Re: [PHP] Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
On Fri, 2010-02-19 at 00:30 -0800, David Hutto wrote:

> The following script is supposed to validate a username and password in a mysql db. When entering the username and password of a preregistered user, I get the following errors:
>
> Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/login.php on line 24
>
> Warning: Cannot modify header information - headers already sent by (output started at /var/www/login.php:24) in /var/www/login.php on line 26
>
> On line 24 is:
>
> if(!mysql_num_rows($login)) //if the username and pass are wrong
>
> --The supplied argument is $login, which is previously defined as:
>
> $login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND `pass` = '$pass`");
>
> --which is further defined above it as these values:
>
> $user = $_POST['user']; //pulls the username from the form
> $pw = $_POST['pass']; //pulls the pass from the form
> $pass = md5($pw); //makes our password an md
>
> So why is the sum of those previous definitions an invalid argument for the mysql_query() to test for whether the username and md5 password values are true/equivalent to each other?
>
> Thanks for any help you may be able to provide, below is the full login.php page.
>
> David
>
> This is the full login.php script, I'm pretty sure no other portions are needed to show at this point for the current problem:
>
> <?php
> $act = $_GET['act']; //retrieves the page action
> if(empty($act)) //if there is no action
> {
>   echo('<form action="login.php?act=auth" method="post" name="loginform" id="loginform">
>   <p>Username <input type="text" name="user"> </p>
>   <p>Password <input type="password" name="pass"> </p>
>   <p> <input type="submit" name="Submit" value="Login"> </p>
>   </form>');
> }
> elseif($act == "auth") //if our page action = auth
> {
>   $user = $_POST['user']; //pulls the username from the form
>   $pw = $_POST['pass']; //pulls the pass from the form
>   $pass = md5($pw); //makes our password an md5
>   include("connect.php"); //connects to our mysql database
>   $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`"); //selects info from our table if the row has the same user and pass that our form does
>   if(!mysql_num_rows($login)) //if the username and pass are wrong
>   {
>     header("Location: login.php"); //redirects to our login page
>     die(); //stops the page from going any further
>   }
>   else
>   {
>     setcookie("user", $user, time()+3600); //sets our user cookie
>     setcookie("pass", $pass, time()+3600); //sets our pass cookie
>     header("Location: memprar.php"); //instead of yourpage.php it would be your protected page
>   }
> }
> ?>

First, please create a new email when sending to the list and don't just reply to the last one, as those of us with email clients that group by threads get confused when the subject line appears to change mid-thread!

On to your question, you've got an error with your query, so it will never work:

SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass` // change that last back tick after $pass!

Lastly; protect your queries! That $user variable is open to injection. Replacing it with something like

$user = mysql_real_escape_string($_POST['user']);

Your $pass is protected (I believe) because of what you're doing with the hash, but I'm not an expert in these things, so it could be that this may not be enough.

Thanks,
Ash
http://www.ashleysheridan.co.uk
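The difference between splicing $user into the query text and binding it as a parameter, as an added example that is not part of the original messages. It assumes PDO with an in-memory SQLite database in place of the thread's mysql_* connection; the table follows the thread, while the function names, the stored row and the four inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. PDO with an in-memory SQLite
// database stands in for the MySQL connection; the row and the inputs
// below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userinfo (`user` TEXT PRIMARY KEY, `pass` TEXT NOT NULL)');
$db->prepare('INSERT INTO userinfo (`user`, `pass`) VALUES (?, ?)')
   ->execute(['alice', md5('correct horse')]); // md5 only to mirror the thread

/** Builds the query the way login.php does: input spliced into the SQL text. */
function loginConcatenated(PDO $db, string $user, string $pw): string
{
    $pass = md5($pw); // 32 hex characters, so this value cannot carry a quote
    $sql  = "SELECT `user` FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass'";
    try {
        return count($db->query($sql)->fetchAll(PDO::FETCH_COLUMN)) . ' row(s)';
    } catch (PDOException $e) {
        // The statement did not parse, so there is no result set to count:
        // the same situation that makes mysql_num_rows() warn in the thread.
        return 'query failed';
    }
}

/** Same check with bound parameters: input never becomes part of the SQL text. */
function loginPrepared(PDO $db, string $user, string $pw): string
{
    $stmt = $db->prepare(
        'SELECT `user` FROM `userinfo` WHERE `user` = :user AND `pass` = :pass'
    );
    $stmt->execute([':user' => $user, ':pass' => md5($pw)]);
    return count($stmt->fetchAll(PDO::FETCH_COLUMN)) . ' row(s)';
}

// Constructed inputs: label, submitted username, submitted password.
$cases = [
    ['valid login',            'alice',     'correct horse'],
    ['wrong password',         'alice',     'nope'],
    ['apostrophe in username', "o'brien",   'nope'],
    ['quote plus SQL comment', "alice' --", 'nope'],
];

printf("%-26s %-14s %s\n", 'input', 'concatenated', 'prepared');
foreach ($cases as [$label, $user, $pw]) {
    printf(
        "%-26s %-14s %s\n",
        $label,
        loginConcatenated($db, $user, $pw),
        loginPrepared($db, $user, $pw)
    );
}
```

For the last two inputs the concatenated query either fails to parse or no longer checks the password, while the prepared statement simply finds no matching row.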
Re: [PHP] Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
--- On Fri, 2/19/10, Ashley Sheridan a...@ashleysheridan.co.uk wrote:

From: Ashley Sheridan a...@ashleysheridan.co.uk
Subject: Re: [PHP] Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
To: David Hutto dwightdhu...@yahoo.com
Cc: php-general@lists.php.net
Date: Friday, February 19, 2010, 5:34 AM

> First, please create a new email when sending to the list and don't just reply to the last one, as those of us with email clients that group by threads get confused when the subject line appears to change mid-thread!
>
> On to your question, you've got an error with your query, so it will never work:
>
> SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass` // change that last back tick after $pass!
>
> Lastly; protect your queries! That $user variable is open to injection. Replacing it with something like
>
> $user = mysql_real_escape_string($_POST['user']);
>
> Your $pass is protected (I believe) because of what you're doing with the hash, but I'm not an expert in these things, so it could be that this may not be enough.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk

Apologies for hijacking the thread, I hit reply all in a randomly picked email and deleted the info/subject line, guess that doesn't work.

Thanks for the advice, it's almost working right, all things considered.

David
Re: [PHP] Login script problem
On Jan 5, 2008 11:50 AM, Reese [EMAIL PROTECTED] wrote:
> Daniel Brown wrote:
> > Do you expect the value of $key in this condition to be a literal zero?
> >
> > $twoyears = array('alphanumeric_code1', 'alphanumeric_code2', 'alphanumeric_code3',
> >     'alphanumeric_code4', 'alphanumeric_code5', 'alphanumeric_code6', 'alphanumeric_code7');
> > $key = in_array($sPromocode,$twoyears);
> > if($key=='0')
>
> I changed if($key=='0') to if(!isset($key=='1')) to see what effect that change might make, the server threw an error so I set it back to its original state:
>
> Parse error: parse error, unexpected T_IS_EQUAL, expecting ',' or ')' in /[PATH]/login.php on line 16

That's because isset() isn't able to eval() an expression. Remove the !isset() part, or the =='1' part and that will remove the parse error.

--
Daniel P. Brown
[Phone Numbers Go Here!]
[They're Hidden From View!]

If at first you don't succeed, stick to what you know best so that you can make enough money to pay someone else to do it for you.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Login script problem
Daniel Brown wrote:
> > if(!isset($key=='1')) //caused parse error
>
> That's because isset() isn't able to eval() an expression.

Got it, I see the mistake now.

> Remove the !isset() part, or the =='1' part and that will remove the parse error.

I changed it to if(!isset($key)) and you were right, the parse error went away. This change seems to have no effect on access code logins (I'm able to log in, as expected) or IP-authenticated logins (I still cannot log in, even though my IP is in the MySQL db).

Reese
Re: [PHP] Login script problem
On Jan 4, 2008 9:54 AM, Reese [EMAIL PROTECTED] wrote:
> Greetings,
>
> I've been lurking for several weeks, I thought I'd post to describe a problem I've been having in the hope that a solution can be found. And my thanks to Casey, for his offlist assistance with another, unrelated issue earlier this week. :-)

[snip=all]

Reese,

While I noticed several areas for improvement in the code (such as being sure to exit; after calling header("Location: "); ), two things primarily come to mind:

Do you expect the value of $key in this condition to be a literal zero?

$twoyears = array('alphanumeric_code1', 'alphanumeric_code2', 'alphanumeric_code3',
    'alphanumeric_code4', 'alphanumeric_code5', 'alphanumeric_code6', 'alphanumeric_code7');
$key = in_array($sPromocode,$twoyears);
if($key=='0')

Also, what about ISPs such as AOHell who use fully-dynamic IP proxies that change on location, at time intervals, and are interspersed with random changes? Even putting that into a range won't help, as it's likely the IP will only have the network prefix (and perhaps the same Class B slot).

--
Daniel P. Brown
[Phone Numbers Go Here!]
[They're Hidden From View!]

If at first you don't succeed, stick to what you know best so that you can make enough money to pay someone else to do it for you.
Re: [PHP] Login script problem
Web Design Company wrote:
> Someone?

Me31!1!1ONE

Please, if you do not need amplifying information or if you do not intend to pose a suggestion, it is better to remain silent. I wasn't helped by your "Someone?" post, no one else was either.

Reese
Re: [PHP] Login script problem
Someone?

-
http://ooyes.net Web design company | http://ooyes.net Graphic design company | http://ooyes.net Outsourcing company
--
View this message in context: http://www.nabble.com/Login-script-problem-tp14618073p14618942.html
Sent from the PHP - General mailing list archive at Nabble.com.
Re: [PHP] Login script problem
Daniel Brown wrote:
> [snip=all]
>
> Reese,
>
> While I noticed several areas for improvement in the code (such as being sure to exit; after calling header("Location: "); ), two things primarily come to mind:
>
> Do you expect the value of $key in this condition to be a literal zero?
>
> $twoyears = array('alphanumeric_code1', 'alphanumeric_code2', 'alphanumeric_code3',
>     'alphanumeric_code4', 'alphanumeric_code5', 'alphanumeric_code6', 'alphanumeric_code7');
> $key = in_array($sPromocode,$twoyears);
> if($key=='0')

No, it should either be 1 if set or NULL(?) if not set, there is nothing to set that value to 0 - only this check to see if it is == to 0. Is this another area, like the one Casey helped with earlier, where '!empty' was being used instead of 'isset'?

The programmer is aware that improvement is possible and we've had some discussions in that regard, but owing to this being a "for a friend" item and his currently declared job demands, either he is truly swamped or he is brushing me off. I'm willing to give him benefit of the doubt, until I'm confronted with evidence to the contrary.

> Also, what about ISPs such as AOHell who use fully-dynamic IP proxies that change on location, at time intervals, and are interspersed with random changes? Even putting that into a range won't help, as it's likely the IP will only have the network prefix (and perhaps the same Class B slot).

That's an area where I left detail out, my apologies. The dual login mechanisms are geared towards accommodating this, AOHell users will tend to be individual entities and the 'access code' mechanism is geared towards them. Meanwhile, entities with static, assigned IP addresses such as libraries on city networks are meant to be given IP-based access, hence the other login validation method (which isn't working quite right).

Reese
Re: [PHP] Login script problem
On Jan 4, 2008 11:55 AM, Reese [EMAIL PROTECTED] wrote:
> Web Design Company wrote:
> > Someone?
>
> Me31!1!1ONE
>
> Please, if you do not need amplifying information or if you do not intend to pose a suggestion, it is better to remain silent. I wasn't helped by your "Someone?" post, no one else was either.

It's just some jackass who's replying to random posts to SPAM the links in his/her signature, I'm sure. Ridiculous posts have been made in other threads from Web Design Company as well.

--
Daniel P. Brown
[Phone Numbers Go Here!]
[They're Hidden From View!]

If at first you don't succeed, stick to what you know best so that you can make enough money to pay someone else to do it for you.
Re: [PHP] Login script login
----- Original Message -----
From: Dave Carrera [EMAIL PROTECTED]

> Hi All,
>
> Having a grey brain moment here and need some advice on the logic of this, should be simple, login script.
>
> I am checking validity of
>
> customer number
> customer email
> customer password (md5 in mysql)
>
> So i have my form with relevant fields
>
> Now i am getting problems with either sql or how i am handling, and showing, and errors.
>
> I think what i am asking is this
>
> If someone just hits the login button show error All fields must be entered
> If customer number does not exist show relevant error
> If customer number ok but email not show error
> If customer number ok but email ok but password is not show error

In login scripts you usually don't tell which part of the login is wrong, otherwise, you are hinting at what is right. Once the customer is logged in, you are right to be as helpful as possible, but until the customer proves who he/she is, you don't give away anything.

Satyam

> If all is ok set sessions, got this ok, and proceed.
>
> Any help with this is very much appreciated.
>
> Kind Regards
> Dave C
Re: [PHP] Login script login
Dave Carrera wrote:
> Hi All,
>
> Having a grey brain moment here and need some advice on the logic of this, should be simple, login script.
>
> I am checking validity of
>
> customer number
> customer email
> customer password (md5 in mysql)
>
> So i have my form with relevant fields
>
> Now i am getting problems with either sql or how i am handling, and showing, and errors.
>
> I think what i am asking is this
>
> If someone just hits the login button show error All fields must be entered
> If customer number does not exist show relevant error
> If customer number ok but email not show error
> If customer number ok but email ok but password is not show error
> If all is ok set sessions, got this ok, and proceed.
>
> Any help with this is very much appreciated.
>
> Kind Regards
> Dave C

I'm not totally clear what the question was in there. Personally I keep this simple...

<?php
$_POST['number'] = (isset($_POST['number']) ? trim($_POST['number']) : '');
$_POST['email'] = (isset($_POST['email']) ? trim($_POST['email']) : '');

if (empty($_POST['number']) or empty($_POST['email']) or empty($_POST['password']))
{
    die('All fields must be entered');
}

// Find the customer/user/whatever you need from the given details

if (not found)
{
    die('Unable to locate customer/user/whatever');
}

// Set up the session here, or however you're tracking the
// current customer/user/whatever

header('Location: /somewhere_else');
?>

Hope that helps.

-Stut
Re: [PHP] Login script login
Hi Stut,

I think i have found where i am going wrong.

It's in the comparison login for the db result.

So i select * from jfjfjfjf where custno=$_POST[number]

But now i am getting messed up with if cust no not found then all i get is a blank page but hoping for an error

And i don't think i am comparing the db result with the $_POST correctly

Struggling here a bit :-(

Dave C
Re: [PHP] Login script login
On p, 2007-02-02 at 12:10 +, Dave Carrera wrote:
> Hi Stut,
>
> I think i have found where i am going wrong.
>
> It's in the comparison login for the db result.
>
> So i select * from jfjfjfjf where custno=$_POST[number]
>
> But now i am getting messed up with if cust no not found then all i get is a blank page but hoping for an error

because you get an empty result set if no match is found

so check it like

if ($row = mysql_fetch_array($result)) {
    // ok, found
} else {
    // not found, error
}

or whatever sql you use

hope that helps
Zoltán Németh

> And i don't think i am comparing the db result with the $_POST correctly
>
> Struggling here a bit :-(
>
> Dave C
Re: [PHP] Login script login
Stut wrote:
> I'm not totally clear what the question was in there. Personally I keep this simple...
>
> <?php
> $_POST['number'] = (isset($_POST['number']) ? trim($_POST['number']) : '');
> $_POST['email'] = (isset($_POST['email']) ? trim($_POST['email']) : '');
>
> if (empty($_POST['number']) or empty($_POST['email']) or empty($_POST['password']))
> {
>     die('All fields must be entered');
> }
>
> // Find the customer/user/whatever you need from the given details
>
> if (not found)
> {
>     die('Unable to locate customer/user/whatever');
> }
>
> // Set up the session here, or however you're tracking the
> // current customer/user/whatever
>
> header('Location: /somewhere_else');
> ?>
>
> Hope that helps.
>
> -Stut

be aware that you need a session_write_close(); before header('Location... or the session data might not be written to disk!

just my 2 cent

--
View this message in context: http://www.nabble.com/Login-script-login-tf3160341.html#a8766588
Sent from the PHP - General mailing list archive at Nabble.com.
Re: [PHP] Login script login
On Fri, February 2, 2007 5:19 am, Dave Carrera wrote:
> Having a grey brain moment here and need some advice on the logic of this, should be simple, login script.
>
> I am checking validity of
>
> customer number
> customer email
> customer password (md5 in mysql)
>
> So i have my form with relevant fields
>
> Now i am getting problems with either sql or how i am handling, and showing, and errors.
>
> I think what i am asking is this
>
> If someone just hits the login button show error All fields must be entered

$messages = array(); // error messages to display; empty means the login is good

$customer_number = (int) (isset($_POST['customer_number']) ? $_POST['customer_number'] : 0);
$customer_email = isset($_POST['customer_email']) ? $_POST['customer_email'] : '';
$customer_password = isset($_POST['customer_password']) ? $_POST['customer_password'] : '';

if (!$customer_number || !strlen($customer_email) || !strlen($customer_password)){
  $messages[] = "All fields are required";
}
else{
  // escape every value before it goes into the query text
  $customer_number_sql = mysql_real_escape_string($customer_number);
  $customer_email_sql = mysql_real_escape_string($customer_email);
  $customer_password_sql = mysql_real_escape_string($customer_password);
  // let the database report which of the two comparisons matched
  $query = "select ";
  $query .= " email = '$customer_email_sql' as email_ok ";
  $query .= " , password = md5('$customer_password_sql') as password_ok ";
  $query .= " FROM customer ";
  $query .= " WHERE customer_number = $customer_number_sql ";
  $customer_info = mysql_query($query) or die(mysql_error());
  if (!mysql_num_rows($customer_info)){
    $messages[] = "Invalid Customer Number";
  }
  else{
    list($email_ok, $password_ok) = mysql_fetch_row($customer_info);
    if (!$email_ok) $messages[] = "Invalid Email";
    elseif (!$password_ok) $messages[] = "Invalid Password";
  }
}

if (count($messages)) echo "<div class=\"error\"><p>", implode("</p>\n<p>", $messages), "</p></div>\n";
else require 'proceed.inc';

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
Re: [PHP] Login script login
On Fri, February 2, 2007 5:33 am, Satyam wrote:
> In login scripts you usually don't tell which part of the login is wrong, otherwise, you are hinting at what is right. Once the customer is logged in, you are right to be as helpful as possible, but until the customer proves who he/she is, you don't give away anything.

Satyam is correct: It's more secure to not indicate when the username was incorrect differently from an incorrect password.

But it's definitely also (very much) less user-friendly.

For example, in seldom-used applications where the user is very likely to forget their username, such as 99% of the stupid websites that require me to register for something that needs no security in the first place, it's a royal pain in the ass. :-)

You have to balance Security against Usability and make an informed intelligent decision.

I also wondered why you have an ID number that somebody is supposed to remember, and an email, when either one should be sufficient for most applications, but it was easier to type out an answer than to get you to re-think your design decisions. :-)

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
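One way to apply the advice discussed in this thread (one message for every failed login, with the specific reason kept server-side), as an added example that is not code from any of the posters. It assumes PDO with an in-memory SQLite database, and it uses PHP's password_hash()/password_verify() in place of the thread's md5(); the table layout, function names, sample customer and inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Sample customer and inputs are constructed.
const GENERIC_FAILURE = 'Login failed. Check your customer number, email and password.';

function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE customer (
        customer_number INTEGER PRIMARY KEY,
        email           TEXT NOT NULL,
        password_hash   TEXT NOT NULL)');
    $db->prepare('INSERT INTO customer VALUES (?, ?, ?)')
       ->execute([1001, 'dave@example.test', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);
    return $db;
}

/**
 * Returns ['ok' => bool, 'show' => text for the browser, 'log' => text for the server log].
 * Every credential failure produces the same 'show' text; only 'log' says which check failed.
 */
function authenticate(PDO $db, string $number, string $email, string $password): array
{
    $number = trim($number);
    $email  = trim($email);
    if ($number === '' || $email === '' || $password === '') {
        // Reveals nothing about stored accounts, so it can stay specific.
        return ['ok' => false, 'show' => 'All fields must be entered', 'log' => 'missing field'];
    }

    $row = false;
    if (ctype_digit($number)) {
        $stmt = $db->prepare(
            'SELECT email, password_hash FROM customer WHERE customer_number = :n'
        );
        $stmt->bindValue(':n', (int) $number, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC); // false when the number is unknown
    }

    // Assumption of this example: verify against a throwaway hash when there is
    // no such customer, so both paths do the same amount of hashing work.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    $passwordOk = password_verify($password, $row !== false ? $row['password_hash'] : $dummyHash);
    $emailOk    = $row !== false && strcasecmp($row['email'], $email) === 0;

    if ($row === false) {
        $reason = 'unknown customer number';
    } elseif (!$emailOk) {
        $reason = 'email mismatch';
    } elseif (!$passwordOk) {
        $reason = 'bad password';
    } else {
        return ['ok' => true, 'show' => 'Welcome back', 'log' => 'login ok'];
    }
    return ['ok' => false, 'show' => GENERIC_FAILURE, 'log' => $reason];
}

$db = demoDb();
$attempts = [ // constructed inputs: number, email, password
    ['1001', 'dave@example.test', 's3cret-demo'],
    ['9999', 'dave@example.test', 's3cret-demo'],
    ['1001', 'other@example.test', 's3cret-demo'],
    ['1001', 'dave@example.test', 'wrong'],
    ['1001', '', ''],
];
foreach ($attempts as [$number, $email, $password]) {
    $r = authenticate($db, $number, $email, $password);
    printf("shown to user: %-62s | server log: %s\n", $r['show'], $r['log']);
}
```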
Re: [PHP] Login script login
If you are splicing $_POST directly into your SQL, you are DEFINITELY doing it wrong, but not in the way that you think.

Start reading here: http://phpsec.org

On Fri, February 2, 2007 6:10 am, Dave Carrera wrote:
> Hi Stut,
>
> I think i have found where i am going wrong.
>
> It's in the comparison login for the db result.
>
> So i select * from jfjfjfjf where custno=$_POST[number]
>
> But now i am getting messed up with if cust no not found then all i get is a blank page but hoping for an error
>
> And i don't think i am comparing the db result with the $_POST correctly
>
> Struggling here a bit :-(
>
> Dave C

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
Re: [PHP] Login script login
On Fri, February 2, 2007 7:05 am, Jürgen Wind wrote:
> > // Set up the session here, or however you're tracking the
> > // current customer/user/whatever
> >
> > header('Location: /somewhere_else');
> > ?>
> >
> > Hope that helps.
> >
> > -Stut
>
> be aware that you need a session_write_close(); before header('Location... or the session data might not be written to disk!

If we're gonna get picayune...

The Location header technically requires a full URL.

And using a re-direct instead of an include is a shocking waste of HTTP resources imho, but that may not matter if traffic is low.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
Re: [PHP] Login script login
Richard Lynch wrote:
> And using a re-direct instead of an include is a shocking waste of HTTP resources imho, but that may not matter if traffic is low.

I generally redirect there because on occasion the login process does stuff like clear out potentially pre-existing session data from another part of the site. Having it happen again because of the user refreshing the page needs to be avoided. The redirect accomplishes this.

-Stut
Re: [PHP] login script
Ross wrote:
> first how do I check two tables is it?
>
> $sql = "SELECT * FROM mytable, mytable2 WHERE username = '$username' AND userpass = '$userpass'";

That depends on what you are trying to achieve. Your example makes no sense at all. What are you trying to get from each table? How are they linked? etc! However, since this is a PHP list I suggest you try Googling for an introductory SQL tutorial or a SQL mailing list.

> Secondly my table just sends and returns straight values from the db but I expect some kind of encryption is required. What is a simple, secure method. md5() or another method. Do I store an encrypted file on the server and just decrypt it at the php page.
>
> my auth script at present
>
> <?php
> session_start();
> $auth = false; // Assume user is not authenticated
> $username= $_REQUEST['username'];
> $userpass= $_REQUEST['userpass'];
> if (isset($username) && isset($userpass)) {
>   $sql = "SELECT * FROM mytable WHERE username = '$username' AND userpass = '$userpass'";
>   // Execute the query and put results in $result
>   $result = mysql_query( $sql ) or die ( 'Unable to execute query.' );
>   // Get number of rows in $result.
>   $num_rows = mysql_num_rows($result);
>   if($num_rows == 0) {
>   }
>   else {
>     $_SESSION['username']= $username;
>     $_SESSION['userpass']= $userpass;
>     header("Location: disclaimer.php");
>     $auth = true;
>   }
> }

If that's your login script you have bigger problems than securing the passwords in the database. There is no escaping applied to the username and password you get from the browser - this is a massive security hole. See http://php.net/mysql_real_escape_string about that one.

As far as securing the password goes, the most common approach is to store the MD5 hash in the DB. What you want is something like this...

<?php
session_start();
$auth = false; // Assume user is not authenticated
$username = $_REQUEST['username'];
$userpass = $_REQUEST['userpass'];
if (!empty($username) && !empty($userpass)) {
  $sql = "SELECT * FROM mytable WHERE username = '".mysql_real_escape_string($username)."' AND userpass = md5('".mysql_real_escape_string($userpass)."')";
  // Execute the query and put results in $result
  $result = mysql_query( $sql ) or die ( 'Unable to execute query.' );
  // Get number of rows in $result.
  if (mysql_num_rows($result) == 0) {
    // Login failed, blah blah blah
  }
  else {
    $_SESSION['username']= $username;
    $_SESSION['userpass']= $userpass;
    header("Location: disclaimer.php");
    $auth = true;
  }
}
?>

-Stut
Re: [PHP] login script
On 15/08/06, Ross [EMAIL PROTECTED] wrote:
> Hello,
>
> I have a couple of questions
>
> first how do I check two tables is it?
>
> $sql = "SELECT * FROM mytable, mytable2 WHERE username = '$username' AND userpass = '$userpass'";
>
> Secondly my table just sends and returns straight values from the db but I expect some kind of encryption is required. What is a simple, secure method. md5() or another method. Do I store an encrypted file on the server and just decrypt it at the php page.
>
> my auth script at present
>
> <?php
> session_start();
> $auth = false; // Assume user is not authenticated
> $username= $_REQUEST['username'];
> $userpass= $_REQUEST['userpass'];
> if (isset($username) && isset($userpass)) {
>   $sql = "SELECT * FROM mytable WHERE username = '$username' AND userpass = '$userpass'";
>   // Execute the query and put results in $result
>   $result = mysql_query( $sql ) or die ( 'Unable to execute query.' );
>   // Get number of rows in $result.
>   $num_rows = mysql_num_rows($result);
>   if($num_rows == 0) {
>   }
>   else {
>     $_SESSION['username']= $username;
>     $_SESSION['userpass']= $userpass;
>     header("Location: disclaimer.php");
>     $auth = true;
>   }
> }

Question 1 - you are doing a join so there has to be a linking index between the two tables ie

select * from table1, table2 where table1.id = table2.userid (for example).

Question 2 - md5 is sufficient, depends on what you are storing (ie credit card numbers may require a stronger encryption method).

To check:

$pass = md5($password);
select * from table1 where password = '$pass';

I think the php and mysql md5 functions differ but I may be wrong!

--
http://www.web-buddha.co.uk
http://www.projectkarma.co.uk
Re: [PHP] login script
I would hope that MD5 hashing is MD5 hashing no matter where it originates. However, I think it's better to use the database server's implementation. I believe it is less likely to be changed in future versions, and it removes some processing time from the front end. Additionally, if you ever move away from PHP, you have one less line of platform-specific code to change.

On 8/15/06, Dave Goodchild [EMAIL PROTECTED] wrote:

>     $pass = md5(password);
>     select * from table 1 where password = '$pass';
>
> I think the php and mysql md5 functions differ but I may be wrong!
Re: [PHP] login script
On Tue, August 15, 2006 5:37 am, Ross wrote:

> I have a couple of questions first how do I check two tables is it?

You probably should not have 2 tables at all.

Both username and password would normally be stored in a single record in the same table

    CREATE TABLE user (
      user_id int(11) auto_increment unique not null primary key,
      username text,
      password text
    );
    /* You'd probably have other fields like name, address, email, etc */

>     $sql = "SELECT * FROM mytable, mytable2 WHERE username = '$username' AND userpass = '$userpass'";

So it would just be:

    FROM user WHERE username = '$username' AND password = '$userpass'

Second, SELECT * is Evil, for various reasons. You can Google and find the debates about it.

> Secondly my table just sends and returns straight values from the db but I expect some kind of encryption is required. What is a simple, secure method. md5() or another method. Do I store an encrypted file on the server and just decrypt it at the php page.

You never ever ever actually decrypt it.

But wait, you say, how can that work?!

It's quite simple, really.

The whole purpose of a one-way encryption is that you only store the ENCRYPTED result.

Later, the user then has to put in the correct password, and you one-way encrypt that, and you compare the ENCRYPTED values.

Either the encrypted values match, or the password is wrong.

You can almost think of the ENCRYPTED value as being like a lock to which there is only one key that fits -- the password. To test if the key fits the lock, you don't make another copy of the key -- You just encrypt it, and see if it matches the shape of the lock.

MD5 would be a perfectly reasonable one-way encryption scheme.

So if the password was 'foo', then your MD5-encrypted value would be:

    acbd18db4cc2f85cedef654fccc4a4d8

Your database would have 'acbd18db4cc2f85cedef654fccc4a4d8' stored in it.

When they login, you do:

    SELECT user_id, username FROM user WHERE username = '$username' AND password = md5('$userpass')

Either the MD5 of their input ('foo') is the correct value you have stored:

    acbd18db4cc2f85cedef654fccc4a4d8

or they have the wrong password/key, and you should not let them in.

>     <?php
>     session_start();
>     $auth = false; // Assume user is not authenticated
>     $username= $_REQUEST['username'];
>     $userpass= $_REQUEST['userpass'];
>     if (isset($username) && isset($userpass)) {
>         $sql = "SELECT * FROM mytable WHERE username = '$username' AND userpass = '$userpass'";

Yikes!

You REALLY need to read about SQL-injection here:
http://phpsec.org/
and start using this function:
http://php.net/mysql_real_escape_string

Also, your $username and $userpass should be constrained at all times to very specific validation rules.

Can't be blank.
Must be at least X characters. (you pick a nice X)
Passwords should probably contain at least one non-alpha character.

>         // Execute the query and put results in $result
>         $result = mysql_query( $sql ) or die ( 'Unable to execute query.' );

or die() is a great simple way to demonstrate the basics of code.

It's not something you would really really want to use on a production server, unless you are 100% sure that you've turned off display-errors and are logging your errors and you have a process in place to examine the logs...

Something like http://php.net/set_error_handler and http://php.net/trigger_error would be more appropriate for real code.

>         // Get number of rows in $result.
>         $num_rows = mysql_num_rows($result);
>         if($num_rows == 0) {
>         } else {
>             $_SESSION['username']= $username;
>             $_SESSION['userpass']= $userpass;
>             header("Location: disclaimer.php");

Instead of a header(Location:) which has some issues involved, you could just do:

    require 'disclaimer.php';
    exit;

>             $auth = true;

This doesn't do anything, at least not with your current code, nor with anything I've suggested here...

>         }
>     }

--
Like Music?
http://l-i-e.com/artists.htm
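Added example, not part of the original thread: the login check discussed above, written for current PHP, where the mysql_* functions no longer exist. It assumes PDO with the SQLite driver so it runs offline; the function names, the sample users and the legacy-MD5 upgrade step are constructed for illustration, and it goes beyond the thread by storing password_hash() values and binding parameters in a prepared statement instead of escaping them.

```php
<?php
declare(strict_types=1);

// Added example. The schema follows the thread's `user` table; all data is constructed.
// Runs from the command line against in-memory SQLite (needs the pdo_sqlite extension).

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (
        user_id  INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL
    )');
    return $db;
}

function store_user(PDO $db, string $username, string $hash): void
{
    // Bound parameters: the values never become part of the SQL text.
    $stmt = $db->prepare('INSERT INTO user (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Returns the user_id on success, null on any failure.
function check_login(PDO $db, string $username, string $password): ?int
{
    // Look the row up by username only; the comparison happens in PHP.
    $stmt = $db->prepare('SELECT user_id, password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $id = (int) $row['user_id'];
    $stored = (string) $row['password'];

    // Legacy row: 32 lowercase hex characters, i.e. an unsalted MD5 as in the thread.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        if (!hash_equals($stored, md5($password))) {
            return null;
        }
        // Correct password: replace the MD5 with a salted, slow hash.
        $up = $db->prepare('UPDATE user SET password = ? WHERE user_id = ?');
        $up->execute([password_hash($password, PASSWORD_DEFAULT), $id]);
        return $id;
    }

    return password_verify($password, $stored) ? $id : null;
}

$db = open_demo_db();
store_user($db, 'ross', md5('foo'));   // constructed legacy row, MD5 of 'foo'
store_user($db, "o'brien", password_hash('s3cret!pw', PASSWORD_DEFAULT));

// The apostrophe in the second username needs no escaping with bound parameters.
foreach ([['ross', 'foo'], ['ross', 'bar'], ["o'brien", 's3cret!pw']] as [$u, $p]) {
    printf("%-8s %-10s => %s\n", $u, $p, var_export(check_login($db, $u, $p), true));
}

// After the successful login above, the legacy row no longer holds an MD5 value.
$stored = (string) $db->query("SELECT password FROM user WHERE username = 'ross'")->fetchColumn();
printf("ross row upgraded: %s\n", var_export(preg_match('/^[0-9a-f]{32}$/', $stored) === 0, true));
```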
Re: [PHP] login script
On Tue, August 15, 2006 5:51 am, Dave Goodchild wrote:

> I think the php and mysql md5 functions differ but I may be wrong!

You are wrong. :-)

The whole point of MD5 is that MD5 is MD5, no matter where you go.

Even ASP MD5 is the same as PHP MD5. Except it probably sucks for being too slow or you have to pay for it or something. :-)

--
Like Music?
http://l-i-e.com/artists.htm
[PHP] Re: PHP Login Script
Chuck [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Could anyone let me know or point me to where I could find out how to setup a login for my php site. I've been looking around and found plenty of stuff for PHP/Apache, but nothing for just PHP. Any help or info about this would be appreciated.
>
> Thanks,
> Chuck

Hi Chuck,

you could try those two PEAR packages:
http://pear.php.net/package/Auth
http://pear.php.net/package/LiveUser

If you have any questions about those packages that the docs and the source code can't answer there is the PEAR general mailing list to help ;)

Best regards,
Torsten Roehr
Re: [PHP] Login Script
Hey Brian,

how about something like this, just change the session info to cookies if you want?

    <?
    session_start();

    ## get db connection
    Require_once('../conf/Systemconfig.inc.php');

    ## Disable DOS Attacks
    if ($_SERVER['HTTP_USER_AGENT'] == "" || $_SERVER['HTTP_USER_AGENT'] == "-") {
        die();
    }

    // If no Post Dont Process Page
    If ([EMAIL PROTECTED]){
        @header("HTTP/1.0 404 Not Found");
        $error = 1; // Error No Post
        die();
    }

    ## Process Login
    ## Run security Checks
    if (!get_magic_quotes_gpc()) {
        $User = addslashes($_POST['Username']);
        $Password = addslashes($_POST['Password']);
    } else {
        $User = $_POST['Username'];
        $Password = $_POST['Password'];
    }

    $Result = mysql_query("SELECT * From `site_users` WHERE Username='$User' AND Password='$Password' AND Visible='1'");

    if($GetRes=mysql_fetch_array($Result)) {
        ## Create Session vars and redirect
        $_SESSION['AuthUser'] = TRUE;
        $_SESSION['AuthName'] = $User;
        $_SESSION['AdminID'] = $GetRes['UserID'];
        $_SESSION['FirstName'] = $GetRes['FirstName'];
    } else {
        $_SESSION['FAILURE'] = TRUE;
    }

    ## Redirect to Main page
    @header('Location: index.php');
    exit();
    ?>

hth

On Mon, 2004-07-19 at 21:01, Brian Krausz wrote:

> [snip] a. do not reply off-list unless asked, your question may not receive the attention it needs [/snip]
>
> Sorry, I got the email before the board post so I assumed you were only replying off-list.
>
> [snip] 2. You do know basic PHP, correct? Create a page that accepts a username and password. Have the un and pw checked against the db. If it is good, set a cookie and check for the cookie with each page, if not redirect to the proper location. [/snip]
>
> My 2 main concerns are security and user-friendliness. I would like anyone (regardless of cookies being allowed or not) to be able to use my service, but I would still like it to be secure. But I guess I'll try making my own script...worth a shot.
Re: [PHP] Login Script
Thanks for all the suggestions guys, I took your advice and currently have a working login script (hopefully :) ). If I have any more problems I'll be sure to ask you, it's nice to know that there's a place I can always go for questions.

Thanks,
Brian
RE: [PHP] Login Script
[snip] While I know there are many scripts out there, and have spent many hours looking through them, I am having trouble finding a login script that fits my needs. I am looking for the following: A MySQL-based login system that doesn't use Pear :: DB. All I would like is for it to support cookies and all those things that would make it more secure. I have had trouble finding this...any suggestions? [/snip]

Do you mean a login script where the username and password are stored in a MySQL database table? One where if the login is good a cookie is set? Nope. :)
Re: [PHP] Login Script
Well I already have a db with username/password fields, etc. I'm just looking for code for a login page and a file to include at the top of each page for auth.

Jay Blanchard wrote:

> [snip] While I know there are many scripts out there, and have spent many hours looking through them, I am having trouble finding a login script that fits my needs. I am looking for the following: A MySQL-based login system that doesn't use Pear :: DB. All I would like is for it to support cookies and all those things that would make it more secure. I have had trouble finding this...any suggestions? [/snip]
>
> Do you mean a login script where the username and password are stored in a MySQL database table? One where if the login is good a cookie is set? Nope. :)
RE: [PHP] Login Script
[snip] Well I already have a db with username/password fields, etc. I'm just looking for code for a login page and a file to include at the top of each page for auth. [/snip]

a. do not reply off-list unless asked, your question may not receive the attention it needs

2. You do know basic PHP, correct? Create a page that accepts a username and password. Have the un and pw checked against the db. If it is good, set a cookie and check for the cookie with each page, if not redirect to the proper location.
Re: [PHP] Login Script
Hello Brian,

Take a look at setcookie() in the PHP manual. The algorithm is pretty simple. Once the user submits the form, you compare form data with the data in the database. If the password matches, then set a cookie with the username (using setcookie()). Then you'll just have to check if the cookie is set - if(isset($_COOKIE['username'])) {...} - and if it's set, proceed to user page; if not, display the login form again.

--
Best regards,
Cosmin
Re: [PHP] Login Script
[snip] a. do not reply off-list unless asked, your question may not receive the attention it needs [/snip]

Sorry, I got the email before the board post so I assumed you were only replying off-list.

[snip] 2. You do know basic PHP, correct? Create a page that accepts a username and password. Have the un and pw checked against the db. If it is good, set a cookie and check for the cookie with each page, if not redirect to the proper location. [/snip]

My 2 main concerns are security and user-friendliness. I would like anyone (regardless of cookies being allowed or not) to be able to use my service, but I would still like it to be secure. But I guess I'll try making my own script...worth a shot.
Re: [PHP] Login Script
Brian Krausz [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> [snip] a. do not reply off-list unless asked, your question may not receive the attention it needs [/snip]
>
> Sorry, I got the email before the board post so I assumed you were only replying off-list.
>
> [snip] 2. You do know basic PHP, correct? Create a page that accepts a username and password. Have the un and pw checked against the db. If it is good, set a cookie and check for the cookie with each page, if not redirect to the proper location. [/snip]
>
> My 2 main concerns are security and user-friendliness. I would like anyone (regardless of cookies being allowed or not) to be able to use my service, but I would still like it to be secure. But I guess I'll try making my own script...worth a shot.

Hi Brian,

if you want to be independent of the user's browser cookie settings you have to pass the session id from page to page via POST (e.g. as a hidden field in a form) or GET:

    <a href="page2.php?<?= SID ?>">link</a>

I would recommend searching the mailing list archives. You will find LOADS of useful information on sessions.

Regards,
Torsten Roehr
Re: [PHP] Login Script
> [snip] a. do not reply off-list unless asked, your question may not receive the attention it needs [/snip]
>
> Sorry, I got the email before the board post so I assumed you were only replying off-list.
>
> [snip] 2. You do know basic PHP, correct? Create a page that accepts a username and password. Have the un and pw checked against the db. If it is good, set a cookie and check for the cookie with each page, if not redirect to the proper location. [/snip]
>
> My 2 main concerns are security and user-friendliness. I would like anyone (regardless of cookies being allowed or not) to be able to use my service, but I would still like it to be secure.

If security is in mind, adding SSL to your website is a great start.

--Matthew Sims
--http://killermookie.org
Re: [PHP] Login Script
On Tuesday 20 July 2004 03:24, Brian Krausz wrote:

> While I know there are many scripts out there, and have spent many hours looking through them, I am having trouble finding a login script that fits my needs. I am looking for the following: A MySQL-based login system that doesn't use Pear :: DB. All I would like is for it to support cookies and all those things that would make it more secure. I have had trouble finding this...any suggestions?

I find it hard to believe that there is nothing out there that suits your purpose. But anyway, it would be helpful if you listed what packages you've tried that didn't meet your requirements so people don't recommend those.

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design Hosting * Internet Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/* Life is both difficult and time consuming. */
Re: [PHP] Login Script and Global Registering Things
--- Master Mark [EMAIL PROTECTED] wrote:

> Is HTTP auth better than HTML?

In my opinion, no. Handling authentication in your application is a much better choice for numerous reasons (although HTTP authentication has its place and can be very useful).

Chris

=
Become a better Web developer with the HTTP Developer's Handbook
http://httphandbook.org/
Re: [PHP] Login Script and Global Registering Things
Sounds good (o;

I find it easier to work with HTML auth anyway.

/ Mark

- Original Message -
From: Chris Shiflett [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; PHP [EMAIL PROTECTED]
Sent: Thursday, July 24, 2003 4:06 PM
Subject: Re: [PHP] Login Script and Global Registering Things

> --- Master Mark [EMAIL PROTECTED] wrote:
>
> > Is HTTP auth better than HTML?
>
> In my opinion, no. Handling authentication in your application is a much better choice for numerous reasons (although HTTP authentication has its place and can be very useful).
>
> Chris
>
> =
> Become a better Web developer with the HTTP Developer's Handbook
> http://httphandbook.org/
RE: [PHP] login script fix help needed
Move this below to after your php logic:

    <html>
    <head>
    <title>Add a User</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    <body>

Timothy Hitchens (HiTCHO)
Open Source Consulting
e-mail: [EMAIL PROTECTED]

-Original Message-
From: Karl James [mailto:[EMAIL PROTECTED]]
Sent: Monday, 20 January 2003 1:59 PM
To: php
Subject: [PHP] login script fix help needed

> hey guys,
>
> I was wondering if you can see why I can't insert the info into a table, right now it's
>
>     Warning: Cannot add header information - headers already sent by (output started at /home/virtual/site12/fst/var/www/html/Create_Account.php:8) in /home/virtual/site12/fst/var/www/html/Create_Account.php on line 10
>
> http://www.ultimatefootballleague.com/Create_Account.phps
>
> can anyone help me get this working thanks. and let me know what I did wrong.
>
> Karl
Re: [PHP] login script fix help needed
--- Karl James [EMAIL PROTECTED] wrote:

>     Warning: Cannot add header information - headers already sent by (output started at /home/virtual/site12/fst/var/www/html/Create_Account.php:8) in /home/virtual/site12/fst/var/www/html/Create_Account.php on line 10

This means you have something on line 10 of Create_account.php that sends headers, but PHP cannot because you have something on line 8 that causes output.

Chris
Re: [PHP] Login script, session problem (I think)
More information is needed... what version of PHP are you running? A bit of sample code on how you set up your sessions would also be helpful...

/dkm

- Original Message -
From: Hawk [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 15, 2002 11:19 AM
Subject: [PHP] Login script, session problem (I think)

> I made a simple login script which uses MySQL for username and password retrieval and that stores the username in a session, the problem is that this script only works locally, e.g. I can only login from this computer but not from any other, I have session.use_cookies = 1 and I also have another session on the page that stores a counted var so the counter doesn't jump up every time someone changes page. The thing confusing me is that the counter session works global but the login only works local.. Does anyone have an idea how I should solve this? I'm not so good with php yet so I might have missed something, but I think it's weird anyway... :p
>
> please reply as soon as possible. :)
>
> Hawk

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] Login Script
Line 10 is?

    $sid (login($user, $pass));   <--- missing =

-Original Message-
From: Necro [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 21, 2001 1:40 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Login Script

> Lo all,
>
> I am trying to get the following script to work..
>
>     <?
>     if ($HTTP_POST_VARS[action] == 1)
>     {
>         checklogin($HTTP_POST_VARS[user_name], $HTTP_POST_VARS[password]);
>         exit;
>     }
>
>     function checklogin($user, $pass)
>     {
>         $sid (login($user, $pass));
>         if ($sid != -1)
>         {
>             header("Location: http://localhost/hq.php?sid=$sid;");
>         }
>         else
>         {
>             header("Location: http://localhost/error.php;");
>         }
>     }
>
>     function login($user, $pass)
>     {
>         $db = "zoner2";
>         $SQL = "SELECT * FROM users WHERE user_name='".$user."' AND password='".$pass."'";
>         $connection = db_connect();
>         $query = mysql_db_query($db, $SQL, $connection);
>         if (mysql_num_rows($query) != 1)
>         {
>             return -1;
>         }
>         $row = mysql_fetch_array($query);
>         $user_id = $row[user_id];
>         $sid = md5("blah blah".$user_id.$time());
>         $remip = REMOTE_ADDR();
>         $ttime = date("YmdHis");
>         $SQL2 = " INSERT INTO details ";
>         $SQL2 = $SQL2 . " (user_id, sid, ttime, remip) VALUES ";
>         $SQL2 = $SQL2 . " ('$user_id','$sid','$ttime','$remip') ";
>         ###
>         $result2 = mysql_db_query($db,$SQL2,$connection);
>         if (!$result2) {
>             echo("ERROR: " . mysql_error() . "\n$SQL\n");
>             mysql_close($cid);
>             exit;
>         }
>         ###
>         SetCookie("TheLoginCookie", "$user_id:$sid:$ip", time()+3600);
>         return $sid;
>     }
>     ?>
>
> But every time I open the login page and try to login I get the following error.
>
>     Fatal error: Call to undefined function: () in d:\htdocs\web\login1.inc on line 10
>
> Can anyone explain why this is??
>
> Thankyou.
> Andrew
Re: [PHP] Login Script
This is your problem -- what do you expect this line to do?

    $sid (login($user, $pass));

Bogdan