
06-10-2011, 12:55 AM
Web Hosting Magician
Join Date: Feb 2011
Location: Nirvana
Posts: 1,372

Hey all you geniuses,
I'm trying to set up a simple sign in and registration script on a site. I write HTML, but PHP and MySQL are a major challenge to me. I set up a database with fields for username and password. I can create and install a signup form. Every time I add the rest of the code (using http://php.about.com/od/finishedphp1...login_code.htm) and upload the page, it comes up blank: no errors or anything, just a plain white page.
Also wondering,
I know I have to create another page with a form for registration. Will this require another database?
Thanks

06-10-2011, 03:16 AM
Web Hosting Master
Join Date: Apr 2002
Location: Philadelphia
Posts: 2,276

Which code are you attempting to add, and where are you adding the code specifically?
Quote:
I know I have to create another page with a form for registration. Will this require another database?
No

06-10-2011, 04:50 AM
WHT Addict
Join Date: Jul 2007
Location: UK
Posts: 129

Hi,
Instead of using the code in the tutorial, try this:
Sorry about the lack of indentation, not sure how to do it on WHT. Also, signup.php will be posted after I've eaten breakfast, but here is the login script.
I have opted for MySQLi, or MySQL Improved for PHP, over the traditional MySQL functions for PHP; it makes stuff a little easier to understand as it cuts a few steps out ;-). Hopefully the stuff below should make sense. You should most probably adapt the script below to use SHA1 / SALT etc., at least to hide the passwords in the database tables.
login.php - Gets username and password from the post of a form and checks against the DB to see if it exists...
PHP Code:
<?php
// Start sessions so we can track the user's status later.
session_start();

// Get the variables from the user login form.
$username = $_POST['username'];
$password = $_POST['password'];

// Check to make sure the user has entered values on the form.
if (!isset($username) || !isset($password)) {
    echo "Please fill out the entire form before trying to login";
} else {
    // Connect to the database, select the rows with the given username and password.
    $DB = mysqli_connect("localhost", "mysql_username", "mysql_password", "mysql_dbname");
    $SQL = "SELECT * FROM USERS WHERE USERNAME='$username' AND PASSWORD='$password'";
    $RESULT = mysqli_query($DB, $SQL);

    // If there isn't exactly 1 row then the user either doesn't exist or exists more than once, so should not be logged in.
    if (mysqli_num_rows($RESULT) != 1) {
        echo "Login Failed";
    // Else the user exists: create a token in the session and then forward the user to the users-only page.
    } else {
        $_SESSION['loggedin'] = "true";
        $_SESSION['username'] = $username;
        header("location: my_user_portal.php");
    }
}

// Release the session: this keeps it active on the server and does not remove the data, but writes it out and
// unlocks it for this particular script, saving resources as the server doesn't wait until the session has timed out.
session_write_close();
?>
Signup.php, forms and a little "is the user logged in" script coming after breakfast ;-).
Last edited by robputt796; 06-10-2011 at 04:57 AM.

06-10-2011, 04:55 AM
Newbie
Join Date: Jun 2011
Posts: 14

Hey,
At the top of the page you get a blank on, add in (right at the top, in PHP tags):
Code:
ini_set('display_errors', 1);
This should then give you some sort of useful error message. Paste it here.

06-10-2011, 07:35 AM
Web Hosting Magician
Join Date: Feb 2011
Location: Nirvana
Posts: 1,372

Thanks for the suggestions, will try to implement them today.

06-10-2011, 05:41 PM
Aspiring Evangelist
Join Date: Apr 2002
Posts: 445

Quote:
//Get the variables from the user login form.
$username = $_POST['username'];
$password = $_POST['password'];

You need to sanitize your variables' data before executing your SQL, otherwise you will be prone to SQL injections, etc. Sanitizing is checking that the input from the user is legitimate (non-harmful) data before it is used by your system.
http://www.google.com/search?q=php+s...utf-8&oe=utf-8

06-10-2011, 08:13 PM
Web Hosting Magician
Join Date: Feb 2011
Location: Nirvana
Posts: 1,372

Quote:
Originally Posted by BMurtagh
You need to sanitize your variables' data before executing your SQL, otherwise you will be prone to SQL injections, etc. Sanitizing is checking that the input from the user is legitimate (non-harmful) data before it is used by your system.
http://www.google.com/search?q=php+s...utf-8&oe=utf-8

Ya, kind of lost me here about sanitizing. Right now I'm getting the job done by using the tutorials on YouTube. So far everything is working as it should. I was ready to hire some help today but the silly people didn't get back to me, and the login has to be functional tonight, so I had no choice but to take a crash course in PHP/MySQL. I guess I was meant to learn it.

06-10-2011, 09:47 PM
Web Hosting Magician
Join Date: Feb 2011
Location: Nirvana
Posts: 1,372

Been writing it all by hand as every script I found did not work. Now I'm having trouble and need to debug. Can anyone see what's wrong with this?
Code:
<?php
$username = $_POST['username'];
$password = $_POST['password'];
if ($username&&password)
{
$connect = mysql_connect("localhost", "root", "******") or die ("couldn't connect!");
mysql_select_db("users") or die ("Couldn't find DB!");
$query = mysql_query("SELECT * FROM users WHERE username='username'")
$numrows = mysql_num_rows(query);
if ($numrows!=0)
{
{
while ($row + mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbusername = $row['password'];
}
if ($username==$dbusername&&$password==$dbpassword)
{
echo "you're in!";
}
else
echo "incorrect pessword!";
else
die("that user dosen't exist!");
echo $numrows;
}
else
die("Please enter user name and password!");
?>

06-11-2011, 11:00 PM
the cloud is a lie
Join Date: May 2004
Location: NYC
Posts: 793

Quote:
Originally Posted by musicman153
Been writing it all by hand as every script I found did not work. Now I'm having trouble and need to debug. Can anyone see what's wrong with this?

Well... there are a few syntax errors, some inefficient code, and a couple of glaring security holes. But I'd also like to point out that if every script you tried didn't work, you might have some problem with your infrastructure, that is, with how PHP and/or Apache are configured.
Syntax errors:
- In your SQL query, you have single quotes around username and you left off the $. You also haven't sanitized the variable, so your database is open to a SQL injection attack. You also left the semicolon off the end of the function call.
- The conditional term of your while loop doesn't make sense. You are adding the return value to a row variable, instead of first doing an assignment and then a check to see if the value was false.
- In the body of the while loop, you assign the returned password and also the returned username to the same $dbusername variable. Probably not what you intended.
As for inefficiencies, you've got some unnecessarily clunky looping, variable setting, and comparisons.
Lastly, besides the SQL injection vulnerability mentioned above, you really shouldn't store passwords in plaintext. Security is complicated: deciding on whether/how/why to salt/hash/encrypt the password is too involved to cover here, but plaintext is a really bad idea.
Here's your code corrected and streamlined:
PHP Code:
<?php
$username = $_POST['username'];
$password = $_POST['password'];
// put validation test up front to avoid nesting entire body of code
if (!$username || !$password)
    die("Please enter user name and password!");
// connect and use correct database
$connect = mysql_connect("localhost", "root", "******") or die("couldn't connect!");
mysql_select_db("users") or die("Couldn't find DB!");
// retrieve the user's password; escape the username so it cannot break out of the quoted SQL string
$query = mysql_query("SELECT password FROM users WHERE username='" . mysql_real_escape_string($username) . "'")
    or die("SQL query failed");
// You should only get one row; no need for a loop.
// Whether we get back false or 0, it's still a "fail", so ! is a valid test here
if (!($row = mysql_fetch_assoc($query)))
    die("User not found");
// compare passwords
if ($password === $row['password'])
    echo "you're in!";
else
    echo "incorrect password!";
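A hardened version of the login page from the two posts above (robputt796's MySQLi login.php and Sea Otter's correction), added here as an example rather than either poster's code: a mysqli prepared statement binds the username as data instead of splicing it into the SQL text, and password_verify() checks the submitted password against a stored password_hash() digest rather than a plaintext column. It assumes a `users` table with `username` and `password_hash` columns and placeholder connection values.

```php
<?php
// Added example, not from the thread. Table `users` (username, password_hash)
// and the connection values are assumptions/placeholders.
declare(strict_types=1);
session_start();

function authenticate(mysqli $db, string $username, string $password): bool
{
    // The ? placeholder is bound as a string value, so quotes or SQL keywords in
    // the username are compared literally and never change the query structure.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();          // true for a row, null when none matched
    $stmt->close();

    if ($found !== true) {
        return false;                 // unknown user
    }
    // password_verify() reads the salt and cost out of the stored hash and
    // does a constant-time comparison of the recomputed digest.
    return password_verify($password, $storedHash);
}

$username = trim($_POST['username'] ?? '');
$password = $_POST['password'] ?? '';
if ($username === '' || $password === '') {
    exit('Please enter user name and password!');
}

$db = new mysqli('localhost', 'mysql_username', 'mysql_password', 'mysql_dbname'); // placeholders
if ($db->connect_error) {
    exit('Could not connect to the database'); // generic: no driver details sent to the browser
}

if (authenticate($db, $username, $password)) {
    session_regenerate_id(true);      // fresh session id on login blunts session fixation
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $username;
    header('Location: my_user_portal.php');
    exit;
}
echo 'Login failed';                  // same message for unknown user and wrong password
```

The mysql_* functions used in the posts above were removed in PHP 7, so mysqli (or PDO) prepared statements are what current PHP offers for this.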

06-12-2011, 12:21 AM
Web Hosting Magician
Join Date: Feb 2011
Location: Nirvana
Posts: 1,372

Thanks Sea Otter for taking the time to do this.
Much appreciated.

06-12-2011, 12:57 AM
the cloud is a lie
Join Date: May 2004
Location: NYC
Posts: 793

No problem, and good luck.

06-13-2011, 02:44 AM
Newbie
Join Date: Jun 2011
Posts: 18

Sea Otter is right, and it also sounds like you were generating a fatal error, and are using an output buffer or error suppressor.

06-13-2011, 05:29 AM
Temporarily Suspended
Join Date: Jun 2011
Location: UK
Posts: 28

Question for Sea Otter really: is deciding to encrypt a password complex, or do you just use mcrypt_encrypt and mcrypt_decrypt? Or am I being naive?

06-13-2011, 12:53 PM
Newbie
Join Date: Jun 2011
Posts: 18

Neither. You should either use md5() or password() on a password BEFORE it gets stored into the MySQL server. MD5() is recommended, because it can also be evaluated in PHP, whereas password() is a native MySQL function (not PHP). SHA1 may also be an option. Also, you should be pulling data only if the username AND password match (don't pull the password from the database, because if there's an error, PHP may EXPOSE the user's data that you pulled, including the password), and if the data is null, that means that the username does not exist or the password is incorrect.

06-13-2011, 05:08 PM
the cloud is a lie
Join Date: May 2004
Location: NYC
Posts: 793

Quote:
Originally Posted by alcaeus
Question for Sea Otter really: is deciding to encrypt a password complex, or do you just use mcrypt_encrypt and mcrypt_decrypt? Or am I being naive?

Security is like drugs: the further down the rabbit hole you go, the more paranoid you get.
In an ideal world, yeah, you'd use the mcrypt() functions along with salting and hashing (and store the hash with the password and verify it every time you pull the password from the database). This also allows you to not only store encrypted passwords, but also provide a password retrieval system.
HOWEVER... mcrypt and hashing are computationally expensive. An active site with many users would bog down pretty quickly. So then you start to think, maybe I should run a password checking daemon on a separate machine, whose only job is to store and verify passwords? And it only gets better from there. And there are discussions that the Rijndael 256 bit algorithm is actually worse than the 128 bit one for a variety of esoteric reasons. And on and on.
Also, assuming even the best crypto algorithms, where and how do you store the salt and the key? If they're just sitting there in your PHP file, well, if anyone gains access to that, there goes all your fancy encryption. So do you store them encrypted as well, perhaps in a flat file accessible only to root? And if so, how would you access that from PHP securely? It's all enough to drive you mad.
So... just the way they say in the hosting forum here that "there is no best hosting, only the best hosting for you," so it goes with cryptography. You need to look at how secure you want to be, what kind of traffic you've got, what kind of hardware, what you're protecting. And none of this addresses anything beyond password storage. You need to protect yourself from session hijacking, stale sessions, session files visible to others on the server (in shared hosting environments), etc.
And lastly, DO NOT use md5(), as suggested by ionisis. It's easily cracked, and there are already lots of rainbow tables out there as well, meaning all you have to do is look up the hash, not even try and crack it. At the very least, if you *must* encrypt via a hash, use either the hash() or mhash() functions with a strong algorithm and a dual salt.
Whew. I'm done.
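The signup side that the thread promised but never posted, added here as an example (not robputt796's or Sea Otter's code): password_hash() generates and embeds a random per-user salt, so it covers the salting and hashing discussed above without a separate salt or key sitting in the PHP file, and password_needs_rehash() lets older or weaker hashes be upgraded when a user next logs in. It assumes the same `users` table (`username`, `password_hash`) and placeholder connection values.

```php
<?php
// Added example, not from the thread. Same assumed `users` table
// (username, password_hash); connection values are placeholders.
declare(strict_types=1);

const HASH_OPTIONS = ['cost' => 12];   // bcrypt work factor; raise as hardware allows

function registerUser(mysqli $db, string $username, string $password): bool
{
    // Keep usernames to a small, predictable character set and passwords non-trivial.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) || strlen($password) < 10) {
        return false;
    }
    // password_hash() draws a random salt and stores it inside the returned string,
    // so there is no salt column and no secret key to protect in the PHP file.
    $hash = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);

    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    try {
        $ok = $stmt->execute();        // false or exception on a duplicate if username is UNIQUE
    } catch (mysqli_sql_exception $e) {
        $ok = false;
    }
    $stmt->close();
    return $ok;
}

// Call right after a successful password_verify(): hashes made with a lower cost
// (or another algorithm) are replaced while the plaintext is briefly available.
function rehashIfNeeded(mysqli $db, string $username, string $password, string $hash): void
{
    if (!password_needs_rehash($hash, PASSWORD_BCRYPT, HASH_OPTIONS)) {
        return;
    }
    $new  = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
    $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
    $stmt->bind_param('ss', $new, $username);
    $stmt->execute();
    $stmt->close();
}

$username = trim($_POST['username'] ?? '');
$password = $_POST['password'] ?? '';
$db = new mysqli('localhost', 'mysql_username', 'mysql_password', 'mysql_dbname'); // placeholders
echo registerUser($db, $username, $password) ? 'Account created' : 'Registration failed';
```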