Search Project, and Login help

[chunkymonkey11]

Hey guys!

 

It seems like the only thing I do on this forum is ask for help, but yet again Steve Jobs said that the only way one can be successful is to ask for help 

 

I will be as detailed as possible for you guys, but if you need more just let me know

 

So, I need two question to be solved

 

I have a XAMPP server with a database called members with the following field: id, businessname, username, password, sign_up_date, email, taxnumber, account_permissions, email_activation

 

I am going to create a new database table called: Registered with the following fields: picture,discription,location,keywords,latest news

 

so I created a login and register script and they work fine, but the unforutnate part is that all registered users that login end up on the same dang webpage. I am trying to allow each user to login to their own profile page, but use a unviersial template. Luckly, I was smart enough to create a id field in the member table, but dumb enough not really know what to do with it. Each new user will be assigned a new id starting with 01 and going up. Can I uses that to allow each user to create their own profile, and when they login the php script directs them to that user id?

 

Below is the script:

 

<?php

session_start();

$username = $_POST['username'];
$password = $_POST['password'];

if($username&&$password)
{

	$connect = mysql_connect("127.0.0.1","root","") or die ("Couldnt connect to database");
	mysql_select_db("test_database") or die ("Couldnt find database");

	$query = mysql_query("SELECT * FROM member WHERE username='$username'");

	$numrows = mysql_num_rows($query);

	if($numrows !=0)

	{

	while ($row = mysql_fetch_assoc($query))
	{

		$dbusername = $row['username'];
		$dbpassword	= $row['username'];

	}
		if ($username==$dbusername&&$password==$dbpassword)
		{

			echo "Login successful. <a href=''>Click here to enter members area</a";
			$_SESSION['username']=$dbusername;

		}
		else
			echo "Incorrect password";
	}

	else
		die ("That username doesnt exist");

}
else
die ("Please enter a username and password");

?>

 

Now to my second question.

 

 

Once each user has their own profile (thanks to your help  ), I want to create a database search engine that one (a non-registred) user can use to search through all the users profiles and then list the searches by most relavent keyword hits and by location. So for example, if they searched cars the engine would go through all the registered users data in the Registered table and then list by relevance using two fields in that database:location, and keywords. The non-registred user types in the desired keywords in one search box and location in another and then the engine lists the searches in a diffrent page by most hits down to some what relevant. To be honest with you this one is WAY out of my knowledge league, so it would be great if you could walk me through it.Since you know my whole database architecture giving some step by steps would be awesome.

 

I really appricate your guys help in helping me create this project. I was helping my Uncle creata a website for his conslting company but i guess my mind got a lot more curious.

 

 

 

 

[ialsoagree]

Well, for starters:

 

while ($row = mysql_fetch_assoc($query))
{

$dbusername = $row['username'];
$dbpassword	= $row['username'];

}
if ($username==$dbusername&&$password==$dbpassword)

 

There's a few things wrong with this chunk of code:

 

For starters, can users share the same username? If no, then you might want to check to make sure $numrows == 1 or == 0; the former means you have 1 regitered user with that username, the latter (which you already check) means no one with that username exists. If both conditions are false (IE. the number of rows is greater than 1) then you have multiple users with the same username, you should report an error to yourself (as the web administrator) so you can look into how that happened.

 

If, however, users can share a username, then you need to modify your loop, because currently on the user with the last ID will be checked (and all other users with that username will never be able to login). Say you had 3 users with the username "Bob" - the way your script currently works, it would assign the details of the 1st "Bob" to the variable $row, then IMMIDIATELY overwrite $row with the details of the 2nd "Bob", then IMMIDIATELY overwrite $row with the details of the 3rd "Bob" - so if you were the 1st or 2nd "Bob" your login credentials are checked against "Bob" 3, and unless you have the same password, you won't authenticate.

 

Secondly, you have this problem:

 

$dbpassword	= $row['username'];

 

This should probably be:

 

$dbpassword	= $row['password'];

 

Additionally, you should NOT store passwords as plain text. This is a huge security problem. Even if your website doesn't contain any sensitive information many users will use the same username and password across multiple sites. If your passwords aren't stored encrypted at all, you've now given a hacker access to users e-mail addresses, the password they might use for that e-mail address, and the username they might use on lots of websites. And you can be held liable for damages.

 

You might want to look into phpass:

 

http://www.openwall.com/phpass/

[chunkymonkey11]

I appreciated the response,and concern, but this is not a registration script, my registration script tells my users database to store their passwords and email in a MD6 algorithm, and then stores it in a configuration file (which only the database can un-encrypt). This login script does not store data to my database (except maybe for last sign in date) only verifies the users existence. The registration page checks for existing individuals with the same username, so no more than one individual can have that same username.  My issue was regarding the the direction all users are sent when they are verified. They will be sent to (as the code says) "Click here to enter members area". I don't want that. I want to be able to assign each user their own page (i guess much how each Facebook user has their own profile page), and I want to store that link in the id section of the database. The more I am thinking about it, the more I believe this has to do with my registration script. How would I (in PHP language) assign each user their own page using the id field in my database, and how would I tell my login script to direct the user to their specific page.

 

Also, if somebody can please help me tackle the second question that would be great

 

 

[ialsoagree]

Once again, I want to reinterate, you're not properly checking whether the user has logged in successfully.

 

It's great that you're storing passwords with some amount of hashing/encryption, but your login script doesn't account for that:

 

$dbusername = $row['username'];
$dbpassword	= $row['username'];

}
if ($username==$dbusername&&$password==$dbpassword)

 

Firstly, as I indicated before, $dbpassword doesn't appear to have the right data saved to it.

 

Secondly, because you're not hashing/encrypting the $password variable, authentication will always fail because $password will never == the hashed/encrypted password (well, unless someone put in the proper hash/encryptiong string of their actual password).

 

That being established, to get it to redirect them after login, you might want to do something like this:

 

Echo "Login successful. <a href='profile.php?id=[[insert user ID variable here]]'>Click here to enter members area</a";

 

Then have profile.php check $_GET['id'] for the user ID, and get the relevant information from the database.

[chunkymonkey11]

I think I know where you are coming from, so your saying (please correct me if I'm wrong): The login script will fail because the script does not account for the encrypted passwords that are stored in the database?

 

So lets say I tell my registration script to encrypt the passwords in MD5. Would I do something like this?

 

$dbusername = $row['username'];
$dbpassword	= $row['username'];

}
if ($username==$dbusername&&$password==$enc_password) 

 

Because if I were using MD5 in my registration script I would put

$enc_password = md5($password 

 

Now for the profile.php. How would you write the code for this file? I know you are big on data safety  so how would you write this file so that nobody can just put the specific url and have access the the users specific page?

 

Also, do you have any idea's on how to approach the second question?

 

[MMDE]

You don't want to encrypt the password, because that implies it can be decrypted too!

You will want to do some one-way only operation on the password with as few as possible collisions, and also make this operation unique for that user (salt the password), so you can't make a rainbow table.

 

The operation that is done to the password the first time you save it in the database, should be the same as you do when you compare their password to what is stored in the database. What you can do is to first get the salt the user with said username uses, and then use that to get the string that hopefully is the same as the one in the database.

 

here's that last part:

 

$result = mysql_query("SELECT * FROM member WHERE username='$username' AND password='$password'");
if(mysql_num_rows($result)==1){
// logged in
}

 

Remember to sanitize input.

[chunkymonkey11]

Hey MMDE thanks for being involved. So for clarification I don't have to install Salt or anything, right?

 

So instead of this:

 

$query = mysql_query("SELECT * FROM member WHERE username='$username'");

	$numrows = mysql_num_rows($query);

 

I should put this

 

$query = mysql_query("SELECT * FROM member WHERE username='$username'");

	if(mysql_num_rows($result)==1){
// logged in
}

 

and since you are in this topic, any clue how to make a profile.php like ialsoagree said?

 

And if ANYONE knows how to tackle the second question their help would be great 

 

 

[Christian F.]

Chunkeymonkey11: You really should read this article, until you're 100% certain you understand everything discussed in it.

[chunkymonkey11]

ChristianF thanks for the article it helped a lot (even tho it was a bit too advance for me). To be fully honest with you the coding stuff flew right over me, but the purpose behind the article was something I could understand. 

 

Now I am not a mathematical genius, so the likely hood of me making an algorithm for securing the passwords are slim.

 

So I started to play around with the concepts of the article and other sources to develop this code (please keep in mind that I am still new at PHP so this script most likely is laden with problems, and reading an article will not make me an expert  ) :

 

<?php

function enc($string) {
$salt = "@x2p";
$hash = shal(md5($salt.$string)).md5($string).shal(md5(md5($string)));
return $hash;
}

echo md5("$dbpassword");
echo "<br />";
echo enc("$dbpassword");
?>

 

 

It seems like nobody has answered the profile.php question as well as my second main question. So any answers would be great!

[xyph]

ChristianF thanks for the article it helped a lot (even tho it was a bit too advance for me). To be fully honest with you the coding stuff flew right over me, but the purpose behind the article was something I could understand. 

 

Now I am not a mathematical genius, so the likely hood of me making an algorithm for securing the passwords are slim.

 

So I started to play around with the concepts of the article and other sources to develop this code (please keep in mind that I am still new at PHP so this script most likely is laden with problems, and reading an article will not make me an expert  ) :

 

<?php

function enc($string) {
$salt = "@x2p";
$hash = shal(md5($salt.$string)).md5($string).shal(md5(md5($string)));
return $hash;
}

echo md5("$dbpassword");
echo "<br />";
echo enc("$dbpassword");
?>

 

 

It seems like nobody has answered the profile.php question as well as my second main question. So any answers would be great!

 

You've missed the mark though. You have a static (useless) salt, and you're stringing/stacking a bunch of hash functions together (doesn't add any security).

 

Grab the class linked in that article. It makes life so much easier.

 

$hasher = new PasswordHash(8, FALSE);
$hash = $hasher->HashPassword($pass);

 

To compare them later

if ($hasher->CheckPassword($pass, $hash_in_db)) {
$what = 'Authentication succeeded';
} else {
$what = 'Authentication failed';
$op = 'fail'; // Definitely not 'change'
}

[chunkymonkey11]

I guess I have no other option. Studying the concept it is  :'( ...

 

Thanks all for the help (even though we never reached my second question)

 

 

[Christian F.]

You're welcome, and good luck with your studies.

 

As for your second question, you should have put it into a thread of its own. Which belongs to the Application Design section. Though, I can tell you right away that you'll need to read up on the MySQL FULLTEXT search features. Yep, more studying.

[chunkymonkey11]

Thanks ChristianF.

"Life is 1% fun, and 99% learning how to have fun"