Menu
Community /Pin to ProfileBookmark
@NogDogJul 24.2013 — #I don't see a session_start() anywhere?
Also, do you realize that Bill O'Reilly, Billy Bob Thornton, and Chris Evert-Lloyd would (silently) have their names changed to Bill OReilly, BillyBob Thornton, and Chris EvertLloyd when entered into your database? Is that really desirable/needed? @NogDogJul 24.2013 — #So when you say it's not working, what are the exact symptoms? Are you getting the "The information your provided is not correct" message, or is it something else? For debugging purposes, it's often useful to output the actual query being used, e.g.:
@NogDogJul 24.2013 — #No, you don't want to escape the entire query string, as then you'd be escaping the quotes you want to be actual quotes (and whatever else it escapes).
However, what we [i]really[/i] should be doing here is using MySQL[b]i[/b] (or PDO) and making use of prepared statements with bound parameters.
No more messing around with various "escape" functions. ?
Login form not working? sha1 problem?
I don’t know what exactly the problem is here, but I’m using xampp to run these scripts… it connects to the server, inputs the information just fine into the database with the registration script and everything works fine in these php codes except that after I run this php code to register:
[CODE]
<?php include_once(“scripts/global.php”);
$message = ”;
if(isset($_POST[‘username’])){
$username = $_POST[‘username’];
$fname = $_POST[‘fname’];
$lname = $_POST[‘lname’];
$email = $_POST[’email’];
$pass1 = $_POST[‘pass1’];
$pass2 = $_POST[‘pass2’];
//error handling
if((!$username)||(!$fname)||(!$lname)||(!$email)||(!$pass1)||(!$pass2)){
$message = ‘Please insert all fields in the form below’;
}else{
if($pass1 != $pass2){
$message = ‘Your passwords must match!’;
}else{
//securing the data
$username = preg_replace(“#[^0-9a-z]#i”,””,$username);
$fname = preg_replace(“#[^0-9a-z]#i”,””,$fname);
$lname = preg_replace(“#[^0-9a-z]#i”,””,$lname);
$pass1 = sha1($pass1);
$email = mysql_real_escape_string($email);
//check for duplicates
$user_query = mysql_query(“SELECT username FROM members WHERE username=’$username’ LIMIT 1”) or die(“Could not check username”);
$count_username = mysql_num_rows($user_query);
$email_query = mysql_query(“SELECT email FROM members WHERE email=’$email’ LIMIT 1”) or die(“Could not check email”);
$count_email = mysql_num_rows($email_query);
if($count_username > 0){
$message = ‘Your username is already in use’;
}else if($count_email > 0){
$message = ‘Your email is already in use’;
}else{
//insert members
$ip_address = $_SERVER[‘REMOTE_ADDR’];
$query = mysql_query(“INSERT INTO members (username, firstname, lastname, email, password, ip_address, sign_up_date)VALUES (‘$username’,’$fname’,’$lname’,’$email’,’$pass1′,’$ip_address’,now())”) or die(“Could not insert your information”);
$member_id = mysql_insert_id();
mkdir(‘users/’.$member_id,0755);
$message = ‘You have now been registered!’;
}
}
}
}
?>
I used this code to enable logins but it keeps coming back with “The information your provided is not correct” when i try to login.. I used the same information logging in as I did to register… not sure what’s wrong
[CODE]
<?php include_once(“scripts/global.php”);
$message = ”;
if(isset($_POST[’email’])){
$email=$_POST[’email’];
$pass=$_POST[‘pass’];
$remember=$_POST[‘remember’];
//error handling
if((!$email)||(!$pass)){
$message = ‘Please enter both email and password fields!’;
}else{
//secure data
$email = mysql_real_escape_string($email);
$pass = sha1($pass);
$query = mysql_query(“SELECT * FROM members WHERE email=’$email’ AND password=’$pass’ LIMIT 1”) or die (‘Could not check.’);
$count_query = mysql_num_rows($query);
if ($count_query == 0){
$message = “The information your provided is not correct”;
}else{
//start the session
$_SESSION[‘pass’] = $pass;
while($row = mysql_fetch_array($query)){
$username = $_row[‘username’];
$id = $_row[‘id’];
}
$_SESSION[‘username’] = $username;
$_SESSION[‘id’] = $id;
if($remember == ‘yes’){
//create cookies
setcookie(‘id_cookie’, $id, time()+60*60*24*100,”/”);
setcookie(‘pass_cookie’, $pass, time()+60*60*24*100,”/”);
}
header(‘Location: home.php’);
}
}
}
?>
Sign in
to post a comment12 Comments(s) ↴
0
@NogDogJul 24.2013 — #Also, do you realize that Bill O'Reilly, Billy Bob Thornton, and Chris Evert-Lloyd would (silently) have their names changed to Bill OReilly, BillyBob Thornton, and Chris EvertLloyd when entered into your database? Is that really desirable/needed?
0
@NogDogJul 24.2013 — #So when you say it's not working, what are the exact symptoms? Are you getting the "The information your provided is not correct" message, or is it something else? For debugging purposes, it's often useful to output the actual query being used, e.g.:[code=php]
}else{
//secure data
$email = mysql_real_escape_string($email);
$pass = sha1($pass);
// put the query into a variable first:
$sql = "SELECT * FROM members WHERE email='$email' AND password='$pass' LIMIT 1";
$query = mysql_query($sql) or die ('Could not check.');
$count_query = mysql_num_rows($query);
if ($count_query == 0){
$message = "The information your provided is not correct";
// debug only, delete this or change to error_log() later:
die("<pre>$sql</pre>"); // now we can see what we sent to the DB
// end debug
}else{
[/code]0
@NogDogJul 24.2013 — #No, you don't want to escape the entire query string, as then you'd be escaping the quotes you want to be actual quotes (and whatever else it escapes).However, what we [i]really[/i] should be doing here is using MySQL[b]i[/b] (or PDO) and making use of prepared statements with bound parameters.
[code=php]
$pdo = new PDO($dsn, $dbUser, $dpPass);
$sql = $sql = "SELECT * FROM members WHERE email=:email AND password=:password LIMIT 1";
$stmt = $pdo->prepare($sql);
if($stmt == false) {
throw new Exception($pdo->errorInfo());
}
$stmt->bindParam(':email', $email);
$stmt->bindParam(':password', $pass);
if($stmt->exec() == false) {
throw new Exception($stmt->errorInfo());
}
[/code]No more messing around with various "escape" functions. ?