hello i have problems while using crypt function. i would like to check passwords from a database and an entered one.
the problem i have is that when i will enter a password it even will redirect even in case when it is a totally different password? this is strange to me.
so i use this function:
function salt_crypt($login_password, $rounds = 7) {
$salt = "";
$salt_chars = array_merge(range('A','Z'), range('a','z'), range(0,9)); for($i=0; $i < 22; $i++) {
$salt .= $salt_chars[array_rand($salt_chars)];
}
return crypt($login_password, sprintf('$2a$%02d$', $rounds) . $salt);
i will get the stored password from a function that returns an array:
function ab($a){
global $db;
$query = $db->query("SELECT col_a, col_b FROM table WHERE Field= '$a' ");
$check = $query->fetch_assoc();
return ($check);
}
and this will be used in this function:
function login($a, $login_password){
$user_data = user_data($a);
global $db;
$uname = sanitize($uname);
$crypted_password = salt_crypt($login_password);
if(crypt($user_data['col_b'], $crypted_password) == $crypted_password) {
$query = $db->query("SELECT col_a FROM table WHERE Field_a= '$a' AND Field_b = '$crypted_password' ");
$check = $query->num_rows;
return ($check == 1) ? true : false;
}
}
this function wil be called and in case of the returning result header with:
$login = login($a, $login_password);
if ($login === false){
$errors[] = "text";
} else {
header('Location: page.php');
}
Not all code paths return a value -> your function will return true, even if the if statement is false. Try it with something like this:
function login($a, $login_password){
//All your stuff
if(crypt($user_data['col_b'], $crypted_password) == $crypted_password) {
//Your stuff
}
return false
}
Related
I have a little problem and I can't find the reason..
I have this easy function that should check if the user/pass are correct and i would like to save all the infos about the user from $row object into $userdata global object
function check_credentials($username, $password) {
global $userdata;
$password = md5($password);
$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' LIMIT 0,1")or die(mysql_error());
while ($row = mysql_fetch_object($result)) {
if(($row->password == $password) && ($row->username == $username) && ($row->ver == 1)) {
$userdata = clone $row;
return true;
}
else break;
}
}
unset($_SESSION['logged_as']);
return false;
}
Do you have any idea of why, out of the function, the global variable disappear ? because it should be global
Your function simply returns boolean true, not the modified variable.
Change
$userdata = clone $row;
return true;
to
$userdata = clone $row;
return $userdata;
As #Broatcast said, the global function must have been declared out of the function before.
$var = null;
function name() {
global $var
}
// use $var as global
Instead using using a global variable, just return the $userdata:
if(($row->password == $password) && ($row->username == $username) && ($row->ver == 1)) {
return $row;
}
Then capture the row when you call the function
$userdata = check_credentials($username, $password);
I am trying to run a function that checks a db table for a username and an email. I call the function with two parameters ($user_username, $user_password). The function checks the database to see if those values exist. However, I cannot get the variables from the function to return properly. Here's what i have so far:
Function:
class registerClass{
public function checkUser($user_username, $user_email){
//connect to db via pdo...
$st_1 = $handler->prepare("SELECT * FROM tbl_users WHERE user_username = '$user_username'");
$st_1->execute();
if($st_1->rowCount() > 0){$user_exists = '1';}
$st_2 = $handler->prepare("SELECT * FROM tbl_users WHERE user_email = '$user_email'");
$st_2->execute();
if($st_2->rowCount() > 0){$email_exists = '1';}
}
}
Call to function:
$object = new registerClass();
$object->checkUser($user_username, $user_email);
if($user_exists >= '1'){$errors[] = "Username taken";}
if($email_exists >= '1'){$errors[] = "Email taken";}
For some reason the errors never get thrown. I'm not sure what I'm doing wrong here.
The variables you're setting are local to the function, they're not visible in the scope of the caller. Instead, the function should return the variables in an array:
class registerClass{
public function checkUser($user_username, $user_email){
$user_exists = $email_exists = false;
//connect to db via pdo...
$st_1 = $handler->prepare("SELECT * FROM tbl_users WHERE user_username = '$user_username'");
$st_1->execute();
if($st_1->rowCount() > 0){$user_exists = true;}
$st_2 = $handler->prepare("SELECT * FROM tbl_users WHERE user_email = '$user_email'");
$st_2->execute();
if($st_2->rowCount() > 0){$email_exists = true;}
return array($user_exists, $email_exists)
}
}
You can then use it like this:
list($user_exists, $email_exists) = $object->checkUser($user_username, $user_email);
if($user_exists){$errors[] = "Username taken";}
if($email_exists){$errors[] = "Email taken";}
I've also changed the values from strings with 0 and 1 to booleans false/true.
You should use return to return value by function and than in place where you call your function use for example list to get function return values.
Complete code:
<?php
class registerClass
{
public function checkUser($user_username, $user_email)
{
//connect to db via pdo...
$user_exists = 0;
$email_exists = 0;
$st_1 = $handler->prepare(
"SELECT * FROM tbl_users WHERE user_username = '$user_username'"
);
$st_1->execute();
if ($st_1->rowCount() > 0) {
$user_exists = '1';
}
$st_2 = $handler->prepare(
"SELECT * FROM tbl_users WHERE user_email = '$user_email'"
);
$st_2->execute();
if ($st_2->rowCount() > 0) {
$email_exists = '1';
}
return array($user_exists, $email_exists);
}
}
$object = new registerClass();
list($user_exists, $email_exists) = $object->checkUser(
$user_username,
$user_email
);
if ($user_exists >= '1') {
$errors[] = "Username taken";
}
if ($email_exists >= '1') {
$errors[] = "Email taken";
}
However normally you rather don't set value 1 in that case but boolean true so you should rather use this code:
class registerClass
{
public function checkUser($user_username, $user_email)
{
//connect to db via pdo...
$user_exists = false;
$email_exists = false;
$st_1 = $handler->prepare(
"SELECT * FROM tbl_users WHERE user_username = '$user_username'"
);
$st_1->execute();
if ($st_1->rowCount() > 0) {
$user_exists = true;
}
$st_2 = $handler->prepare(
"SELECT * FROM tbl_users WHERE user_email = '$user_email'"
);
$st_2->execute();
if ($st_2->rowCount() > 0) {
$email_exists = true;
}
return array($user_exists, $email_exists);
}
}
$object = new registerClass();
list($user_exists, $email_exists) = $object->checkUser(
$user_username,
$user_email
);
if ($user_exists) {
$errors[] = "Username taken";
}
if ($email_exists) {
$errors[] = "Email taken";
}
When you call a class method like: $object->checkUser($user_username, $user_email); or a function like : checkUser($user_username, $user_email); you must remember that php pass the params by copy, not by reference.
So by default what you pass (for example $user_name), it's not the same $user_name on function/method body. Seee http://php.net/manual/en/functions.arguments.php for more.
You can resolve your problem by using new method declaration this code:
public function checkUser(&$user_username, &$user_email){
//connect to db via pdo...
$st_1 = $handler->prepare("SELECT * FROM tbl_users WHERE user_username = '$user_username'");
$st_1->execute();
if($st_1->rowCount() > 0){$user_exists = '1';}
$st_2 = $handler->prepare("SELECT * FROM tbl_users WHERE user_email = '$user_email'");
$st_2->execute();
if($st_2->rowCount() > 0){$email_exists = '1';}
}
So to have have an argument to a function passed by reference, prepend an ampersand (&):checkUser(&$user_username, &$user_email)
I have the following PHP function that attempts to register a user in a database with a temporary password when they post an email adress via a form:
public function registerNewUser() {
$temp_pass = '';
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$random_string_length=8;
for ($i = 0; $i < $random_string_length; $i++) {
$temp_pass .= $characters[rand(0, strlen($characters) - 1)];
}
if (empty($_POST['user_email'])) {
$this->errors[] = FEEDBACK_EMAIL_FIELD_EMPTY;
} elseif (strlen($_POST['user_email']) > 64) {
$this->errors[] = FEEDBACK_EMAIL_TOO_LONG;
} elseif (!filter_var($_POST['user_email'], FILTER_VALIDATE_EMAIL)) {
$this->errors[] = FEEDBACK_EMAIL_DOES_NOT_FIT_PATTERN;
} elseif (!empty($_POST['user_email'])
&& strlen($_POST['user_email']) <= 64
&& filter_var($_POST['user_email'], FILTER_VALIDATE_EMAIL)) {
$this->user_email = htmlentities($_POST['user_email'], ENT_QUOTES);
$this->user_password = $temp_pass;
$this->hash_cost_factor = (defined('HASH_COST_FACTOR') ? HASH_COST_FACTOR : null);
$this->user_password_hash = password_hash($this->user_password, PASSWORD_DEFAULT, array('cost' => $this->hash_cost_factor));
$sth = $this->db->prepare("SELECT * FROM users WHERE user_email = :user_email ;");
$sth->execute(array(':user_email' => $this->user_email));
$count = $sth->rowCount();
if ($count == 1) {
$this->errors[] = FEEDBACK_USEREMAIL_ALREADY_TAKEN;
} else {
$this->user_activation_hash = sha1(uniqid(mt_rand(), true));
$sth = $this->db->prepare("INSERT INTO users (user_email, user_password_hash, user_activation_hash) VALUES(:user_email, :user_password_hash, :user_activation_hash) ;");
$sth->execute(array(':user_email' => $this->user_email, ':user_password_hash' => $this->user_password_hash, ':user_activation_hash' => $this->user_activation_hash));
$count = $sth->rowCount();
if ($count == 1) {
$this->user_id = $this->db->lastInsertId();
// send a verification email
if ($this->sendVerificationEmail()) {
// when mail has been send successfully
$this->messages[] = FEEDBACK_ACCOUNT_SUCCESSFULLY_CREATED;
$this->registration_successful = true;
return true;
} else {
$sth = $this->db->prepare("DELETE FROM users WHERE user_id = :last_inserted_id ;");
$sth->execute(array(':last_inserted_id' => $this->db->lastInsertId() ));
$this->errors[] = FEEDBACK_VERIFICATION_MAIL_SENDING_FAILED;
}
} else {
$this->errors[] = FEEDBACK_ACCOUNT_CREATION_FAILED;
}
}
} else {
$this->errors[] = FEEDBACK_UNKNOWN_ERROR;
}
// standard return. returns only true of really successful (see above)
return false;
}
I keep tripping the FEEDBACK_ACCOUNT_CREATION_FAILED error, but can't figure out why. Any ideas?
Have you dumped "$sth" after it does the insert?
What does that give you?
If you are using mysql you can turn the general_log (http://dev.mysql.com/doc/refman/5.1/en/query-log.html) to see the mysql query that gets executed.
This way you can see if the query is getting created properly.
Turning on mysql logging can be very useful if you are not sure whats happening at the other end.
In following code I have upgraded function from MYSQL into MYSQLI, I got some help in my previous posts and they said what should be done.. but now comes the question how to do it..
The thing is to set id before return, otherwise I still will be receiving user ID = 1 no matter on which account I login.
function user_id_from_username($username) {
$username = sanitize($username);
global $db_connect;
$result = $db_connect->query("SELECT(id) FROM members WHERE username = '$username'");
if (false === $result) {
return false;
}
return ($result->num_rows == 1) ? id : false;
I tried to do as in my old MYSQL code, but then it gives error.
My old code:
function user_id_from_username($username){
$username = sanitize ($username);
return mysql_result(mysql_query("SELECT(id) FROM members WHERE username = '$username'"), 0, 'id');
}
I would be grateful for any help!
I didn't try it out but this should work right?
I also put $db_connect as parameter because its safer but it's up to you.
function user_id_from_username($username) {
$username = sanitize($username);
global $db_connect;
$result = $db_connect->query("SELECT id FROM members WHERE username = '".$db_connect->real_escape_string($username)."'");
if (!$result) {
return false;
}
if($result->num_rows == 1){
$row = $result->fetch_assoc();
$output = $row['id'];
}
else{
$output = "Username does not exist in table or is a duplicate.";
}
return $output;
}
Did you try fetch_array or mysqli_fetch_array?
$row = $result->fetch_array(MYSQLI_ASSOC);
// or
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
// and returning
return $row['id'] ? $row['id'] : false;
return ($result->num_rows == 1) ? id : false;
should be
if(mysqli_num_rows($result) ===1 ){
$row = mysqli_fetch_assoc($result);
return intval($row['id']);
}
return false;
if(isset($_POST['uname']))
{
$query = "SELECT * FROM user_info";
$res = $mysqli->query($query);
$num = $res->num_rows;
$i = 0;
$cpwd = $_POST["pswd"];
$hpwd = SHA1($cpwd);
$tmp = $_POST["uname"];
while($i < $num)
{
$row = $res->fetch_object();
$name = $row->Username;
$pwd = $row->Password;
if($name == $tmp)
{
//check if user is blocked
}
//hashed pwd
if($pwd == $hpwd)
{
//success
exit();
}
//request for pwd change
else if($pwd == $cpwd)
{
//change
exit();
}
else if($pwd != $hpwd)
{
//incorrect pwd
}
}
$i++;
}
if($i == $num)
{
//new user
}
}
I'd guess that you're somehow looping past the end of the array and $row is actually NULL.
So $res->fetch_object() did not return an object. Take a look at the documentation of this function. What does it return when it finds nothing?
some times num_rows return 1, even if no rows effected. Try to use
while($row = $res->fetch_object())
or
you forget to increment $i :)
get rid of that junk and make it like this
$query = "SELECT * FROM user_info WHERE Username = ? AND Password = ?";
$stmt = $mysqli->prepare($query);
$stmt->bind_param('ss', $_POST["uname"], SHA1($_POST["pswd"]));
$stmt->execute() or trigger_error($mysqli->error());
if (!$mysqli->affected_rows) {
//no such user
}
I've never used mysqli myself, so, there may be typos.
But I hope you'll be able to get the idea.