02-14-2008, 09:57 PM
#21 (permalink)
The Contributor
Join Date: Jan 2008
Posts: 87
Thanks: 49
I think I'm nearly done now, thanks everyone for your input so far:
PHP Code:
<?php
//Database Structure
//Setting username and password
$username="";
$password="";
$database="scotlandbands";
//Start connection to database
$connection = mysql_connect($localhost, $username, $password) or die ('<strong>MySQL Error:</strong>'.mysql_error());
mysql_select_db($database) or die ('<strong>MySQL Error:</strong>'.mysql_error());
//setting variables
$reg_username = mysql_real_escape_string($_POST['reg_username']);
$md5reg_password = mysql_real_escape_string($_POST['reg_password']);
$reg_pass_conf = mysql_real_escape_string($_POST['reg_pass_conf']);
$reg_email = mysql_real_escape_string($_POST['reg_email']);
//Error array
$errors = array();
//Check if the following exist
//If no username display error
if(!$reg_username) {
    $errors[] = "Username is not defined!";
}
//If no password display error
if(!$reg_password) {
    $errors[] = "Password is not defined!";
}
//if a password but no password confirmation display error
if($reg_password) {
    if(!$reg_pass_conf) {
        $errors[] = "Confirmation password is not defined!";
    }
}
//if no email display error
if(!$reg_email) {
    $errors[] = "Email is not defined!";
}
//If passwords do not match display error
if ($reg_password && $reg_pass_conf) {
    if ($reg_password != $reg_pass_conf) {
        $errors[] = "Passwords do not match!";
    }
}
//Split errors up and show them
if (count($errors) > 0) {
    foreach($errors AS $error) {
        echo $error . "<br>\n";
    }
} else {
    //creating a query that inserts the data into the database
    $query = 'INSERT INTO users SET user_name = "'.($reg_username).'", email = "'.($reg_email).'", user_pass = "'.md5($reg_password).'", user_pass_conf = "'.($reg_pass_conf).'"';
    //execute a query on a MySQL database
    $result = mysql_query($query);
    //Message
    echo "Thank you for registering, you can now log in";
}
?>
I'm still having problems with MD5 encryption. Could someone please look over that and check that I'm using it properly?
Also, would I have to create a piece of code on every page the user visits, checking if they are logged in or not? Otherwise they could visit the page if they knew the URL, without logging in.
Last edited by StevenF : 02-15-2008 at 01:03 AM.
02-15-2008, 01:11 AM
#22 (permalink)
The Acquainted
Join Date: Nov 2007
Posts: 154
Thanks: 31
It looks like you edited your post as I was responding here. I'll have to take a look at your use of MD5 again. Remember, the idea is to store an MD5 hashed value of the password, and then check that against an MD5 hashed value of the password input during login. So if your `user_pass` field is storing something like: 74add9df670c36b147c19dd93a27d8d0, your login script has to pass the same hash value to the query to match it.
Have you checked your `users` table manually to actually see what's being stored there? Gotta do it when troubleshooting a script that interacts with the database!
Quote:
Originally Posted by StevenF
I had a problem when trying to load a new page if the password is correct, still now sure how to do that correctly. I was using the header function, but it kept loading the page specified in the header function instead of the index page.
pseudocode example:
PHP Code:
if ( result == 1 ) {
    // one match found, redirect to the index
    // implement session data / `logins` table data storage
    // redirect
    header('Location: http://www.yoursite.com/index.php');
    exit();
} else {
    // either no match (or more than one, let's hope not)
    // wipe out any potential session data
    $_SESSION = array();
    // redirect to error page or login page again
    header('Location: http://www.yoursite.com/login.php');
    exit();
}
Quote:
Originally Posted by StevenF
Would I have to create a piece of code on every page the user visits, checking if they are logged in or not? Otherwise they could visit the page if they knew the URL, without logging in.
Yes. Something like (more pseudocode example)
PHP Code:
<?php
// top of script
// start session, naturally
session_start();
// db defaults, read connection settings, connect, etc
// check session data: either value missing is enough to reject (|| rather than &&)
if ( !isset($_SESSION['userID']) || !isset($_SESSION['login_token']) ) {
    // no proper session data set
    // automatically unset session data & redirect
    $_SESSION = array();
    header('Location: http://www.yoursite.com/login.php');
    exit();
} else {
    // potentially viable session login data
    // run SQL query against the `logins` table, matching:
    // `userID` | `login_token` | `session_id`
    // (login_verify() is a function you write around that query)
    if ( !login_verify() ) {
        // no login data match
        // unset session data, redirect
        $_SESSION = array();
        header('Location: http://www.yoursite.com/login.php');
        exit();
    }
    // anything else is assumed to be properly logged in
    // begin "relogin process"
    session_regenerate_id();
    $sessID = session_id();
    // update `logins` table data
    $updateLogin = "
        REPLACE INTO logins (userID,login_token,session_id,login_dt)
        VALUES ( {$_SESSION['userID']},'{$_SESSION['login_token']}','{$sessID}', NOW() )
    ";
    @mysql_query($updateLogin);
}
// continue with the script
That's the basic gist. Check for session login data values, redirect if they don't exist. Next, check for the valid login data against the `logins` table. Note you might set the login_dt (date-time) value in the session as well and check for session / login expiry times, etc. Store all that in a function and make it easy on yourself on every script that needs a login check.
__________________
I reject your reality, and substitute my own.
The Following User Says Thank You to SOCK For This Useful Post:
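The per-page login gate that SOCK sketches above, written out as an added example (it is not SOCK's code or anything from the thread). It keeps the same idea: check that the session carries a userID and login_token, match them against a `logins` row for the current session id, then rotate the session id and record the new one. On top of the pseudocode it uses a prepared statement instead of interpolating session values into SQL, a constant-time comparison for the token, restrictive cookie flags, and a stored timestamp so stale logins expire. The `logins` table layout (with an integer `login_ts` column instead of `login_dt`), the PDO handle and the function names are assumptions for this example. The self-check at the bottom uses an in-memory SQLite database so the file runs from the command line.

```php
<?php
// Added example, not the thread's code. Assumes the login script stored
// $_SESSION['userID'] and $_SESSION['login_token'] and inserted a matching
// row into `logins` (userID, login_token, session_id, login_ts).
declare(strict_types=1);

const LOGIN_MAX_AGE = 1800;                            // seconds since the last check
const LOGIN_PAGE    = 'https://www.yoursite.com/login.php';

function start_secure_session(): void
{
    // Cookie unreadable by script, sent only over HTTPS, never on cross-site requests.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
    session_start();
}

// Drop all session state and send the client back to the login page.
function logout_and_redirect(): void
{
    $_SESSION = [];
    session_destroy();
    header('Location: ' . LOGIN_PAGE);
    exit();
}

// True if (userID, login_token, session_id) matches a fresh row in `logins`.
function login_verify(PDO $db, int $userID, string $token, string $sessionID): bool
{
    $stmt = $db->prepare('SELECT login_token, login_ts FROM logins WHERE userID = ? AND session_id = ?');
    $stmt->execute([$userID, $sessionID]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                                  // no row for this session
    }
    // hash_equals: constant-time, so the token cannot be guessed byte by byte.
    return hash_equals((string) $row['login_token'], $token)
        && (time() - (int) $row['login_ts']) <= LOGIN_MAX_AGE;
}

// Gate to call at the top of every protected page: returns the userID or redirects.
function require_login(PDO $db): int
{
    // Both values must be present; one missing is already a failure.
    if (!isset($_SESSION['userID']) || !isset($_SESSION['login_token'])) {
        logout_and_redirect();
    }
    $userID = (int) $_SESSION['userID'];
    $token  = (string) $_SESSION['login_token'];
    $oldID  = session_id();
    if (!login_verify($db, $userID, $token, $oldID)) {
        logout_and_redirect();
    }
    // Rotate the session id and record the new one with a fresh timestamp.
    session_regenerate_id(true);
    $stmt = $db->prepare('UPDATE logins SET session_id = ?, login_ts = ? WHERE userID = ? AND session_id = ?');
    $stmt->execute([session_id(), time(), $userID, $oldID]);
    return $userID;
}

// Self-check (php login_gate.php). In a real page you only call
// start_secure_session() and $userID = require_login($db).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE logins (userID INTEGER, login_token TEXT, session_id TEXT, login_ts INTEGER)');
start_secure_session();
$token = bin2hex(random_bytes(16));                    // what the login script would generate
$_SESSION['userID'] = 7;                               // constructed sample login
$_SESSION['login_token'] = $token;
$db->prepare('INSERT INTO logins VALUES (?, ?, ?, ?)')->execute([7, $token, session_id(), time()]);
$before = session_id();
if (require_login($db) !== 7 || session_id() === $before) {
    fwrite(STDERR, "gate check failed\n");
    exit(1);
}
// A forged token must not verify against the row just updated.
if (login_verify($db, 7, str_repeat('0', 32), session_id())) {
    fwrite(STDERR, "forged token accepted\n");
    exit(1);
}
echo "login gate OK\n";
```

Wrapping the whole check in `require_login()` is the "store all that in a function" advice from the post: each protected script includes this file and calls one function, so a page cannot be reached by URL alone without a verified session.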
02-15-2008, 01:19 AM
#23 (permalink)
The Contributor
Join Date: Jan 2008
Posts: 87
Thanks: 49
Thanks a lot Sock, I really appreciate your help!
I have been checking the passwords, and they are indeed being stored like you posted. As far as I'm aware, I've done it correct.
I'm pulling the data from the password field and encrypting it:
PHP Code:
$md5reg_password = mysql_real_escape_string($_POST['reg_password']);
I then added it to the INSERT query:
PHP Code:
user_pass = "'.md5($reg_password).'",
I'll have an in depth look over the pseudocode tomorrow. Thanks again 
02-15-2008, 01:24 AM
#24 (permalink)
The Acquainted
Join Date: Nov 2007
Posts: 154
Thanks: 31
Quote:
Originally Posted by StevenF
PHP Code:
//creating a query that inserts the data into the database
$query = '
INSERT INTO users SET
user_name = "'.($reg_username).'"
, email = "'.($reg_email).'"
, user_pass = "'.md5($reg_password).'"
, user_pass_conf = "'.($reg_pass_conf).'"
';
It looks like you're storing the correct value. Remember, MD5 is also a MySQL function, you can do it inline in the query without having to break it up to perform a PHP function.
Otherwise, that bit about storing the $reg_pass_conf value bothers me. Is that the plain text password?
Quote:
Originally Posted by StevenF
I'm still having problems with MD5 encryption. Could someone please look over that and check that I'm using it properly?
See my other post. Check the value in the database, echo out the query string on both scripts (registration / login) to check the values going into the database.
__________________
I reject your reality, and substitute my own.
02-15-2008, 10:32 AM
#25 (permalink)
The Frequenter
Join Date: Nov 2007
Location: Netherlands
Posts: 460
Thanks: 49
If you have yet to find out why MD5 is not working properly, maybe you can increase the security of your login script by reading this topic on talkPHP:
MD5 or SHA1?
And of course, Adam's article on SALTs.
TalkPHP - Cryptography's Sodium Chloride
__________________
"Life is a bitch, take that bitch on a ride"
The Following User Says Thank You to ReSpawN For This Useful Post:
02-15-2008, 11:04 AM
#26 (permalink)
The Prestige
Join Date: Sep 2007
Location: Sweden, Stockholm
Posts: 1,080
Thanks: 115
Actually, you should go with SHA1, because it's safer for passwords.
Or, perhaps use md5 more than once, like vB does (the two hashes are concatenated, not passed as two arguments):
Code:
md5(md5($pass) . md5($salt))
The Following User Says Thank You to Tanax For This Useful Post:
02-15-2008, 12:20 PM
#27 (permalink)
The Contributor
Join Date: Jan 2008
Posts: 87
Thanks: 49
There's something going on here. I've encrypted the password like above:
PHP Code:
$md5reg_password = mysql_real_escape_string($_POST['reg_password']);
Then again in the query:
PHP Code:
user_pass = "'.md5($reg_password).'",
When I try to login with a password that's been encrypted, it doesn't work. If I do the following:
PHP Code:
echo $reg_password
The password will show as it should, in plain text. Now, if I remove both of the md5 bits, then register and try to log in with them, it works fine.
02-15-2008, 12:32 PM
#28 (permalink)
The Prestige
Join Date: Oct 2007
Location: Manchester, UK
Posts: 854
Thanks: 32
Looks to me like your SQL is a bit squiffy.
PHP Code:
$query = ' INSERT INTO users SET user_name = "'.($reg_username).'" , email = "'.($reg_email).'" , user_pass = "md5($reg_password).'" , user_pass_conf = "'.($reg_pass_conf).'" ';
should be more like
PHP Code:
$query = 'INSERT INTO users SET user_name = "'.$reg_username.'", email = "'.$reg_email.'", user_pass = "md5('.$reg_password.')", user_pass_conf = "'.$reg_pass_conf.'"';
Anyway, my advice for hashing values would be to use the PHP hash() function.
__________________
mysql> SELECT * FROM `users` WHERE `users`.`clue` > 0;
Empty set (0.00 sec)
The Following User Says Thank You to sketchMedia For This Useful Post:
02-15-2008, 12:39 PM
#29 (permalink)
The Contributor
Join Date: Jan 2008
Posts: 87
Thanks: 49
Deleted because sketchMedia deleted his/her post :)
02-15-2008, 12:42 PM
#30 (permalink)
The Prestige
Join Date: Oct 2007
Location: Manchester, UK
Posts: 854
Thanks: 32
See my post above. I'm low on coffee atm and I'm at work, lol; I didn't read the full topic, sorry.
__________________
mysql> SELECT * FROM `users` WHERE `users`.`clue` > 0;
Empty set (0.00 sec)
02-15-2008, 12:48 PM
#31 (permalink)
The Contributor
Join Date: Jan 2008
Posts: 87
Thanks: 49
I used to have mysql_real_escape_string on the query; that's why I had the brackets. I tweaked the md5 line you wrote, because it wasn't working properly. I now have:
PHP Code:
$query = 'INSERT INTO users SET user_name = "'.$reg_username.'", email = "'.$reg_email.'", user_pass = "'.md5($reg_password).'", user_pass_conf = "'.md5($reg_pass_conf).'"';
Query is fine now, it's just not logging in with the encoded password.
EDIT: What about the login script, would I need to add the md5 function in there somewhere?
02-15-2008, 01:16 PM
#32 (permalink)
The Contributor
Join Date: Jan 2008
Posts: 87
Thanks: 49
Success!
Stupid me. On the login script, I forgot to bring the decrypted password back. I was doing:
PHP Code:
$get = mysql_query("SELECT count(userID) FROM users WHERE user_name = '$user' AND user_pass = '$pass'");
$result = mysql_result($get,0);
And now:
PHP Code:
$get = mysql_query("SELECT count(userID) FROM users WHERE user_name = '$user' AND user_pass = md5('$pass')");
$result = mysql_result($get,0);
Sorry for my stupidity, I'm new to all this :) And thank you everyone for your help, greatly appreciate it.
Now I just need to read up about sessions 
02-15-2008, 02:25 PM
#33 (permalink)
The Frequenter
Join Date: Nov 2007
Location: Netherlands
Posts: 460
Thanks: 49
SESSIONS are kinda simple if you fully understand the workings of an array. SESSIONS (if I am correct; I need to brush up as well) are simply superglobals which can be called upon on every page where you want them.
I learned a LOT from Tizag.com. It's really a great site and they offer flat, easy insight into every commonly used function of PHP. The SESSIONS as well, of course.
PHP Tutorial - Session
__________________
"Life is a bitch, take that bitch on a ride"
The Following User Says Thank You to ReSpawN For This Useful Post:
02-15-2008, 03:13 PM
#34 (permalink)
The Acquainted
Join Date: Nov 2007
Posts: 154
Thanks: 31
Quote:
Originally Posted by StevenF
There's something going on here. I've encrypted the password like above:
PHP Code:
$md5reg_password = mysql_real_escape_string($_POST['reg_password']);
Then again in the query:
PHP Code:
user_pass = "'.md5($reg_password).'",
Two important things here:
- The first assignment is not 'encrypting' the value, it's simply escaping it.
- More importantly, $md5reg_password != $reg_password
As to the comments whether to use SHA1 or MD5, etc. It's all relative. MD5 is fine for a 'test' login system. Use a CHAR(32) column and store the hash value. IIRC, I already mentioned the plausibility of using other hash types in this thread.
The important factor is continuity in the application, as it appears you've found. Hash the password, store the hash. Hash the password, compare against the stored hash.
BTW, here's my take on the SQL statement
PHP Code:
$query = "INSERT INTO users SET
user_name = '{$reg_username}'
, email = '{$reg_email}'
, user_pass = MD5('{$reg_password}')
, user_pass_conf = '{$reg_pass_conf}'
";
Simplify your life. Don't escape the string, use double quotes and allow them to evaluate the variable values. Use MySQL's MD5() (or SHA1() function) inside the statement. As with everything, take it for what it's worth. ;)
__________________
I reject your reality, and substitute my own.
The Following User Says Thank You to SOCK For This Useful Post:
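The MD5-versus-SHA1-versus-salt discussion in the posts above, and SOCK's closing point (hash on the way in, hash the same way on the way out, compare), written up as an added example that is not the thread's code. It replaces the thread's string-built `INSERT ... user_pass = MD5('$reg_password')` with PHP's password_hash() (bcrypt, which salts every password itself and is deliberately slow) and prepared statements (so mysql_real_escape_string() is no longer needed and the login name `' OR '1'='1` is just data), and it does not store the confirmation password at all, which was SOCK's worry about the `user_pass_conf` column. One consequence of salting: the login query cannot put `md5('$pass')` in the WHERE clause any more, because the salt lives inside the stored hash, so the hash is fetched and compared in PHP with password_verify(). The table layout, function names and sample users are assumptions for this example; it uses an in-memory SQLite database so it runs from the command line with plain `php`. Note also that the mysql_* extension the thread's code uses was removed in PHP 7, so PDO (or mysqli) is the way to reach MySQL today.

```php
<?php
// Added example, not from the thread. Registration + login with bcrypt and
// bound parameters; table layout and sample data are constructed for the demo.
declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // No user_pass_conf column: the confirmation is compared, never stored.
    // bcrypt output is 60 chars, so a CHAR(32) "md5 column" would truncate it.
    $db->exec('CREATE TABLE users (
        userID INTEGER PRIMARY KEY AUTOINCREMENT,
        user_name TEXT NOT NULL UNIQUE,
        email TEXT NOT NULL,
        user_pass VARCHAR(255) NOT NULL)');
    return $db;
}

// Same checks as the thread's registration script, in the same order.
// Returns the list of errors; an empty array means the user was created.
function register(PDO $db, string $user, string $email, string $pass, string $conf): array
{
    $errors = [];
    if ($user === '')  { $errors[] = 'Username is not defined!'; }
    if ($pass === '')  { $errors[] = 'Password is not defined!'; }
    if ($pass !== '' && $conf === '') { $errors[] = 'Confirmation password is not defined!'; }
    if ($email === '') { $errors[] = 'Email is not defined!'; }
    if ($pass !== '' && $conf !== '' && $pass !== $conf) { $errors[] = 'Passwords do not match!'; }
    if ($errors) {
        return $errors;
    }
    // bcrypt with a random per-user salt; the hash string carries the salt and cost.
    $hash = password_hash($pass, PASSWORD_BCRYPT);
    $stmt = $db->prepare('INSERT INTO users (user_name, email, user_pass) VALUES (?, ?, ?)');
    $stmt->execute([$user, $email, $hash]);   // bound values never become SQL text
    return [];
}

// Returns the userID on success, null otherwise.
function login(PDO $db, string $user, string $pass): ?int
{
    $stmt = $db->prepare('SELECT userID, user_pass FROM users WHERE user_name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Spend the same time on unknown names so timing does not leak which exist.
        static $dummy = null;
        if ($dummy === null) { $dummy = password_hash('dummy', PASSWORD_BCRYPT); }
        password_verify($pass, $dummy);
        return null;
    }
    if (!password_verify($pass, $row['user_pass'])) {
        return null;
    }
    // Transparent upgrade if the default cost was raised since registration.
    if (password_needs_rehash($row['user_pass'], PASSWORD_BCRYPT)) {
        $db->prepare('UPDATE users SET user_pass = ? WHERE userID = ?')
           ->execute([password_hash($pass, PASSWORD_BCRYPT), $row['userID']]);
    }
    return (int) $row['userID'];
}

function stored_hash(PDO $db, string $user): string
{
    $stmt = $db->prepare('SELECT user_pass FROM users WHERE user_name = ?');
    $stmt->execute([$user]);
    return (string) $stmt->fetchColumn();
}

function check(bool $ok, string $what): void
{
    if (!$ok) { fwrite(STDERR, "FAILED: $what\n"); exit(1); }
}

// Self-check (php register_login.php) on constructed sample users.
$db = open_db();
check(register($db, 'steven', 'steven@example.com', 'correct horse', 'correct horse') === [], 'register');
check(register($db, 'anna', 'anna@example.com', 'correct horse', 'correct horse') === [], 'register 2');
check(login($db, 'steven', 'correct horse') === 1, 'login ok');
check(login($db, 'steven', 'wrong') === null, 'wrong password rejected');
check(login($db, "steven' OR '1'='1", 'anything') === null, 'injection text is just a name');
check(stored_hash($db, 'steven') !== stored_hash($db, 'anna'), 'same password, different hashes (salt)');
check(register($db, '', '', '', '') === ['Username is not defined!', 'Password is not defined!', 'Email is not defined!'], 'validation');
echo "all checks passed\n";
```

The last check is the point of the salt article linked above: two users with the same password get different stored hashes, so a table of precomputed MD5 values (or one cracked row) does not unlock every account with that password.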