I'm using the functions below. When I register a user, the hash seems to work fine. When I try to log in, the hash doesn't match. It has the correct hash, plus extra hash.
What's the issue?
function salt($pass){
$salt = 'hello';
return hash('sha512', $pass.$salt);
}
function valid_credentials($user,$pass) {
$user = mysql_real_escape_string($user);
$pass = salt($pass);
$total = mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `user_name` = '".$user."' AND `password` = '{$pass}' ");
return (mysql_result($total, 0) == '1' ) ? true : false;
}
function add_user($user, $pass) {
$user = mysql_real_escape_string(htmlentities($user));
$pass = salt($pass);
$time = now();
mysql_query("INSERT INTO `users` ( user_name, password, date_created ) VALUES ( '{$user}', '{$pass}', '{$time}' )");
}
I think in your validation code this line:
$total = mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `user_name` = '".$user."' AND `password` = '{$pass}' ");
needs to be changed to something like so:
$total = mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `user_name` = '".$user."' AND `password` = '".$pass."' ");
Right now it appears to be checking for the password column being equal to "{$pass}".
Just double-check the value returned before and after inserting it into the db table. Echo it with a trim function, or use strcmp to compare the value that is inserted in the db with your generated value.
Related
I'm encountering a problem with this object. I don't know how (or if it is possible) to get the value of COUNT(id).
I tried $req[0]->COUNT(id), but "COUNT()" is detected as a function. How could it be detected as a key?
Here's a var_dump($req):
object(stdClass)[4]
public 'COUNT(id)' => string '1' (length=1)
PHP
$req = $db->query('SELECT COUNT(id) FROM `users` WHERE username ="'.$username.'" AND password = "'.$password.'"');
if($req == 1){
$_SESSION['authentificated'] = true;
$_SESSION['username'] = $username;
}
var_dump($req);
The output of the query should be 0 or 1, depending on whether the user is already registered or not.
1. You need to add an alias for COUNT().
2. After query execution you need to fetch the record and then do the comparison.
Do it like below:
$req = $db->query('SELECT COUNT(id) as count FROM `users` WHERE username ="'.$username.'" AND password = "'.$password.'"');
$result = mysqli_fetch_assoc($req); // sample example,you need to change accordingly
if($result['count'] == 1){
//your code
}
Note:
Saving plain passwords is a very bad idea, so use password hashing.
Your current code is wide open to SQL injection. To prevent it, use prepared statements:
mysqli::prepare
PDO::prepare
I will do it something like this: https://3v4l.org/YOBGX
Here an alias is required, or else it won't capture that count value the way you want.
$req = $db->query('SELECT COUNT(id) cnt FROM `users` WHERE username ="'.$username.'" AND password = "'.$password.'"');
var_dump($req);
Here is the solution: you have not bound the key for that. Please see below.
$req = $db->query('SELECT COUNT(id) as user_exists FROM `users` WHERE username
="'.$username.'" AND password = "'.$password.'"');
if($req == 1){
$_SESSION['authentificated'] = true;
$_SESSION['username'] = $username;
}
var_dump($req);
Try this --
$req = mysqli_query($db,'SELECT (COUNT(id)) as countID FROM `users` WHERE username ="'.$username.'" AND password = "'.$password.'"');
$row = mysqli_fetch_array($req);
$countID = $row['countID'];
if($countID == 1){
$_SESSION['authentificated'] = true;
$_SESSION['username'] = $username;
}
var_dump($req);
if(isset($_SESSION['username']))
{
$con = mysql_connect('localhost','root','');
mysql_select_db('chatbox',$con);
$result = mysql_query("SELECT id FROM users");
mysql_query("UPDATE users SET `online` = 0 WHERE `username` = ".$username."");
}
Can you make the username in the session (the one that is logged in) be equal to
mysql_query("UPDATE users SET `online` = 0 WHERE `username` = "to_put_it_here");
Simple and cute trick
$username = $_SESSION['username'];
if(isset($username))
{
$con = mysql_connect('localhost','root','');
mysql_select_db('chatbox',$con);
$result = mysql_query("SELECT id FROM users");
mysql_query("UPDATE users SET `online` = 0 WHERE `username` = '$username' ");
}
If I were you, I would be using PDO. Although I think this would help you:
mysql_query("UPDATE users SET `online` = 0 WHERE `username` = '{$_SESSION['username']}'");
How can I update my SQL table to show the last login date? I have tried "UPDATE table SET user_last_login="'date("m.d.y")'" WHERE $user_name" but the table doesn't update. If I click on the table column, it changes it to the current date.
SQL Table:
CREATE TABLE IF NOT EXISTS `users` (
`id` int(100) NOT NULL AUTO_INCREMENT,
`user_name` varchar(10) COLLATE utf8_unicode_ci NOT NULL,
`user_pass` varchar(50) COLLATE utf8_unicode_ci NOT NULL,
`user_rank` varchar(50) COLLATE utf8_unicode_ci NOT NULL DEFAULT 'Member',
`user_ip` varchar(15) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
`user_last_login` date NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=4 ;
PHP:
if(isset($_POST['login'])){
$name = $_POST['name'];
$password = $_POST['pass'];
$check_user = "select * from users where user_name='$name' AND user_pass='".md5($_POST['pass'])."'";
$run = mysql_query($check_user);
if(mysql_num_rows($run)>0){
//Create query
$qry="SELECT * FROM users WHERE user_name='$name' AND user_pass='".md5($_POST['pass'])."'";
$result=mysql_query($qry);
$update="UPDATE table SET user_last_login="'date("m.d.y")'"
//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) == 1) {
//Login Successful
session_regenerate_id();
$users = mysql_fetch_assoc($result);
$_SESSION['id'] = $users['id'];
$_SESSION['name'] = $users['user_name'];
$_SESSION['pass'] = $users['user_pass'];
$_SESSION['rank'] = $users['user_rank'];
$_SESSION['ip'] = $users['user_ip'];
session_write_close();
}
}
}
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST") {
// username and password sent from form
// $db is connection to database
$myusername = mysqli_real_escape_string($db,$_POST['username']);
$mypassword = mysqli_real_escape_string($db,$_POST['password']);
$sql = "SELECT id FROM users WHERE username = '$myusername' and password = '$mypassword'";
$result = mysqli_query($db,$sql);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$count = mysqli_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count == 1) {
//session_register("myusername");
$_SESSION['login_user'] = $myusername;
header("location: account.php");
}else {
echo $error = "Your Login Name or Password is invalid";
}
$t_sql = "UPDATE users SET login_time=CURRENT_TIMESTAMP WHERE username = '$myusername'";
$t_result = mysqli_query($db,$t_sql);
}
WHERE $user_name
should be
WHERE user_name=$user_name
Your current query is throwing an error, I assume.
You need to insert the MySQL date format, which is YYYY-MM-DD (e.g. 2012-01-01), instead of m.d.y.
Here are some things wrong in your code.
First of all, you put your POST value in a variable and you never use it!
$name = $_POST['name'];
$password = $_POST['pass'];
You could do
$name = $_POST['name'];
$password = md5($_POST['pass']);
$check_user = "select * from users where user_name='$name' AND user_pass='$password'";
Why do you use next line of code?
$qry="SELECT * FROM users WHERE user_name='$name' AND user_pass='".md5($_POST['pass'])."'";
And for updating your databank, try the following code.
$date = date('Y-m-d');
$update="UPDATE table SET user_last_login='$date' WHERE user_name='$name' AND user_pass='$password'";
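The advice in the answers above (prepared statements, password hashing, and a YYYY-MM-DD date for the last-login update) can be combined in one login routine. This is an added example, not code from any of the posts; it assumes PDO with the pdo_sqlite extension so it runs without a server, and a `user_pass` column widened to 255 characters.

```php
<?php
// Added example, not code from the page. Assumes the pdo_sqlite extension so it
// runs without a server; with MySQL only the DSN changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Column names follow the question's table; user_pass is widened to 255
// (an assumption) because password_hash() output does not fit in varchar(50).
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    user_name VARCHAR(10) UNIQUE NOT NULL,
    user_pass VARCHAR(255) NOT NULL,
    user_last_login DATE NULL)');

function add_user(PDO $db, string $name, string $password): void {
    // password_hash() generates a random per-user salt and embeds it in the hash.
    $stmt = $db->prepare('INSERT INTO users (user_name, user_pass) VALUES (?, ?)');
    $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns the user's id on success, or null when the credentials are wrong.
function login(PDO $db, string $name, string $password): ?int {
    $stmt = $db->prepare('SELECT id, user_pass FROM users WHERE user_name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The comparison happens in PHP: a salted hash cannot be matched in WHERE.
    if ($row === false || !password_verify($password, $row['user_pass'])) {
        return null;
    }
    // DATE columns take YYYY-MM-DD, not m.d.y.
    $upd = $db->prepare('UPDATE users SET user_last_login = ? WHERE id = ?');
    $upd->execute([date('Y-m-d'), $row['id']]);
    return (int) $row['id'];
}

// Constructed sample data; the quote in the name is bound as data, not SQL.
add_user($db, "o'neil", 'correct horse');
var_dump(login($db, "o'neil", 'correct horse'));
var_dump(login($db, "o'neil", 'wrong password'));
var_dump($db->query('SELECT user_last_login FROM users')->fetchColumn());
```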
I'm having one error when I try to use my function and I don't know how can I fix it.
function is_valid($email_e, $email_code_e, $username_e) {
$email = mysql_real_escape_string($email_e);
$email_code = mysql_real_escape_string($email_code_e);
$username = sanitize($username_e);
return (mysql_result
(mysql_query
("SELECT COUNT(*) FROM `users`
WHERE `username` = $username
AND `email_code` = $email_code
AND `email` = $email"), 0) == 1) ? true : false;
}
Warning: mysql_result() expects parameter 1 to be resource, boolean given in /home/meuts3/public_html/core/functions/users.php on line 34
I'm trying to make a forgot-password system, and when someone tries to get a new password, he receives a link with email_code, username and email. When he clicks, he goes to a changepassword page. In this page, I will check if this information is valid using the function is_valid, so if it is valid I have to return the user_id to start a session with user_id.
How can I do that?
Thanks, I really appreciate you guys.
You have an error in sql statement. You must quote $username, $email_code & $email in ''.
SELECT COUNT(*) FROM `users` WHERE `username` = '$username' AND `email_code` = '$email_code' AND `email` = '$email'
So mysql_query returns false, not a resource object.
Try this:
function is_valid($email_e,$email_code_e,$username_e) {
$email = mysql_real_escape_string($email_e);
$email_code = mysql_real_escape_string($email_code_e);
$username = sanitize($username_e);
$sql = "SELECT user_id FROM `users`
WHERE `username` = '$username'
AND `email_code` = '$email_code'
AND `email` = '$email'";
$result = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($result) <= 0)
return -1;
return mysql_result($result, 0); // row 0 is the first (and only) row
}
First, avoid mysql_* functions as they're deprecated.
Second, the process should be like this:
we select the user_id
If the number of rows fetched is 0 then there is no such user, else we get a unique user_id
So let's write the SQL, considering your column name for user_id is user_id and user_id is always > 0:
$q = "SELECT user_id FROM `users` WHERE `username` = '$username' AND `email_code` = '$email_code' AND `email` = '$email'";
$r = mysql_query($q); //warning I don't like mysql_* functions
if(mysql_num_rows($r)>0){ //we have got more than 0 rows
$d = mysql_fetch_assoc($r);
return $d['user_id'];
} else { // No such username, email, email_code combination found in database
return 0;
}
I'm using PHP to make some mods on my database. I have two identical tables and I want to move one row from the first table to the second one. How can I do that using pure PHP and MySQL?
This is how my tables look:
CREATE TABLE users (
username varchar(30) primary key,
password varchar(32),
userid varchar(32),
userlevel tinyint(1) unsigned not null,
email varchar(50),
timestamp int(11) unsigned not null
);
and here is my php code so far
function procMoveUser(){
global $session, $database, $form;
/* Username error checking */
$subuser = $this->checkUsername("user");
/* Errors exist, have user correct them */
if($form->num_errors > 0){
$_SESSION['value_array'] = $_POST;
$_SESSION['error_array'] = $form->getErrorArray();
header("Location: ".$session->referrer);
}
/* move the user */
else{
$q = "SELECT * FROM ".TBL_USERS." WHERE username = '$subuser'";
$result = $database->query($q);
if($result && $result->num_rows == 1){
while($array = $result->fetch_assoc() ){
$second_query = "INSERT INTO".TBL_USERSDONT."VALUES ($array['user'], $array['password'], $array['userid'] , $array['userlevel'] , $array['email'] , $array['timestamp'])";
$second_result = $mysqli->query($second_query);
if($second_result){
// it worked!
$q = "DELETE FROM ".TBL_USERS." WHERE username = '$subuser'";
$database->query($q);
}
}
}
}
}
First, SELECT * FROM the first table for the row that you want to move. Then, as suggested above, run an INSERT statement with the values from the first table.
$q = "SELECT * FROM ".TBL_USERS." WHERE username = '$username'";
$result = $mysqli->query($q);
if($result && $result->num_rows == 1){
while($array = $result->fetch_assoc() ){
$second_query = "INSERT INTO second_table VALUES ('{$array['user']}', '{$array['something']}')";
$second_result = $mysqli->query($second_query);
if($second_result){
// it worked!
}
}
}
Maybe this will help: Copy an existing MySQL table to a new table
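The select-insert-delete sequence described above can also be done as one `INSERT ... SELECT` followed by a `DELETE`, both inside a transaction, so the row is never lost or duplicated if a step fails. This is an added example, not code from the posts; `users_dont` is a hypothetical name for the second table, and pdo_sqlite is assumed so it runs without a server.

```php
<?php
// Added example, not code from the page. Assumes pdo_sqlite for a
// self-contained run; users_dont is a hypothetical name for the second table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$cols = 'username VARCHAR(30) PRIMARY KEY, password VARCHAR(32), userid VARCHAR(32),
         userlevel INTEGER NOT NULL, email VARCHAR(50), timestamp INTEGER NOT NULL';
$db->exec("CREATE TABLE users ($cols)");
$db->exec("CREATE TABLE users_dont ($cols)");

// Moves one row; returns true if a row was moved, false if no such user.
function move_user(PDO $db, string $username): bool {
    $db->beginTransaction();
    try {
        // INSERT ... SELECT copies the row inside the database, so no column
        // value is ever pasted into an SQL string.
        $copy = $db->prepare('INSERT INTO users_dont SELECT * FROM users WHERE username = ?');
        $copy->execute([$username]);
        if ($copy->rowCount() !== 1) {
            $db->rollBack();
            return false;
        }
        $del = $db->prepare('DELETE FROM users WHERE username = ?');
        $del->execute([$username]);
        $db->commit();    // copy and delete become visible together
        return true;
    } catch (Throwable $e) {
        $db->rollBack();  // e.g. duplicate key in users_dont: nothing is lost
        throw $e;
    }
}

// Constructed sample row.
$db->prepare('INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)')
   ->execute(["o'brien", str_repeat('0', 32), 'u1', 1, 'ob@example.com', time()]);
var_dump(move_user($db, "o'brien"));
var_dump(move_user($db, 'nobody'));
```

On MySQL the rollback only works if both tables use a transactional engine such as InnoDB.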