Jump to content

Creating a log in(I am a beginner)

novella

By novella
in PHP Coding Help

 Share

Recommended Posts

MMDE Member

MMDE

Posted
Posted

Why did you upload two?

 

Only difference is this:

		  $user = $_POST['user'];
	  $password = $_POST['password'];

		  $getuser = $_POST['user'];
	  $getpassword = $_POST['password'];

Both codes then checks for:

			if ($user){

Which in one case is not set. You then later in both scripts use:

					$query = mysql_query("SELECT * FROM users WHERE username='$getuser'");

^ $getuser

 

could this be the error?

Link to comment
Share on other sites
novella Newbie

novella

Posted
  • Author
Posted

Why did you upload two?

 

Only difference is this:

		  $user = $_POST['user'];
	  $password = $_POST['password'];

		  $getuser = $_POST['user'];
	  $getpassword = $_POST['password'];

Both codes then checks for:

			if ($user){

Which in one case is not set. You then later in both scripts use:

					$query = mysql_query("SELECT * FROM users WHERE username='$getuser'");

^ $getuser

 

could this be the error?

 

My fault, it should be only one file. Sorry for that!

 

The error has to be somewhere around that code but it shows the same info if i just write:

 

					$query = mysql_query("SELECT * FROM users WHERE username='$user'");

 

 

 

Check if everything is right here:

$query = mysql_query("SELECT * FROM users WHERE username='$getuser'");
				$numrows = mysql_num_rows($query);
				if ($numrows == 1){
					$row = mysql_fetch_assoc($query);
					$dbid = $row['id'];
					$dbuser = $row['username'];
					$dbpass = $row['password'];
					$dbactive = $row['active'];

 

Thank you for taking the time!

 

 

Link to comment
Share on other sites
MMDE Member

MMDE

Posted
Posted

Why did you upload two?

 

Only difference is this:

		  $user = $_POST['user'];
	  $password = $_POST['password'];

		  $getuser = $_POST['user'];
	  $getpassword = $_POST['password'];

Both codes then checks for:

			if ($user){

Which in one case is not set. You then later in both scripts use:

					$query = mysql_query("SELECT * FROM users WHERE username='$getuser'");

^ $getuser

 

could this be the error?

 

My fault, it should be only one file. Sorry for that!

 

The error has to be somewhere around that code but it shows the same info if i just write:

 

					$query = mysql_query("SELECT * FROM users WHERE username='$user'");

 

 

 

Check if everything is right here:

$query = mysql_query("SELECT * FROM users WHERE username='$getuser'");
				$numrows = mysql_num_rows($query);
				if ($numrows == 1){
					$row = mysql_fetch_assoc($query);
					$dbid = $row['id'];
					$dbuser = $row['username'];
					$dbpass = $row['password'];
					$dbactive = $row['active'];

 

Thank you for taking the time!

Yes, that seems correct. As I said in my earlier post, you got some logical errors you need to sort out, because it's not sure $getuser is set.

Try to turn on error reporting at the start of the file:

error_reporting(E_ALL);

and do this to your mysql_query:

$query = mysql_query("SELECT * FROM users WHERE username='$getuser'") or die(mysql_error());

Also make sure you sanitize the $getuser string.

Link to comment
Share on other sites
xyph Advanced Member

xyph

Posted
Posted

Check out the article in my signature. I think it's still a little above your knowledge of PHP, but it's a great resource and gives advice on doing everything the secure way.

 

You're off to a great start though. Rather than use md5(md5(password)), you should use md5(md5(password).password). As it is, you're limiting your first digest (return value from MD5) to always be 128-bit, so your second digest will always be based on the same length input. In cryptography, this is a bad thing. Adding the password on to the end means your second digest will be made using a variable-length input.

 

It's okay if you don't quite understand the above. Security is a VERY complex topic, and developers are better off using something an expert has made, rather than trying to implement their own. I'm definitely not discouraging you from continuing scripts like the one you have above, I'm advising you to use them educationally, rather than in a production environment :)

Link to comment
Share on other sites
novella Newbie

novella

Posted
  • Author
Posted

Check out the article in my signature. I think it's still a little above your knowledge of PHP, but it's a great resource and gives advice on doing everything the secure way.

 

You're off to a great start though. Rather than use md5(md5(password)), you should use md5(md5(password).password). As it is, you're limiting your first digest (return value from MD5) to always be 128-bit, so your second digest will always be based on the same length input. In cryptography, this is a bad thing. Adding the password on to the end means your second digest will be made using a variable-length input.

 

It's okay if you don't quite understand the above. Security is a VERY complex topic, and developers are better off using something an expert has made, rather than trying to implement their own. I'm definitely not discouraging you from continuing scripts like the one you have above, I'm advising you to use them educationally, rather than in a production environment :)

 

Thank you so much for your answer.

You are absolutely right, I did start working in php last week, so I am really new at this.

But it´s so interesting! I truly want to be good at this.

 

I did fix the problem but now i got a new one :)

 

I´m trying to make a registration email with a activation-code that fills itself out on the activation.php,

but every time I test it, the code shows up with a random number after the activation-code.

 

It would be nice if you could take a peek at it:

 

<?php

error_reporting (E_ALL ^ E_NOTICE);

?>
<html xmins="http://www.w3.org/1999/xhtml">
<head>
      <meta http-equiv="content-type" content="text/html; charset=utf-8" />
      <title>Medlemsystem - Medlemmar</title>
</head>
<body>
<?php



if ( $_POST['registerbtn'] ){
$getuser = $_POST['user'];
$getemail = $_POST['email'];
$getpass = $_POST['pass'];
$getretypepass = $_POST['retypepass'];

if ($getuser){
	if ($getemail){
		if ($getpass){
			if ($getretypepass){
				if ($getpass === $getretypepass){
					if ( (strlen($getemail) >= 7) && (strstr($getemail, "@")) && (strstr($getemail, ".")) ){
						require("./connect.php");

						$query = mysql_query("SELECT * FROM users WHERE username='$getuser'");
						$numrows = mysql_num_rows($query);
						if ($numrows == 0){
							$query = mysql_query("SELECT * FROM users WHERE email='$getemail'");
							$numrows = mysql_num_rows($query);
							if ($numrows == 0){

								$password = md5(md5("kjfiufj".$password."fj56fj"));
								$date = date("F d, Y");
								$code = md5(rand());

								mysql_query("INSERT INTO users VALUES (
									'', '$getuser', '$password', '$getemail', '0', '$code', '$date'
								)");

								$query = mysql_query("SELECT * FROM users WHERE username='$getuser'");
								$numrows = mysql_num_rows($query);
								if ($numrows == 1){


									$site = "http://labs.rockheart.se/joakimforsberg";
									$webmaster = "joakimforsberg <joakimerikforsberg@gmail.com>";
									$headers = "From: $webmaster";
									$subject = "Aktivera Ditt Konto";
									$message = "Tack för din registrering. Klicka på länken här under för att aktivera ditt konto.\n\n";
									$message .= "$site/activate.php?user=$getuser&code=$code \n";
									$message .= "Du måste aktivera ditt konto för att logga in.";

									if ( mail($getemail, $subject, $message, $headers) ){
										$errormsg = "Du har blivit registrerad. Du måste aktivera kontot från aktiveringslänken som sändes till <b>$getemail</b>";
										$getuser = "";
										$getemail = "";
									}
									else
										$errormsg = "Ett fel har uppstått.Ditt aktiveringsmeddelande har ej blivit sänt.";

								}
								else
									$errormsg = "Ett fel har uppstått. Ditt konto har ej skapats.";

							}
							else
								$errormsg = "Det finns redan en användare med denna e-post.";
						}
						else
							$errormsg = "Det finns redan en användare med detta användarnamn.";

						mysql_close();
					}
					else
						$errormsg = "Du måste ange en giltig e-postadress.";
				}
				else
					$errormsg = "Dina l&oulm;senord matchade ej.";
			}
			else
				$errormsg = "Du måste repetera l&oulm;senordet f&oulm;r att bli registrerad.";
		}
		else
			$errormsg = "Du måste ange ett l&oulm;senord f&oulm;r att bli registrerad.";
	}
	else
		$errormsg = "Du måste ange din e-postadress för att bli registrerad.";
}
else
	$errormsg = "Du måste ange ditt användarnamn för att bli registrerad.";

}

$form = "<form action='./register.php' method='post'>
<table>
<tr>
<td></td>
<td><font color='red'>$errormsg</font></td>
</tr>
<tr>
<td>Användarnamn:</td>
<td><input type='text' name='user' value='$getuser'/></td>
</tr>
<tr>
<td>E-post:</td>
<td><input type='text' name='email' value='$getemail'/></td>
</tr>
<tr>
<td>Lösenord:</td>
<td><input type='password' name='pass' value=''/></td>
</tr>
<tr>
<td>Upprepa lösenord:</td>
<td><input type='password' name='retypepass' value=''/></td>
</tr>
<tr>
<td></td>
<td><input type='submit' name='registerbtn' value='Registrera'/></td>
</tr>
</table>
</form>";


echo $form;


?>
</body>
</html>

 

Thanks for taking the time.

Link to comment
Share on other sites
xyph Advanced Member

xyph

Posted
Posted

Now now, one step at a time!

 

As it is, an attacker could mess around with your database!

 

What happens when you use the following for both the username or email anything' OR '1'='1 ? What about just '? Odd behaviour?

Link to comment
Share on other sites
novella Newbie

novella

Posted
  • Author
Posted

Now now, one step at a time!

 

As it is, an attacker could mess around with your database!

 

What happens when you use the following for both the username or email anything' OR '1'='1 ? What about just '? Odd behaviour?

 

I´m sorry, I do not understand.

 

Where am I suppose to write that?

 

at this line?

$query = mysql_query("SELECT * FROM users WHERE username='$user'");

 

:confused:

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.