Im working on a form that needs a password that is between 6 and 25 characters. The username and fullname must be less than 25 characters. The username and fullname part works fine, but when I put in a password thats 10 characters long it echos out my error code as if it were less than 6. What Am I doing wrong with this?
Please take a look at the code and help me please:
The issue is within the area commented as //check password length. Thanks everone
The php code is:
<?php
echo "<h1>Register</h1>";
$submit = filter_input(INPUT_POST, 'submit');
//form data
$fullname = strip_tags (filter_input(INPUT_POST, 'fullname'));
$username = strip_tags (filter_input(INPUT_POST, 'username'));
$password = strip_tags(filter_input(INPUT_POST, 'password'));
$repeatpassword = strip_tags(filter_input(INPUT_POST, 'repeatpassword'));
$date = date("Y-m-d");
if ($submit)
{
//check for existence
if($fullname&&$username&&$password&&$repeatpassword)
{
$password = md5($password);
$repeatpassword = md5($repeatpassword);
if ($password==$repeatpassword)
{
//check char length of username and fullname
if (strlen($username)>25||strlen($fullname)>25)
{
echo "Length of username or full name is too long!";
}
else
{
//check password length
if (strlen ($password)>25 || strlen ($password)<6)
{
echo "Password must be between 6 and 25 characters";
}
else
{
//register user
}
}
}
else echo "Your passwords do not match";
}
else echo "Please fill in <b>all</b> fields!";
}
?>`
and the html is:
<html>
<form action='register.php' method='POST'>
<table>
<tr>
<td>
Your full name:
</td>
<td>
<input type='text' name='fullname'>
</td>
</tr>
<tr>
<td>
choose a username:
</td>
<td>
<input type='text' name='username'>
</td>
</tr>
<tr>
<td>
Choose a password:
</td>
<td>
<input type='password' name='password'>
</td>
</tr>
<tr>
<td>
Repeat your password:
</td>
<td>
<input type='password' name='repeatpassword'>
</td>
</tr>
<table>
<p>
<input type='submit' name='submit' value='Register'>
You overwrite the password with its MD5 sum here:
$password = md5($password);
I'd suggest using different variable names for these different values:
$password_md5 = md5($password);
Naming your variables appropraitely will remove confusion and reduce the risk of errors.
You run MD5 on your password and repeat password before you compare it. Do the comparison and length checking before you run MD5 on them.
Why won't you quit the MD5 and instead of that use Whirlpool?
$password_wp = hash('whirlpool', $password);
Still having your doubts?
If it is, your answer on Stackoverflow has already been answered :
Which one is more secured md5 or whirlpool (hashes) and Why?
{ more info }
http://md5-sha-whirlpool.reviews.r-tt.com
Related
Am new to php and am taking a web application development to allow come across different skill, problems and find a way to fix them.
Am now creating a registration form and validating the form and protecting it against SQL Injection and XSS. NOTE I understand could have use prepared statement, but for my level of skill i think starting from Mysqli procedural wold be best result for my development until if fill confident enough.
So i just want you the expert to see if there is something i needed to remove or add or use instead (apart from stmt).
Here is my Register page.
<?php
// define mqsqli real escape string function
function _olaskee($escape) {
$escape = htmlspecialchars ($escape, ENT_QUOTES, 'UTF-8');
$escape = trim ($escape, ENT_QUOTES, 'UTF-8');
$escape = stripcslashes ($escape, ENT_QUOTES, 'UTF-8');
return $escape;
}
// start session
session_start();
// include database connection
//require_once('include/connection.php');
// if user type already detected, redirect to index.php
if(isset($_SESSION['user_type'])){
header('Location: index.php');
}
// check if we have submited / if the for as being submitted
if(!empty($_POST['submit'])){
//instantiate
$firstname = _olaskee($con, $_POST['firstname']);
$lastname = _olaskee($con, $_POST['lastname']);
$user_name = _olaskee($con, $_POST['user_name']);
$user_type = _olaskee($con, $_POST['user_type']);
$password = _olaskee($con, $_POST['password']);
$confirm_password = _olaskee($con, $_POST['confirm_password']);
// hash password
$hashed_password = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
// include database connection
require_once('include/errMsg.php');
}
// include page title
$title = 'Registration Page';
// include header layout
require_once('include/header.php');
?>
<div>
<form name="register" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
<table>
<tr>
<td>First Name</td>
<td><input type="text" name="firstname" value='<?php// echo htmlspecialchars ($firstname) ?>'><br><span style='color: red'><?php echo $fnErr ?></span></td>
<?php echo $firstname ; ?>
</tr>
<tr>
<td>Last Name</td>
<td><input type="text" name="lastname" value='<?php echo htmlspecialchars ($lastname) ?>'><br><span style='color: red'><?php echo $lnErr ?></span></td>
</tr>
<tr>
<td>User Name</td>
<td><input type="text" name="user_name" value='<?php echo htmlspecialchars ($user_name) ?>'><br><span style='color: red'><?php echo $unameErr ?></span></td>
</tr>
<tr>
<td>User Type</td>
<td>
<!-- <label for="flavor">Select User Type:</label > -->
<select id="user_type" name='user_type' >
<option value="">Select User Type</option>
<option <?php echo $user_type=='rsw'?'selected':''; ?> >rsw</option>
<option <?php echo $user_type=='sp'?'selected':''; ?> >sp</option>
</select>
<span style='color: red'><?php echo $u_typeErr?></span>
</td>
</tr>
<tr>
<td>Email</td>
<td><input type="email" name="email" value='<?php echo htmlspecialchars ($email) ?>'><br /><span style='color: red'><?php echo $emailErr ?></span></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password" id="password"><br /><span style='color: red'><?php echo $passErr ?></span></td></td>
</tr>
<tr>
<td>Confirm Password:</td>
<td><input type="password" name="confirm_password" id="confirm_password"><br /><span style='color: red'><?php echo $cpassErr ?></span></td></td>
</tr>
<tr>
<td></td>
<td><input type="submit" name="submit" value="Register"><a href='index.php'> Login</a></td>
</tr>
</table>
</form>
</div>
<?php
if(is_file('include/footer.php'))
include_once('include/footer.php');
?>
And here is my error message page
<?php
// error handler variable
$fnErr = $lnErr = $unameErr = $u_typeErr = $emailErr = $passErr = $cpassErr = '';
$firstname = $lastname = $user_name = $user_type = $email = $password = $confirm_password = '';
// if submit, then validate
$firstname = ($_POST['firstname']);
// set field validation for first name
if (empty($firstname)){
$fnErr = 'Field empty, please enter your first name';
}else{
if (strlen($firstname) < 3){
$fnErr = 'First Name is too short';
}
}
// check if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z ]*$/",$firstname)) {
$fnErr = "Only letters and white space allowed";
}
// set field validation for last name
$lastname = ($_POST['lastname']);
if (empty($lastname)){
$lnErr = 'Field empty, please enter your last name';
}else{
if (strlen($lastname) < 3){
$lnErr = 'Last Name is too short';
}
}
// check if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z ]*$/",$lastname)) {
$lnErr = "Only letters and white space allowed";
}
// set field validation for user name
$user_name = ($_POST['user_name']);
if (empty($user_name)){
$unameErr = 'Field empty, please enter user name';
}else{
if (strlen($user_name) < 6){
$unameErr = 'Password is too short';
}else{
if (strlen($user_name) > 15){
$unameErr = 'Password is too long';
}
}
}
// check if name only contains letters and whitespace
if (!preg_match("#.*^(?=.*[a-z])(?=.*[A-Z]).*$#",$user_name)) {
$unameErr = "At least one CAPS, letters and white space allow";
}
// check if user select user type from list
$user_type = ($_POST['user_type']);
if (empty($user_type)){
$u_typeErr = 'Please select user type from list';
}
// set email filter validation
$email = ($_POST['email']);
if (empty($email)){
$emailErr = 'Field empty, please enter your last name';
}else{
// check if e-mail address is well-formed
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
$emailErr = "Invalid email format";
}
}
// set field validation for password
$password = ($_POST['password']);
if (empty($password)){
$passErr = 'Field empty, please create a password';
}else{
if (strlen($password) < 6){
$passErr = 'Password is too short';
}else{
if (strlen($password) > 15){
$passErr = 'Password is too long';
}
}
}
if( !preg_match("#[A-Z]+#", $password) ) {
$passErr = "Password must include at least one CAPS! ";
}else{
if( !preg_match("#[0-9]+#", $password) ) {
$passErr = "Password must include at least one NUMBER! ";
}
}
// // // check if name only contains letters and whitespace
// if (preg_match("#.*^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).*$#", $password)) {
// $passErr = "Try again... Password must contain NUMBER, LETTER and CAPS";
// }
// set field validation for confirm password
$confirm_password = ($_POST['confirm_password']);
if (empty($confirm_password)){
$cpassErr = 'Field empty, please confirm your password';
}else{
if ($password != $confirm_password) {
$cpassErr = 'Error... Passwords do not match';
}
}
// // define mqsqli real escape string function
// function _olaskee($escape) {
// $escape = htmlspecialchars ($escape, ENT_QUOTES, 'UTF-8');
// $escape = trim ($escape, ENT_QUOTES, 'UTF-8');
// $escape = stripcslashes ($escape, ENT_QUOTES, 'UTF-8');
// return $escape;
// }
?>
NOTE have commented out some lines in both pages.
Also in the register page have include the security function at the top of the session unsure if that's right.
Also have used the password hashing, but i haven't test in on database yet, but (have i used it right?)
Please just have a look and give me your expert opinion
Best Regards
I am not an expert but I can give you some notes. In your sanitizing function _olaskee, I think you need to understand what these functions does and how to use it
You don't need stripcslashes here. This function removes the slashes why are you putting it here?
You don't need to sanitize the password. You will be hashing it before using it and hashing will replace any injected code
For sanitizing against SQL Injection you need to use mysqli_real_escape_string It will take care of sanitizing strings.
Take a look at filter_var function. You will find it very useful in sanitizing and validating your inputs. This function allows you to validate against a specified length, allow some HTML tags in certain inputs (like textarea) and so on
To understand how to protect yourself from attacks you need to know first how the attacks are made. Read about SQL Injections and see if you can hack your database through vulnerable code.
You may try also try ZAP tool. You can use automatic scan by just passing the URL of your site and it will automatically scan your web app and report any vulnerabilities it finds
It is good to learn how to make a login system. But for real world applications, it is not advised to make your own login system. Always rely on tested and approved software or you will be creating systems full of vulnerabilities. Good luck!
This question already has answers here:
PHP MySQL insert not working
(6 answers)
Closed 6 years ago.
I have created a webpage named Register.php which should insert data into my database. The problem with this is that the registration page works but then when I try to log in the information was not added into my database is there anything that I did wrong that I cannot find?
<?php
echo "<h1>Register</h1>";
$submit = $_POST['submit'];
//form data
$FullName = strip_tags($_POST['FullName']);
$UserName = strip_tags($_POST['UserName']);
$Password = strip_tags($_POST['Password']);
$RepeatPassword = strip_tags($_POST['RepeatPassword']);
if ($submit)
{
//open database
$connect = mysql_connect("localhost","root","");
mysql_select_db("cs266db_db1");
$namecheck = mysql_query("SELECT UserName FROM user_ID WHERE UserName='$UserName'");
$count = mysql_num_rows($namecheck);
if ($count!=0)
{
die("UserName already taken");
}
//check for existence
if($FullName&&$UserName&&$Password&&$RepeatPassword)
{
//check password and repeat password match
if($Password==$RepeatPassword)
{
//check length of username and fullname
if (strlen($UserName) > 25 || strlen($FullName)>25)
{
echo "Length of username or fullname is over 25 characters!";
}
else {
//check password
if(strlen($Password)>25 || strlen($Password) < 6) {
echo "Password must be between 6 and 25 characters";
} else {
//encrypt password
$Password = md5($Password);
$RepeatPassword = md5($RepeatPassword);
$queryreg = mysql_query("INSERT INTO user_id VALUES (FullName='".$FullName."',UserName='".$UserName."',Password='".$Password."'");
}
die("You have been registered <a href='index1.php'> Return to Login Page </a>");
}
}
else{
echo "Your passwords do not match";
}
} else {
echo "Please fill in all fields!";
}
}
?>
<html>
<form action="register.php" method="POST">
<table>
<tr>
<td>
Your full name:
</td>
<td>
<input type="text" name="FullName" value="<?php echo $FullName ?>">
</td>
</tr>
<tr>
<td>
Choose a username:
</td>
<td>
<input type="text" name="UserName" value="<?php echo $UserName ?>">
</td>
</tr>
<tr>
<td>
Choose a password:
</td>
<td>
<input type="password" name="Password">
</td>
</tr>
<tr>
<td>
Repeat your password:
</td>
<td>
<input type="password" name="RepeatPassword">
</td>
</tr>
</table>
<br>
<input type="submit" name="submit" value="Register">
</form>
</html>
Im getting an error of this as well(I am running on netbeans):
Notice: Undefined index: submit in
C:\Xampp\htdocs\Resume_DB\register.php on line 4 Notice: Undefined
index: FullName in C:\Xampp\htdocs\Resume_DB\register.php on line 7
Notice: Undefined index: UserName in
C:\Xampp\htdocs\Resume_DB\register.php on line 8 Notice: Undefined
index: Password in C:\Xampp\htdocs\Resume_DB\register.php on line 9
Notice: Undefined index: RepeatPassword in
C:\Xampp\htdocs\Resume_DB\register.php on line 10
Does this have to do with my problem of insertion? If so can you help! Please and thank you!
I don't think the the way you run the insert is even valid in MySql,
I just tried it on my MySql on wamp and the line does not return error but all the values that are been insert are NULL
I'm talking about this line
insert into tmp_table values (`field_1`='value_1', `field_2`='value_2', `field_3`='value_3' ...)
Do you get empty rows in your DB or no rows at all ?
I'm working on a php login form and every time i try to login it says "The username you entered was not found." witch i have in one of my if statement's in my code and i think its because I'm not linking something right to mySQL. I've been working on this for a couple of days now and cant fix it! can you guys help me please. thanks -John
<?
$form = "<form action='./login.php' method='post'>
<table>
<tr>
<td>Username:</td>
<td><input type='text' name='user' /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='password' /></td>
</tr>
<tr>
<td></td>
<td><input type='submit' name='loginbtn' value='Login' /></td>
</tr>
</table>
</form>";
if ($_POST['loginbtn']){
$user = $_POST['user'];
$password = $_POST['password'];
if ($user){
if ($password){
require("connect.php");
$password = md5(md5("ak3sfx".$password."58ghy7"));
//Make sure login info is good
$query = mysql_select_db("users");
if ($numrows == 1){
$row = mysql_fetch_assoc($query);
$dbuser = $row['users'];
$dbpassword = $row['password'];
if ($password == $dbpassword){
//Set session info
$_SESSION['username'] = $dbusers;
echo "You have been logged in as <b>$dbuser</b> <a href='./member.php'>Click here</a> to continue";
}
else
echo "You did not enter the right password. $form";
}
else
echo "The username you entered was not found. $form";
mysql_close();
}
else
echo"You must enter your password. $form";
}
else
echo"You must enter your username. $form";
}
else
echo $form;
?>
mysql_select_db("users") will change db to users. Are you trying to select data from users table? If so, you need to change this line.
Have a look of this link.
http://php.net/manual/en/function.mysql-fetch-assoc.php
These example will help you
My register.php file is working but when submit button is clicked. This is error message I get
Notice: Use of undefined constant username - assumed 'username' in C:\xampp\htdocs\Hamza\register.php on line 18
You have been registered! Return to login page
However it does not add any users to the database though, what am I doing wrong? I believe something along INSERT INTO users VALUES is incorrect. I searched around and spent 2 hours solving it but can't figure out what's wrong. Any help would be useful, thanks.
register.php file
<?php
echo "<h1>Register</h1>";
$submit = #$_POST['submit'];
//form data
$fullname = strip_tags(#$_POST['fullname']);
$username = strip_tags(#$_POST['username']);
$password = strip_tags(#$_POST['password']);
$repeatpassword = strip_tags(#$_POST['repeatpassword']);
$date = date ("y-m-d");
if ($submit)
{
//check for existance
if ($fullname&&username&&$password&&$repeatpassword)
{
if ($password==$repeatpassword)
{
//check char length of username and fullname
if (strlen($username)>25||strlen($fullname)>25)
{
echo "Length of username or fullname is too long";
}
else
{
//check password length
if (strlen($password)>25||strlen($password)<6)
{
echo "Password must be between 6 and 25 characters";
}
else
{
//register the user!
// encrypt password
$password = md5($password);
$repeatpassword = md5($repeatpassword);
//open database
$connect = mysql_connect("localhost","root","");
mysql_select_db("phplogin"); //select database
$queryreg = mysql_query("
INSERT INTO users VALUES ('','".$fullname."','".$username."','".$password."','".$date."')
");
die ("You have been registered! <a href='index.php'>Return to login page</a>");
}
}
}
else
echo "Your passwords do not match!";
}
else
echo "Please fill in <b>all</b> fields!";
}
?>
<html>
<p>
<form action='register.php' method='POST'>
<table>
<tr>
<td>
Your full name:
</td>
<td>
<input type='text' name='fullname' value='<?php echo $fullname; ?>'
</td>
</tr>
<tr>
<td>
Choose a username:
</td>
<td>
<input type='text' name='username' value='<?php echo $username; ?>'
</td>
</tr>
<tr>
<td>
Choose a password:
</td>
<td>
<input type='password' name='password'>
</td>
</tr>
<tr>
<td>
Repeat your password:
</td>
<td>
<input type='password' name='repeatpassword'>
</td>
</tr>
</table>
<p>
<input type='submit' name='submit' value='Register'>
</form>
</html>
Check your 18th line:
if ($fullname&&username&&$password&&$repeatpassword)
You forgot to put $ sign for username.
I am working on a section of code that changes a password in a database upon completion of the following form:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Password Change</title>
</head>
<body>
<h1>Change Password</h1>
<form method="POST" action="password_change.php">
<table>
<tr>
<td>Enter your UserName</td>
<td><input type="username" size="10" name="username"></td>
</tr>
<tr>
<td>Enter your existing password:</td>
<td><input type="password" size="10" name="password"></td>
</tr>
<tr>
<td>Enter your new password:</td>
<td><input type="password" size="10" name="newpassword"></td>
</tr>
<tr>
<td>Re-enter your new password:</td>
<td><input type="password" size="10" name="confirmnewpassword"></td>
</tr>
</table>
<p><input type="submit" value="Update Password">
</form>
<p>Home
<p>Logout
</body>
</html>
And the the PHP:
<?php
session_start();
include 'dbconfig.php';
$username = $_POST['username'];
$password = $_POST['password'];
$newpassword = $_POST['newpassword'];
$confirmnewpassword = $_POST['confirmnewpassword'];
$result = mysql_query("SELECT password FROM user_info WHERE
user_id='$username'");
if(!$result)
{
echo "The username you entered does not exist";
}
else if($password!= mysql_result($result, 0))
{
echo "You entered an incorrect password";
}
if($newpassword=$confirmnewpassword)
$sql=mysql_query("UPDATE user_info SET password='$newpassword' where
user_id='$username'");
if($sql)
{
echo "Congratulations You have successfully changed your password";
}
else
{
echo "Passwords do not match";
}
?>
The problem I have at the moment is when I submit the submit button takes me to a read only page of this code.
Any suggestions?
On first looks I can figure out few major mistakes you made:
if you are comparing you should use
$newpassword == $confirmnewpassword
and not
$newpassword=$confirmnewpassword
secondly when you use if..elseif... loop format shold be
if (condition)
{
//code to be executed if condition is true;
}
else if (condition)
{
// code to be executed if condition is true;
}
else
{
//code to be executed if condition is false;
}
You apparently miss the else part in one of your such loops.
Please correct your syntax and try again...
u can 1st select a table and check a password is correct and if correct a update a password .else display a error message.hey this just update a password if old is password is match to update a password....,
Cracker World
$old_password=$_POST['old_password'];
$new_password=$_POST['new_password'];
$con_password=$_POST['con_password'];
$chg_pwd=mysql_query("select * from users where id='1'");
$chg_pwd1=mysql_fetch_array($chg_pwd);
$data_pwd=$chg_pwd1['password'];
if($data_pwd==$old_password){
if($new_password==$con_password){
$update_pwd=mysql_query("update users set password='$new_password' where id='1'");
$change_pwd_error="Update Sucessfully !!!";
}
else{
$change_pwd_error="Your new and Retype Password is not match !!!";
}
}
else
{
$change_pwd_error="Your old password is wrong !!!";
}}
You made a mistake here
This include 'dbconfig.php';
Should be like this include ('dbconfig.php');
After seen your script, i found that you have not use '==' in your password comparison condition.
if($newpassword=$confirmnewpassword)
Which is wrong. You accepted the birju shah's answer above which is pointing out what i want to say.
Apart from this, i found that you did't use any encryption method, which is extremely wrong. Anyone can hack your password from the database.
You should use Password_verify() and Password_hash() functions to encrypt and decrypt your password. These encryption and decryption are considered most safe now days. You should not use md5 encryption because now days anyone can decrypt md5 algorithm.
Here i have made one tutorial Change password code in PHP. I have covered all the above topics. I Hope that this tutorial will help you.
Cheers,