php to mysql help

  #1  
Old 06-10-2011, 12:55 AM
musicman153 musicman153 is offline
Web Hosting Magician
 
Join Date: Feb 2011
Location: Nirvana
Posts: 1,391

php to mysql help


Hey all you geniuses,

I'm trying to set up a simple sign in and registration script on a site. I write html but php and mysql are a major challenge to me. I set up a database with fields for username and password. I can create and install a signup form. Every time I add the rest of the code (using http://php.about.com/od/finishedphp1...login_code.htm) and upload the page it comes up blank, no errors or anything just a plain white page.

Also wondering,
I know I have to create another page with a form for registration. Will this require another database?

Thanks

__________________
www.websitemagick.com "Add a little Magick to your Website"
IwebNews.net



  #2  
Old 06-10-2011, 03:16 AM
phpcoder phpcoder is offline
Web Hosting Master
 
Join Date: Apr 2002
Location: Philadelphia
Posts: 2,276
Quote:
Every time I add the rest of the code (using http://php.about.com/od/finishedphp1...login_code.htm) and upload the page it comes up blank, no errors or anything just a plain white page.
Which code are you attempting to add - and where are you adding the code specifically?

Quote:
I know I have to create another page with a form for registration. Will this require another database?
No

  #3  
Old 06-10-2011, 04:50 AM
robputt796 robputt796 is offline
WHT Addict
 
Join Date: Jul 2007
Location: UK
Posts: 130
Hi,

Instead of using the code in the tutorial try this:

Sorry about lack of indentation, not sure how to do it on WHT, also signup.php will be posted after I've eaten breakfast, but here is the login script.

I have opted for MySQLi, or MySQL Improved for PHP over the traditional MySQL classes for PHP, it makes stuff a little easier to understand as it cuts a few steps out ;-). Hopefully the stuff below should make sense. You should most probably adapt the script below to use SHA1 / SALT etc... at least to hide the passwords in the database tables.

login.php - Gets username and password from the post of a form and checks against the DB to see if it exists...
PHP Code:
<?php
//Start sessions so we can track the users status later.
session_start();

//Get the variables from the user login form.
$username = $_POST['username'];
$password = $_POST['password'];

//Check to make sure the user has entered values on the form.
if (!isset($username) || !isset($password)) {
echo "Please fill out the entire form before trying to login";
} else {

//Connect to the database, select the rows with the given username and password.
$DB = mysqli_connect("localhost","mysql_username","mysql_password","mysql_dbname");
$SQL="SELECT * FROM USERS WHERE USERNAME='$username' AND PASSWORD='$password'";
$RESULT = mysqli_query($DB, $SQL);

//If there aren't exactly 1 rows then the user either doesn't exist or exists more than once so hence should not be logged in.
if (mysqli_num_rows($RESULT) != 1) {
echo "Login Failed";

//Else the user exists, create a token in the session and then forward the user to the users only page.
} else {
$_SESSION['loggedin'] = "true";
$_SESSION['username'] = $username;
header("location: my_user_portal.php");
}
}

//Close the sessions, this keeps them active on the server, and does not remove the data but clears the connection for this particular script hence saving resource as the server doesn't wait until the session has timed out.
session_write_close();
?>
Signup.php, forms and a little "is the user logged in script" coming after breakfast ;-).


Last edited by robputt796; 06-10-2011 at 04:57 AM.
  #4  
Old 06-10-2011, 04:55 AM
oscardog1991 oscardog1991 is offline
Newbie
 
Join Date: Jun 2011
Posts: 14
Hey,

At the top of the page you get a blank on, add in (right at the top, in PHP tags):

Code:
ini_set('display_errors', 1);
This should then give you some sort of useful error message. Paste it here.

  #5  
Old 06-10-2011, 07:35 AM
musicman153 musicman153 is offline
Web Hosting Magician
 
Join Date: Feb 2011
Location: Nirvana
Posts: 1,391
Thanks for the suggestions, will try to implement them today.

__________________
www.websitemagick.com "Add a little Magick to your Website"
IwebNews.net

  #6  
Old 06-10-2011, 05:41 PM
BMurtagh BMurtagh is offline
Aspiring Evangelist
 
Join Date: Apr 2002
Posts: 445
Quote:
//Get the variables from the user login form.
$username = $_POST['username'];
$password = $_POST['password'];
You need to sanitize your variables' data before executing your SQL, otherwise you will be prone to SQL injections, etc. Sanitizing is checking the input from the user to be legit (non-harmful) data to be used by your system.

http://www.google.com/search?q=php+s...utf-8&oe=utf-8

  #7  
Old 06-10-2011, 08:13 PM
musicman153 musicman153 is offline
Web Hosting Magician
 
Join Date: Feb 2011
Location: Nirvana
Posts: 1,391
Quote:
Originally Posted by BMurtagh View Post
You need to sanitize your variables' data before executing your SQL, otherwise you will be prone to SQL injections, etc. Sanitizing is checking the input from the user to be legit (non-harmful) data to be used by your system.

http://www.google.com/search?q=php+s...utf-8&oe=utf-8
Ya kind of lost me here about sanitizing. Right now I'm getting the job done by using the tutorials on youtube. So far everything is working as it should. I was ready to hire some help today but the silly people didn't get back to me and the login has to be functional tonight so I had no choice but to take a crash course in phpmysql. I guess I was meant to learn it.

__________________
www.websitemagick.com "Add a little Magick to your Website"
IwebNews.net

  #8  
Old 06-10-2011, 09:47 PM
musicman153 musicman153 is offline
Web Hosting Magician
 
Join Date: Feb 2011
Location: Nirvana
Posts: 1,391
Been writing it all by hand as every script I found did not work. Now I'm having trouble and need to debug. Can anyone see what's wrong with this?

Code:
<?php

$username = $_POST['username'];
$password = $_POST['password'];

if ($username&&password)
{

$connect = mysql_connect("localhost", "root", "******") or die ("couldn't connect!");
mysql_select_db("users") or die ("Couldn't find DB!");


 
$query = mysql_query("SELECT * FROM users WHERE username='username'")

$numrows = mysql_num_rows(query);

 
if ($numrows!=0)
{
 

{
 while ($row + mysql_fetch_assoc($query))
{
  $dbusername = $row['username'];
  $dbusername = $row['password'];
  }


  if ($username==$dbusername&&$password==$dbpassword)
{
   echo "you're in!";

}
  else

   echo "incorrect pessword!";


else
  die("that user dosen't exist!");

echo $numrows;

}

else
   die("Please enter user name and password!");


?>

__________________
www.websitemagick.com "Add a little Magick to your Website"
IwebNews.net

  #9  
Old 06-11-2011, 11:00 PM
sea otter sea otter is offline
the cloud is a lie
 
Join Date: May 2004
Location: NYC
Posts: 793
Quote:
Originally Posted by musicman153 View Post
Been writing it all by hand as every script I found did not work. Now I'm having trouble and need to debug. Can anyone see what's wrong with this?
Well...there are a few syntax errors, some inefficient code, and a couple of glaring security holes. But I'd also like to point out that if every script you tried didn't work, you might have some problem with your infrastructure, that is, with how PHP and/or Apache are configured.

Syntax errors:
  • In your sql query, you have single quotes around username and you left off the $. You also haven't sanitized the variable, so your database is open to a sql injection attack. You also left the semicolon off the end of the function call.
  • The conditional term of your while loop doesn't make sense. You are adding the return value to a row variable, instead of doing first an assignment and then a check to see if the value was false.
  • In the body of the while loop, you assign the returned password and also the returned username to the same $dbusername variable. Probably not what you intended.

As for inefficiencies, you've got some unnecessarily clunky looping, variable setting, and comparisons.

Lastly, besides the sql injection vulnerability mentioned above, you really shouldn't store passwords in plaintext. Security is complicated - deciding on whether/how/why to salt/hash/encrypt the password is too involved to cover here, but plaintext is a really bad idea.

Here's your code corrected and streamlined:

PHP Code:
$username = $_POST['username'];
$password = $_POST['password'];

// put validation test up front to avoid nesting entire body of code
if (!$username || !$password)
    die("Please enter user name and password!");

// connect and use correct database
$connect = mysql_connect("localhost", "root", "******") or die ("couldn't connect!");
mysql_select_db("users") or die("Couldn't find DB!");

// retrieve the user's password; the username is escaped before it goes into the query
$query = mysql_query("SELECT password FROM users WHERE username='" . mysql_real_escape_string($username) . "'")
        or die("SQL query failed");

// You should only get one row; no need for a loop.
// Whether we get back false or 0, it's still a "fail", so ! is a valid test here
if (!($row = mysql_fetch_assoc($query)))
    die ("User not found");

// compare passwords
if ($password === $row['password'])
   echo "you're in!";
else
   echo "incorrect password!";
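
Added example, not part of any post in this thread: the SQL injection point raised in posts #6 and #9, shown as the concatenated lookup beside a prepared statement. It assumes PHP 7.4 or later with the pdo_sqlite extension; the in-memory SQLite table, the sample accounts and the function names are constructed for the demonstration (the `mysql_*` functions used in the thread were removed in PHP 7.0, and with MySQL the same shape applies through PDO or `mysqli_prepare()`).

```php
<?php
// Constructed demo data: an in-memory SQLite table stands in for the thread's MySQL `users` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$seed = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
foreach (['alice' => 'correct horse', "o'brien" => 'battery staple'] as $name => $pw) {
    $seed->execute([$name, password_hash($pw, PASSWORD_DEFAULT)]);
}

// Pattern used in the thread: the form value is pasted into the SQL text,
// so any quote character in it is parsed as SQL syntax, not as data.
function login_concatenated(PDO $db, string $username, string $password): string
{
    try {
        $row = $db->query("SELECT password_hash FROM users WHERE username='$username'")->fetch();
    } catch (PDOException $e) {
        return 'query error (input changed the SQL)';
    }
    return ($row && password_verify($password, $row['password_hash'])) ? 'ok' : 'denied';
}

// Prepared statement: the SQL text is fixed and the value travels separately,
// so it can never alter the structure of the query.
function login_prepared(PDO $db, string $username, string $password): string
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // Same answer for "no such user" and "wrong password", so the form
    // does not reveal which usernames exist.
    return ($hash !== false && password_verify($password, $hash)) ? 'ok' : 'denied';
}

$attempts = [
    ['alice', 'correct horse'],      // valid login
    ['alice', 'wrong'],              // wrong password
    ["o'brien", 'battery staple'],   // valid login whose name contains a quote
    ['nobody', 'x'],                 // unknown user
];
foreach ($attempts as [$u, $p]) {
    printf("%-8s concatenated: %-36s prepared: %s\n",
        $u, login_concatenated($db, $u, $p), login_prepared($db, $u, $p));
}
```

The legitimate user whose name contains an apostrophe cannot log in through the concatenated query, because that one character is read as the end of the string literal; the prepared statement treats it as ordinary data.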

  #10  
Old 06-12-2011, 12:21 AM
musicman153 musicman153 is offline
Web Hosting Magician
 
Join Date: Feb 2011
Location: Nirvana
Posts: 1,391
Thanks Sea Otter for taking the time to do this.

Much appreciated.

__________________
www.websitemagick.com "Add a little Magick to your Website"
IwebNews.net

  #11  
Old 06-12-2011, 12:57 AM
sea otter sea otter is offline
the cloud is a lie
 
Join Date: May 2004
Location: NYC
Posts: 793
No problem, and good luck

  #12  
Old 06-13-2011, 02:44 AM
ionisis ionisis is offline
Newbie
 
Join Date: Jun 2011
Posts: 18
Sea Otter is right, and it also sounds like you were generating a fatal error, and are using an output buffer or error suppressor.

  #13  
Old 06-13-2011, 05:29 AM
alcaeus alcaeus is offline
Temporarily Suspended
 
Join Date: Jun 2011
Location: UK
Posts: 28
Question for Sea Otter really, is deciding to encrypt a password complex, or just use mcrypt_encrypt and mcrypt_decrypt? Or am I being naive?

  #14  
Old 06-13-2011, 12:53 PM
ionisis ionisis is offline
Newbie
 
Join Date: Jun 2011
Posts: 18
Neither. You should either use md5() or password() on a password BEFORE it gets stored into the mysql server. MD5() is recommended, because it can also be evaluated in php, whereas password() is a native MySQL function (not php). Sha1 may also be an option. Also you should be pulling data only if the username AND password match (don't pull the password from the database, because if there's an error, php may EXPOSE the user's data that you pulled, including the password), and if the data is null, that means that the username does not exist, or the password is incorrect.

  #15  
Old 06-13-2011, 05:08 PM
sea otter sea otter is offline
the cloud is a lie
 
Join Date: May 2004
Location: NYC
Posts: 793
Quote:
Originally Posted by alcaeus View Post
Question for Sea Otter really, is deciding to encrypt a password complex, or just use mcrypt_encrypt and mcrypt_decrypt? Or am I being naive?
Security is like drugs - the further down the rabbit hole you go, the more paranoid you get.

In an ideal world, yeah, you'd use mcrypt() functions along with salting and hashing (and store the hash with the password and verify it every time you pull the password from the database). This also allows you to not only store encrypted passwords, but also provide a password retrieval system.

HOWEVER...mcrypt and hashing are computationally expensive. An active site with many users would bog down pretty quickly. So then you start to think, maybe I should run a password checking daemon on a separate machine, whose only job is to store and verify passwords? And it only gets better from there. And there are discussions that the Rijndael 256 bit algorithm is actually worse than the 128 bit one for a variety of esoteric reasons. And on and on.

Also, assuming even the best crypto algorithms, where and how do you store the salt and the key? If they're just sitting there in your PHP file, well, if anyone gains access to that, there goes all your fancy encryption. So do you store them encrypted as well, perhaps in a flat file accessible only to root? And if so, how would you access that from PHP securely? It's all enough to drive you mad.

So...just the way they say in the hosting forum here that "there is no best hosting, only the best hosting for you," so it goes with cryptography. You need to look at how secure you want to be, what kind of traffic you've got, what kind of hardware, what you're protecting. And none of this addresses anything beyond password storage. You need to protect yourself from session hijacking, stale sessions, session files visible to others on the server (in shared hosting environments) etc.

And lastly, DO NOT use md5(), as suggested by ionisis. It's easily cracked, and there are already lots of rainbow tables out there as well, meaning all you have to do is look up the hash, not even try and crack it. At the very least, if you *must* encrypt via a hash, use either the hash() or mhash() functions with a strong algorithm and a dual salt.

Whew. I'm done
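
Added example, not part of any post in this thread: the password storage question from posts #13 to #15, comparing an unsalted `md5()` digest with PHP's built-in `password_hash()` (available since PHP 5.5, so after this thread was written) and showing one way to move legacy rows over at login. It assumes PHP 7.4 or later; the sample passwords and the function names `same_hashes` and `verify_and_upgrade` are constructed for the demonstration.

```php
<?php
// Constructed sample data: two users who happen to pick the same password.
$passwords = ['alice' => 'hunter2-example', 'bob' => 'hunter2-example'];

// Unsalted md5(): identical passwords give identical digests, so a single
// precomputed lookup table applies to every account at once.
$md5 = array_map('md5', $passwords);

// password_hash(): a random salt is generated on each call and stored inside
// the returned string together with the algorithm and cost, so there is no
// separate salt to keep in a PHP file or config.
$modern = array_map(fn($p) => password_hash($p, PASSWORD_DEFAULT), $passwords);

function same_hashes(array $hashes): bool
{
    return count(array_unique($hashes)) === 1;
}

// Login-time check plus an upgrade path for rows that still hold a legacy
// md5 hex digest. Returns [authenticated, new hash to store or null].
function verify_and_upgrade(string $password, string $stored): array
{
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $isLegacyMd5
        ? hash_equals($stored, md5($password))   // constant-time comparison
        : password_verify($password, $stored);
    if (!$ok) {
        return [false, null];
    }
    // Re-hash when the row is legacy or the default algorithm/cost has moved on.
    $needsNew = $isLegacyMd5 || password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [true, $needsNew ? password_hash($password, PASSWORD_DEFAULT) : null];
}

echo 'md5 digests identical for equal passwords:   ';
var_dump(same_hashes($md5));
echo 'password_hash output identical:              ';
var_dump(same_hashes($modern));

[$ok, $replacement] = verify_and_upgrade('hunter2-example', $md5['alice']);
echo 'legacy row authenticated:                    ';
var_dump($ok);
echo 'replacement hash verifies the same password: ';
var_dump(password_verify('hunter2-example', $replacement));
```

The caller writes the returned replacement hash back to the user's row, so legacy digests disappear as users log in without anyone having to reset a password.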
