Pulling my hair out with a blank screen

Hello forum,

I’ve spent hours trying to figure this out.
The code won’t display anything on the page when $pwd is not empty and the correct password is entered.
I’d appreciate any help.

Thank you.

The form:
[php]echo ‘’;
echo ‘

Username: This will be your username.

Password:

The process:

[php]<?php
$user=$_POST[‘uname’];
$user=stripslashes($user);
$pwd=$_POST[‘pwd’];
$pwd=stripslashes($pwd);

if (!$pwd)
{
echo ‘No password’;
exit;
}
else
{
$pwd=sha1($pwd);
@ $db = new mysqli(‘localhost’, ‘user’, ‘pass’, ‘DB’);
if (mysqli_connect_errno())
{
echo ‘Could not connect to db.’;
exit;
}

$query = “select * FROM students WHERE student_email=’”.$user."’ AND student_pwd=’".$pwd."’";
$result= $db->query($query);
$num_results = $result->num_rows;

for ($i=0; $i <$num_results; $i++)
{
$row = $result->fetch_assoc();
$dbid=stripslashes($row[‘student_ID’]);
$dbname=stripslashes($row[‘student_name’]);
$dbemail=stripslashes($row[‘student_email’]);
$dbpwd=stripslashes($row[‘student_pwd’]);
}

echo ‘

Logged in as ‘.$dbname.’.
Email: ‘.$dbemail.’

?>[/php]

DB fields:
student_ID
student_name
student_email
student_pwd

Field data:
1
Noggin
[email protected]
da39a3ee5e6b4b0d3255bfef95601890afd80709

Hello leebut, i have checked you code. i have found every thing is fine there. I think is issues is that your trying to get record from database based on email id filled by user which is ok. But i think user is type his name as Username: which is wrong. Solution is that The Username: must be student_email id. which is store in the data base.

Username: [email protected]
Password: type your password

I hope you got it my point and it will works fine for you.
Reply your feedback.
SR

Thank you for your reply, Sarthak.

I am using [email protected] as the username to populate ‘uname’ in the form and $user in the process.

When I remove the AND part of the query, the message (real name and e-mail) is displayed. I think somewhere the password part of the query is the problem but unable to figure it out.

I echoed the $pwd hash in the process:
294b3c5bc70bc7b8cba317418b0c8b21d937cc57

The hash in the DB:
da39a3ee5e6b4b0d3255bfef95601890afd80709

Should they be the same?
Ah, I registered more users and the SHA1 hash in the DB is the same for different passwords. There must be something wrong in the registration process. It looks okay to me though.

Here’s the registration form:
[php]<?php

echo ‘

New Student

Please complete the form below to register

//Reg form

echo ‘’;
echo '

Name:

E-mail: This will be your username.

Password:

Here’s the registration process:
[php]<?php

$name=$_POST[‘student_name’];
$email=$_POST[‘student_e-mail’];
$pwd=$_POST[‘student_pwd’];

if (!get_magic_quotes_gpc())
{
$name=addslashes($name);
$email=addslashes($email);
$pwdvul=addslashes($pwd);

}
// This to be stored in the DB. add hash
$pwdsf=sha1($pwdvul);

@ $db = new mysqli(‘localhost’, ‘user, ‘pass’, ‘DB’);
if (mysqli_connect_errno())
{
echo ‘Could not connect to db.’;
exit;
}
$query = "insert into students values (’’,’".$name."’,’".$email."’,’".$pwdsf."’)";
$result = $db->query($query);
if ($result)
{
echo $db->affected_rows.’ student registered’;
}
else
echo ‘

Could not register you, please go back and try again.

Thanks again,

Lee

I removed the addslashes and stripslashes from the password variables and it now stores a different hash for each password and successfully logs in and displays the username. Hurray!

I’ve just read that SHA1 is not strong enough, so I tried crypt(), but when I log in it creates a different hash each time so it’s never going to match the stored one. How can I ensure that the hash for the entered password to log in will be the same for the one the user registered with?

Thank you,

Lee.

I found this SALT thing. I’m not sure if I’ve got it right though.

[php]$pwd=$_POST[‘student_pwd’];
$salt=‘flAgRFsEwR432F3rf3@#’;
$pwdsf=crypt($pwd, $salt);[/php]

It returns a relatively short string: fl8IzkfeeBKn.

Ah, in your REGISTRATION code that you posted, you are missing a quote after 'user, should be ‘user’,
That might be the problem…

Hello ErnieAlex,

Thank you for that. I must have done that when I changed the values. However, it’s all okay in the actual code.

I can get the output to work as intended now, but shouldn’t CRYPT() strings be longer than 14 characters?
Am I doing something wrong?

If I don’t add the $salt var I get very long strings, but it generates a new one on every log in attempt using the same password.

Thanks.

Well, I was researching your issue and found a lot on the net about it.
Looking at PHP’s info on it at: http://php.net/manual/en/function.crypt.php,
And, it seems that PHP’s CRYPT may use different versions of encryption depending on the server’s setup. If you are using PHP5.3 or so, you can use their own MD5 encryption. Some encryption routines use different size hash outputs.

To find out which one your system is using, you can echo crypt(); and it should tell you info on it.

So, find out which you are using and which PHP version you are using (echo php_info() and we can go from there. I see a lot of code online using MD5 encryption. Let us know what you have…

Hello ErnieAlex,

Thanks for pointing me back in the right direction. I think I saw something on www.php.net about SHA1 and MD5 not being strong enough.

I looked at www.php.net earlier, but I don’t always understand the structure they show. Anyway, I looked more closely at the description and examples and realised that I needed a $ prefix. I added the $prefix in the blowfish example and the $ at the end of the salt string and wallah! It’s alive!

[php]$salt=’$2a$07$gi74FUurEWqlEo42f5FmPe5$’;[/php]

returned: $2a$07$gi74FUurEWqlEo42f5FmPem/oMw0uHqW.IONwFw434sLH3pWigvVi which is more what I was expecting.

The server is running PHP 5.3.10 and MCRYPT 2.5.8

echo crypt(); returned an error for an expected value.

Thanks again,

Lee.

Glad it is solved! I will mark it so. Always a nice feeling to get somewhere… AND, always a big smile to add another routine to your list that you can use when needed. By the way, if you want to post your solved code, it might help someone else. (Only the important parts of course.) See you in the bitstream…

This is what worked. Of course, there may be a more efficient way of doing this, and may require a session to be implemented, but it’s a start.

Registration form (could be in HTML code):
[php]echo ‘’;
echo '

Name:

E-mail (This will be your username):

Password:

Process the form and add to the DB:
[php]<?php
// C O L L E C T P O S T E D F O R M V A L U E S
$name=$_POST[‘student_name’];
$email=$_POST[‘student_e-mail’];
$pwd=$_POST[‘student_pwd’];
$salt=’$2a$07$gi74FUurEWqlEo42f5FmPe5$’; // $2a$07$ and the final $ are used for blowfish encryption

if (!get_magic_quotes_gpc())
{
$name=addslashes($name);
$email=addslashes($email);
}
$pwdsf=addslashes(crypt($pwd, $salt)); // H A S H P A S S W O R D A N D S A L T - for some reason this fails in the if routine above
echo $pwdsf;

// C O N N E C T T O D B
@ $db = new mysqli(‘localhost’, ‘user’, ‘pass’, ‘DB’);
if (mysqli_connect_errno())
{
echo ‘Could not connect to db.’;
exit;
}

//A D D V A L U E S T O D B
$query = “insert into students values (’’,’”.$name."’,’".$email."’,’".$pwdsf."’)";
$result = $db->query($query);
// confirmation message
if ($result)
{
echo $db->affected_rows.’ student registered’; // F O R T E S T I N G or A D D A S U C C E S S M E S S A G E
}
else
echo ‘

Could not register you, please go back and try again.

/*Prepare an e-mail confirmation of registration
N E E D S T O B E S A N I T I S E D
*/
$query = “select * from students WHERE student_email=’”.$email."’";
$result = $db->query($query);
$num_results = $result->num_rows;

for ($i=0; $i <$num_results; $i++)
{
$row = $result->fetch_assoc();
$name=stripslashes($row[‘student_name’]);
echo '
Name: '.$name;
$mail=stripslashes($row[‘student_email’]);
echo '
Your e-mail is: '.$mail;

}
$subj = “E-mail subject”;
$mesg = ‘Thank you for registering …’;
$from = ‘From: [email protected]’;

mail($mail, $subj, $mesg, $from);
?>[/php]

Login form (could be a HTML form with PHP embedded):
[php]echo ‘’;
echo ‘

Username (registered e-mail): .

Password:

Process the form:
[php]<?php
$user=$_POST[‘uname’];
$user=stripslashes($user);
$pwd=$_POST[‘pwd’];

// C H E C K F O R P A S S W O R D E N T E R E D
if (!$pwd)
{
echo ‘No password’;
exit;
}
else
{

// P R E P A R E P A S W O R D F O R D B C O M P A R I S O N
$salt=’$2a$07$gi74FUurEWqlEo42f5FmPe5$’; // S A M E S A L T A S R E G I S T R A T I O N
$pwddump=stripslashes(crypt($pwd, $salt));

@ $db = new mysqli(‘localhost’, ‘user’, ‘pass’, ‘DB’);
if (mysqli_connect_errno())
{
echo ‘Could not connect to db.’;
exit;
}

echo $pwddump; // S H O W H A S H F O R T E S T I N G P U R P O S E S

// P U L L U S E R N A M E A N D P A S S W O R D F R O M D B T O C O M P A R E W I T H V A R I A B L E S
$query = “select * FROM students WHERE student_email=’”.$user."’ AND student_pwd=’".$pwddump."’";
$result= $db->query($query);
$num_results = $result->num_rows;

for ($i=0; $i <$num_results; $i++)
{
// A L L T A B L E R O W S L O A D E D F O R F U R T H E R U S E I N M Y C O D E
$row = $result->fetch_assoc();
$dbid=stripslashes($row[‘student_ID’]);
$dbname=stripslashes($row[‘student_name’]);
$dbemail=stripslashes($row[‘student_email’]);
$dbpwd=stripslashes($row[‘student_pwd’]);
}
if ($dbpwd != $pwddump)
{
echo ‘Wrong username or password’;
}
else
{

// R E S T O F P A G E C O D E[/php]

I hope someone finds this useful.

hello leebut, replace your below code [php] //Remove this code $num_results = $result->num_rows; for ($i=0; $i <$num_results; $i++) { // A L L T A B L E R O W S L O A D E D F O R F U R T H E R U S E I N M Y C O D E $row = $result->fetch_assoc(); $dbid=stripslashes($row['student_ID']); $dbname=stripslashes($row['student_name']); $dbemail=stripslashes($row['student_email']); $dbpwd=stripslashes($row['student_pwd']); } if ($dbpwd != $pwddump) { echo 'Wrong username or password'; } else {

// R E S T O F P A G E C O D E
[/php]
Use below code modified by me
[php]
#use belwo code
$num_results = mysql_num_rows($result);
if(count($num_results) == 0)
{
echo ‘Wrong username or password’;
}
else
{
// R E S T O F P A G E C O D E
[/php]
i hope this will helpful for you.
Reply your feedback.
SR