Hi, got a couple of problems I need urgent help with. I need an urgent login and registration script that works; the current one I am using is no good for the following reasons. I register and it stores the info in the database, but when I go to log in with the details I have just registered, it says the password is wrong. So I check it and copy the password from the database into the login form and it works. Trouble is, the password in the database is not the one I created; it's generating a different password in the database. Think it's using all that md5 stuff to hide the password, so I need a login and registration form that actually logs in with the password I create in the registration form. My second problem is I need to display the username of the user logged in on an order confirmation page. Please help me, been trying for hours and the brain is going now and eyes are hurting from trying to figure it out. Thank you in advance. Kind regards, Ian
Instead of making it urgent, you could just take your site down for a day. Unless it is a business site... Try searching around the web, or maybe installing an account tool, so you don't have to do very much coding (if any). -Tony
I think this code helps you to create a login and registration form. Just create three files:

1. Login.php
2. Register.php
3. Lastmember.php

Code for Login.php is given below:

```php
<?php
//session_start();
// set your information.
$dbhost = 'localhost';
$dbusername = 'root';
$dbuserpass = '';
$dbname = 'userdb';

if (isset($_COOKIE['user'])) {
    echo "Welcome $_COOKIE[user]";
} else {
    // connect to the mysql database server.
    mysql_connect($dbhost, $dbusername, $dbuserpass);
    mysql_select_db($dbname) or die('Cannot select database');

    if (!empty($_POST['username'])) {
        // did they supply a password and username
        $username = $_POST['username'];
        $password = $_POST['password'];
        if ($password == NULL) {
            echo "A password was not supplied";
        } else {
            $query = mysql_query("SELECT username,password FROM users WHERE username = '$username'") or die(mysql_error());
            $data = mysql_fetch_array($query);
            if ($data['password'] != $password) {
                echo "The supplied login is incorrect";
            } else {
                $query = mysql_query("SELECT username,password FROM users WHERE username = '$username'") or die(mysql_error());
                $row = mysql_fetch_array($query);
                setcookie("user", "$username", time()+3600);
                echo "";
            }
        }
    }
}
?>
<form action="login.php" method="POST">
<table style="border: 1px solid #000000;">
<tbody>
<tr> <td align="right"> Username:<input type="text" name="username" size="15" maxlength="25" /></td> </tr>
<tr> <td align="right"> Password:<input type="password" name="password" size="15" maxlength="25" /></td> </tr>
<tr> <td align="center"><input type="submit" value="Login" /></td> </tr>
<tr> <td align="center"><a href="register.php">Register Here</a></td> </tr>
</tbody>
</table>
</form>
```

Code for Register.php:

```php
<?php
// set your information.
$dbhost = 'localhost';
$dbusername = 'root';
$dbuserpass = '';
$dbname = 'userdb';

// connect to the mysql database server.
mysql_connect($dbhost, $dbusername, $dbuserpass);
mysql_select_db($dbname) or die("Cannot select database");

// Are they just getting here or submitting their info?
if (isset($_POST["username"])) {
    $username = $_POST["username"];
    $password = $_POST["password"];
    $cpassword = $_POST["cpassword"];
    $email = $_POST["email"];
    if ($username == NULL || $password == NULL || $cpassword == NULL || $email == NULL) {
        echo "A field was left blank.";
    } else {
        // Do the passwords match?
        if ($password != $cpassword) {
            echo "Passwords do not match";
        } else {
            // Has the username or email been used?
            $checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");
            $username_exist = mysql_num_rows($checkuser);
            $checkemail = mysql_query("SELECT email FROM users WHERE email='$email'");
            $email_exist = mysql_num_rows($checkemail);
            if ($email_exist > 0 || $username_exist > 0) {
                echo "The username or email is already in use";
            } else {
                // Everything seems good, lets insert.
                $query = "INSERT INTO users (username, password, email) VALUES('$username','$password','$email')";
                mysql_query($query) or die(mysql_error());
                echo "The user $username has been successfully registered.";
            }
        }
    }
}
?>
<h1>Register</h1>
<form action="register.php" method="POST">
<table style="border: 1px solid #000000;">
<tbody>
<tr> <td align="right"> Username:<input type="text" name="username" size="15" maxlength="25" /></td> </tr>
<tr> <td align="right"> Password:<input type="password" name="password" size="15" maxlength="25" /></td> </tr>
<tr> <td align="right"> Confirm Password:<input type="password" name="cpassword" size="15" maxlength="25" /></td> </tr>
<tr> <td align="right"> Email:<input type="text" name="email" size="15" maxlength="25" /></td> </tr>
<tr> <td align="center"><input type="submit" value="Register" /></td> </tr>
<tr> <td align="center"><a href="login.php">Login Here</a></td> </tr>
</tbody>
</table>
</form>
```

Code for Lastmember.php:

```php
<?php
$dbhost = 'localhost';
$dbusername = 'root';
$dbuserpass = '';
$dbname = 'userdb';

// connect to the mysql database server.
mysql_connect($dbhost, $dbusername, $dbuserpass);
mysql_select_db($dbname) or die('Cannot select database');

$row1 = mysql_query("SELECT * FROM users ORDER BY uid DESC LIMIT 1") or die(mysql_error());
echo "$row1";
while ($row = mysql_fetch_array($row1)) {
    echo " <h2>$row[username]</h2> ";
}
?>
```

To check to see if someone is logged in, use:

```php
<?php
if (isset($_COOKIE['user'])) {
    echo "You are logged in: {$_COOKIE['user']} Enjoy.";
} else {
    echo "You are not logged in. <a href=\"register.php\">Register here</a>";
}
?>
```
It's probably saying your password is wrong because you are encrypting it with md5 as you said. When you log in, make sure to take the entered password and use md5 on that password and then compare it to the md5'ed encrypted password in your database and check if they are the same. From there, just redirect to their profile or wherever they go once logged in. PM me if you still need help.
@Anujak Dear god what site is that on so I can hack you? But seriously, you need to study php security BIG TIME.
Here is a login parser that is better....

```php
$e = sqlclean($_POST['e']);
$p = $_POST['p'];
$postPass = sha1($salt1 . $p . $salt2);
//echo $e.' :: '.$p.' :: '.$postPass;die;
//$postPass = md5($p);
$sql = query('SELECT `email`,`validated`,`banned` FROM `users` WHERE `username`="'.$e.'" && `password`="'.$postPass.'"');
if (mysql_num_rows($sql) == 0) {
    redirect($spath.'login.php?m=1');
} else {
    $r = mysql_fetch_row($sql);
    $validated = $r[1];
    $banned = $r[2];
    $email = stripslashes($r[0]);
    //echo $validated.'::'.$banned.'::'.$email;exit;
    if ($validated == 1) {
        unset($_SESSION['loggedin']);
        $main = '<div class="formMessage">'.$lang_chkemail2.'</div>';
        require_once($docroot.'functions/tpltr/general.templater.php');
    } elseif ($banned != 1) {
        unset($_SESSION['loggedin']);
        $main = '<div class="formMessage">'.$lang_banned.'</div>';
        require_once($docroot.'functions/tpltr/general.templater.php');
    } else {
        $_SESSION['loggedin'] = $email.'::'.$postPass;
        query('UPDATE `users` SET `ip`="'.$ip.'" WHERE `email`="'.$email.'"');
        redirect($spath);
        //$main = '<div class="formMessage">Thank you for logging in. <a href="'.$spath.'">Click here to continue...</a></div>';
        //require_once($docroot.'functions/tpltr/general.templater.php');
    }
}
```
Oh and security....

```php
if (!function_exists('sqlclean')) {
    function sqlclean($data) {
        if (filter_var($data, FILTER_VALIDATE_INT) !== FALSE) {
            return $data;
        } else {
            $data = filter_var($data, FILTER_SANITIZE_STRING);
            return mysql_real_escape_string($data);
        }
    }
}
```
The login parser is a partial sample btw, don't use it, won't work without the rest of the code.... which ain't free.
1. Why do you need to check if the value is an integer? Very useless comparison.
2. Your sqlclean will not allow usernames like <Username>, <Hello123>.
3. It will also encode quotes by default, so why may you need crap like & #39; & #34; in your db?
4. stripslashes($r[0]); <- why do you store data with extra slashes in db?
You need to get PHP for Dummies. Your base PHP education is very very bad.

1. So you don't change it from integer to string. This is a general purpose security function for more than just unames.
2. Ok then, get hacked genius. PHP filter is your best bet, especially as a noob as these inquiries are.
3. Decode when it comes out. This functionality prevents XSS attacks, cross site scripting.
4. MySQL escapes dangerous characters with a backslash. If it didn't you'd be opening your database to be hacked by the dumbest of script kiddies.

You really need to study. These are 1st day student questions.
You are too impulsive.

1. There are general rules for how to escape data, and there is no difference if it is an integer or a string; mysql_real_escape_string inside ('), or pdo, is more than enough (the only known bug, with the GBK charset, has been fixed a long time ago).
2. If you read the docs, "<" and ">" are not potentially dangerous symbols in sql statements; they are regular characters that should not be escaped. But your function removes them (modifying original data)? Your function is a totally wrong way to escape data.
3. Preventing XSS? It should be done only when you print the data, so keep original data clean (without any additional slashes and html entities) in the db and escape it when you need to print it.
4. Read statement 1.

The code you write is very raw and wandering, at least looking at the code you posted above.
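Added example, not written by any poster in this thread: the password mismatch from the first post and the escaping points argued above come down to hashing the password the same way at registration and login, binding values with placeholders so data is stored unmodified, and encoding for HTML only at output. It assumes PHP 5.5+ with the pdo_sqlite extension; the in-memory table and the register() and login() helpers are hypothetical.

```php
<?php
// Added example. Assumes PHP >= 5.5 with pdo_sqlite; the table layout and
// the register()/login() helper names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    uid INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL)');

function register(PDO $db, $username, $password)
{
    // Store a salted, slow hash; the column never holds the typed password,
    // which is why copying the column value into the login form is not a test.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Placeholders keep values out of the SQL text, so the username is stored
    // exactly as typed, with no added slashes or HTML entities.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(array($username, $hash));
}

function login(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify the submitted password against the stored hash; never compare
    // the raw form value with the database column.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['username'];
}

// Constructed sample input: a username containing a quote and angle brackets.
register($db, "<O'Brien>", 'correct horse');

var_dump(login($db, "<O'Brien>", 'correct horse'));  // matching credentials
var_dump(login($db, "<O'Brien>", 'wrong password')); // wrong password
var_dump(login($db, 'nobody', 'correct horse'));     // unknown user

// Escape at output time, for the context being written to (HTML here).
$user = login($db, "<O'Brien>", 'correct horse');
echo 'Welcome ', htmlspecialchars($user, ENT_QUOTES, 'UTF-8'), "\n";
```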
You are the impulsive one, you are giving ignorant advice on "how to be most hackable" and "how to waste server resources". These were examples so he can learn on his own. If he wants to customize, he can. Stop being a narcissist... and spreader of BAD information.

1. Go back to school. Once a number is converted to string, it cannot be used in equations unless you convert back to numeric. So you are wrong and looking stupid. It is also a waste of resources to sanitize a numeric once confirmed as being numeric. I guess that you also validate the contents of a password string prior to being encoded and stored in the database.
2. You have no idea what you are talking about. The purpose of FILTER_SANITIZE_STRING is to filter out dangerous characters. http://php.net/manual/en/filter.filters.sanitize.php How the hell do you think that it targets only < and > ? Also wtf would you want those in the username?
3. So when you go to output info after selecting it from the db later, you will have to sanitize on every page load? WOW you must love wasting resources. It is wiser to clean prior to db insertion. Then again, my scripts have never been hacked and run faster than most (according to google page insights).... so who am I to serve as the expert. If you have a var that needs less sterilization then you write a custom function for it. Duh. I said this is a general purpose function.
4. Read PHP for Dummies. You need it.

I am not going to sit and explain every place you are wrong, it is Thanksgiving and not sitting here teaching you PHP. I have coded for over 15 years, for major companies and the military. I went to college for web development and linux administration. I might know my stuff a little better than you. Raw and wandering... lol ok newbie. Post your solution. Yes I can post a set of functions, each specially made for each field, but then I would be feeding a troll all day.

I am done here leray, you are not only misinformed and not well educated/experienced in PHP, you are thread hijacking. Post your solution genius... don't copy and paste from another site either.
@it cannot be used in equations unless you convert back to numeric.
We are talking about escaping variable values in an sql statement. The sql statement is a string by itself, so there is no difference if the php variable is integer or string - it's converted to string and added to the sql statement.

@It is also a waste of resources to sanitize
You're so worried about resources and still do not use limits in sql statements.

@The purpose of FILTER_SANITIZE_STRING is to filter out dangerous characters
The question is still unanswered: "<" and ">" are regular symbols in sql statements (like a, b and c), so why does your function strip them? What's the problem with keeping them? The point is that the way you escape data is totally wrong... and you haven't understood it during 15 years.

I just don't like when people reinvent the wheel, do it wrong and still say they're right.
The function can be used for instances with no sql moron, just remove mysql_real_escape_string() and you have a function that is used with regular validation of user posted vars without sql query. Are you that dumb? This was a fracking example to the poster. Um how would it strip from the query?

```php
<?php
$var = sqlclean($var);
$query = query('SELECT `blah` FROM `blah` WHERE `blah` > "' . $var . '"');
?>
```

Hmmmm.... greater than and less than still there, nothing to do with my function dumb***. Learn php and then come back and I don't care what you like, new guy. Again, show your examples. I didn't think you had better. Using (int) is fooking lazy. I am setting my acct to ignore you, you are getting annoying and you have hijacked this thread. Is not a debate thread.