I have key_id, key_verification, confirm_key, and key_status in my verification table.
I managed to encrypt my key_verification into my database by using AES:
$sql2 = "INSERT INTO verification (key_verification, key_status) VALUES ((AES_ENCRYPT('bhadana', '" . $key_verification . "')), '" . $key_status . "')";
However I have problem when trying to decrypt it back. This is the code I’m using:
$sql4="SELECT * FROM verification WHERE key_verification = AES_ENCRYPT ('bhadana', '" . $key_verification . "')";
$query4 = mysql_query($sql4) or die ("Error: " . mysql_error());
$num_rows4 = mysql_num_rows($query4);
$check4 = mysql_fetch_array($query4);
$sql3= "SELECT AES_DECRYPT (key_verification, '" . $key_verification . "') as encrypted from verification";
$query3 = mysql_query($sql3) or die ("Error: " . mysql_error());
$num_rows3 = mysql_num_rows($query3);
$check3 = mysql_fetch_array($query3);
I know the SQL is wrong but I don't know how to join the SQL. And if there's anything that I need to add in the code?
I am new to encryption and I hope someone can help me with this.
EDIT: The error is "undefined key_verification"
Your PHP code is trying to use the variable $key_verification, but it seems to be undefined.
Your example statement, formatted for readability, says
$sql3= "SELECT AES_DECRYPT (key_verification, '" .
$key_verification .
"') as encrypted from verification";
For this to work you need the variable $key_verification already defined, or you'll get the undefined message from PHP.
Pro-tip: Using encryption with the old insecure mysql_ API is like putting an expensive security lock on your window while leaving your front door wide open.
Related
The password function in mysql works fine with me in inserting and updating such as here:
$query_insert = "INSERT INTO `account`(`Gender`, `Birth_date`, `Name`, `UserName`, `Password`, `Email`, `Type`) VALUES ('" . $gender . "' , '" . $birthdate . "' , '" . $name . "' , '" . $username . "' , password('" . $password . "') , '" . $email . "' , 'Member' ) ";
it insert the hashed password correctly
but when i try to retrieve it in log in code it doesn't work !
mysqli_query($con, "SELECT * FROM account where UserName = '" . $username . "' AND password = password('" . $password . "') ");
I tried to use
mysqli_set_charset($con, 'utf8');
but the result is same
I even tried to use it in PHPMyAdmin as a select query, and the same error !
UPDATE
I used MD5()
and it worked with me !
As documented under PASSWORD():
Note
The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA2() instead. Also see RFC 2195, section 2 (Challenge-Response Authentication Mechanism (CRAM)), for more information about handling passwords and authentication securely in your applications.
Also, if you're rolling your own authentication system (which I'd strongly discourage), you really should read both The definitive guide to form based website authentication and Secure hash and salt for PHP passwords.
mysql_query($sqlQ, $connection);
mysql_query("DELETE FROM Leaderboards WHERE UserName=" . $row['UserName'] . " LIMIT 1", $connection);
echo("Success3");
Table Information is comprised of: {UserName, Cash, Assets}.
$row['UserName'] has data as $row['Assets'] has data, INSERT works via query, yet it does not delete the row from the db table.
Tell me what I am doing wrong, this is the first time I worked with PHP & MySQL so I have no idea what I am doing.
Is UserName a string? You're missing quotes.
mysql_query("DELETE FROM Leaderboards WHERE UserName='" . $row['UserName'] . "' LIMIT 1", $connection);
All mysql_* functions are deprecated and will be removed in a future version of PHP. You should use an alternative.
You must escape the data used in a query. Using MySQLi functions, your code would be:
mysqli_query($sqlQ, $connection);
mysqli_query("DELETE FROM Leaderboards WHERE UserName='" . mysqli_real_escape_string($connection, $row['UserName']) . "' LIMIT 1", $connection);
echo("Success3");
You are also missing quotes around the username.
I recommand not to, but if you really want to use mysql_* functions, then use:
mysqli_query("DELETE FROM Leaderboards WHERE UserName='" . mysql_real_escape_string($row['UserName']) . "' LIMIT 1", $connection);
I am coding a login panel to access to an Administration Panel.
The data (username and passw) are stored in a MySQL Database (type: InnoDB).
Looking in the tables the passwords are stored as plain and in the field password I have:
{plain}password.
Adapting a code that I already have, I have some problems because that {plain} thing is confusing me a bit.
My old code is:
// Construct SQL statement for query & execute
$sql = "SELECT * FROM table WHERE user = '" . $username . "' AND password = '" . md5($password) . "'";
$result = $mysqli->query($sql) or die(mysql_error());
So if I replace the "{plain}password" from the field in the database with an MD5 password, the code works great, but if I modify my code to the following one:
// Construct SQL statement for query & execute
$sql = "SELECT * FROM table WHERE user = '" . $username . "' AND password = '" . $password . "'";
$result = $mysqli->query($sql) or die(mysql_error());
I can't login because the password is wrong!
Any idea how to fix this?
If there is the prefix "{plain}" in front of the real password, you have to adjust your query to include that prefix.
$sql = "SELECT * FROM table WHERE user = '" . $username . "' AND password = '{plain}" . $password . "'";
$result = $mysqli->query($sql) or die($mysqli->error());
Also note that you should change mysql_error() in the die() command to use mysqli functions as well (so use $mysqli->error).
PS: You should have a look at how to store password nowadays. Storing them in plain text is not secure by any means.
EDIT
Mentioning the comment by #BrianRasmussen here as well:
Make sure $username and $password have been sanitzed before being used directly (using string concat) in a query! Otherwise your code is open to SQL injections of all sorts.
I don't know for sure what {plain} means, I guess it indicates that the password is in plain text - and this string is actually present. Hence, your second SQL should include it:
$sql = "SELECT * FROM table WHERE user = '" . mysql_real_escape_string($username) . "' AND password = '{plain}" . mysql_real_escape_string($password) . "'";
Note that I'm not starting the discussion about storing admin passwords in plain text, purely answering a technical question. However I must say that storing plain text passwords is a VERY bad idea.
Also note that I added mysql_real_escape_string to sanitise your input.
http://dl.dropbox.com/u/11246427/naysof_template.rar
I am using XAMPP and set up my db using phpmyadmin.
above is my current project. I am trying to set up a database to this "quote" template. As you may see, most of the user's input are the <textarea>.
I want the invoice number to be auto-increment, and when save is clicked(i made a button on other template already), it will store the data into the database. I created database, tables but i am not sure how to set this up.
Do I include all textarea in this template to a single table, or do i make 2 tables? Because I am not sure if they can be combined together(like the address, title, invoice number in one table, AND item, price and such in another table). If so, how do i define them in my database? i am using "id" when linked to css, and the guides i have found all over internet are "name". i am not sure if its going to be any different, but I am not getting a proper database saving/calling when following the guides.
and also, the guides i have been following are using <input> as the example. not sure how to work with <textarea>.
Here is my sql statement, i got an error while executing save function,
<?php
// Connect database
mysql_connect("localhost", "root", "") or die (mysql_error());
// Select database
mysql_select_db("naysof_template") or die(mysql_error());
$strSQL = "INSERT INTO invoice_info(";
//$strSQL = $strSQL . "invoice_id, ";
$strSQL = $strSQL . "cust_address, ";
$strSQL = $strSQL . "title, ";
$strSQL = $strSQL . "date, ";
$strSQL = $strSQL . "signature_name) ";
$strSQL = $strSQL . "VALUES(";
//$strSQL = $strSQL . "' . $_POST["invoice_id"] . ', ";
$strSQL = $strSQL . "' . $_POST["cust_address"] . ', ";
$strSQL = $strSQL . "' . $_POST["title"] . ', ";
$strSQL = $strSQL . "' . $_POST["date"] . ', ";
$strSQL = $strSQL . "' . $_POST["signature_name"] . ')";
// The SQL statement is executed
mysql_query($strSQL) or die (mysql_error());
// Close the database connection
mysql_close();
<h1>The database is updated!</h1>
?>
and this is the error, i didnt understand:
Parse error: syntax error, unexpected '"', expecting T_STRING or T_VARIABLE or T_NUM_STRING in C:\xampp\htdocs\naysof_template\insert.php on line 20
There's only HTML/CSS/JS code present in your project files even though the HTML is placed in *.php files there is no actual PHP code anywhere.
HTML/CSS/JSS work on the visitors computer in the browser and they are called client-side technologies.
Apache/PHP/MySQL work on the hosting computers (the server) and they are called server-side technologies.
The client can request an item to be downloaded from the server and he will receive it (as that is the server's default behaviour).
The client by default has no ability to store information on the server. It can send information (such as forms) to the server but they will not be saved anywhere by default.
There has to be some PHP code (that you wrote) on the server that inspects the received forms and decides what to do with them (save them in some MySQL tables for example).
Edit (now that you're showing us your PHP code):
unexpected '"', expecting T_STRING or Means you did not use quotes correctly here:
$strSQL = $strSQL . "' . $_POST["cust_address"] . ', ";
You should be using them like this:
$strSQL = $strSQL . "'" . $_POST["cust_address"] . "', ";
Hy all,
Not sure what's going on here, but if I run this:
$query = 'INSERT INTO users
(`id`, `first_name`, `second_name`, `register_date`, `lastlogin_date`)
VALUES
("'. $user_id . '", "' . $first_name .'", "'. $second_name . '", "' . $date . '", "' . $date . ");';
$result = mysql_query($query);
I get no return, but if I change it to this it's fine:
$query = 'INSERT INTO users (`id`, `first_name`, `second_name`, `register_date`, `lastlogin_date`)
VALUES ("21021212", "Joe", "Bloggs", "20090202", "20090202");';
$result = mysql_query($query);
User id = bigint(20)
first name = varchar(30)
second name = varchar(30)
date = int(8)
At first I thought it was a issue with the vars but they are exactly the same and still don't work.
Any help appreciated.
Get into the habit of escaping all database inputs with mysql_real_escape_string- really, you should use some kind of wrapper like PDO or ADODb to help you do this, but here's how you might do it without:
$query = sprintf("INSERT INTO users ".
"(id, first_name, second_name, register_date, lastlogin_date)".
"VALUES('%s','%s','%s','%s','%s')",
mysql_real_escape_string($user_id),
mysql_real_escape_string($first_name),
mysql_real_escape_string($second_name),
mysql_real_escape_string($date),
mysql_real_escape_string($date));
$result = mysql_query($query);
and also check for errors with mysql_error
if (!$result)
{
echo "Error in $query: ".mysql_error();
}
What's the result from "mysql_error()"? Always check this, especially if something doesn't seem to be working.
Also, echo out $query to see what it really looks like. That could be telling.
Maybe the value of $date was "1111'); DELETE FROM users;"?
Seriously though? The problem is that isn't how you interact with your database. You shouldn't be passing in your data with your query. You need to specify the query, the parameters for the query, and pass in the actual parameter values when you execute the query. Anything else is inefficient, insecure and prone to bugs like the one you have.
By using PDO or something that supports parametrized queries, you'll find these kinds of issues go away because you are calling the database property. It is also much more secure and can speed up the database.
$sth = $dbh->prepare("INSERT INTO users (`id`, `first_name`, `second_name`, `register_date`, `lastlogin_date`) VALUES (?,?,?,?,?)")
$sth->execute(array($user_id ,$first_name , $second_name , $date, $date ));
In addition to echoing the query and checking mysql_error() as #GoatRider suggests:
Are you escaping your data properly? See mysql_real_escape_string()
You shouldn't end your queries with a semicolon when using mysql_query()
in $query = 'INSERT INTO users (id, first_name, second_name, register_date, lastlogin_date) VALUES ("' . $user_id . '", "' . $first_name . '", "' . $second_name . '", "' . $date . '", "' . $date . '");
are u giving the correct date format?? it might be the issue. otherwise the syntax is all fine.