So I've been fooling around on a very simple design for a database that has a feature to allow an admin to log in and edit some of the products. This is the current layout of getting the username and password from the log in form:
$manager = $_POST["username"];
$password = $_POST["password"];
$manager = stripslashes($manager);
$password = stripslashes($password);
$manager = mysql_real_escape_string($manager);
$password = mysql_real_escape_string($password);
I've created log in scripts before but for some reason I'm having trouble with this log in actually working. So I was checking what some variables were being passed as in order to see where the problem was occurring when I got to these lines:
echo "manager = " . $manager . "<br />";
echo "password = " . $password . "<br />";
$sql = "SELECT * FROM admin WHERE username='$manager' AND password='$password'";
echo $sql;
The output was:
manager = scott
password = password123
SELECT * FROM admin WHERE username='scott' AND password=''
where the $password variable was removed from the output of the $sql string. Any suggestions on why it is leaving out the $password variable?
Here is the HTML form code:
<form id="form1" name="form1" method="post" action="admin_login.php">
Username:<br />
<input name="username" type="text" id="username" size="40" />
<br /><br />
Password:<br />
<input name="password" type="password" id="password" size="40" />
<br /><br /><br />
<input type="submit" name="button" id="button" value="Log In" />
</form>
To close this question:
SQL uses password() as a function and will not show a password for security reasons when using that word. Here's some documentation on it:
https://dev.mysql.com/doc/refman/5.0/en/set-password.html
https://dev.mysql.com/doc/refman/5.1/en/password-hashing.html
Therefore, use another name for the password variable.
Passwords
I also noticed that you are storing passwords in plain text. This is not recommended.
Use one of the following:
CRYPT_BLOWFISH
crypt()
bcrypt()
scrypt()
On OPENWALL
PBKDF2
PBKDF2 on PHP.net
PHP 5.5's password_hash() function.
Other links:
PBKDF2 For PHP
Footnotes:
mysql_* functions deprecation notice:
http://www.php.net/manual/en/intro.mysql.php
This extension is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API.
These functions allow you to access MySQL database servers. More information about MySQL can be found at » http://www.mysql.com/.
Documentation for MySQL can be found at » http://dev.mysql.com/doc/.
$sql = "SELECT * FROM admin WHERE username='" .$manager. "' And password='" .$password. "';
Try this
Related
This question already has answers here:
encrypt and decrypt md5
(6 answers)
Closed 5 years ago.
I am sharing my 2 file's code.for insert username and passwords and to retrieve data. My scenario is something different. if username :
abc and password: 123456789
on login screen user have to enter only 3 digits from his password.But that will be random numbers from his password. if now system will ask me for 1st,3rd and 9th digit from password.after reload page it will change randomly. it will display 2nd,5th and 4th etc etc.
I am done this task earlier with my code. but now i am thinking to insert password with md5 encryption method.
I am stuck here if i used md5 for encryption then how to retrive password.
insert.php :
<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<form action="" method="post">
<label>username</label>
<input type="text" name="username">
<label>pin</label>
<input type="password" name="pin">
<label>password</label>
<input type="password" name="password">
<button name="submit">Submit</button>
</form>
</body>
</html>
<?php
include 'conn.php';
if (isset($_POST['submit']))
{
$name = $_POST['username'];
$pass = md5($_POST['password']);
$sql = mysqli_query($conn,'INSERT INTO `emp`(`name`, `pass`) VALUES ("'.$name.'","'.$pass.'")');
if ($sql>0)
{
header('Location: index.php');
}
}
?>
index.php:
<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<?php
include 'conn.php';
if (isset($_POST['submit'])) {
$name = $_POST['username'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
$pass3 = $_POST['pass3'];
$char1 = $_POST['char1'];
$char2 = $_POST['char2'];
$char3 = $_POST['char3'];
$sql = 'SELECT name,pass,pin from `emp` '
. 'where `name` = "'.$name.'" '
. 'AND SUBSTR(pass, '.($char1).', 1) = \''.$pass1.'\' '
. 'AND SUBSTR(pass, '.($char2).', 1) = \''.$pass2.'\' '
. 'AND SUBSTR(pass, '.($char3).', 1) = \''.$pass3.'\' ';
$sql = mysqli_query($conn,$sql);
$data = mysqli_fetch_assoc($sql);
if ($data)
{
echo 'success';
}
else
{
echo 'Fail';
}
}
// generate unique, not equal numbers
$char_pos = range(1, 9);
shuffle($char_pos);
$char_pos = array_slice($char_pos, 0, 3);
sort($char_pos);
?>
<form action="" method="post">
<input type="hidden" name="char1" value="<?php echo $char_pos[0]; ?>">
<input type="hidden" name="char2" value="<?php echo $char_pos[1]; ?>">
<input type="hidden" name="char3" value="<?php echo $char_pos[2]; ?>">
Username:
<input type="text" name="username" value="">
Password:
<input type="password" class="inputs" maxlength="1" name="pass1" placeholder='<?php echo $char_pos[0]; ?>st' value="">
<input type="password" class="inputs" maxlength="1" name="pass2" placeholder='<?php echo $char_pos[1]; ?>th' value="">
<input type="password" class="inputs" maxlength="1" name="pass3" placeholder='<?php echo $char_pos[2]; ?>th' value="">
<button name="submit">Submit</button>
</form>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<script>
$(".inputs").keyup(function () {
if (this.value.length == this.maxLength) {
$(this).next('.inputs').focus();
}
});
</script>
</body>
</html>
MD5() function is not a encrypt decrypt function. it produce data based on input. That data cannot be reverted. if you need to check MD5 output with ordinary text, you have to MD5 ordinary text then compare both MD5 output.
There are several Online MD5 Decrypter present. It is based on Past input history.
www.md5online.org
md5decrypt.net/en/
You can check with this ..
Thank you...
As already pointed out in comments, md5 is a one-way hash function, not an encryption. This means that it is impossible to perform a partial password verification against the hash because the original password cannot be retrieved.
The Smart Architects blog used to have a great article on partial password verification, but now it is only accessible via web archive.
To sum up the possibilities (omitting the completely unsecure storing password in plain text solution):
Store the passwords in an encrypted format, meaning you can retrieve the password in plain text if needed for comparison. Pro: easy to implement. Con: if someone obtains the key, then all passwords can be reversed. If you want something really secure, then you probably need an HSM (Hardware Security Module) for this. Until you get your hands on an HSM, you can try openssl_encrypt() function.
Hash all combination of letters the interface may ask in a hashed format. Pro: probably the most secure storage format (if the right hashing algorithm is used with salts). Con: just think about the number of records you need to create for a long password.
Use Shamir secret sharing scheme. Pro: compromise in storage space vs security. Con: probably the most difficult solution to implement from a coding perspective.
I want my password to be at least 6 characters long and if it is less than 6 characters long it has to say an error but it does not say anything.
<?php
if (strlen($_POST['userPassword']) < 6 ) {
$error[]= "wachtwoord moet minimaal 6 karakters bevatten <br />";
} else {
$cryptpass = md5($password);
$query = $dbcon->prepare("INSERT INTO users (userName,userPassword,userMail) VALUES (:userName,:userPassword, :userMail)");
$query->bindParam(":userName", $_POST['userName']);
$query->bindvalue(":userPassword", $cryptpass);
$query->bindParam(":userMail", $_POST['userMail']);
$query->execute();
echo "gebruiker aangemaakt";
}
foreach ($error as $errors) {
echo $errors;
}
?>
this is my form:
<form action="registratie.php" method="post">
Username <br />
<input type="text" id="user_input" name="userName" placeholder="userame" /><br />
Password<br />
<input type="password" id="pass_input" name="userPassword" placeholder="password" /><br />
Password<br />
<input type="password" id="v_pass_input" name="userPassAgain" placeholder="password" /><br />
Email<br />
<input type="email" id="email" name="userMail" placeholder="email"><br />
<input type="submit" id="register" name="register" value="Register" disabled="disabled" />
</form>
Taken from comments:
"plus, is the form and PHP/PDO in the same file? how is this accessed, on a hosted site? local? if local, http://localhost/file.xxx or file:///file.xxx??
and
"#fred-ii- it is local. it is accessed like : file:///file.xxx – Furkan yavuz"
and
"there is the problem ^ #Furkanyavuz and why is this disabled="disabled" /> for submit disabled?"
There's the problem. You have to run this off a webserver and not as file:///file.xxx directly in your web browser.
The browser itself won't parse PHP directives.
But as http://localhost/file.xxx or http://example.com/file.xxx.
If you don't have a webserver/PHP installed, you will have to install one or run it off a hosted website.
Sidenote: If you're running this off the same file, you will first need to check if the inputs are empty or not.
Reference: http://php.net/manual/en/function.empty.php
Also, since you're using PDO, why are you using MD5 to store passwords with? It is no longer safe to do so now.
Use one of the following:
CRYPT_BLOWFISH
crypt()
bcrypt()
scrypt()
On OPENWALL
PBKDF2
PBKDF2 on PHP.net
PHP 5.5's password_hash() function.
Compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/
Other links:
PBKDF2 For PHP
Important sidenote about column length:
If and when you do decide to use password_hash() or crypt, it is important to note that if your present password column's length is anything lower than 60, it will need to be changed to that (or higher). The manual suggests a length of 255.
You will need to ALTER your column's length and start over with a new hash in order for it to take effect. Otherwise, MySQL will fail silently.
Footnotes:
Comments from Ali Zia:
You can fix that by using if (isset($_POST['userPassword']) && strlen($_POST['userPassword']) < 6 ) #Furkanyavuz – Ali Zia 2 mins ago
Also if (!empty($error)){ before foreach – Ali Zia 1 min ago
Sidenote: Using !empty() over isset() is better as it checks if it's both set and empty.
if (!empty($_POST['userPassword']) && strlen($_POST['userPassword']) < 6 )
Regarding PDO/query/connection.
The connection is unknown, whether it is in fact PDO.
Note that different MySQL APIs do not intermix. So, if you're using mysqli_ or mysql_ to connect with, that won't work with your PDO query.
I am attempting to create a basic login/registration for a website using PHP. The code below shows that I required config.php which I tested and it connects to my site smoothly. What happens is when I go to the page, and enter in values, no matter what I enter for email and password, it says they always match. When I try to output the values of email1 and email2, it outputs nothing. I think the form isn't collecting the data when you press submit. If anyone could see what I am doing wrong it would be so appreciated!
<?php
require('config.php');
if(isset($_POST['submit'])) {
$email1 = $POST['email1'];
$email2 = $POST['email2'];
$pass1 = $POST['pass1'];
$pass2 = $POST['pass2'];
if($email1 == $email2)
{
echo "Emails match.<br />";
if($pass1 == $pass2)
{
echo "Passwords match.<br />";
}
else
{
echo "Sorry, your passwords do not match.<br />";
exit();
}
}
else
{
echo "Sorry, your emails do not match.<br /><br />";
}
}
else {
$form = <<<EOT
<form action="register.php" method="POST">
First Name: <input type="text" name="name" /><br />
Last Name: <input type = "text" name = "lname" /><br />
User Name: <input type = "text" name = "uname" /><br />
Email: <input type = "text" name = "email1" /><br />
Confirm Email: <input type = "text" name = "email2" /><br />
Password: <input type = "password" name = "pass1" /><br />
Confirm Password: <input type = "password" name = "pass2" /><br />
<input type = "submit" value = "Register" name = "submit" />
</form>
EOT;
echo $form;
}
?>
The problem is that you've forgotten the underscores for all $POST's
Change them all to $_POST
It's a superglobal which 8 out of 9 of those require the underscore, unlike $GLOBALS
$GLOBALS <=== No underscore required for this one.
$_SERVER
$_GET
$_POST <=== Change them all to this.
$_FILES
$_COOKIE
$_SESSION
$_REQUEST
$_ENV
Had error reporting been set/on, you would have been signaled of the error, and multiple times:
Notice: Undefined variable: POST in...
To enable it, you can add the following after your opening <?php tag:
error_reporting(E_ALL);
ini_set('display_errors', 1);
N.B.: Error reporting should only be done in staging, and never production.
Sidenote:
Since you're obviously running the entire code from the same page, you can simply change action="register.php" to action="" if you want.
Passwords
I also noticed that you may be storing passwords in plain text. This is not recommended.
Use one of the following:
CRYPT_BLOWFISH
crypt()
bcrypt()
scrypt()
On OPENWALL
PBKDF2
PBKDF2 on PHP.net
PHP 5.5's password_hash() function.
Compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/
Other links:
PBKDF2 For PHP
If you use plain text as a password storage method, I'm afraid that it will just be a question of time before your site gets compromised.
I already have this code figured out, but the entries a user submits with the submit button aren't going anywhere. Is there any way to fix this, or should I just use the $_POST method?
PHP code:
<?php
include ("dbroutine.php");
function register() {
$connect = db_connect;
if (!$connect)
{
die(mysql_error());
}
$select_db = mysql_select_db(securitzed, $connect);
if (!$select_db) {
die(mysql_error());
}
//Collecting info
$fname = $_REQUEST ['fname'];
$lname = $_REQUEST ['lname'];
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
$email = $_REQUEST['email'];
//Here we will check do we have all inputs filled
if(empty($_REQUEST['username'])){
die("Please enter your username!<br>");
}
if(empty($_REQUEST['password'])){
die("Please enter your password!<br>");
}
if(empty($_REQUEST['email'])){
die("Please enter your email!");
}
//Let's check if this username is already in use
$user_check = mysql_query("SELECT username FROM members WHERE username = '".$_REQUEST
['username']."'");
$do_user_check = mysql_num_rows($user_check);
//Now if email is already in use
$email_check = mysql_query("SELECT email FROM members WHERE email= '".$_REQUEST['email']."'");
$do_email_check = mysql_num_rows($email_check);
//Now display errors
if($do_user_check > 0){
die("Username is already in use!<br>");
}
if($do_email_check > 0){
die("Email is already in use!");
}
//If everything is okay let's register this user
$insert = mysql_query("INSERT INTO members (username, password, email)
VALUES ('".$_REQUEST['username']."', '".$_REQUEST['password']."', '".$_REQUEST['email']."', '".$_REQUEST['fname']."', '".$_REQUEST['lname']."')");
if(!$insert){
die("There's little problem: ".mysql_error());
}
}
switch($act){
case "register";
register();
break;
}
HTML code:
<body>
<form method="post">
First Name: <input type="text" name="fname" value="" /> <br />
Last Name: <input type="text" name="lname" value="" /> <br />
E-mail: <input type="email" name="email" value="" /> <br />
Desired Username: <input type="text" name="username" value="" /> <br />
Password: <input type="password" name="password" value="" /> <br />
Confirm Password: <input type="password" name="passwordconf" value="" /> <br />
<input type="submit" value="Submit"/>
</form>
</body>
If I need to add anything, could anyone point it out, if not, I could also add some extra code if needed.
$_REQUEST contains: $_COOKIE, $_GET, and $_POST variables. if you use $_REQUEST you have no guarantee that the data came from the post data, which leads to security holes in your script. I would use $_POST but by using this method you are vulnerable to SQL injections.
$_GET retrieves variables from the querystring, or your URL. $_POST retrieves variables from a POST method, such as (generally) forms. $_REQUEST is a merging of $_GET and $_POST where $_POST overrides $_GET.
Fix
You have to specify the action in your form as below.
<form action="fetch_data.php" method="post">
<form action="URL">
URL - Where to send the form-data when the form is submitted.
Possible values:
An absolute URL - points to another web site (like
action="http://www.example.com/example.htm")
A relative URL - points to a file within a web site (like action="example.htm")
First, I advice you to read more about variables.
Second, $_REQUEST is a variable like $_POST, $_SESSION, $_GET and so on, which can be stored into your database. So, for your question, Yes you can use $_REQUEST to insert data in a MySQL database
HOWEVER, using it as a substitute for the $_POST variable is not secure at all and not a good practice. Take a look at this to see how the $_POST variable works.
Third, you are using mysql_* functions in your code. please consider using PDO or MYSQLI instead to prevent SQL INJECTION and secure your website better. In addition, MYSQL is dupricated in PHP 5.5 and up. take a look at this tutorial, it shows you how to use PDO instead of MYSQL.
Fourth, you should not be storing passwords directly to databases, you need some form of password hashing. read more about it here
Try using
$fname = $_POST ['fname'];
$lname = $_POST ['lname'];
$username = $_POST['username'];
$password = $_POST['password'];
$email = $_POST['email'];
You could also do following to check request params
var_dump($_POST);
Use ACTION in your HTML form.
Sanitize the data as well from sql injection.
Check if data from $_REQUEST is not empty.
<?
require_once('etcore.php');
mysql_connect($dburl,$dbuser,$dbpass) or die(mysql_error());
mysql_select_db("rshost") or die(mysql_error());
$username=strtoupper(clean($_POST['username']));
$password=md5($_POST['password']);
$andover = mysql_query("SELECT * FROM users WHERE usernameupper='$username' AND password='$password'") or die(mysql_error().__LINE__);
$numberofthings = mysql_num_rows($andover) or die(mysql_error().__LINE__);
if ($numberofthings = 1) {
$getit=mysql_fetch_array($andover) or die(mysql_error().__LINE__);
$_SESSION['id'] = $getit['id'];
header('Location: index.php');
}
else {
?>
<h1>Login:</h1>
<img src='http://media.idownloadblog.com/wp-content/uploads/2011/12/Warning.png' width="25" height="25" />
<strong style="color:#F03;">Incorrect Username and/or Password </strong><br>
<form method="POST" action="login.php">
Username: <input name="username" type="text" /><br />
Password: <input name="password" type="password" /><br />
<input name="submit" type="submit" value="Log In!" /><br />
</form>
<? } ?>
This is the code I am using. Whenever I run the code, I get the error "No database selected" on line 7. Any help would be appreciated. Thanks! BTW: Db user, pass and URL are all in the 'etcore.php' file, so it is not a problem there. I have also tried replacing those variables with strings and get the same error.
How about:
mysql_select_db("rshost", mysql_connect($dburl,$dbuser,$dbpass))
or even better:
$handle = mysql_connect($dburl,$dbuser,$dbpass);
mysql_select_db("rshost", $handle);
And maybe for a better knowledge and understanding:
manual page
in the section parameters
so it would be clear why it may OR may not work without using the $handle argument
Give the database privileges. May be you don't have the user permission to access database,
check this
mysql> grant all privileges on Databasename.* to 'username'#'localhost' identified by password