novella Posted May 3, 2012 Share Posted May 3, 2012 I can´t find out what I have done wrong. Can somebody please help me find out why the form do not find my user in the database? 18278_.php 18279_.php Quote Link to comment https://forums.phpfreaks.com/topic/262018-creating-a-log-ini-am-a-beginner/ Share on other sites More sharing options...
MMDE Posted May 3, 2012 Share Posted May 3, 2012 Why did you upload two? Only difference is this: $user = $_POST['user']; $password = $_POST['password']; $getuser = $_POST['user']; $getpassword = $_POST['password']; Both codes then checks for: if ($user){ Which in one case is not set. You then later in both scripts use: $query = mysql_query("SELECT * FROM users WHERE username='$getuser'"); ^ $getuser could this be the error? Quote Link to comment https://forums.phpfreaks.com/topic/262018-creating-a-log-ini-am-a-beginner/#findComment-1342691 Share on other sites More sharing options...
novella Posted May 3, 2012 Author Share Posted May 3, 2012 Why did you upload two? Only difference is this: $user = $_POST['user']; $password = $_POST['password']; $getuser = $_POST['user']; $getpassword = $_POST['password']; Both codes then checks for: if ($user){ Which in one case is not set. You then later in both scripts use: $query = mysql_query("SELECT * FROM users WHERE username='$getuser'"); ^ $getuser could this be the error? My fault, it should be only one file. Sorry for that! The error has to be somewhere around that code but it shows the same info if i just write: $query = mysql_query("SELECT * FROM users WHERE username='$user'"); Check if everything is right here: $query = mysql_query("SELECT * FROM users WHERE username='$getuser'"); $numrows = mysql_num_rows($query); if ($numrows == 1){ $row = mysql_fetch_assoc($query); $dbid = $row['id']; $dbuser = $row['username']; $dbpass = $row['password']; $dbactive = $row['active']; Thank you for taking the time! Quote Link to comment https://forums.phpfreaks.com/topic/262018-creating-a-log-ini-am-a-beginner/#findComment-1342708 Share on other sites More sharing options...
MMDE Posted May 3, 2012 Share Posted May 3, 2012 Why did you upload two? Only difference is this: $user = $_POST['user']; $password = $_POST['password']; $getuser = $_POST['user']; $getpassword = $_POST['password']; Both codes then checks for: if ($user){ Which in one case is not set. You then later in both scripts use: $query = mysql_query("SELECT * FROM users WHERE username='$getuser'"); ^ $getuser could this be the error? My fault, it should be only one file. Sorry for that! The error has to be somewhere around that code but it shows the same info if i just write: $query = mysql_query("SELECT * FROM users WHERE username='$user'"); Check if everything is right here: $query = mysql_query("SELECT * FROM users WHERE username='$getuser'"); $numrows = mysql_num_rows($query); if ($numrows == 1){ $row = mysql_fetch_assoc($query); $dbid = $row['id']; $dbuser = $row['username']; $dbpass = $row['password']; $dbactive = $row['active']; Thank you for taking the time! Yes, that seems correct. As I said in my earlier post, you got some logical errors you need to sort out, because it's not sure $getuser is set. Try to turn on error reporting at the start of the file: error_reporting(E_ALL); and do this to your mysql_query: $query = mysql_query("SELECT * FROM users WHERE username='$getuser'") or die(mysql_error()); Also make sure you sanitize the $getuser string. Quote Link to comment https://forums.phpfreaks.com/topic/262018-creating-a-log-ini-am-a-beginner/#findComment-1342710 Share on other sites More sharing options...
xyph Posted May 3, 2012 Share Posted May 3, 2012 Check out the article in my signature. I think it's still a little above your knowledge of PHP, but it's a great resource and gives advice on doing everything the secure way. You're off to a great start though. Rather than use md5(md5(password)), you should use md5(md5(password).password). As it is, you're limiting your first digest (return value from MD5) to always be 128-bit, so your second digest will always be based on the same length input. In cryptography, this is a bad thing. Adding the password on to the end means your second digest will be made using a variable-length input. It's okay if you don't quite understand the above. Security is a VERY complex topic, and developers are better off using something an expert has made, rather than trying to implement their own. I'm definitely not discouraging you from continuing scripts like the one you have above, I'm advising you to use them educationally, rather than in a production environment Quote Link to comment https://forums.phpfreaks.com/topic/262018-creating-a-log-ini-am-a-beginner/#findComment-1342738 Share on other sites More sharing options...
novella Posted May 3, 2012 Author Share Posted May 3, 2012 Check out the article in my signature. I think it's still a little above your knowledge of PHP, but it's a great resource and gives advice on doing everything the secure way. You're off to a great start though. Rather than use md5(md5(password)), you should use md5(md5(password).password). As it is, you're limiting your first digest (return value from MD5) to always be 128-bit, so your second digest will always be based on the same length input. In cryptography, this is a bad thing. Adding the password on to the end means your second digest will be made using a variable-length input. It's okay if you don't quite understand the above. Security is a VERY complex topic, and developers are better off using something an expert has made, rather than trying to implement their own. I'm definitely not discouraging you from continuing scripts like the one you have above, I'm advising you to use them educationally, rather than in a production environment Thank you so much for your answer. You are absolutely right, I did start working in php last week, so I am really new at this. But it´s so interesting! I truly want to be good at this. I did fix the problem but now i got a new one I´m trying to make a registration email with a activation-code that fills itself out on the activation.php, but every time I test it, the code shows up with a random number after the activation-code. It would be nice if you could take a peek at it: <?php error_reporting (E_ALL ^ E_NOTICE); ?> <html xmins="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <title>Medlemsystem - Medlemmar</title> </head> <body> <?php if ( $_POST['registerbtn'] ){ $getuser = $_POST['user']; $getemail = $_POST['email']; $getpass = $_POST['pass']; $getretypepass = $_POST['retypepass']; if ($getuser){ if ($getemail){ if ($getpass){ if ($getretypepass){ if ($getpass === $getretypepass){ if ( (strlen($getemail) >= 7) && (strstr($getemail, "@")) && (strstr($getemail, ".")) ){ require("./connect.php"); $query = mysql_query("SELECT * FROM users WHERE username='$getuser'"); $numrows = mysql_num_rows($query); if ($numrows == 0){ $query = mysql_query("SELECT * FROM users WHERE email='$getemail'"); $numrows = mysql_num_rows($query); if ($numrows == 0){ $password = md5(md5("kjfiufj".$password."fj56fj")); $date = date("F d, Y"); $code = md5(rand()); mysql_query("INSERT INTO users VALUES ( '', '$getuser', '$password', '$getemail', '0', '$code', '$date' )"); $query = mysql_query("SELECT * FROM users WHERE username='$getuser'"); $numrows = mysql_num_rows($query); if ($numrows == 1){ $site = "http://labs.rockheart.se/joakimforsberg"; $webmaster = "joakimforsberg <[email protected]>"; $headers = "From: $webmaster"; $subject = "Aktivera Ditt Konto"; $message = "Tack för din registrering. Klicka på länken här under för att aktivera ditt konto.\n\n"; $message .= "$site/activate.php?user=$getuser&code=$code \n"; $message .= "Du måste aktivera ditt konto för att logga in."; if ( mail($getemail, $subject, $message, $headers) ){ $errormsg = "Du har blivit registrerad. Du måste aktivera kontot från aktiveringslänken som sändes till <b>$getemail</b>"; $getuser = ""; $getemail = ""; } else $errormsg = "Ett fel har uppstått.Ditt aktiveringsmeddelande har ej blivit sänt."; } else $errormsg = "Ett fel har uppstått. Ditt konto har ej skapats."; } else $errormsg = "Det finns redan en användare med denna e-post."; } else $errormsg = "Det finns redan en användare med detta användarnamn."; mysql_close(); } else $errormsg = "Du måste ange en giltig e-postadress."; } else $errormsg = "Dina l&oulm;senord matchade ej."; } else $errormsg = "Du måste repetera l&oulm;senordet f&oulm;r att bli registrerad."; } else $errormsg = "Du måste ange ett l&oulm;senord f&oulm;r att bli registrerad."; } else $errormsg = "Du måste ange din e-postadress för att bli registrerad."; } else $errormsg = "Du måste ange ditt användarnamn för att bli registrerad."; } $form = "<form action='./register.php' method='post'> <table> <tr> <td></td> <td><font color='red'>$errormsg</font></td> </tr> <tr> <td>Användarnamn:</td> <td><input type='text' name='user' value='$getuser'/></td> </tr> <tr> <td>E-post:</td> <td><input type='text' name='email' value='$getemail'/></td> </tr> <tr> <td>Lösenord:</td> <td><input type='password' name='pass' value=''/></td> </tr> <tr> <td>Upprepa lösenord:</td> <td><input type='password' name='retypepass' value=''/></td> </tr> <tr> <td></td> <td><input type='submit' name='registerbtn' value='Registrera'/></td> </tr> </table> </form>"; echo $form; ?> </body> </html> Thanks for taking the time. Quote Link to comment https://forums.phpfreaks.com/topic/262018-creating-a-log-ini-am-a-beginner/#findComment-1342833 Share on other sites More sharing options...
xyph Posted May 3, 2012 Share Posted May 3, 2012 Now now, one step at a time! As it is, an attacker could mess around with your database! What happens when you use the following for both the username or email anything' OR '1'='1 ? What about just '? Odd behaviour? Quote Link to comment https://forums.phpfreaks.com/topic/262018-creating-a-log-ini-am-a-beginner/#findComment-1342841 Share on other sites More sharing options...
novella Posted May 5, 2012 Author Share Posted May 5, 2012 Now now, one step at a time! As it is, an attacker could mess around with your database! What happens when you use the following for both the username or email anything' OR '1'='1 ? What about just '? Odd behaviour? I´m sorry, I do not understand. Where am I suppose to write that? at this line? $query = mysql_query("SELECT * FROM users WHERE username='$user'"); Quote Link to comment https://forums.phpfreaks.com/topic/262018-creating-a-log-ini-am-a-beginner/#findComment-1343303 Share on other sites More sharing options...
NLT Posted May 5, 2012 Share Posted May 5, 2012 Write it in one of your form fields. Quote Link to comment https://forums.phpfreaks.com/topic/262018-creating-a-log-ini-am-a-beginner/#findComment-1343314 Share on other sites More sharing options...
novella Posted May 5, 2012 Author Share Posted May 5, 2012 I did this: $query = mysql_query("SELECT * FROM users WHERE username='anything' OR '1'='1'"); Now it´s "Wrong password" Quote Link to comment https://forums.phpfreaks.com/topic/262018-creating-a-log-ini-am-a-beginner/#findComment-1343316 Share on other sites More sharing options...
xyph Posted May 5, 2012 Share Posted May 5, 2012 I meant type it in to one of your form fields Write it in one of your form fields. Quote Link to comment https://forums.phpfreaks.com/topic/262018-creating-a-log-ini-am-a-beginner/#findComment-1343325 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.