Messages - leebut

1
Beginners - Learning PHP / Re: Creating forms in php
« on: February 19, 2012, 06:06:00 PM »
I don't want to sound patronising or stupid when I ask, have you created page2.php?
You could be sending the form to a page that doesn't exist (404).

2
General PHP Help / Re: Pulling my hair out with a blank screen
« on: February 19, 2012, 05:52:10 PM »
This is what worked. Of course, there may be a more efficient way of doing this, and may require a session to be implemented, but it's a start.

Registration form (could be in HTML code):
PHP Code:
echo '<form action="newstudent_process.php" method="post">';
echo '<p><b>Name: </b><input class="input" name="student_name" type="text" size="30" tabindex="1" maxlength="50"></p>';
echo '<p><b>E-mail (This will be your username): </b><input class="input" name="student_e-mail" type="text" size="40" tabindex="2" maxlength="100"></p>';
echo '<p><b>Password: </b><input class="input" name="student_pwd" type="password" size="12" tabindex="3" maxlength="12"></p>';
echo '<p><input type="submit" name="submint" value="Register" tabindex="4"></p>';
echo '</form>';


Process the form and add to the DB:
PHP Code:
<?php
// C O L L E C T  P O S T E D  F O R M  V A L U E S
$name=$_POST['student_name'];
$email=$_POST['student_e-mail'];
$pwd=$_POST['student_pwd'];
$salt='$2a$07$gi74FUurEWqlEo42f5FmPe5$'; // $2a$07$ and the final $ are used for blowfish encryption

if (!get_magic_quotes_gpc())
{
    $name=addslashes($name);
    $email=addslashes($email);
}
$pwdsf=addslashes(crypt($pwd, $salt)); // H A S H  P A S S W O R D  A N D  S A L T -  for some reason this fails in the if routine above
echo $pwdsf;

// C O N N E C T  T O  D B
$db = new mysqli('localhost', 'user', 'pass', 'DB');
if (mysqli_connect_errno())
{
    echo 'Could not connect to db.';
    exit;
}

// A D D  V A L U E S  T O  D B
$query = "insert into students values ('','".$name."','".$email."','".$pwdsf."')";
$result = $db->query($query);
// confirmation message
if ($result)
{
    echo $db->affected_rows.' student registered'; // F O R  T E S T I N G or  A D D  A  S U C C E S S  M E S S A G E
}
else
    echo '<p>Could not register you, please <a href="register.php"> go back and try again.</a></p>';

/*Prepare an e-mail confirmation of registration
  N E E D S  T O  B E  S A N I T I S E D
*/
$query = "select * from students WHERE student_email='".$email."'";
$result = $db->query($query);
$num_results = $result->num_rows;

for ($i=0; $i <$num_results; $i++)
{
    $row = $result->fetch_assoc();
    $name=stripslashes($row['student_name']);
    echo '<br />Name: '.$name;
    $mail=stripslashes($row['student_email']);
    echo '<br />Your e-mail is: '.$mail;
}

$subj = "E-mail subject";
$mesg = 'Thank you for registering ...';
$from = 'From: name@site.com';

mail($mail, $subj, $mesg, $from);
?>


Login form (could be a HTML form with PHP embedded):
PHP Code:
echo '<form action="login_process.php" method="post">';
echo '<p><b>Username (registered e-mail): </b><input class="input" name="uname" type="text" size="40" tabindex="2" maxlength="100">.</p>';
echo '<p><b>Password: </b><input class="input" name="pwd" type="password" size="12" tabindex="3"></p>';
echo '<p><input type="submit" name="submit" value="Log in" tabindex="4"></p>';
echo '</form>';


Process the form:
PHP Code:
<?php
$user=$_POST['uname'];
$user=stripslashes($user);
$pwd=$_POST['pwd'];

// C H E C K  F O R  P A S S W O R D  E N T E R E D
if (!$pwd)
{
    echo 'No password';
    exit;
}
else
{
    // P R E P A R E  P A S S W O R D  F O R  D B  C O M P A R I S O N
    $salt='$2a$07$gi74FUurEWqlEo42f5FmPe5$'; // S A M E  S A L T  A S  R E G I S T R A T I O N
    $pwddump=stripslashes(crypt($pwd, $salt));

    @ $db = new mysqli('localhost', 'user', 'pass', 'DB');
    if (mysqli_connect_errno())
    {
        echo 'Could not connect to db.';
        exit;
    }

    echo $pwddump; // S H O W  H A S H  F O R  T E S T I N G  P U R P O S E S

    // P U L L  U S E R N A M E  A N D  P A S S W O R D  F R O M  D B  T O  C O M P A R E  W I T H  V A R I A B L E S
    $query = "select * FROM students WHERE student_email='".$user."' AND student_pwd='".$pwddump."'";
    $result = $db->query($query);
    $num_results = $result->num_rows;

    $dbpwd = ''; // stays empty when the query returns no row
    for ($i=0; $i <$num_results; $i++)
    {
        // A L L  T A B L E  R O W S  L O A D E D  F O R  F U R T H E R  U S E  I N  M Y  C O D E
        $row = $result->fetch_assoc();
        $dbid=stripslashes($row['student_ID']);
        $dbname=stripslashes($row['student_name']);
        $dbemail=stripslashes($row['student_email']);
        $dbpwd=stripslashes($row['student_pwd']);
    }
    if ($dbpwd != $pwddump)
    {
        echo 'Wrong username or password';
    }
    else
    {
        // R E S T  O F  P A G E  C O D E
    }
}
?>

I hope someone finds this useful.

3
General PHP Help / Re: Pulling my hair out with a blank screen
« on: February 18, 2012, 03:41:38 PM »
Hello ErnieAlex,

Thanks for pointing me back in the right direction. I think I saw something on www.php.net about SHA1 and MD5 not being strong enough.

I looked at www.php.net earlier, but I don't always understand the structure they show. Anyway, I looked more closely at the description and examples and realised that I needed a $ prefix. I added the $ prefix in the blowfish example and the $ at the end of the salt string and wallah! It's alive!

PHP Code:
$salt='$2a$07$gi74FUurEWqlEo42f5FmPe5$';

returned: $2a$07$gi74FUurEWqlEo42f5FmPem/oMw0uHqW.IONwFw434sLH3pWigvVi which is more what I was expecting.

The server is running PHP 5.3.10 and MCRYPT 2.5.8

echo crypt(); returned an error for an expected value.

Thanks again,

Lee.

4
General PHP Help / Re: Pulling my hair out with a blank screen
« on: February 18, 2012, 01:32:56 PM »
Hello ErnieAlex,


Thank you for that. I must have done that when I changed the values. However, it's all okay in the actual code.

I can get the output to work as intended now, but shouldn't CRYPT() strings be longer than 14 characters?
Am I doing something wrong?

If I don't add the $salt var I get very long strings, but it generates a new one on every log in attempt using the same password.

Thanks.

5
General PHP Help / Re: Pulling my hair out with a blank screen
« on: February 18, 2012, 09:32:20 AM »
I found this SALT thing. I'm not sure if I've got it right though.

PHP Code:
$pwd=$_POST['student_pwd'];
$salt='flAgRFsEwR432F3rf3@#';
$pwdsf=crypt($pwd, $salt);


It returns a relatively short string: fl8IzkfeeBKn.

6
General PHP Help / Re: Pulling my hair out with a blank screen
« on: February 18, 2012, 08:39:30 AM »

I removed the addslashes and stripslashes from the password variables and it now stores a different hash for each password and successfully logs in and displays the username. Hurray!

I've just read that SHA1 is not strong enough, so I tried crypt(), but when I log in it creates a different hash  each time so it's never going to match the stored one. How can I ensure that the hash for the entered password to log in will be the same for the one the user registered with?

Thank you,

Lee.
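
Added example (not the poster's code): the registration and login flow from the February 19, 05:52 PM post above, reworked with prepared statements and a per-user salt, which also shows how a login can match when the hash of the same password differs on every call, as asked in this post. It assumes PHP 5.5 or later (newer than the 5.3.10 mentioned in the thread) with pdo_sqlite, uses an in-memory SQLite table in place of the MySQL students table, and `register_student` and `login_student` are hypothetical names.

```php
<?php
// Added example, not the poster's code. Assumes PHP 5.5+ with pdo_sqlite.
// An in-memory SQLite table stands in for the MySQL students table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE students (student_ID INTEGER PRIMARY KEY,
    student_name TEXT, student_email TEXT UNIQUE, student_pwd TEXT)');

function register_student(PDO $db, $name, $email, $pwd) // hypothetical helper
{
    // password_hash() draws a fresh random salt and embeds it in the result,
    // so equal passwords get different hashes and no shared $salt is needed.
    $hash = password_hash($pwd, PASSWORD_BCRYPT, array('cost' => 10));
    // Placeholders keep input out of the SQL text; addslashes() is not needed.
    $stmt = $db->prepare('INSERT INTO students
        (student_name, student_email, student_pwd) VALUES (?, ?, ?)');
    $stmt->execute(array($name, $email, $hash));
    return $hash;
}

function login_student(PDO $db, $email, $pwd) // hypothetical helper
{
    // Select by e-mail only: a salted hash cannot be recomputed for the WHERE.
    $stmt = $db->prepare('SELECT student_ID, student_name, student_email,
        student_pwd FROM students WHERE student_email = ?');
    $stmt->execute(array($email));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() re-hashes $pwd with the salt stored inside the hash
    // and compares the two in constant time.
    if ($row === false || !password_verify($pwd, $row['student_pwd'])) {
        return null; // same result for unknown user and wrong password
    }
    unset($row['student_pwd']); // never hand the hash to page code
    return $row;
}

// Constructed sample data: two students with the same password,
// one with an apostrophe in the name and e-mail address.
$h1 = register_student($db, 'Noggin', 'lee@test.com', 'correct horse');
$h2 = register_student($db, "O'Neil", "o'neil@test.com", 'correct horse');
var_dump($h1 === $h2); // compare the two stored hashes
var_dump(login_student($db, 'lee@test.com', 'correct horse'));
var_dump(login_student($db, "o'neil@test.com", 'correct horse'));
var_dump(login_student($db, 'lee@test.com', 'wrong password'));
```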

7
General PHP Help / Re: Pulling my hair out with a blank screen
« on: February 18, 2012, 06:33:43 AM »
Thank you for your reply, Sarthak.

I am using name@site.com as the username to populate 'uname' in the form and $user in the process.

When I remove the AND part of the query, the message (real name and e-mail) is displayed. I think somewhere the password part of the query is the problem, but I'm unable to figure it out.

I echoed the $pwd hash in the process:
294b3c5bc70bc7b8cba317418b0c8b21d937cc57

The hash in the DB:
da39a3ee5e6b4b0d3255bfef95601890afd80709

Should they be the same?
Ah, I registered more users and the SHA1 hash in the DB is the same for different passwords. There must be something wrong in the registration process. It looks okay to me though.

Here's the registration form:
PHP Code:
<?php

echo '<h2>New Student</h2><br />';
echo '<p>Please complete the form below to register</p>';

//Reg form

echo '<form action="newstudent_process.php" method="post">';
echo '<p><b>Name: </b><input class="input" name="student_name" type="text" size="30" tabindex="1" maxlength="50"></p>';
echo '<p><b>E-mail: </b><input class="input" name="student_e-mail" type="text" size="40" tabindex="2" maxlength="100"> This will be your username.</p>';
echo '<p><b>Password: </b><input class="input" name="student_pwd" type="password" size="12" tabindex="3" maxlength="12"></p>';
echo '<p><input type="submit" name="submint" value="Register" tabindex="4"></p>';
echo '</form>';
?>



Here's the registration process:
PHP Code:
<?php

$name=$_POST['student_name'];
$email=$_POST['student_e-mail'];
$pwd=$_POST['student_pwd'];

if (!get_magic_quotes_gpc())
{
    $name=addslashes($name);
    $email=addslashes($email);
    $pwdvul=addslashes($pwd);
}
// This to be stored in the DB. add hash
// ($pwdvul is only assigned inside the if block above)
$pwdsf=sha1($pwdvul);

$db = new mysqli('localhost', 'user', 'pass', 'DB');
if (mysqli_connect_errno())
{
    echo 'Could not connect to db.';
    exit;
}
$query = "insert into students values ('','".$name."','".$email."','".$pwdsf."')";
$result = $db->query($query);
if ($result)
{
    echo $db->affected_rows.' student registered';
}
else
{
    echo '<p>Could not register you, please <a href="register.php"> go back and try again.</a></p>';
}
?>


Thanks again,

Lee

8
General PHP Help / Pulling my hair out with a blank screen
« on: February 18, 2012, 04:39:37 AM »
Hello forum,

I've spent hours trying to figure this out.
The code won't display anything on the page when $pwd is not empty and the correct password is entered.
I'd appreciate any help.

Thank you.

The form:
PHP Code:
echo '<form action="login_process.php" method="post">';
echo '<p><b>Username: </b><input class="input" name="uname" type="text" size="40" tabindex="2" maxlength="100"> This will be your username.</p>';
echo '<p><b>Password: </b><input class="input" name="pwd" type="password" size="12" tabindex="3"></p>';
echo '<p><input type="submit" name="submit" value="Log in" tabindex="4"></p>';
echo '</form>';


The process:

PHP Code:
<?php
$user=$_POST['uname'];
$user=stripslashes($user);
$pwd=$_POST['pwd'];
$pwd=stripslashes($pwd);

if (!$pwd)
{
    echo 'No password';
    exit;
}
else
{
    $pwd=sha1($pwd);
    @ $db = new mysqli('localhost', 'user', 'pass', 'DB');
    if (mysqli_connect_errno())
    {
        echo 'Could not connect to db.';
        exit;
    }

    $query = "select * FROM students WHERE student_email='".$user."' AND student_pwd='".$pwd."'";
    $result = $db->query($query);
    $num_results = $result->num_rows;

    for ($i=0; $i <$num_results; $i++)
    {
        $row = $result->fetch_assoc();
        $dbid=stripslashes($row['student_ID']);
        $dbname=stripslashes($row['student_name']);
        $dbemail=stripslashes($row['student_email']);
        $dbpwd=stripslashes($row['student_pwd']);
    }

    echo '<h2>Logged in as '.$dbname.'.<br /> Email: '.$dbemail.'</h2>';
}

?>


DB fields:
student_ID
student_name
student_email
student_pwd

Field data:
1
Noggin
lee@test.com
da39a3ee5e6b4b0d3255bfef95601890afd80709
