This question already has answers here:
Insert data only if record does not exist
(3 answers)
Closed 9 years ago.
I need to have a system where a random password and username are created for each new user.
As such, I need to make sure the username is unique.
However I cant figure out why the code below isn't working. It isn't a syntax issue. I just can't figure out where I have gone wrong logically.
anyway here is what I have tried:
$Password= randomPassword();
$Username = randomPassword();
$UsernameCheckQuery = mysql_query("SELECT * FROM users WHERE username = '".$Username."'");
while (mysql_num_rows($UsernameCheckQuery ) >= 1) {
$Username = randomPassword();
$UsernameCheckQuery = mysql_query("SELECT * FROM users WHERE username = '".$Username."'");
}
I know this topic appears elsewhere on Stack Overflow and on the web. However every question I have seen has been using an if statement to check if the username is already used. In my case I cant see how an if statement would work as the randomPassword function could generated two username that already exist in a row.
Try
while (true) {
$Username = randomPassword();
$UsernameCheckQuery = mysql_query("SELECT * FROM users WHERE username = '".$Username."'");
if (mysql_num_rows($UsernameCheckQuery ) < 1) {
break;
}
}
echo 'The generated username is '.$Username;
Related
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 2 years ago.
Improve this question
I'm trying to develop a login form using HTML, PHP, and SQL. I'm scratching my head on trying to figure out what my issue is and how to fix it as I'm relatively new to PHP, so I'd appreciate some help. What I want to do is to check if the user's input on the HTML login form (in this case the password) matches the hashed password that is stored inside the database.
However, I'm currently having an issue where it doesn't do that. The code should verify the password and if it is correct, it should echo "password and username match" else it should echo "incorrect password" however the code does not echo anything.
Here is what I've tried:
get password using username
I am using PHP's password_hash plugin to hash and verify the user's password.
So my question is, how do I securely verify the user's input (the password) with the hashed password that is stored inside the database?
Here is the PHP code:
if($_SERVER["REQUEST_METHOD"] == "POST") {
//declare variables and set values to null
$username = $pass = "";
$username = $_POST['username'];
$pass = $_POST['pass'];
//check if username exists
$stmt = $conn->prepare("SELECT userName FROM userDetails WHERE userName=?");
$stmt->bind_param("s", $prepname);
$prepname = $username;
$stmt->execute();
$result = $stmt->get_result();
if ($result->num_rows > 0) {
//if username exists, check if password is linked to user
echo "user exists";
$stmt = "SELECT userPass FROM userDetails WHERE userName=?";
$stmt->bind_param("s", $prepname);
$prepname = $username;
$hashpass = $stmt->execute();
$stmt->bind_result($hashpass);
$stmt->fetch();
if (password_verify($pass, $hashpass)) {
echo "password and username match";
}
else {
echo "incorrect password";
}
}
else {
echo "That user does not exist!";
return false;
}
}
EDIT: Thanks to #Jovi, I have fixed the previous error however I am now recieving a new error:
Warning: Illegal string offset 'userPass' in /home/toeaimc2/public_html/php/pages/login.php on line 75
EDIT:
#Jovi has now solved the problem! Thank you to everyone for their help!
You are calling the bind_param method on a string, it should be a statement object.
You are missing the method call to create the prepared statement object for the query that extracts the password:
$stmt = $conn->prepare("SELECT userPass FROM userDetails WHERE userName=?");
$stmt->bind_param("s", $prepname);
This question already has answers here:
How do I use password hashing with PDO to make my code more secure? [closed]
(3 answers)
Closed 5 years ago.
Okay, so I'm trying to make a register/login code for my personal website.
I had no troubles making the registration form but I'm having some difficulties with the login.
Here's a part of my code:
$stmt = $pdo->prepare("SELECT password FROM members where username = ? ");
$stmt->bindValue(1, $username);
$stmt->execute();
Now to my understanding i need to fetch the first row from my table convert it to a string and then using password_verify to compare that string to whatever the users inputs in the form i created. The problem i have is that it fetches an array and can't really use password_verify to compare a string to an array.
Am I doing something wrong? how should I do this?
tl; dr How do I actually select a hashed password from DB, convert it to a string and then compare that string with the password my user will input.
Thanks.
This library works on
PHP 5.5+: use password_hash
$sql = "SELECT * FROM members WHERE username = ?";
$stmt = $pdo->prepare($sql);
$result = $stmt->execute([$_POST['username']]);
$users = $result->fetchAll();
if (isset($users[0]) {
if (password_verify($_POST['password'], $users[0]->password) {
// valid login
} else {
// invalid password
}
} else {
// invalid username
}
This question already has answers here:
Reference - What does this error mean in PHP?
(38 answers)
Closed 6 years ago.
i need to confirm login using Php and mysql. My codes keep bringing 'username and password not correct even when it is. Please where did i get it wrong.
HTML code looks like this
PHP code looks like this
enter image description here
Thank you
issue 1 : $user_name = $_POST['username']; you have used single quotes wrongly . Same for password in the screen shot. http://i.stack.imgur.com/FlUyR.jpg
issue 2 : mysqli_query($CONNECTIONHANDLER, $QUERY) but you are missing connectionhandler.
Full Code changes :
$username = mysqli_real_escape_string($con,$_POST['username']);
$password = mysqli_real_escape_string($con,$_POST['pass_word']);
$rs = mysqli_query($con, "Select username, pass_word from verify where username = '%s' and pass_word = '%s'", $username, $upassword);
$check_user = mysqli_num_rows($rs);
if($check_user>0){
echo "Logged in / valid user ";
} else {
echo "username / password incorrect";
}
change
'$_POST[username]' to $_POST['username'] and same goes for password.
You are actually assigned string values instead of getting them from $_POST array
Remove simple quote
$username = $_POST['username'];
$password = $_POST['pass_word'];
Keep in mind that POST input should ALWAYS be sanitized to avoid injection
I think you are doing it wrong. Also you just posted your username and password on the internet.
The query is redundant. You should just check for the presence of a user with such username and password (for example Select Count(*) from...)
the second control you are doing is superfluous. Also you are declaring a variable inside a while and you are trying to access those values from outside of it.
Also there are some syntactic errors like quotes and stuff that other users already suggested.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I'm working on a database login system in PHP but one of my users has an exclamation mark in his password which breaks it, The line where it says ($password = $_GET['p'];) is where the password gets passed in
$username = $_GET['u'];
$password = $_GET["p"];
function userLoginIpb($username, $password) { //select the password information froms elected user
$query = mysqli_query($GLOBALS["___mysqli_ston"], "SELECT `members_pass_salt`, `members_pass_hash` FROM `members` WHERE `name` = '$username'");
$results = mysqli_fetch_assoc($query);
$password = md5(md5($results['members_pass_salt']).md5($password));
if ($password == $results['members_pass_hash']) {
return true;
} else {
return false;
}
The issue is your $_GET[] request, since a ! character will be encoded to %21.
Since you're working on the system, do it the correct way instead.
Use POST requests, as you don't want the users to copy paste a link with a password in them.
Use the new functions in PHP, password_hash() with password_verify() as they have a salt build into them making it quite secure and very easy to work with.
Bind values to a SQL string do not blindly put them in there as you are currently open to an easy SQL injection. Adding a password like pass; DROP TABLE members; will break it.
You need to use mysqli_real_escape_string:
<?php
$username = $_GET['u'];
$password = $_GET["p"];
// select the password information froms elected user
function userLoginIpb($username, $password)
{
global $___mysqli_ston;
$s = mysqli_real_escape_string($___mysqli_ston, $username);
$query = mysqli_query($___mysqli_ston, "SELECT `members_pass_salt`, `members_pass_hash` FROM `members` WHERE `name` = '$s'");
$results = mysqli_fetch_assoc($query);
$password = md5(md5($results['members_pass_salt']).md5($password));
return $password == $results['members_pass_hash'];
}
Also take a look at PDO.
This question already has answers here:
The 3 different equals
(5 answers)
Closed 7 years ago.
I'm not a php programmer, so I only know what I have looked up online about the md5 tag.
I am checking to see if passwords match in a php page. I send the password in the php url and retrieve it with this code:
$u_pswd = md5(trim(strip_tags($_REQUEST['pswd'])));
Then I run a query to get the user's password so I can check if they are the same:
$usql = "SELECT user_password FROM ft_users WHERE user_email = '".$u_mail."'";
$ures = mssql_query($usql);
$urow = mssql_fetch_array($ures);
if ($urow['user_password'] = $u_pswd) {
// passwords match
} else {
// passwords do not match
}
My problem is that it says the passwords match every time. For example, if the current password is PASSWORD and I send it a password INCORRECT, the output is:
$_pswd = 64a4e8faed1a1aa0bf8bf0fc84938d25
$urow['user_password'] = 64a4e8faed1a1aa0bf8bf0fc84938d25
Could someone help me out in solving why it is saying the passwords are the same when they are not?
Do not use "=" for comparison. "=" will assign a value and any expression "$var = $value" will be evaluated to true. Use "==" instead.
if ($urow['user_password'] == $u_pswd) { ... }
= is for assigning , in your code you are assigning $u_pswd value to $urow['user_password']
you need to compare those values are equal or not by using == to get required result
$usql = "SELECT user_password FROM ft_users WHERE user_email = '".$u_mail."'";
$ures = mssql_query($usql);
$urow = mssql_fetch_array($ures);
if ($urow['user_password'] == $u_pswd) {
}
else
{
}
Hope it helps.