ill like to remove the sha1 encryption on this code so i can store my password as typed in the database instead of the encrypted code. Am new to coding so I need help
The code (settings_model.php)
<?php
$settings = new Datasettings();
if(isset($_GET['q'])){
$settings->$_GET['q']();
}
class Datasettings {
function __construct(){
if(!isset($_SESSION['id'])){
header('location:../../');
}
}
function changepassword(){
include('../../config.php');
$username = $_GET['username'];
$password = $_GET['password'];
$current = sha1($_POST['current']);
$new = sha1($_POST['new']);
$confirm = sha1($_POST['confirm']);
$q = "select * from userdata where username='$username' and password='$current'";
$r = mysqli_query($db,$q);
if(mysqli_num_rows($r) > 0){
if($new == $confirm){
$r2 = mysqli_query($db,"update userdata set password='$new' where username='$username' and password='$current'");
header('location:../settings.php?msg=success&username='.$username.'');
}else{
header('location:../settings.php?msg=error&username='.$username.'');
}
}else{
header('location:../settings.php?msg=error&username='.$username.'');
}
}
function addaccount(){
include('../../config.php');
$level = $_GET['level'];
$id = $_GET['id'];
$q = "select * from $level where id=$id";
$r = mysqli_query($db,$q);
$row = mysqli_fetch_array($r);
if($level == 'student'){
$username = $row['studid'];
$fname = $row['fname'];
$lname = $row['lname'];
$password = sha1($username.'-'.$fname);
}else{
$username = $row['teachid'];
$fname = $row['fname'];
$lname = $row['lname'];
$password = sha1($username.'-'.$fname);
}
$verify = $this->verifyusername($username);
if($verify){
$q2 = "insert into userdata values(null,'$username','$password','$fname','$lname','$level')";
mysqli_query($db,$q2);
header('location:../'.$level.'list.php?r=added an account');
}else{
header('location:../'.$level.'list.php?r=updated');
}
}
function verifyusername($user){
$q = "select * from userdata where username='$user'";
$r = mysql_query($q);
if(mysql_num_rows($r) < 1){
return true;
}else{
return false;
}
}
function getuser($search){
include('../config1.php');
$user = $_SESSION['id'];
$q = "select * from userdata where username !='$user' and username like '%$search%' order by lname asc";
$r = mysqli_query($db, $q);
return $r;
}
function addaccounts(){
include('../../config1.php');
extract($_POST);
$q = "select * from $level where id=$id";
$r = mysqli_query($db,$q);
$row = mysqli_fetch_array($r);
if($level == 'student'){
$username = $row['studid'];
$fname = $row['fname'];
$lname = $row['lname'];
$password = sha1($username.'-'.$fname);
}else{
$username = $row['teachid'];
$fname = $row['fname'];
$lname = $row['lname'];
$password = sha1($username.'-'.$fname);
}
$verify = $this->verifyusername($username);
if($verify){
$q2 = "insert into userdata values(null,'$username','$password','$fname','$lname','$level')";
mysqli_query($db,$q2);
header('location:../'.$level.'list.php?r=added an account');
}else{
header('location:../'.$level.'list.php?r=updated');
}
}
}
?>
please help need an answer soon. thanks.
just change this line
$confirm = sha1($_POST['confirm']);
to this
$confirm = $_POST['confirm'];
Related
session_start();
require_once 'config.php';
if(isset($_POST['username']) && isset($_POST['password'])){
$uname = $_POST['username'];
$upass = $_POST['password'];
//select users information from database
$buildsql = "SELECT * FROM umembersd WHERE uusername = '$uname' AND upassword = '$upass'";
$myexec = mysqli_query($conn, $buildsql) or die (mysqli_error($conn));
if($myexec->num_rows > 0){
while($data = $myexec->fetch_assoc()){
$_SESSION['no'] = 'id';
$_SESSION['firstname'] = 'ufname';
$_SESSION['lastname']= 'ulname';
$_SESSION['phonenumber'] = 'uphone';
$_SESSION['emailaddress']= 'uemail';
$_SESSION['datejoined'] = 'uregdate';
$_SESSION['datereg'] = 'uusername';
header('location: index.php?successful');
}
}else{
header('location: login.php?nerror');
}
}
I have read a ton of question about it and the discussions are different along with the answers on this matter.
I need to have the User ID in order to retrieve his data from the DB and create a session with this data in order to create a continues login.
Hashing the session:
function createNewUserSession($uid, $email, $salt){
$session_key = $email.$salt;
$options = [
'cost' => 11
];
$session_key = password_hash($session_key, PASSWORD_BCRYPT, $options);
$connect = mysqliConnect();
$query = "UPDATE `users` SET";
$query .= " session_key = '$session_key'";
$query .= " WHERE id = '$uid'";
mysqli_query($connect, $query);
return $session_key;
}
function generateRandomString($length) {
return substr(str_shuffle(str_repeat($x='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!##$%^&*()_+|"}?><~', ceil($length/strlen($x)) )),1,$length);
}
$user_session_salt = generateRandomString(32);
if (isset($_COOKIE['sk'])) {
if (password_verify($email.$_COOKIE['sk'], $session_key)) {
// Creating Sessions
$_SESSION['uid'] = $uid;
$_SESSION['fName'] = $fName;
$_SESSION['lName'] = $lName;
} else {
// Creating New Sessions
createNewUserSession($uid, $email, $user_session_salt);
$_SESSION['uid'] = $uid;
$_SESSION['fName'] = $fName;
$_SESSION['lName'] = $lName;
// Creating Cookies
setcookie("sk", $user_session_salt, time() + (90 * 24 * 60 * 60), '/', '.mywebsite.io');
}
}
Renew Session:
function restoreSession($uid) {
$connect = mysqliConnect();
$query = "SELECT * FROM `users` WHERE id = '$uid'";
$result = mysqli_query($connect, $query);
if (mysqli_num_rows($result) == 1) {
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
$uid = $row['id'];
$email = $row['email'];
$fName = $row['first_name'];
$lName = $row['last_name'];
$session_key = $row['session_key'];
if (isset($_COOKIE['sk']) && !isset($_SESSION['uid'])) {
$user_salt = $_COOKIE['sk'];
if (password_verify($email.$user_salt, $session_key)) {
// Creating Sessions
$_SESSION['uid'] = $uid;
$_SESSION['fName'] = $fName;
$_SESSION['lName'] = $lName;
}
}
}
}
I know this is not perfect, but I'm still learning and need some adequate input on this matter.
So, this is my code:
class Functions{
public static function login($email,$password){
$email = $_GET['email'];
$password = $_GET['password'];
if(isset($_GET['submit']) AND isset($email) AND isset($password)){
$password = md5($password);
$sql = "SELECT * FROM users WHERE email='$email' AND password='$password'";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
$row = $result->fetch_assoc();
$_SESSION['nume'] = $row["name"];
$_SESSION['uid'] = $row["id"];
$_SESSION['admin'] = $row["admin"];
$_SESSION['email'] = $row["email"];
$_SESSION['points'] = $row["points"];
}else{
$errortxt = "Invalid Login Credentials";
$error = true;
}
}
return $error;
}
}
In my HTML file I'm calling for the function like this:
Function::login($email,$password);
But I'm wondering how can I get the $errortxt string to echo in the HTML file.
Thanks!
You just need a simple fix:
class Functions{
public static function login($email,$password){
$response['error'] = false;
$response['errortxt'] = "";
$email = $_GET['email'];
$password = $_GET['password'];
if(isset($_GET['submit']) AND isset($email) AND isset($password)){
$password = md5($password);
$sql = "SELECT * FROM users WHERE email='$email' AND password='$password'";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
$row = $result->fetch_assoc();
$_SESSION['nume'] = $row["name"];
$_SESSION['uid'] = $row["id"];
$_SESSION['admin'] = $row["admin"];
$_SESSION['email'] = $row["email"];
$_SESSION['points'] = $row["points"];
}else{
$response['error'] = true;
$response['errortxt'] = "Invalid Login Credentials";
}
}
return $response;
}
}
And you need to call it this way:
$fnCallStatus = Function::login($email,$password); //Now you have the response;
if($fnCallStatus['error']) //we have an error
{
echo $fnCallStatus['errortxt']; //we print the message
}
Hi I fixed little bit your code because it lacks good coding principles and good taste (calling superglobal $_GET variable will always get you something after request despite you place something else into function parameters).
class Functions{
public static function login($email,$password)
{
$error['is'] = true;
$email = htmlspecialchars($email);
$password = md5(htmlspecialchars($password));
if(!empty($email) AND !empty($password))
{
$sql = "SELECT * FROM users WHERE email='$email' AND password='$password'";
$result = $conn->query($sql);
if ($result->num_rows > 0)
{
$row = $result->fetch_assoc();
$_SESSION['nume'] = $row["name"];
$_SESSION['uid'] = $row["id"];
$_SESSION['admin'] = $row["admin"];
$_SESSION['email'] = $row["email"];
$_SESSION['points'] = $row["points"];
} else {
$error['mismatch'] = "Email or password does not match.";
return $error;
}
} else {
$error['empty'] = "Please fill all login fields. Thank you";
return $error;
}
}
}
$error = Function::login($_GET['email'],$_GET['password']);
if($error['is'])
{
if ($error['mismatch']) {
echo $error['mismatch'];
} elseif ($error['empty']) {
echo $error['empty']
}
}
Your function also always return $error despite none occurred. I fixed that and function return error only in not query case.
Functions can return arrays. So if you need to set multiple fields with different text, you can place into array anything you like. This solution is more buletproof.
I am trying to change the value of an ENUM in a mySQL database that will help identify when a user is logged on or logged off on a website to be displayed to all users of the site. I set an ENUM column with possible values of 0 and 1. 0 being logged off, and 1 being logged on. But it doesnt seem to be changing anything. Here is my code:
//LOGIN
session_start();
$username = ($_POST['username']);
$password = ($_POST['password']);
$sql = "SELECT * FROM users WHERE username = '$username' LIMIT 1";
$query = mysqli_query($conn, $sql);
if ($query) {
$row = mysqli_fetch_row($query);
$userid = $row[0];
$dbusername = $row[1];
$dbpassword = $row[2];
$email = $row[4];
$status = $row[7];
$permit = $row[6];
$active = $row[5];
$fname = $row[8];
$lname = $row[9];
$dob = $row[10];
$signupdate = $row[3];
$ipadd = $row[11];
$loggedin = $row[12];
}
if ($username == $dbusername && $password == $dbpassword){
$_SESSION['username'] = $username;
$_SESSION['id'] = $userid;
$_SESSION['email'] = $email;
$_SESSION['status'] = $status;
$_SESSION['permit'] = $permit;
$_SESSION['email_activation'] = $active;
$_SESSION['first_name'] = $fname;
$_SESSION['last_name'] = $lname;
$_SESSION['dob'] = $dob;
$_SESSION['sign_up_date'] = $signupdate;
$_SESSION['ipv4'] = $ipadd;
$_SESSION['loggedin'] = $loggedin;
$sql = "UPDATE username SET loggedin = '1'";
header("Location: ../main.php");
Replace your update query with this one
"UPDATE users SET loggedin = '1' where `id` = $userid ";
//LOGIN
session_start();
$username = ($_POST['username']);
$password = ($_POST['password']);
$sql = "SELECT * FROM users WHERE username = '$username' LIMIT 1";
$query = mysqli_query($conn, $sql);
if ($query) {
$row = mysqli_fetch_row($query);
$userid = $row[0];
$dbusername = $row[1];
$dbpassword = $row[2];
$email = $row[4];
$status = $row[7];
$permit = $row[6];
$active = $row[5];
$fname = $row[8];
$lname = $row[9];
$dob = $row[10];
$signupdate = $row[3];
$ipadd = $row[11];
$loggedin = $row[12];
$sql = "UPDATE users SET loggedin = '1' where id = '$userid'";
mysqli_query($conn, $sql);
}
if ($username == $dbusername && $password == $dbpassword){
$_SESSION['username'] = $username;
$_SESSION['id'] = $userid;
$_SESSION['email'] = $email;
$_SESSION['status'] = $status;
$_SESSION['permit'] = $permit;
$_SESSION['email_activation'] = $active;
$_SESSION['first_name'] = $fname;
$_SESSION['last_name'] = $lname;
$_SESSION['dob'] = $dob;
$_SESSION['sign_up_date'] = $signupdate;
$_SESSION['ipv4'] = $ipadd;
$_SESSION['loggedin'] = $loggedin;
header("Location: ../main.php");
This php code for login form validation. Why it always returns 'Wrong user data' (Грешни данни!). $name & $pass1 come from the login form which is in other file.
$activated has values 0 || 1 and it is to see if user confirmed registration from email.
<?php
//connection with database
require "db_connect.php";
require "password_compat-master/lib/password.php";
$name = mysqli_real_escape_string($conn, stripslashes(trim(filter_input(INPUT_POST, 'name'))));
$pass1 = mysqli_real_escape_string($conn, stripslashes(trim(filter_input(INPUT_POST, 'pass1'))));
$errorName = '';
$errorPass1 = '';
$feedback = '';
$mainError = false;
//get hash
$retHash = "SELECT password FROM users WHERE user_name='$name'";
$query_retHash = mysqli_query($conn, $retHash);
$row = mysqli_fetch_array($query_retHash);
$hash = $row['password'];
//get name
$retName = "SELECT user_name FROM users WHERE user_name='$name'";
$query_retName = mysqli_query($conn, $retName);
$row = mysqli_fetch_array($query_retName);
$uname = $row['user_name'];
//get 'activated'
$retAct = "SELECT user_name FROM users WHERE user_name='$name'";
$query_retAct = mysqli_query($conn, $retAct);
$row = mysqli_fetch_array($query_retAct);
$activated = $row['activated'];
if (filter_input_array(INPUT_POST)) {
if ($name !== $uname) {
$mainError = true;
}
if (!password_verify($pass1, $hash)) {
$mainError = true;
}
if ($activated != 1) {
$mainError = true;
}
if (!$mainError) {
$feedback = 'Здравей,' . $name . '!';
} else {
$feedback = 'Грешни данни!';
}
}
?>
As #Rajdeep Answered,
$retAct = "SELECT user_name FROM users WHERE user_name='$name'";
^ it should be activated
Better use one query. Fetch all details.
<?php
//connection with database
require "db_connect.php";
require "password_compat-master/lib/password.php";
$name = mysqli_real_escape_string($conn, stripslashes(trim(filter_input(INPUT_POST, 'name'))));
$pass1 = mysqli_real_escape_string($conn, stripslashes(trim(filter_input(INPUT_POST, 'pass1'))));
$errorName = '';
$errorPass1 = '';
$feedback = '';
$mainError = false;
//get hash
$retHash = "SELECT * FROM users WHERE user_name='$name'";
$query_retHash = mysqli_query($conn, $retHash);
$row = mysqli_fetch_array($query_retHash);
$hash = $row['password'];
$uname = $row['user_name'];
$activated = $row['activated'];
if (filter_input_array(INPUT_POST)) {
if ($name !== $uname) {
$mainError = true;
}
if (!password_verify($pass1, $hash)) {
$mainError = true;
}
if ($activated != 1) {
$mainError = true;
}
if (!$mainError) {
$feedback = 'Здравей,' . $name . '!';
} else {
$feedback = 'Грешни данни!';
}
}
?>
Look at this statement here,
//get 'activated'
$retAct = "SELECT user_name FROM users WHERE user_name='$name'";
^ it should be activated
And there's no point running three separate queries. You can achieve the same thing using only one query, like this:
// your code
$query = "SELECT user_name, password, activated FROM users WHERE user_name='$name' LIMIT 1";
$result = mysqli_query($conn, $query);
$row = mysqli_fetch_array($result);
$uname = $row['user_name'];
$hash = $row['password'];
$activated = $row['activated'];
if (filter_input_array(INPUT_POST)) {
// your code
}