lixid Posted November 11, 2006

ok i posted a few days back about a similar thing .. i know that my coding is rather harsh and ugly and cryptic but just trying to get through the hard parts and then going to clean it up .. also i am going to share what i have so far as to find out why it's not working .. first of all if you want to view what i have so far download my source if you want a challenge or maybe just a good laugh .. but i do really need some help with this.

what i am trying to accomplish is i have a login page that posts name="username" and also name="password" and the field names in the database are completely different from the post names. i need to figure out why i can register but i cannot login .. i have an excel file in the zip with references to understand what the queries actually mean and i know this might be a little cryptic but like i said if you would like a challenge or a good laugh at how silly all of this really is .. please though i do need the help .. i have adapted code from various tutorials on the net and i am definitely new to all of this but i do understand the basics and how things work .. just having problems with logging in .. you'll understand once you see the code.

seriously though anyone that can help me with this .. i will definitely keep you in mind and will be insanely grateful .. :]

***FIXED*** thanx
heckenschutze Posted November 11, 2006

After minutes of decrypting, I think your problem lies with how you're setting sessions and checking how the user is logged in... For example, why don't you just check if $_SESSION['zlaplustiufroachle'] is set, and skip setting encrypted sessions - it's not a necessity.

[code]
function is_authed()
{
    // Check if the encrypted username is the same
    // as the unencrypted one, if it is, it hasn't been changed.
    // Strict comparison: with ==, PHP compares hex strings such as "0e123..." as numbers.
    if (isset($_SESSION['zlaplustiufroachle'])
        && (md5($_SESSION['zlaplustiufroachle']) === $_SESSION['encrypted_name'])) {
        return true;
    } else {
        return false;
    }
}
[/code]

For debugging purposes, post the output of $_SESSION after you have logged in (straight after you set the sessions).

[code]
print_r($_SESSION);
[/code]

PS: May I ask why the database columns have silly names, unless it's another language - no offence intended.
lixid Posted November 11, 2006

thing is i can't get logged in .. i get sorry wrong username or password .. so i know that it is in this section somewhere .. in the login page

[code]
if (isset($_POST['check_login'])) {
    $username = mysql_real_escape_string($_POST['username']);

    // First query: fetch the per-user salt
    $query = "SELECT tiapoahlephoubriaq FROM spoepoaswoacrieglu WHERE zlaplustiufroachle='$username' LIMIT 1";
    $result = mysql_query($query) or die ('could not connect');
    $usersalt = mysql_fetch_array($result);
    $salt = $usersalt['tiapoahlephoubriaq'];

    $password = $_POST['password'];
    $encrypted = md5(md5($password).$salt);

    if (empty($_POST['password']) || empty($username)) {
        echo "You left a field blank!";
    } else {
        // Second query: match username and salted hash
        $check_login = "SELECT zlaplustiufroachle, choehiaclucrleriaq, briuswouqieblefrie FROM spoepoaswoacrieglu WHERE zlaplustiufroachle = '$username' AND choehiaclucrleriaq = '$encrypted' LIMIT 1";
        $check_result = mysql_query($check_login) or die ("query failed");
        // ... rest of the login handling (not shown in the post)
    }
}
[/code]
lixid Posted November 11, 2006

well my theory is that the field names i want random alpha characters and this way it will be harder to create an sql injection for the database .. but i could be wrong .. but mainly it makes me feel safe and all warm and fuzzy .. heheh .. but naw just trying to make it harder for them .. but in this particular case i guess it's making it harder on me .. :] but any help is appreciated a lot .. thanx ..
heckenschutze Posted November 11, 2006

I may suggest, perhaps NOT using random column names, it's going to make it very hard and confusing on yourself... Or if you're content on doing that, perhaps define them, e.g.

[code]
<?php
define("USER_COLUMN", "zlaplustiufroachle");
?>
[/code]

At the moment, I have to play a guessing game, trying to work out what's what... Do you mind fixing the column names, or use the method above.
lixid Posted November 11, 2006

well here is (somewhat) the original code i am working with .. but added a better session section.

[code]
<?php
session_start();

if (!isset($_SESSION['logged_in'])) {
    if (!isset($_POST['check_login'])) {
        // No form submission yet: show the login form
        echo "
        <form action='login.php' method='post'>
        Username: <input type='text' name='username' class='register_box' /> <br />
        Password: <input type='password' name='password' class='register_box' /> <br /> <br />
        <input type='submit' name='check_login' value='Login' class='register_box' />
        </form>
        ";
    } elseif (isset($_POST['check_login'])) {
        $username = mysql_real_escape_string($_POST['username']);
        $password = md5($_POST['password']);

        if (empty($_POST['password']) || empty($username)) {
            echo "You left a field blank!";
        } else {
            $check_login = mysql_query("SELECT username, password, id FROM user_system WHERE username = '$username' AND password = '$password' LIMIT 1");

            if (mysql_num_rows($check_login) > 0) {
                // Matching row found: mark the session as logged in
                $_SESSION['logged_in'] = 1;
                $_SESSION['username'] = $username;
                echo "You have been successfully logged in!<br />";
                echo "<a href='edit_profile.php'>edit profile</a>";
            } else {
                echo "Sorry. Wrong password, or user does not exist.";
            }
        }
    }
} else {
    echo "You are already logged in.";
}
?>
[/code]

i am pretty set on using the code i have for particular reasons so if it's too insane then don't worry about it and i will figure it out .. :] it's kool .. but if you get a chance or some free time to set up the init.inc.php file if you have a localhost server you could test it on .. then you might see exactly what's happening .. and why i am unable to login

i have been checking the code over and over again .. but can't seem to get it to login .. when i set it up with normal fields and everything set as whatever the original settings were set up .. it works and i can login and register .. but with this code i can only register .. it's very odd .. anyways thanx for looking at this for me ..
Psycho Posted November 11, 2006

I swear I need to write a piece on simple debugging procedures. Is it so hard to echo a database query to the page before running it? Or checking if ANY results were returned?

Add LOTS AND LOTS of echos at every step of the process to see where it is failing.

For example

[code]
$username = mysql_real_escape_string($_POST['username']);
echo "username: " . $username . "<br>";

$query = "SELECT tiapoahlephoubriaq FROM spoepoaswoacrieglu WHERE zlaplustiufroachle='$username' LIMIT 1";
echo "query: " . $query . "<br>";

$result = mysql_query($query) or die ('could not connect');
echo "Number of rows: " . mysql_num_rows($result) . "<br>";

$usersalt = mysql_fetch_array($result);
echo "usersalt: <pre>";
print_r($usersalt);
echo "</pre>";

$salt = $usersalt['tiapoahlephoubriaq'];
echo "salt: " . $salt . "<br>";

$password = $_POST['password'];
echo "password: " . $password . "<br>";

$encrypted = md5(md5($password).$salt);
[/code]

However I think the problem lies in that last line. Are you doing the same double/double encryption on the password before saving it to the database? Plus, why the hell are you doing another database query to test the password? Why don't you grab the password when you do the initial query for the username.

Also, get rid of the stupid column names. If you're really concerned about sql injection then those names will have little to no benefit. For example if you had a query such as this:

"SELECT * FROM users WHERE userid='" . $userid . "'";

A user could enter " ' OR '1' = '1 " (w/o the double quotes)

The resulting query would be:

" SELECT * FROM users WHERE userid='' or '1' = '1' "

They didn't even need to know the column names. The right way to prevent sql injection is by using mysql_real_escape_string() on any user entered data that will be put into the database.
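The point made in the post above, that obscured column names do not stop the quoted input, shown as a before/after pair. This is an added example, not code from the thread: it uses PDO prepared statements against an in-memory SQLite table (assumes the pdo_sqlite extension) instead of the mysql_* functions used in the thread, and the rows and the meaning assigned to each column are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Sample rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Table and column names as in the thread; which column holds what is assumed.
$db->exec("CREATE TABLE spoepoaswoacrieglu (
    briuswouqieblefrie INTEGER PRIMARY KEY,   -- assumed: id
    zlaplustiufroachle TEXT,                  -- username (per the thread)
    choehiaclucrleriaq TEXT)");               // password hash (per the thread)
$db->exec("INSERT INTO spoepoaswoacrieglu (zlaplustiufroachle, choehiaclucrleriaq)
           VALUES ('alice', 'hash-a'), ('bob', 'hash-b')");

// Before: the input is concatenated into the SQL text, so quotes in it
// change the structure of the WHERE clause.
function find_user_concat(PDO $db, string $username): array
{
    $sql = "SELECT * FROM spoepoaswoacrieglu WHERE zlaplustiufroachle = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: the input is bound as a parameter and is only ever compared as a value.
function find_user_bound(PDO $db, string $username): array
{
    $stmt = $db->prepare("SELECT * FROM spoepoaswoacrieglu WHERE zlaplustiufroachle = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = "' OR '1' = '1";   // the input quoted in the post above

printf("concatenated:     %d row(s)\n", count(find_user_concat($db, $input)));
printf("bound:            %d row(s)\n", count(find_user_bound($db, $input)));
printf("bound, real user: %d row(s)\n", count(find_user_bound($db, 'alice')));
```

The concatenated query returns every row although the input names no column; the bound query returns none for that input and one row for a real username.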
lixid Posted November 11, 2006

well i had at one point filtered for sql injections w/ mysql_real_escape_string for the password field but i thought it might have been causing a problem with the code inserting the password ... as for the debugging idea .. that i have not thought of .. and i guess i should've .. but as for [quote]double/double encryption [/quote] there is a salt in there and would like to have it all encrypted not just password.salt this way it is md5(password.salt) ... also [quote]Plus, why the hell are you doing another database query to test the password[/quote] btw .. that query is to get the salt .. just letting you know .. and there might be a way to pull the salt from the database with everything and put it into a variable .. but i just haven't focused on cleaning up my code at this point .. just trying to get it to work .. as for getting all pissy with me over something you don't understand .. chill
Psycho Posted November 11, 2006

I'm not being pissy, just trying to emphasize that in your approach to be "more secure" you are causing your own problems. Keep it simple to start. Once you get it working, then you can add complexity as needed.
lixid Posted November 11, 2006

that's what i did .. i have the whole system working perfect with the normal naming features such as name="username" and name="password" for the form and then for my mysql queries i have (ex. "SELECT id, username, password FROM user WHERE username='$username' AND password='$encrypted_pass' LIMIT 1" ) and so on .. and it works perfect .. so this is where i started to put in the more complex coding or what seems like useless coding. but now it doesn't work .. even though with the new code i can register and it will insert and do form validation such as username and email exists error reporting... but for some reason the login script doesn't work .. so i guess i will just have to figure it out with the suggested debugging idea .. i just haven't had the time to set it up yet .. but if i don't get it worked out .. i guess i will just have to follow the standards... thanx for the replies though .. got me to think about things in a different way at least .. any more suggestions would be welcome as long as you've taken a look at my code first in the zip .. thanx again ..
lixid Posted November 12, 2006

thanx finally figured it out .. it was something really stupid .. the password field was only allowing 16 characters .. really stupid .. but the only reason i figured it out was because of the echo post by mjdamato thanx i really appreciate it .. i will definitely be using that in the future .. thanx again ..
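Why a 16-character password field lets registration succeed but login fail, assuming "the password field" means the database column that stores the md5() hash and a MySQL server not in strict SQL mode, which cuts over-long values to the column width instead of rejecting them. This is an added example, not code from the thread; `store_in_column()` and the sample salt and password are hypothetical.

```php
<?php
// Added example, not code from the thread.
// Hypothetical stand-in for a CHAR/VARCHAR column on a non-strict MySQL
// server: values longer than the column are cut to its width.
function store_in_column(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// The hashing scheme from the thread's login code: 32 hex characters.
function hash_password(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

// Register, then log in, against a column of the given width.
function login_round_trip(int $columnWidth): bool
{
    $salt = 'constructed-salt';            // constructed sample values
    $password = 'constructed-password';
    // Registration: the INSERT succeeds even when the value is cut short.
    $stored = store_in_column(hash_password($password, $salt), $columnWidth);
    // Login: the full hash is recomputed and compared with the stored value.
    return hash_equals($stored, hash_password($password, $salt));
}

// Pre-flight check: can the column hold a full digest of this algorithm?
function column_fits_hash(string $algo, int $columnWidth): bool
{
    return strlen(hash($algo, '')) <= $columnWidth;
}

foreach ([16, 32] as $width) {
    printf("width %2d: md5 fits=%s, login=%s\n",
        $width,
        column_fits_hash('md5', $width) ? 'yes' : 'no',
        login_round_trip($width) ? 'ok' : 'FAILS');
}
```

With width 16 the stored value is only the first half of the digest, so the comparison at login can never match; with width 32 the round trip succeeds.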