www.webdeveloper.com

Thread: Login form not working? sha1 problem?

  1. #1
    Join Date
    Oct 2011
    Location
    Hamilton, Ontario
    Posts
    84

    Login form not working? sha1 problem?

    I don't know what exactly the problem is here, but I'm using xampp to run these scripts... it connects to the server, inputs the information just fine into the database with the registration script and everything works fine in these php codes except that after I run this php code to register:
    Code:
    <?php include_once("scripts/global.php");
    $message = '';
    if(isset($_POST['username'])){
    	$username = $_POST['username'];
    	$fname = $_POST['fname'];
    	$lname = $_POST['lname'];
    	$email = $_POST['email'];
    	$pass1 = $_POST['pass1'];
    	$pass2 = $_POST['pass2'];
    	//error handling
    	if((!$username)||(!$fname)||(!$lname)||(!$email)||(!$pass1)||(!$pass2)){
    		$message = 'Please insert all fields in the form below';
    	}else{
    		if($pass1 != $pass2){
    			$message = 'Your passwords must match!';
    		}else{
    			//securing the data
    			$username = preg_replace("#[^0-9a-z]#i","",$username);
    			$fname = preg_replace("#[^0-9a-z]#i","",$fname);
    			$lname = preg_replace("#[^0-9a-z]#i","",$lname);
    			$pass1 = sha1($pass1);
    			$email = mysql_real_escape_string($email);
    			
    			//check for duplicates
    			$user_query = mysql_query("SELECT username FROM members WHERE username='$username' LIMIT 1") or die("Could not check username");
    			$count_username = mysql_num_rows($user_query);
    			
    			$email_query = mysql_query("SELECT email FROM members WHERE email='$email' LIMIT 1") or die("Could not check email");
    			$count_email = mysql_num_rows($email_query);
    			
    			if($count_username > 0){
    				$message = 'Your username is already in use';
    			}else if($count_email > 0){
    				$message = 'Your email is already in use';	
    			}else{
    				//insert members
    				$ip_address = $_SERVER['REMOTE_ADDR'];
    				$query = mysql_query("INSERT INTO members (username, firstname, lastname, email, password, ip_address, sign_up_date)VALUES ('$username','$fname','$lname','$email','$pass1','$ip_address',now())") or die("Could not insert your information");
    				$member_id = mysql_insert_id();
    				mkdir('users/'.$member_id,0755);
    				$message = 'You have now been registered!';
    			}
    				
    		}
    	}
    }
    ?>
    I used this code to enable logins but it keeps coming back with "The information your provided is not correct" when I try to login... I used the same information logging in as I did to register... not sure what's wrong

    Code:
    <?php include_once("scripts/global.php");
    $message = '';
    if(isset($_POST['email'])){
    	$email=$_POST['email'];
    	$pass=$_POST['pass'];
    	$remember=$_POST['remember'];
    	
    	//error handling
    	if((!$email)||(!$pass)){
    		$message = 'Please enter both email and password fields!';
    	}else{
    		//secure data
    		$email = mysql_real_escape_string($email);
    		$pass = sha1($pass);
    		$query = mysql_query("SELECT * FROM members WHERE email='$email' AND password='$pass' LIMIT 1") or die ('Could not check.');
    		$count_query = mysql_num_rows($query);
    		if ($count_query == 0){
    			$message = "The information your provided is not correct";
    		}else{
    			//start the session
    			$_SESSION['pass'] = $pass;
    			while($row = mysql_fetch_array($query)){
    				$username = $_row['username'];
    				$id = $_row['id'];	
    			}
    			$_SESSION['username'] = $username;
    			$_SESSION['id'] = $id;
    			
    			if($remember == 'yes'){
    				//create cookies
    				setcookie('id_cookie', $id, time()+60*60*24*100,"/");
    				setcookie('pass_cookie', $pass, time()+60*60*24*100,"/");	
    			}
    			
    			header('Location: home.php');
    		}
    	}
    		
    }
    
    ?>

  2. #2
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,614
    I don't see a session_start() anywhere?

    Also, do you realize that Bill O'Reilly, Billy Bob Thornton, and Chris Evert-Lloyd would (silently) have their names changed to Bill OReilly, BillyBob Thornton, and Chris EvertLloyd when entered into your database? Is that really desirable/needed?
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  3. #3
    Join Date
    Oct 2011
    Location
    Hamilton, Ontario
    Posts
    84
    oh, I'm kind of new to php, I did this by watching a tutorial video... and everything works fine except it won't recognize my username and password after I 'register' and I 'login'... what am I missing besides SESSION_START()?

  4. #4
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,614
    So when you say it's not working, what are the exact symptoms? Are you getting the "The information your provided is not correct" message, or is it something else? For debugging purposes, it's often useful to output the actual query being used, e.g.:
    PHP Code:
        }else{
            //secure data
            $email = mysql_real_escape_string($email);
            $pass = sha1($pass);
            // put the query into a variable first:
            $sql = "SELECT * FROM members WHERE email='$email' AND password='$pass' LIMIT 1";
            $query = mysql_query($sql) or die ('Could not check.');
            $count_query = mysql_num_rows($query);
            if ($count_query == 0){
                $message = "The information your provided is not correct";
                // debug only, delete this or change to error_log() later:
                die("<pre>$sql</pre>"); // now we can see what we sent to the DB
                // end debug
            }else{

  5. #5
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    2,500
    Me thinks, NogDog, he is missing two or possibly three things: the mysql_real_escape_string() from his query to make ready the query string and not the $email variable string; instead he is prepping the strings and not the actual query string. Also the curly braces {} from the string that he is using, and depending on the server settings, he may need backticks for the field names.

    not this
    PHP Code:
    $email = mysql_real_escape_string($email);
    $pass = sha1($pass);
    // put the query into a variable first:
    $sql = "SELECT * FROM members WHERE email='$email' AND password='$pass' LIMIT 1";
    but this
    PHP Code:
    $pass = sha1($pass);
    // put the query into a variable first:
    $sql = mysql_real_escape_string("SELECT * FROM members WHERE email='{$email}' AND password='{$pass}' LIMIT 1");
    Yes, I know I'm about as subtle as being hit by a bus..(\\.\ Aug08)
    Yep... I say it like I see it, even if it is like a baseball bat in the nutz... (\\.\ Aug08)
    I want to leave this world the same way I came into it, Screaming, Incontinent & No memory!
    I laughed that hard I burst my colostomy bag... (\\.\ May03)
    Life for some is like a car accident... Mine is like a motorway pile up...

    Problems with Vista? :: Getting Cryptic wid it. :: The 'C' word! :: Whois?

  6. #6
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,614
    No, you don't want to escape the entire query string, as then you'd be escaping the quotes you want to be actual quotes (and whatever else it escapes).

    However, what we really should be doing here is using MySQLi (or PDO) and making use of prepared statements with bound parameters.
    PHP Code:
    $pdo = new PDO($dsn, $dbUser, $dbPass);
    $sql = "SELECT * FROM members WHERE email=:email AND password=:password LIMIT 1";
    $stmt = $pdo->prepare($sql);
    if($stmt == false) {
      // errorInfo() returns an array, so join it into a string for the exception message
      throw new Exception(implode(' ', $pdo->errorInfo()));
    }
    $stmt->bindParam(':email', $email);
    $stmt->bindParam(':password', $pass);
    if($stmt->execute() == false) {
      throw new Exception(implode(' ', $stmt->errorInfo()));
    }

    No more messing around with various "escape" functions.
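Taking NogDog's prepared-statement suggestion a step further, here is an added example (written for this page, not code from the thread or from any of its posters) of the registration and login checks with PDO bound parameters and, in place of the unsalted sha1() the thread stores and compares, PHP's password_hash()/password_verify(). The `members` table and its `email`, `username`, `password` and `sign_up_date` columns come from the thread; `$dsn`, `$dbUser` and `$dbPass` are placeholders for your own connection settings, and PHP 7.1 or later is assumed for the nullable return types.

```php
<?php
// Added example: registration and login with PDO prepared statements and password_verify().
// Assumes the thread's `members` table, with its `password` column widened to VARCHAR(255)
// so it can hold a password_hash() result instead of a 40-char sha1() digest.
// The three values below are placeholders for your own connection settings.
$dsn    = 'mysql:host=localhost;dbname=YOUR_DATABASE;charset=utf8mb4';
$dbUser = 'YOUR_DB_USER';
$dbPass = 'YOUR_DB_PASSWORD';

function connectDb(string $dsn, string $dbUser, string $dbPass): PDO
{
    return new PDO($dsn, $dbUser, $dbPass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw on SQL errors instead of failing silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]);
}

// Registration: store a salted, slow hash. The values never become part of the SQL text,
// so no escaping function is needed. (firstname, lastname, ip_address go in the same way.)
function registerMember(PDO $pdo, string $username, string $email, string $plainPassword): int
{
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO members (username, email, password, sign_up_date) VALUES (:username, :email, :password, NOW())'
    );
    $stmt->execute([':username' => $username, ':email' => $email, ':password' => $hash]);
    return (int) $pdo->lastInsertId();
}

// Login: fetch the row by email only, then let password_verify() compare against the stored hash.
// Returns the member row (without the hash) on success, or null on failure.
function authenticate(PDO $pdo, string $email, string $plainPassword): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password FROM members WHERE email = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same failure path whether the email is unknown or the password is wrong,
    // so the error message does not reveal which one it was.
    if ($row === false || !password_verify($plainPassword, $row['password'])) {
        return null;
    }

    // Transparently upgrade old hashes when the default algorithm or cost changes.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE members SET password = :password WHERE id = :id');
        $upd->execute([':password' => password_hash($plainPassword, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }

    unset($row['password']); // the hash does not belong in the session, a cookie, or anywhere else
    return $row;
}

// Usage from login.php, with the form field names used in the thread:
session_start();
$pdo    = connectDb($dsn, $dbUser, $dbPass);
$member = authenticate($pdo, $_POST['email'] ?? '', $_POST['pass'] ?? '');
if ($member === null) {
    $message = 'The information you provided is not correct';
} else {
    session_regenerate_id(true);            // fresh session id once the user is authenticated
    $_SESSION['id']       = $member['id'];
    $_SESSION['username'] = $member['username'];
    header('Location: home.php');
    exit();                                 // nothing after a redirect header should keep running
}
```

Two points worth noticing: the query no longer contains the password at all (the database only ever answers "which row has this email?"), and the session holds the member id rather than the password hash, so a leaked session or cookie cannot be replayed as a credential.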

  7. #7
    Join Date
    Oct 2011
    Location
    Hamilton, Ontario
    Posts
    84
    I had to edit this reply because I changed a few things... my code now looks like this:
    Code:
    <?php include_once("scripts/global.php");
    $message = '';
    if(isset($_POST['email'])){
    	$email=$_POST['email'];
    	$pass=$_POST['pass'];
    	$remember=$_POST['remember'];
    	
    	//error handling
    	if((!$email)||(!$pass)){
    		$message = 'Please enter both email and password fields!';
    	}else{
    		//secure data
    		$email = mysql_real_escape_string($email);
    		$pass = sha1($pass);
    		$query = mysql_query("SELECT * FROM members WHERE email='$email' AND password='$pass' LIMIT 1") or die ('Could not check.');
    		$count_query = mysql_num_rows($query);
    		if ($count_query == 0){
    			$message = "The information your provided is not correct";
    			die("<pre>$query</pre>");
    		}else{
    			//start the session
    			$_SESSION['pass'] = $pass;
    			while($row = mysql_fetch_array($query)){
    				$username = $_row['username'];
    				$id = $_row['id'];	
    			}
    			$_SESSION['username'] = $username;
    			$_SESSION['id'] = $id;		
    	   if($remember == 'yes'){
    		//create cookies
    		setcookie('id_cookie', $id, time()+60*60*24*100,"/");
    	 	setcookie('pass_cookie', $pass, time()+60*60*24*100,"/");	
    	   }		
    	header('Location: home.php');
       }
     }		
    }
    that's for login.php
    then for home.php it looks like this
    Code:
    <?php include_once("scripts/global.php");
    if($logged == 0){
    	header('Location: index.php');	
    	exit();
    }
    
    ?>
    <!DOCTYPE html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Welcome to PlayTip</title>
    <link href='css/global.css' rel='stylesheet' type='text/css'/>
    </head>
    
    <body>
    
    <div class='container center'>
        <h1>Welcome to PlayTip</h1>
        This is the logged in display.
        <a href='logout.php'>Logout here.</a>
    </div>
    
    </body>
    </html>
    and global.php looks like this
    Code:
    <?php
    session_start();
    include_once("connect.php");
    
    //checking if sessions are set
    if(isset($_SESSION['username'])){
    	$session_username=$_SESSION['username'];
    	$session_pass=$_SESSION['pass'];
    	$session_id=$_SESSION['id'];
    	
    	//check if member exists
    	$query = mysql_query("SELECT * FROM members WHERE id='$session_id' AND password='$session_pass' LIMIT 1") or die('Could not check member');
    	$count_count = mysql_num_rows($query);
    	if($count_count > 0){
    		//logged in stuff here
    		$logged = 1;
    	}else{
    		header('Location: logout.php');
    		exit();
    	}
    }else if(isset($_COOKIE['id_cookie'])){
    	$session_id = $_COOKIE['id_cookie'];
    	$session_pass = $_COOKIE['id_pass'];
    
    	//check if member exists
    	$query = mysql_query("SELECT * FROM members WHERE id='$session_id' AND password='$session_pass' LIMIT 1") or die('Could not check member');
    	$count_count = mysql_num_rows($query);
    	if($count_count > 0){
    		while($row = mysql_fetch_array($query)){
    			$session_username = $row['username'];
    		}
    		//create sessions
    		$_SESSION['username'] = $session_username;
    		$_SESSION['id'] = $session_id;
    		$_SESSION['pass'] = $session_pass;
    		//logged in stuff here
    		$logged = 1;
    	}else{
    		header('Location: logout.php');
    		exit();
    	}
    }else{
    	//if the user is no logged in
    	$logged = 0;
    }
    
    
    ?>
    and it reroutes me to index.php instead of home.php
    Last edited by thewebiphyer; 07-24-2013 at 01:42 PM.

  8. #8
    Join Date
    Oct 2011
    Location
    Hamilton, Ontario
    Posts
    84
    still no responses? I took another look at the code and thought that maybe when the browser navigates to home.php it is automatically rerouting to index.php because for some weird reason $logged is set to 0, but I don't see why that would be the case. help?

  9. #9
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    2,500
    Why do you need to create and test a variable for if a person is logged in? It would be simpler to just initialize a session on each page, check for a user session existing and have done with that rather than tracking variables that may or may not have been set.

    PHP Code:
    <?php
    session_start();
    include_once("connect.php");

    // are we logged in? if not, send user to login...
    if( !isset($_SESSION['username'])) {
        header("Location: dologin.php");
        exit(); // stop here, otherwise the rest of the script still runs after the redirect header
    }

    // we have a session set, so we must be logged in... so verify that the login is real
    $query = mysql_query(sprintf("SELECT * FROM members WHERE id='%s' AND password='%s' LIMIT 1",
        mysql_real_escape_string($_SESSION['id']), mysql_real_escape_string($_SESSION['pass']) ));

    // the login returns zero rows, its not real, go get them to log in
    if( mysql_num_rows($query) == 0) {
        header("Location: dologin.php");
        exit();
    }

    //... if all OK, go home!!!
    header("Location: home.php");
    exit();

    ?>
    The above is an example on cutting away all the clutter, you have too much clutter and IMHO the above example would be a better way of tackling the login issue. As for the rest of your scripts, my advice is to take the scripts back to the bare bones.
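Two things visible in the global.php posted in #7 explain why `$logged` stays at 0: the login loop assigns `$row` but reads `$_row['username']`, so `$_SESSION['username']` is never set, and the cookie branch reads `$_COOKIE['id_pass']` while login.php sets `pass_cookie`. Beyond those slips, both that script and the skeleton in #9 keep the sha1 password hash in the session and in a 100-day cookie, which turns any leaked cookie into a reusable credential. The following is an added example (not code from the thread or its posters) of a global.php that decides the logged-in state from the member id in the session, with a "remember me" cookie that carries a random token instead of the hash. It assumes the thread's `members` table, an extra `remember_tokens` table described in the comments, placeholder `$dsn`/`$dbUser`/`$dbPass` values, and PHP 7.1 or later.

```php
<?php
// Added example of global.php: logged-in state comes from the session (member id only),
// with a fallback to a "remember me" cookie holding a random token, never the password hash.
// Assumes the thread's `members` table plus an assumed table such as:
//   CREATE TABLE remember_tokens (selector CHAR(24) PRIMARY KEY, validator_hash CHAR(64) NOT NULL,
//                                 member_id INT NOT NULL, expires DATETIME NOT NULL);
// $dsn, $dbUser and $dbPass are placeholders for your own connection settings.
session_start();
$dsn    = 'mysql:host=localhost;dbname=YOUR_DATABASE;charset=utf8mb4';
$dbUser = 'YOUR_DB_USER';
$dbPass = 'YOUR_DB_PASSWORD';
$pdo    = new PDO($dsn, $dbUser, $dbPass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Re-check that the member behind a session id still exists; returns the row or null.
function memberById(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM members WHERE id = :id LIMIT 1');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Call this from login.php after a successful login when the form sent remember=yes.
// The cookie holds "selector:validator"; only a hash of the validator is stored, so a
// copy of the database alone is not enough to forge a cookie.
function issueRememberCookie(PDO $pdo, int $memberId): void
{
    $selector  = bin2hex(random_bytes(12));   // 24 hex chars, used as the lookup key
    $validator = bin2hex(random_bytes(32));   // 64 hex chars of entropy, the actual secret
    $stmt = $pdo->prepare('INSERT INTO remember_tokens (selector, validator_hash, member_id, expires)
                           VALUES (:s, :v, :m, DATE_ADD(NOW(), INTERVAL 100 DAY))');
    // a fast hash is fine here: the validator is random, not a user-chosen password
    $stmt->execute([':s' => $selector, ':v' => hash('sha256', $validator), ':m' => $memberId]);
    // path "/", HttpOnly so scripts cannot read it; set the "secure" flag to true behind HTTPS
    setcookie('remember', $selector . ':' . $validator, time() + 60 * 60 * 24 * 100, '/', '', false, true);
}

// Redeem a remember cookie: look up by selector, compare validator hashes in constant time.
function memberFromRememberCookie(PDO $pdo, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $pdo->prepare('SELECT validator_hash, member_id FROM remember_tokens
                           WHERE selector = :s AND expires > NOW() LIMIT 1');
    $stmt->execute([':s' => $selector]);
    $tok = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($tok === false || !hash_equals($tok['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return memberById($pdo, (int) $tok['member_id']);
}

$logged = 0;
$member = null;
if (isset($_SESSION['id'])) {
    $member = memberById($pdo, (int) $_SESSION['id']);
} elseif (isset($_COOKIE['remember'])) {
    $member = memberFromRememberCookie($pdo, (string) $_COOKIE['remember']);
    if ($member !== null) {
        session_regenerate_id(true);          // promote the cookie login to a fresh session
        $_SESSION['id']       = $member['id'];
        $_SESSION['username'] = $member['username'];
    }
}

if ($member !== null) {
    $logged = 1;
} elseif (isset($_SESSION['id']) || isset($_COOKIE['remember'])) {
    // stale session or bad cookie: clear both and fall through as logged out, without
    // redirecting (a redirect from a file that every page includes is what causes loops)
    $_SESSION = [];
    setcookie('remember', '', time() - 3600, '/');
}
// home.php can now test $logged exactly as the thread does and send guests to index.php.
```

Because this file only sets `$logged` and never redirects, the pages that include it keep control of navigation, which is the loop the poster in #12 ran into when the include itself issued `header("Location: ...")`.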

  10. #10
    Join Date
    Oct 2011
    Location
    Hamilton, Ontario
    Posts
    84
    wow... I guess that would be simpler.. I'll give it a shot and let you know if it works, thanks for the suggestion

  11. #11
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    2,500
    I should add that cutting down on code should have one exception, and that is the $_FILES, $_POST and $_GET inputs: these are hack points that require the inputs to be sanitized into safe variables that are then used in place of them.

    When sanitizing, I chose to call my inputs $safe_POST['inputname']; an example in your script would be...

    PHP Code:
    // use a whitelist to control what inputs are acceptable
    $whitelist = array("email","pass","remember");

    // make an array to store the sanitized data
    $safe_POST = array();

    // the sanitizing loop (a missing field, e.g. an unticked checkbox, becomes an empty string)
    foreach( $whitelist as $key )
        $safe_POST[$key] = sanitizingfunction(isset($_POST[$key]) ? $_POST[$key] : '');

    // you now have an array with sanitized data that you know is safe to use.
    If you want instant variables to use after sanitizing, you can use the PHP function called extract() that will turn an array into variables, eg.
    PHP Code:
    extract( $safe_POST );
    will return variables named $email with the value of $safe_POST['email'], and others named likewise; you should look up how this function is used on php.net

    The sanitizingfunction() would be whatever takes your fancy but ideally will remove slashes and HTML code that is designed to break scripts and to hack databases.
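The whitelist idea above can be taken one step further: rather than one generic "sanitizing" function, give each accepted field its own validation rule, reject what does not fit, and leave SQL safety to bound parameters (an escaped or stripped value still has to be bound, not pasted into the query text). The following is an added example, not code from the thread or from \\.\; the field names `email`, `pass` and `remember` are the thread's, the rules and the sample request are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: accept only whitelisted fields, validate each one, and collect the results
// in $safe_POST. Rules return the cleaned value, or null when the input is unacceptable.

function collectInput(array $source, array $rules): array
{
    $safe   = [];
    $errors = [];
    foreach ($rules as $field => $rule) {
        $raw = $source[$field] ?? null;              // absent field -> null, no undefined-index notice
        if ($raw !== null && !is_string($raw)) {     // field[]=... arrays are rejected, not coerced
            $errors[$field] = 'invalid type';
            continue;
        }
        $value = $rule($raw);
        if ($value === null) {
            $errors[$field] = 'invalid value';
        } else {
            $safe[$field] = $value;
        }
    }
    return [$safe, $errors];                         // anything not in $rules is simply dropped
}

// Rules for the thread's login form. Each one documents what the script is willing to accept.
$loginRules = [
    // a syntactically valid address, bounded in length; the value is used as a bound parameter later
    'email' => function (?string $v): ?string {
        $v = trim((string) $v);
        return (strlen($v) <= 254 && filter_var($v, FILTER_VALIDATE_EMAIL) !== false) ? $v : null;
    },
    // the password is never echoed or placed in SQL text (it goes to password_verify()),
    // so it is kept byte-for-byte; only its length is bounded
    'pass' => function (?string $v): ?string {
        return ($v !== null && strlen($v) >= 8 && strlen($v) <= 1024) ? $v : null;
    },
    // checkbox: absent means false, "yes" means true, anything else is rejected
    'remember' => function (?string $v): ?bool {
        if ($v === null) {
            return false;
        }
        return $v === 'yes' ? true : null;
    },
];

// Constructed sample request: two valid fields, the checkbox left unticked, and one field
// that is not on the whitelist and therefore never reaches $safe_POST.
$sampleRequest = ['email' => 'alice@example.com', 'pass' => 'correct horse battery', 'extra' => 'ignored'];

[$safe_POST, $errors] = collectInput($sampleRequest, $loginRules);

if ($errors !== []) {
    // the thread's own wording works here; list the failing fields only in server-side logs
    $message = 'Please enter both email and password fields!';
} else {
    // If you prefer plain variables, extract with a prefix so no existing variable is clobbered:
    extract($safe_POST, EXTR_PREFIX_ALL, 'in');    // gives $in_email, $in_pass, $in_remember
    // ... $in_email is then bound with :email in a prepared statement and $in_pass passed to
    // password_verify(); validation replaced the stripping, it did not replace the binding.
}
```

In a real request handler `$sampleRequest` would be `$_POST`; the point of the structure is that every name the script uses afterwards came out of `$loginRules`, so an unexpected field can neither create a variable nor reach the database.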

  12. #12
    Join Date
    Oct 2011
    Location
    Hamilton, Ontario
    Posts
    84
    I tried what you said and added that script to the beginning of each page, but whenever I try to load any of the pages, it just gets stuck in a redirect loop and doesn't load anything... I think I may just have to find some good php tutorial videos and go back from the very basics and maybe I'll find out why things aren't working

  13. #13
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    2,500
    You need to look at what scripts are "Including" other scripts, and the examples I give are just examples; they are not a working result. You would need to take the principle and work with your existing program structure.
