src->entities->user.php
it seems that the library is using double hashes. use this
if(!password_verify(base64_encode(hash('sha384', service('request')->getPost('newPasswords'), true)), $oldpassword)){
echo 'password not match'
} else {
echo 'password matched';
}
Related
Ive got a command im testing that enables the Bot to send me a message when a specific string is passed into a Channel.
My command works fine, but the bot seems to also include the user's name into the contents as well.
I found this out by testing with my name as the string the bot is running an if statement for, and found out that even typing just Hi, or any other message triggers the if statement as my name 'Jerseyetr" is included in the contents of the message.
if (message.content.includes('jersey') || ('jerseyetr')) {
try{
console.log('it worked!');
//jersey.send('testing!');
//client.users.get("xxxxxx").send("test");
return;
//guild.member
}
catch (err){
console.log(err);
console.log('it did NOT work. Sad face');
}
}
What would be the proper way to filter out the User's name?
The problem here is that you always enter in the if, and never in the else (if there's one).
Why? Because of your condition. The OR condition || will test first the message.content.includes('jersey'). If it's true it will enter in the if, if it's false it will test the second condition. But your second condition is always true, because the string 'jerseyetr' is not empty and is considered true by Javascritps.
This page list all the things that are considered falsy. All the other value are considered true.
I guess you wanted to do this:
if (message.content.includes('jersey') || message.content.includes('jerseyetr')) {
...
}
However, the second expression isn't needed because jersey is contained in jerseyetr, so if the message contains jerseyetr, it will also contains jersey.
You'll see that Discord doesn't includes the username in the message.content but only the text of the message
Side note: if you want to test something like this in your message, you can maybe use a regexp:
/jersey/.test(message.content)
In Angular 4, I want to check for the current url and if it is equal to "/login" I need to submit a specific form. Here is the code:
let responseString=this.router.url;
console.log(responseString);
if (responseString.match("/login")==null)
this.submitForm();
The above code does not submit the form in all cases. There is something wrong with the if condition I guess.
Any clues?
For simple string-to-string equality, you can use the === operator.
For a more flexible solution I would do
reponseString.includes(“login”)
This way you’re not stuck to the format of the url. It can be a bit more flexible.
use below code for reference
if ( this.loginForm.value['username'] === this.username && this.loginForm.value['password'] === this.password) {
alert(' login successfully : ' + JSON.stringify(this.loginForm.value));
} else {
alert(' enter valid username and password ');
}
In Symfony 2.6, I am using the following method to encode my password. The password is successfully encoded and saved in the DB.
$encoder = $this->container->get('security.password_encoder');
$encodedPwd = $encoder->encodePassword($adminUser, $plainPassword);
When I try to validate the user supplied password provided in the login form as follows:
$adminUser = $this->getDoctrine()->getManager()->getRepository("AcmeUserBundle:AdminUser")->findOneBy(array('username' => $_username));
$_password = $request->request->get('_password');
$encoder = $this->container->get('security.password_encoder');
echo $encoder->isPasswordValid($adminUser, $_password))
The last line is always returning empty, which means that the password is not getting validated.
I have gotten this from Symfony documentation and have searched if anyone has encountered similar problem, but doesn't seem to find any.
Can any one please provide some insights please?
Thanks!
Sharad
Ok I found a solution like this and it is working. Hope it helps anybody encountering similar problem.
For encoding the password, I am doing the following:
$factory = $this->get('security.encoder_factory');
$encoder = $factory->getEncoder($user);
$encodedPwd = $encoder->encodePassword($plainPassword, $user->getSalt());
For validating the password, I am doing the following:
$factory = $this->get('security.encoder_factory');
$encoder = $factory->getEncoder($user);
echo $encoder->isPasswordValid($user->getPassword(), $_password, $user->getSalt())
While encoding the password, I wasn't using the salt, but it is important,
It all works now.
Thank you
Sharad
I am retrieving JSON data from an API and this is a short example of it:
{"hatenames":
{"id":6239,
"name":"hatenames",
"stat1":659,
"stat2":30,
"stat3":1414693
}
}
I am trying to insert it in the MongoDB (using MongoClient) but it won't let me put just the object directly or use a variable as a field name. If I put the var username it will just output it as username in the database field. This is what I would like to work:
collection.insert({object}
collection.insert({username:object[username]}
but it doesn't and I've been stuck on this for the past few hours. The only resolution I found was to set it and then update the field name afterwards, but that just seems lame to have to do every single time, is there no elegant or easy option that I am somehow missing?
First of all, being a programmer, you should forget about "it does not work" phrase. You should describe how it does not work with exact error messages you encounter. Not to your problem.
Just because I can easily do
db.coll.insert({"hatenames":
{"id":6239,
"name":"hatenames",
"stat1":659,
"stat2":30,
"stat3":1414693
}
})
or var a = {"hatenames":{"id":6239, "name":"hatenames", "stat1":659, "stat2":30, "stat3":1414693}}; and db.coll.insert(a),
I think that the problem is that your object is not really an object, but a string. So I suspect that you have a string returned to you back from that API. Something like '{"hatenames":{...}' and this caused a problem when you try to save it or access the properties. So try to convert it to JSON.
Try doing this:
MongoClient.connect('mongodb://127.0.0.1:27017/db_name', function(err, db) {
if(err) throw err;
someCollection = db.collection('some_collection');
});
someCollection.insert({
name: hatenames['name']
});
EDIT
For Dynamic approach, I would suggest you to play aroung this function:
Object.keys(hatenames)
this function will return keys in array.
EDIT 2
I have founded a link: Insert json file into mongodb using a variable
See, if that helps.
$model->attributes = $_GET[ 'Submission' ];
This looks really scary to me, but it's how yii assigns attributes to a model. Is this a security risk for XSS? Should it not be sanitized somehow first? I know models get validated, but is it enough from malicious input, especially if saving to the database and if you forget to sanitize output...
Massive assignment is not default 'on' . It will only be made for fields which have passed some explicit validation rule.
$model->attributes = $_GET[ 'Submission' ];
is equivalent to this code,
$model->attribute1 = $_GET['Submission']['attribute1'];
$model->attribute2 = $_GET['Submission']['attribute2'];
$model->attribute3 = $_GET['Submission']['attribute3'];
Any XSS, SQL Injection vulnerabilities present in the former will be present in later too;
To prevent against XSS, SQL Injection you can use the bundled CHtmlPurifier class which is a wrapper for HTML Purifier filter library. There are multiple ways to use CHtmlPurifier, one way to use is as a filter in the model rules, which will check for XSS strings.
If your model rules function was like this for example
public function rules(){
return array(
array('username, password, salt, email', 'required'),
array('username, password, salt, email', 'length', 'max'=>128),
array('first_name,last_name,username,email','safe','on'=>'search'),
);
}
if you use massive assignment with this rules set with $model->attributes = $_GET[ 'Submission' ];
username and email will be assigned however first_name, last_name will not be assigned to the model as they are only safe on search scenario.
You can add a rule to make them search on say create,update like this
public function rules(){
return array(
array('username, password, salt, email', 'required'),
array('username, password, salt, email', 'length', 'max'=>128),
array('first_name,last_name','safe','on'=>'create,update'),
array('first_name,last_name,username,email','safe','on'=>'search'),
);
}
This will make the safe for massive assignment, however leaving you still vulnerable to XX. To protect against XSS you can use this type of filter as a rule
public function rules(){
return array(
array('username, password, salt, email', 'required'),
array('username, password, salt, email', 'length', 'max'=>128),
array('first_name,last_name,username,email','filter'=>array($obj=new CHtmlPurifier(),'purify')),
array('first_name,last_name,username,email','safe','on'=>'search'),
);
}
Now first_name,last_name,username,email are all purified for XSS,SQL strings before being validated and massive assignment also works for all four attributes.
Tl;DR
Yii provides with you default safety feature, massive assignment only works when there is explicit model validation rule
XSS will happen independent of whether or not massive assignment is used
This is probably a decent article on secure Yii apps http://www.yiiframework.com/wiki/275/how-to-write-secure-yii-applications/
Additionally, you can filter any input through the models with their filters and rules or beforeSave() methods