Jump to content

SuperNoob needs a second set of eyes

Mickey400z

By Mickey400z
in PHP Coding Help

 Share

Recommended Posts

Mickey400z Newbie

Mickey400z

Posted
Posted

I need a second set of eyes for my registration script please. Connectvars.php has the correct information to access the mySQL database. I keep getting an error at "mysqli_query or die(wtf?)". Thanks!

 

My connectvars.php script is in the same directory as this registration script.  It seems to be getting a connection considering my failure is "mysqli_query or die(wtf?)"

 

<?php
  // Insert the page header
  $page_title = 'Sign Up';

  require_once('connectvars.php');

  // Connect to the database
  $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);


if (mysqli_connect_error()) {
        die('Connect Error (' . mysqli_connect_errno() . ') ' . mysqli_connect_error());
    }
  if (isset($_POST['submit'])) {
    // Grab the profile data from the POST
    $firstname = mysqli_real_escape_string($dbc, trim($_POST['firstname']));
    $password1 = mysqli_real_escape_string($dbc, trim($_POST['password1']));
    $password2 = mysqli_real_escape_string($dbc, trim($_POST['password2']));

    if (!empty($firstname) && !empty($password1) && !empty($password2) && ($password1 == $password2)) {
      // Make sure someone isn't already registered using this username
      $query = "SELECT * FROM clients WHERE firstname = '$firstname'";
      $data = mysqli_query($dbc, $query) or die('error connecting to db');

      if (mysqli_num_rows($data) == 0) {
        // The username is unique, so insert the data into the database
        $query = "INSERT INTO clients (firstname, password1) VALUES ('$firstname', SHA1('$password1'))";
        mysqli_query($dbc, $query)
	or die('wtf?');

        // Confirm success with the user
        echo '<p>Your new account has been successfully created. You\'re now ready to <a href="index.php">log in</a>.</p>';

        mysqli_close($dbc);
        exit();
      }
      else {
        // An account already exists for this username, so display an error message
        echo '<p class="error">An account already exists for this username. Please use a different address.</p>';
        $firstname = "";
      }
    }
    else {
      echo '<p class="error">You must enter all of the sign-up data, including the desired password twice.</p>';
    }
  }

  mysqli_close($dbc);
?>

  <p>Please enter your username and desired password to sign up to The Haven.</p>
  <form method="post" action="signup.php">
    <fieldset>
      <legend>Registration Info</legend>
      <label for="firstname">Username:</label>
      <input type="text" name="firstname" id="firstname" value="<?php if (!empty($firstname)) echo $firstname; ?>" /><br />
      <label for="password1">Password:</label>
      <input type="password" name="password1" id="password1" /><br />
      <label for="password2">Password (retype):</label>
      <input type="password" name="password2" id="password2" /><br />
    </fieldset>
    <input type="submit" value="Sign Up" name="submit" />
  </form>

Link to comment
https://forums.phpfreaks.com/topic/201544-supernoob-needs-a-second-set-of-eyes/
Share on other sites
kenrbnsn Regular Member

kenrbnsn

Posted
Posted

You really should some meaningful into the die() function so you can tell what's wrong.

 

Something like

<?php
        $query = "INSERT INTO clients (firstname, password1) VALUES ('$firstname', SHA1('$password1'))";
        mysqli_query($dbc, $query)
	or die("Problem with the query: $query<br>" . $mysqli->error);
?>

 

Ken

TeddyKiller Advanced Member

TeddyKiller

Posted
Posted

On all your queries you'd do something similar to..

$query = mysqli_query("query here") or die(mysqli_error());

 

You wouldn't really need to include the query into the or die, like what kenrbnsn stated, (Unless your using notepad, or something similar) because it'll nearly if not always display a line number in where the problem is :) Also, with displaying the query isn't safe (Unless its on your localhost only) If it's on the actual web for us to use, if that error comes up with the query- we immediately know what the query is, whats involved in it, and in your instance.. the hash too.

Someone can come along.. spot the error. 'Look, its sha1 LETS HACK!'

 

Having or die('wtf?'); and or die('error connecting to db'); are pointless.

These will say where the error is, though not what it is.

We have *_error for a reason - To tell us the problem. (* being mysql, mysqli, etc etc)

kenrbnsn Regular Member

kenrbnsn

Posted
Posted

The reason I output the query is that you will see the complete query with all variables expanded. Looking in your source will not show that. You should only show the query when you're debugging the script. In production, you should do something like put out a generic error message and store the error somewhere.

 

Ken

Mickey400z Newbie

Mickey400z

Posted
  • Author
Posted

Ok....here's the output I got...

Problem with the query: INSERT INTO clients (firstname, password1) VALUES ('Mickey400z', SHA1('abc123'))

 

Now I currently have the password1 field set up as VARCHAR(40) in my databasel table.  I was under the impression that was all I needed.

ThisisForReal Member

ThisisForReal

Posted
Posted

I recognize a lot of the OP's code from the O'Reilly HeadStart PHP MySQL book.  Good stuff.  I am creating a similar page.  Got mine to work just fine.  But now I'm trying to replace some of the querying with a stored procedure.  The stored procedure is working just fine, except, I'm having trouble doing an SHA1 on the password before passing the variable along to the MySQL stored procedure to add to the DB table.

 

I'm essentially going from Mickey's code (seen here):

 

  // Connect to the database
  $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);


if (mysqli_connect_error()) {
        die('Connect Error (' . mysqli_connect_errno() . ') ' . mysqli_connect_error());
    }
  if (isset($_POST['submit'])) {
    // Grab the profile data from the POST
    $firstname = mysqli_real_escape_string($dbc, trim($_POST['firstname']));
    $password1 = mysqli_real_escape_string($dbc, trim($_POST['password1']));
    $password2 = mysqli_real_escape_string($dbc, trim($_POST['password2']));

    if (!empty($firstname) && !empty($password1) && !empty($password2) && ($password1 == $password2)) {
      // Make sure someone isn't already registered using this username
      $query = "SELECT * FROM clients WHERE firstname = '$firstname'";
      $data = mysqli_query($dbc, $query) or die('error connecting to db');
    
      if (mysqli_num_rows($data) == 0) {
        // The username is unique, so insert the data into the database
        $query = "INSERT INTO clients (firstname, password1) VALUES ('$firstname', SHA1('$password1'))";
        mysqli_query($dbc, $query)
      or die('wtf?');

 

And now I'm trying to simplify it as such:

 

<?php 
  
  // Connect to the database
  $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

  if (isset($_POST['submit'])) {
    // Grab the profile data from the POST
    $email = mysqli_real_escape_string($dbc, trim($_POST['email']));
    $password1 = mysqli_real_escape_string($dbc, trim($_POST['password1']));
    $password2 = mysqli_real_escape_string($dbc, trim($_POST['password2']));

    if (!empty($email) && !empty($password1) && !empty($password2) && ($password1 == $password2)) {
      // Person has submitted data in all three fields and passwords match.
  
      $encrypt = sha1('$password1');
      $query = "CALL mealshare.spRegister('$email','$encrypt')";
      $data = mysqli_query($dbc, $query);

 

My problem is that no matter what I enter as a password on the registration page, the encrypted entry in the DB table is always the SAME 40 character hash.  Anybody have any clues where my SHA is breaking down?

ThisisForReal Member

ThisisForReal

Posted
Posted

Oh, that's hilarious.  I tried to check against that issue by created a new page and running this:

 

<?php 
$password1 = soccer;
$encrypt = sha1($password1);

$password2 = beer;
$encrypt2 = sha1('$password2');

echo "$encrypt <br />";
echo "$encrypt2";
?>

 

The page shot out 2 hashes, and neither matched what was being put in the database on my registration page, so I had eliminated that as a cause.  Now I realize I ran a faulty experiment because in the above experiment, it's password2 that has the quotes around it (thus the hash is of *$password2* rather than the value of the variable) rather than password1.  Had I put the quotes around password1 in my experiment, it'd have matched my db entries and I would have solved the problem.

 

Funny, because I'm not a total noob, but it's so easy to trip up on trial and error if you're not really careful about how you approach these things...  Thanks a bunch!

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.