The password function in mysql works fine with me in inserting and updating such as here:
$query_insert = "INSERT INTO `account`(`Gender`, `Birth_date`, `Name`, `UserName`, `Password`, `Email`, `Type`) VALUES ('" . $gender . "' , '" . $birthdate . "' , '" . $name . "' , '" . $username . "' , password('" . $password . "') , '" . $email . "' , 'Member' ) ";
it insert the hashed password correctly
but when i try to retrieve it in log in code it doesn't work !
mysqli_query($con, "SELECT * FROM account where UserName = '" . $username . "' AND password = password('" . $password . "') ");
I tried to use
mysqli_set_charset($con, 'utf8');
but the result is same
I even tried to use it in PHPMyAdmin as a select query, and the same error !
UPDATE
I used MD5()
and it worked with me !
As documented under PASSWORD():
Note
The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA2() instead. Also see RFC 2195, section 2 (Challenge-Response Authentication Mechanism (CRAM)), for more information about handling passwords and authentication securely in your applications.
Also, if you're rolling your own authentication system (which I'd strongly discourage), you really should read both The definitive guide to form based website authentication and Secure hash and salt for PHP passwords.
Related
My insert data sql command in my PHP code is not working. Can anyone help please?
I have a registration form that takes the values from the input fields (name, lastname, email, username and password)
The values that the user inputs in this fields should be saved into my table "users" whith columns (ID [which is the primary key /INT], name [TEXT], lastname[TEXT], e-mail [VARCHAR], username[VARCHAR] and password [VARCHAR]) .
Here is my current code:
if (isset ($_POST['name'],$_POST['lastname'],$_POST['email'],$_POST['username'], $_POST['password']))
{
//connect to database
$conn = mysqli_connect ('localhost', 'root', '', 'test_database');
if ($conn)
{
$sql="SELECT username FROM users WHERE username = '" . $_POST['username'] . "';";
$query = mysqli_query ($conn, $sql);
$result = mysqli_fetch_array ($query);
if ($result ['username'])
{
header ('Location: ' . $_SERVER['PHP_SELF'] . '?errno=1');
}
else
{
$sql="INSERT INTO users (ID, name, lastname, e-mail, username, password) VALUES (' ','" .$_POST['name'] . "' ,'" . $_POST['lastname']. "' ,'" . $_POST['email']. "' ,'" . $_POST['username']. "' ,'" . $_POST['password']. "');";
mysqli_query ($conn, $sql);
mysqli_close ($conn);
//registration completed, redirect to index page
//header ('Location:index.php?reg=1');
}
}
else
{
echo 'connection error';
}
}
Besides what has already been outlined in comments for the space VALUES (' ', for the ID column etc., your email column name contains a hyphen and is interpreted as e MINUS mail and as a mathematical operation.
Either rename it to e_mail or place ticks around it.
`e-mail`
Read the following on Identifier Qualifiers:
http://dev.mysql.com/doc/refman/5.7/en/identifier-qualifiers.html
Having used mysqli_error($conn) on the query would have thrown you a syntax error.
Sidenote: You should be escaping your data for quite a few reasons, one is for protection against an SQL injection and if your data could contain characters that MySQL could complain about such as John's Bar & Grill as an example.
Your present code is open to SQL injection. Use prepared statements, or PDO with prepared statements.
Passwords
I also noticed that you may be storing passwords in plain text. This is not recommended.
Use one of the following:
CRYPT_BLOWFISH
crypt()
bcrypt()
scrypt()
On OPENWALL
PBKDF2
PBKDF2 on PHP.net
PHP 5.5's password_hash() function.
Compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/
Other links:
PBKDF2 For PHP
Important sidenote about column length:
If and when you do decide to use password_hash() or crypt, it is important to note that if your present password column's length is anything lower than 60, it will need to be changed to that (or higher). The manual suggests a length of 255.
You will need to ALTER your column's length and start over with a new hash in order for it to take effect. Otherwise, MySQL will fail silently.
you use ' ' to insert id. the id should be autoincrement and unique. you cannot insert a white space to all.
try to remove id from insert into query. turn your query into this
$sql="INSERT INTO users (name, lastname, e-mail, username, password) VALUES ('" .$_POST['name'] . "' ,'" . $_POST['lastname']. "' ,'" . $_POST['email']. "' ,'" . $_POST['username']. "' ,'" . $_POST['password']. "');";
I have key_id, key_verification, confirm_key, and key_status in my verification table.
I managed to encrypt my key_verification into my database by using AES:
$sql2 = "INSERT INTO verification (key_verification, key_status) VALUES ((AES_ENCRYPT('bhadana', '" . $key_verification . "')), '" . $key_status . "')";
However I have problem when trying to decrypt it back. This is the code I’m using:
$sql4="SELECT * FROM verification WHERE key_verification = AES_ENCRYPT ('bhadana', '" . $key_verification . "')";
$query4 = mysql_query($sql4) or die ("Error: " . mysql_error());
$num_rows4 = mysql_num_rows($query4);
$check4 = mysql_fetch_array($query4);
$sql3= "SELECT AES_DECRYPT (key_verification, '" . $key_verification . "') as encrypted from verification";
$query3 = mysql_query($sql3) or die ("Error: " . mysql_error());
$num_rows3 = mysql_num_rows($query3);
$check3 = mysql_fetch_array($query3);
I know the SQL is wrong but I don't know how to join the SQL. And if there's anything that I need to add in the code?
I am new to encryption and I hope someone can help me with this.
EDIT: The error is "undefined key_verification"
Your PHP code is trying to use the variable $key_verification, but it seems to be undefined.
Your example statement, formatted for readability, says
$sql3= "SELECT AES_DECRYPT (key_verification, '" .
$key_verification .
"') as encrypted from verification";
For this to work you need the variable $key_verification already defined, or you'll get the undefined message from PHP.
Pro-tip: Using encryption with the old insecure mysql_ API is like putting an expensive security lock on your window while leaving your front door wide open.
I am coding a login panel to access to an Administration Panel.
The data (username and passw) are stored in a MySQL Database (type: InnoDB).
Looking in the tables the passwords are stored as plain and in the field password I have:
{plain}password.
Adapting a code that I already have, I have some problems because that {plain} thing is confusing me a bit.
My old code is:
// Construct SQL statement for query & execute
$sql = "SELECT * FROM table WHERE user = '" . $username . "' AND password = '" . md5($password) . "'";
$result = $mysqli->query($sql) or die(mysql_error());
So if I replace the "{plain}password" from the field in the database with an MD5 password, the code works great, but if I modify my code to the following one:
// Construct SQL statement for query & execute
$sql = "SELECT * FROM table WHERE user = '" . $username . "' AND password = '" . $password . "'";
$result = $mysqli->query($sql) or die(mysql_error());
I can't login because the password is wrong!
Any idea how to fix this?
If there is the prefix "{plain}" in front of the real password, you have to adjust your query to include that prefix.
$sql = "SELECT * FROM table WHERE user = '" . $username . "' AND password = '{plain}" . $password . "'";
$result = $mysqli->query($sql) or die($mysqli->error());
Also note that you should change mysql_error() in the die() command to use mysqli functions as well (so use $mysqli->error).
PS: You should have a look at how to store password nowadays. Storing them in plain text is not secure by any means.
EDIT
Mentioning the comment by #BrianRasmussen here as well:
Make sure $username and $password have been sanitzed before being used directly (using string concat) in a query! Otherwise your code is open to SQL injections of all sorts.
I don't know for sure what {plain} means, I guess it indicates that the password is in plain text - and this string is actually present. Hence, your second SQL should include it:
$sql = "SELECT * FROM table WHERE user = '" . mysql_real_escape_string($username) . "' AND password = '{plain}" . mysql_real_escape_string($password) . "'";
Note that I'm not starting the discussion about storing admin passwords in plain text, purely answering a technical question. However I must say that storing plain text passwords is a VERY bad idea.
Also note that I added mysql_real_escape_string to sanitise your input.
Consider this:
$query = 'UPDATE ' . $table . 'SET optin_date = NOW() WHERE MD5(email_address) = ' . $email;
And I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '= NOW() WHERE MD5(email_address) = c5dfd29d956b52c1ffa00ce4a06ab' at line 1
What I want is to store the current timestamp to the optin_date column using NOW() function as its value (I'm not sure on how it works), only if the hashed email from the query string matches the hashed email from the database using MD5() from mysql. I already have a column having TIMESTAMP type and CURRENT_TIMESTAMP default.
Also, I need to send a mail for confirmation using the email address. Is this possible? What's a better way of doing this?:
$recipient = 'SELECT * FROM ' . $table . ' WHERE MD5(email_address) = ' . $email;
Please help me on the syntax and if there's an elegant way of coding 'Email Confirm Subscriptions" (At least the function handling hashed emails) that you might want to share, please feel free. Thanks.
Try adding these `` around table names and field names, also you have a missing SPACE after $table
$query = 'UPDATE `' . $table . '` SET `optin_date` = NOW() WHERE MD5(`email_address`) = ' . $email;
you should probably also use .mysql_real_escape_string($email) instead of just .$email at the end there - Security risk
$query = 'UPDATE `' . $table . '` SET `optin_date` = NOW() WHERE MD5(`email_address`) = ' . mysql_real_escape_string($email);
Unless of course (as it seems) your $email would be a md5 hash
you have syntex error at in sql query
write this query
$query = "Update '".$table."' SET option_date = NOW() WHERE email_address ='".md5($email)."' ";
try with this:
$query = "UPDATE " . $table . "SET optin_date = CURRENT_TIMESTAMP
WHERE MD5(email_address) = '" . $email . "'";
Hy all,
Not sure what's going on here, but if I run this:
$query = 'INSERT INTO users
(`id`, `first_name`, `second_name`, `register_date`, `lastlogin_date`)
VALUES
("'. $user_id . '", "' . $first_name .'", "'. $second_name . '", "' . $date . '", "' . $date . ");';
$result = mysql_query($query);
I get no return, but if I change it to this it's fine:
$query = 'INSERT INTO users (`id`, `first_name`, `second_name`, `register_date`, `lastlogin_date`)
VALUES ("21021212", "Joe", "Bloggs", "20090202", "20090202");';
$result = mysql_query($query);
User id = bigint(20)
first name = varchar(30)
second name = varchar(30)
date = int(8)
At first I thought it was a issue with the vars but they are exactly the same and still don't work.
Any help appreciated.
Get into the habit of escaping all database inputs with mysql_real_escape_string- really, you should use some kind of wrapper like PDO or ADODb to help you do this, but here's how you might do it without:
$query = sprintf("INSERT INTO users ".
"(id, first_name, second_name, register_date, lastlogin_date)".
"VALUES('%s','%s','%s','%s','%s')",
mysql_real_escape_string($user_id),
mysql_real_escape_string($first_name),
mysql_real_escape_string($second_name),
mysql_real_escape_string($date),
mysql_real_escape_string($date));
$result = mysql_query($query);
and also check for errors with mysql_error
if (!$result)
{
echo "Error in $query: ".mysql_error();
}
What's the result from "mysql_error()"? Always check this, especially if something doesn't seem to be working.
Also, echo out $query to see what it really looks like. That could be telling.
Maybe the value of $date was "1111'); DELETE FROM users;"?
Seriously though? The problem is that isn't how you interact with your database. You shouldn't be passing in your data with your query. You need to specify the query, the parameters for the query, and pass in the actual parameter values when you execute the query. Anything else is inefficient, insecure and prone to bugs like the one you have.
By using PDO or something that supports parametrized queries, you'll find these kinds of issues go away because you are calling the database property. It is also much more secure and can speed up the database.
$sth = $dbh->prepare("INSERT INTO users (`id`, `first_name`, `second_name`, `register_date`, `lastlogin_date`) VALUES (?,?,?,?,?)")
$sth->execute(array($user_id ,$first_name , $second_name , $date, $date ));
In addition to echoing the query and checking mysql_error() as #GoatRider suggests:
Are you escaping your data properly? See mysql_real_escape_string()
You shouldn't end your queries with a semicolon when using mysql_query()
in $query = 'INSERT INTO users (id, first_name, second_name, register_date, lastlogin_date) VALUES ("' . $user_id . '", "' . $first_name . '", "' . $second_name . '", "' . $date . '", "' . $date . '");
are u giving the correct date format?? it might be the issue. otherwise the syntax is all fine.