ZimmerX - Posted November 25, 2007

Hey, I am getting a couple of errors with a register/login file for a site.

Apache version 1.3.39 (Unix)
PHP version 5.2.4
MySQL version 5.0.27-standard

The problems are the following:

I added the SHA1 encryption for the passwords, but now, even though it encrypts, the email column in the MySQL database does not appear. Meaning there must be another way to encrypt the password properly in the file.

Second problem is that the file keeps inserting blank columns into the table of USERS - i.e. without any information - so instead of telling me exactly how many users I have, it has like an extra 50 rows of blank info. So something is wrong on the insertion.

I have realised that this file has been pretty weirdly coded. So if someone could help me iron out these 2 large errors, I would be forever grateful.

Here is the code

```php
<?
require_once("core/mailer.php");

class module extends controller {
    var $params = array("act");
    var $isNeedMysql = true;

    function createAnonymus() {
        $this->db->query("INSERT INTO "._DB_TABLE_PREFIX."users (email, password) VALUES ('','')");
        return $this->db->getLastId();
    }

    function run() {
        $user_id = isset($_REQUEST['user_id']) ? getSafeStr($_REQUEST['user_id']) : null;
        $email = isset($_REQUEST['email']) ? getSafeStr($_REQUEST['email']) : null;
        $password = isset($_REQUEST['password']) ? getSafeStr($_REQUEST['password']) : null;
        $password = sha1($password);

        switch($this->act) {
            case "start_anonymus":
                if($user_id) {
                    $res = $this->db->query("SELECT id FROM "._DB_TABLE_PREFIX."users WHERE id = '".$user_id."' AND email = '' AND password = '' LIMIT 1");
                    if($res) {
                        $res_id = $res["id"];
                    } else {
                        $res_id = $this->createAnonymus();
                    }
                } else {
                    $res_id = $this->createAnonymus();
                }
                $_SESSION['user_id'] = $res_id;
                return array("status" => "start_result", "user" => array("id" => $res_id, "email" => "", "password" => ""));
                break;

            case "start_user":
                if($email && $password) {
                    if($res = $this->db->query("SELECT id FROM "._DB_TABLE_PREFIX."users WHERE email='".$email."' AND password='".$password."' LIMIT 1")) {
                        $_SESSION['user_id'] = $res["id"];
                        return array("status" => "start_result", "user" => array("id" => $res["id"], "email" => $email, "password" => $password ) );
                    }
                }
                $res_id = $this->createAnonymus();
                $_SESSION['user_id'] = $res_id;
                return array("status" => "start_result", "user" => array("id" => $res_id, "email" => "", "password" => ""));
                break;

            case "login_user":
                if(!$email || !$password) {
                    return false;
                }
                $sql = "
                    SELECT id, email
                    FROM "._DB_TABLE_PREFIX."users
                    WHERE email='".$email."' AND password='".$password."'
                    LIMIT 1";
                $res = $this->db->query($sql);
                if(isset($res["id"])) {
                    $_SESSION['user_id'] = $res["id"];
                    return array("status" => "login_ok", "user" => array("id" => $res["id"], "email"=>$email, "password"=>$password ) );
                } else {
                    return array("status" => "login_error");
                }
                break;

            case "register_user":
                if(!$email || !$password) {
                    return false;
                }
                $sql = "
                    SELECT id, email, password
                    FROM "._DB_TABLE_PREFIX."users
                    WHERE email='".$email."'
                    LIMIT 1";
                $res = $this->db->query($sql);
                if(isset($res["id"])) {
                    return array("status" => "register_error");
                } else {
                    $sql = "
                        UPDATE "._DB_TABLE_PREFIX."users
                        SET email = '".$email."', password = '".$password."'
                        WHERE id = '".$this->user_id."'
                        LIMIT 1";
                    $this->db->query($sql);
                    $m = new Mailer;
                    $m->email = $email;
                    $m->pwd = $password;
                    $m->server = $_SERVER["SERVER_NAME"];
                    $m->compose("templates/mail/registration");
                    $m->send($email);
                    return array("status" => "register_ok", "user" => array("id" => $this->user_id, "email" => $email, "password" => $password) );
                }
                break;

            case "logout":
                session_destroy();
                return array("status" => "logout_ok");
                break;

            case "remind_pwd":
                if($email) {
                    $sql = "
                        SELECT id, password
                        FROM "._DB_TABLE_PREFIX."users
                        WHERE email='".$email."'
                        LIMIT 1";
                    $res = $this->db->query($sql);
                    if(isset($res["id"])) {
                        $m = new Mailer;
                        $m->pwd = $res["password"];
                        $m->compose("templates/mail/password_recovery");
                        $m->send($email);
                    }
                }
                return array("status" => "pwd_sent");
                break;
        }
    }
}
?>
```

As you can see, I have tried to insert the encryption for the passwords, but this method worked so far as to encrypt the password but not to identify the email.

Thanks a lot.

Azu - Posted November 25, 2007

Try setting the columns to not null and make sure no default value is set. This should fix your problem with blank values being inserted.

Also, you really shouldn't be storing the e-mails as a hash unless you don't mind not being able to e-mail them. The whole point of storing a hash of something is to make it impossible (or at least very hard) to ever find out what it is.

Also note that SHA1 is a hashing algorithm, which has nothing whatsoever to do with encryption; when you encrypt data, you can later decrypt it.

ZimmerX (Author) - Posted November 25, 2007

> Try setting the columns to not null and make sure no default value is set. This should fix your problem with blank values being inserted.
>
> Also, you really shouldn't be storing the e-mails as a hash unless you don't mind not being able to e-mail them. The whole point of storing a hash of something is to make it impossible (or at least very hard) to ever find out what it is.
>
> Also note that SHA1 is a hashing algorithm, which has nothing whatsoever to do with encryption; when you encrypt data, you can later decrypt it.

Thanks for the first bit of input. As for your second comment, I never wanted to hash emails. If you look a bit further down the code, you will see that I am trying to hash the password. Not the email. But with the code I added in to hash the password, the email row in the table does not register properly when someone registers - i.e. the "email" row is blank while the password is encrypted successfully.

ZimmerX (Author) - Posted November 25, 2007

Also, I have noticed that this is not how it should be

```php
} else {
    $sql = "
        UPDATE "._DB_TABLE_PREFIX."users
        SET email = '".$email."', password = '".$password."'
        WHERE id = '".$this->user_id."'
        LIMIT 1";
```

Instead of UPDATE, it should be INSERT. Right? If I changed this, would anything actually happen?

Azu - Posted November 25, 2007

If you change the UPDATE to INSERT you will probably get an error. The syntax you're using there is for updating, not inserting.

ZimmerX (Author) - Posted November 25, 2007

That is what I don't understand. Why is it for updating when you are inserting values into a field?

Also, is the SHA1 part of the file correct? Or is there a better way to do it?

Azu - Posted November 25, 2007

The code you posted

```php
UPDATE "._DB_TABLE_PREFIX."users SET email = '".$email."', password = '".$password."' WHERE id = '".$this->user_id."' LIMIT 1";
```

is NOT for inserting values. It is for updating them. Try replacing that word "update" with "insert" and see for yourself. It will error out.

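Added example (not code from the thread or from any poster): the anonymous-row, register and login flow discussed above, sketched with PDO prepared statements and PHP's `password_hash()`/`password_verify()` in place of string-built SQL and a bare `sha1()`. It assumes PHP 5.5 or later with `pdo_sqlite`, which is newer than the PHP 5.2.4 named in the thread; the in-memory schema, the function names and the sample account are constructed for illustration.

```php
<?php
// Added example: constructed schema and data; function names are hypothetical.
// Assumes PHP 5.5+ (password_hash) and the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, password TEXT NOT NULL)");

// INSERT creates a new row: this is the job of the thread's createAnonymus().
function createAnonymous(PDO $db) {
    $db->exec("INSERT INTO users (email, password) VALUES ('', '')");
    return (int) $db->lastInsertId();
}

// UPDATE ... SET fills in the row that already exists for this visitor.
function registerUser(PDO $db, $userId, $email, $plain) {
    $dup = $db->prepare("SELECT id FROM users WHERE email = ? LIMIT 1");
    $dup->execute(array($email));
    if ($dup->fetchColumn() !== false) {
        return false; // e-mail already registered
    }
    // Salted, slow, one-way hash; salt and cost are stored inside the hash string.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    // Only a still-anonymous row (blank e-mail) may be claimed.
    $upd = $db->prepare("UPDATE users SET email = ?, password = ? WHERE id = ? AND email = ''");
    $upd->execute(array($email, $hash, $userId));
    return $upd->rowCount() === 1;
}

// Fetch the row by e-mail only, then compare with password_verify();
// a salted hash cannot be matched with "AND password = '...'" in SQL.
function loginUser(PDO $db, $email, $plain) {
    $sel = $db->prepare("SELECT id, password FROM users WHERE email = ? LIMIT 1");
    $sel->execute(array($email));
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['password'] === '' || !password_verify($plain, $row['password'])) {
        return false;
    }
    return (int) $row['id'];
}

$id = createAnonymous($db);   // a visitor arrives: one blank row
createAnonymous($db);         // a second visitor who never registers
var_dump(registerUser($db, $id, 'alice@example.test', 'correct horse'));
var_dump(loginUser($db, 'alice@example.test', 'correct horse'));
var_dump(loginUser($db, 'alice@example.test', 'wrong'));
// Count real accounts by excluding the anonymous placeholder rows.
echo $db->query("SELECT COUNT(*) FROM users WHERE email <> ''")->fetchColumn(), "\n";
```

Because the stored value cannot be reversed, a reminder feature built on this table has to issue a reset rather than mail the password back.
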
ZimmerX (Author) - Posted December 2, 2007

Ok. Now it isn't working.

This is what I did:

I created a new column in MySQL, named "sha_password". I copied the values from the column Password over to sha_password and hashed them.

Now, this is the PHP code

```php
<?
require_once("core/mailer.php");

class module extends controller {
    var $params = array("act");
    var $isNeedMysql = true;

    function createAnonymus() {
        $this->db->query("INSERT INTO "._DB_TABLE_PREFIX."users (email, sha_password) VALUES ('','')");
        return $this->db->getLastId();
    }

    function run() {
        $user_id = isset($_REQUEST['user_id']) ? getSafeStr($_REQUEST['user_id']) : null;
        $email = isset($_REQUEST['email']) ? getSafeStr($_REQUEST['email']) : null;
        $password = isset($_REQUEST['password']) ? getSafeStr($_REQUEST['password']) : null;
        $password = sha1($password);

        switch($this->act) {
            case "start_anonymus":
                if($user_id) {
                    $res = $this->db->query("SELECT id FROM "._DB_TABLE_PREFIX."users WHERE id = '".$user_id."' AND email = '' AND sha_password = '' LIMIT 1");
                    if($res) {
                        $res_id = $res["id"];
                    } else {
                        $res_id = $this->createAnonymus();
                    }
                } else {
                    $res_id = $this->createAnonymus();
                }
                $_SESSION['user_id'] = $res_id;
                return array("status" => "start_result", "user" => array("id" => $res_id, "email" => "", "sha_password" => ""));
                break;

            case "start_user":
                if($email && $password) {
                    if($res = $this->db->query("SELECT id FROM "._DB_TABLE_PREFIX."users WHERE email='".$email."' AND sha_password='".$password."' LIMIT 1")) {
                        $_SESSION['user_id'] = $res["id"];
                        return array("status" => "start_result", "user" => array("id" => $res["id"], "email" => $email, "sha_password" => $password ) );
                    }
                }
                $res_id = $this->createAnonymus();
                $_SESSION['user_id'] = $res_id;
                return array("status" => "start_result", "user" => array("id" => $res_id, "email" => "", "sha_password" => ""));
                break;

            case "login_user":
                if(!$email || !$password) {
                    return false;
                }
                $sql = "
                    SELECT id, email
                    FROM "._DB_TABLE_PREFIX."users
                    WHERE email='".$email."' AND sha_password='".$password."'
                    LIMIT 1";
                $res = $this->db->query($sql);
                if(isset($res["id"])) {
                    $_SESSION['user_id'] = $res["id"];
                    return array("status" => "login_ok", "user" => array("id" => $res["id"], "email"=>$email, "sha_password"=>$password ) );
                } else {
                    return array("status" => "login_error");
                }
                break;

            case "register_user":
                if(!$email || !$password) {
                    return false;
                }
                $sql = "
                    SELECT id, email, sha_password
                    FROM "._DB_TABLE_PREFIX."users
                    WHERE email='".$email."'
                    LIMIT 1";
                $res = $this->db->query($sql);
                if(isset($res["id"])) {
                    return array("status" => "register_error");
                } else {
                    $sql = "
                        UPDATE "._DB_TABLE_PREFIX."users
                        SET email = '".$email."', sha_password = '".$password."'
                        WHERE id = '".$this->user_id."'
                        LIMIT 1";
                    $this->db->query($sql);
                    $m = new Mailer;
                    $m->email = $email;
                    $m->pwd = $password;
                    $m->server = $_SERVER["SERVER_NAME"];
                    $m->compose("templates/mail/registration");
                    $m->send($email);
                    return array("status" => "register_ok", "user" => array("id" => $this->user_id, "email" => $email, "sha_password" => $password) );
                }
                break;

            case "logout":
                session_destroy();
                return array("status" => "logout_ok");
                break;

            case "remind_pwd":
                if($email) {
                    $sql = "
                        SELECT id, sha_password
                        FROM "._DB_TABLE_PREFIX."users
                        WHERE email='".$email."'
                        LIMIT 1";
                    $res = $this->db->query($sql);
                    if(isset($res["id"])) {
                        $m = new Mailer;
                        $m->pwd = $res["password"];
                        $m->compose("templates/mail/password_recovery");
                        $m->send($email);
                    }
                }
                return array("status" => "pwd_sent");
                break;
        }
    }
}
?>
```

That SHOULD WORK. I changed all the MySQL column values from password to sha_password. So tell me, why is it not working?

The code I used in MySQL was the following

```sql
UPDATE users SET sha_password = SHA1(password) WHERE 1 = 1
```

After creating the new column (originally got from here http://www.phpfreaks.com/forums/index.php/topic,168839.msg744667.html)

All the MySQL worked, but the PHP doesn't. I log in with the correct details, and it loads the page, but I am signed out again. I tested to see if the user was the problem, but it wasn't because it correctly detects if the user exists or not.

I don't understand where I have gone wrong.