This question already has an answer here:
Closed 11 years ago.
Possible Duplicate:
fail execute statement with php and mysql
I have this statement taking output out of the database:
function ValidateLogin($user_name, $pass)
{
$user_name=SanitizeString($user_name);
$pass=SanitizeString($pass);
$user_name=mysql_real_escape_string($user_name);
$pass=mysql_real_escape_string($pass);
$salt = 'SHIFLETT';
$password_hash = hash('sha256',$salt.hash('sha256', $pass));
$result=mysql_query("SELECT * FROM users WHERE user_name='$user_name' AND pass='$password_hash' LIMIT 1") or die(mysql_error());
$dataArray=FALSE;
if(mysql_num_rows($result))
{
echo "Login successful".mysql_num_rows($result);
return $dataArray=TRUE;
}
else
{
echo "Login unsuccessful:".mysql_num_rows($result);
}
return $dataArray;
mysql_close();
}
The sanitize function is:
function SanitizeString($var)
{
$var=stripslashes($var);
$var=htmlentities($var, ENT_QUOTES, 'UTF-8');
$var=strip_tags($var);
$var=trim($var);
return $var;
}
Note on the insert I use the same hash algorithm. ... what I get here is always zero:
echo "Login unsuccessful:".mysql_num_rows($result);
Is mysql statement wrong..or is it the hash algorithm? or the sanitizeString function?
UPDATE:
result:
before the $pass is hashed I get this:
string(5) "Mad24"
string(1) "1"
when I insert the name and pass to the database. I get this:
string(5) "Mad24"
string(8) "luckyd55"
Again this is before the pass is hashed on the insert and login of the user. why when I login I get 1?!?!?
\
The login form
echo '
<form action="" method="POST">
<table width="80%" border="1" cellpadding="10" id="navigationBar">
<tr>
<td> Register</td>
<td> Control Panel</td>
<td> Donate </td>
<td align="right">name:<input name="name" type="text" /></td>
<td>password:<input name="pass" type="password" /> <input name="login" type="submit" value="Login" /> </td>
</tr>
</table>
</form>
';
answering to your question in the comments:
You can't improve your site security with hash algorithm.
You can improve your hash/salt usage by creating a different salt for each user, instead of using the same salt for all users.
Related
Sorry I'm a bit of a noob when it comes to PHP but I just wondered if someone had an idea on how I could solve this PHP/SQL problem.
I have a PDO statement that gets all users from a database.
With the array of users from the database I create a foreach loop to display all of the users in a table which I want to use to select a specific user, enter a number in the row of the user I select, then click submit and store the users name and also the number. I will use this information to populate another database later.
My question is, I cant seem to reference the user or the number in the table to extract the user and number I enter. When I try and request the numbered entered in the index.php, it will only ever display a number if I enter a number for a the final user in the table. When I try and view the FullName it never works and I get 'Undefined index: FullName' error.
I also specified to 'POST in the form but it doesnt seem to be doing that.
Does anyone have any ideas?
Thanks
//function.php
function getName($tableName, $conn)
{
try {
$result = $conn->query("SELECT * FROM $tableName");
return ( $result->rowCount() > 0)
? $result
: false;
} catch(Exception $e) {
return false;
}
}
//form.php
<form action "index.php" method "POST" name='form1'>
<table border="1" style="width:600px">
<tr>
<th>Name</th>
<th>Number Entered</th>
<tr/>
<tr>
<?php foreach($users as $user) : ?>
<td width="30%" name="FullName">
<?php echo $user['FullName']; ?>
</td>
<td width="30%">
<input type="int" name="NumberedEntered">
</td>
</tr>
<?php endforeach; ?>
</table>
<input type="submit" value="submit"></td>
</form>
//index.php
$users = getName('users', $conn);
if ( $_REQUEST['NumberedEntered']) {
echo $_REQUEST['NumberedEntered'];
echo $_REQUEST['FullName'];
}
The variable FullName isn't transmitted by your form to index.php. Only values of form elemnts are sent. You can add a hidden form field, that contains FullName like this:
<input type="hidden" name="FullName" value="<?php echo $user['FullName']">
But your second problem is, that your foreach loop will create several input fields with the exact same name. You won't be able to recieve any of the entered numbers, except the last one. have a look at this question for possible solutions.
Update
Putting each row in individual form tags should solve your problem:
<?php foreach($users as $user) : ?>
<form action="index.php" method="POST">
<tr>
<td align="center" width="40%" >
<?php echo $user['FullName']; ?>
<input type="hidden" name="FullName" value="<?php echo $user['FullName']; ?>" />
</td>
<td width="30%">
<input name="NumberedEntered"/>
</td>
<td>
<input type="submit" value="submit"/>
</td>
</tr>
</form>
<?php endforeach; ?>
This question already has answers here:
Is it possible to decrypt MD5 hashes?
(24 answers)
Closed 9 years ago.
How to fetch md5 password from database.
i am making a login form>
i want,when the user is going to login.if the username and password text field is matched with database than use will login.
database..
in database,i store the password with md5().
now how to fetch the password from database.and how to make validation with this.
thanks all
<h1>Login Here</h1>
<form name="f1" action="login.php" method="post">
<table border="1">
<tr><td>username</td><td><input type="text" name="t1"></td></tr>
<tr><td>password</td><td><input type="password" name="t2"></td></tr>
<tr><td><input type="submit" value="login"></td></tr>
</table>
</form>
login.php
<?php
include "db.php";
$user=$_POST['t1'];
$pass=$_POST['t2'];
$result=mysql_query("select * from core where username='$user'")or die(mysql_error());
$row=mysql_fetch_row($result);
?>
<h1>Welcome Mr. <?php echo $user;?></h1>
<table border="1">
<tr><td>Your User-Id :- </td><td><?php echo $row[0];?></td></tr>
<tr><td>Your Username: </td><td><?php echo $row[1];?></td></tr>
<tr><td>your md5 Password: </td><td><?php echo $row[2];?></td></tr>
<tr><td>your Email Id: </td><td><?php echo $row[3];?></td></tr>
</table>
Dont try to decode the password from database and check it with that of user entered input pasword.Instead of that try encoding the user entered password as md5 and check it with that it the database.
There is no way to decrypt MD5. Well, there is, but no reasonable way
to do it. That's kind of the point.
To check if someone is entering the correct password, you need to MD5 whatever the user entered, and see if it matches what you have in the database.
For more you can check in this answer.
So what you can do is like this
if(isset($_POST['t2']) && trim($_POST['t2']) != ''){
$pass = md5(trim($_POST['t2']));
//Do a select query for fetching with the username and $pass and do the rest
}
Hi I'm trying to update a single field from a HTML form, for some reason one of the session variables I am passing to the update query is not being accepted. I have already echoed the variable in the page so am fairly certain it exists in memory.
NB, I know my code is horrifically insecure but I'm learning PHP and once I've got the basics working Ill go over it and bring it upto best practice standards.
E2A: If I do var_dump($filename); before trying to run the query it returns string(6) "356/18", after the query it returns NULL. I'm not unsetting the variable anywhere so where could it be going!
Here is my form:
<form method="post" action="">
<p>Your username is: <?php echo $_SESSION['userid'] ?> Your company ID is: <?php echo $companyid['id']?></p>
<h3>Please enter note for file: <?php echo $filename; ?></h3>
<table width="200" cellpadding="5">
<tr>
<th width="18%" align="right" nowrap>Add Note: </th>
<td width="82%" nowrap>
<input type="text" name="note" />
</td>
</tr>
<tr>
<td colspan="2" width="100%" nowrap>
<input type="submit" value="Submit" name="Submit" />
</td>
</tr>
</table>
</form>
Here is my UPDATE query:
$sql = "UPDATE fields SET Notes = ('".mysql_real_escape_string(stripslashes($_REQUEST['note']))."')
WHERE companyId='".$companyid['id']."' AND fileNumber ='".$filename."'";
if($result = mysql_query($sql)) {
echo "<h1>Thank you</h1>Your information has been entered into our database<br><br>";
echo $sql;
echo $filename;
} else {
echo "ERROR: ".mysql_error();
}
} else {
echoing $sql produces the following:
UPDATE fields SET Notes = ('asdasda') WHERE companyId='11' AND fileNumber =''
and here is the bit where I instantiate the POST vars.
include "header.php";
$checkFiles = "checkFiles.php";
// Catches form input from previous page and stores it into session variable called filename for future reference;
$_SESSION['filename']=$_POST['filename'];
$filename = $_SESSION['filename'];
//User id stuff from previous page too;
$userid = $_SESSION['userid'];
$id = mysql_query("SELECT id FROM users WHERE DXNumber='".$userid."'");
// Returns pointer so fetch it as an array and insert it into variable $companyid for later use;
$companyid = mysql_fetch_array($id);
You need to include session_start() on the top of each file.
Just do:
AND fileNumber ='".$_SESSION[filename]."'";
In your update query.
If that doesn't work, make sure that a value for $_SESSION[filename] is being set.
<h3>Please enter note for file: <?php echo $filename; ?></h3>
Create a input box
<input type="text" name="filename" value="<?php echo $filename; ?>"/>
Then filename value will be pass to $_POST array
<?
require_once('etcore.php');
mysql_connect($dburl,$dbuser,$dbpass) or die(mysql_error());
mysql_select_db("rshost") or die(mysql_error());
$username=strtoupper(clean($_POST['username']));
$password=md5($_POST['password']);
$andover = mysql_query("SELECT * FROM users WHERE usernameupper='$username' AND password='$password'") or die(mysql_error().__LINE__);
$numberofthings = mysql_num_rows($andover) or die(mysql_error().__LINE__);
if ($numberofthings = 1) {
$getit=mysql_fetch_array($andover) or die(mysql_error().__LINE__);
$_SESSION['id'] = $getit['id'];
header('Location: index.php');
}
else {
?>
<h1>Login:</h1>
<img src='http://media.idownloadblog.com/wp-content/uploads/2011/12/Warning.png' width="25" height="25" />
<strong style="color:#F03;">Incorrect Username and/or Password </strong><br>
<form method="POST" action="login.php">
Username: <input name="username" type="text" /><br />
Password: <input name="password" type="password" /><br />
<input name="submit" type="submit" value="Log In!" /><br />
</form>
<? } ?>
This is the code I am using. Whenever I run the code, I get the error "No database selected" on line 7. Any help would be appreciated. Thanks! BTW: Db user, pass and URL are all in the 'etcore.php' file, so it is not a problem there. I have also tried replacing those variables with strings and get the same error.
How about:
mysql_select_db("rshost", mysql_connect($dburl,$dbuser,$dbpass))
or even better:
$handle = mysql_connect($dburl,$dbuser,$dbpass);
mysql_select_db("rshost", $handle);
And maybe for a better knowledge and understanding:
manual page
in the section parameters
so it would be clear why it may OR may not work without using the $handle argument
Give the database privileges. May be you don't have the user permission to access database,
check this
mysql> grant all privileges on Databasename.* to 'username'#'localhost' identified by password
I wrote a simple form from which a user will change his/her name , Facebook Name and image
here is the profile.php code with the form
<!!--edit form--!!>
<div id="edit">
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1"
bgcolor="#CCCCCC">
<tr>
<td>
<table width="100%" border="0" cellpadding="1" cellspacing="1"bgcolor="#FFFFFF">
<tr>
<form method="POST" action="save_profile.php">
<td colspan="3"><strong>Username<br><? echo $row['session'];?></strong></td>
<td colspan="3"><strong>Name</strong><input type="text" name="name" id="name"
value="<? echo $row['name'];?>"/><br></td>
<td colspan="3"><strong>Facebook</strong><input type="text" name="fb" id="fb" value="<? echo $row['facebook'];?>"/></td>
<td colspan="3"><strong>Image</strong><input type="text" name="img" id="img" value="<? echo $row['img'];?>"/></td>
<input type="hidden" name="pros" />
<input type="submit" value="Save" />
</form>
and this is the save_profile.php
<?
include"sp-includes/sp-config2.php";
$resultz = mysql_query($slctq);
while($rowqw = mysql_fetch_array($resultz, MYSQL_ASSOC))
{
if($_POST['pros']){
$name=$_POST['name'];
$fb=$_POST['fb'];
$img=$_POST['img'];
$do =mysql_query("UPDATE profile SET name='$name', facebook='$fb', img='$img' WHERE id='$rowqw[id]'");
}
echo $rowqw['id'];
}
?>
I dont Know where i am wrong..
First of all, PLEASE SANITIZE YOUR QUERIES. Your query is completely open for exploitation right now and that might entirely be the reason why it fails.
Write your query like this:
mysql_query('UPDATE profile SET name="'.mysql_real_escape_string($name).'", facebook="'.mysql_real_escape_string($fb).'", img="'.mysql_real_escape_string($img).'" WHERE id="'.mysql_real_escape_string($rowqw['id']).'";');
Also, note that the rowqw index should be written as 'id' instead of id.
The problems with your code:
You are not checking for errors. Use mysql_error().
You are not checking your input (if it's valid or not). You should be binding parameters or escaping with mysql_real_escape_string.
Put the query in a separate string. Something like $query = "UPDATE ..."; $do = mysql_query($query);. It is useful for debugging. You know what the exact query you are sending is.
You are using $rowq[id] the wrong way. When in a string you either use the . notation, you concatenate multiple strings; or you enclose it in {$rowq[id]}.
When you do all this, you'll solve the problems yourself. Read the docs too.
Change the code to
$do = mysql_query("UPDATE profile SET name = '$name', facebook = '$fb', img = '$img' WHERE id = '$rowqw[id]'");