dnabbrocks

Agreed, and I am aware of the difference. I guess I'm looking for which I should be using. Now I'm trying to have the user changed their password, when I print the query the crypted password passing is not matching the password that was crypted when the user registered, and is already in the database.

Thanks for the input. I've seen "crypt" to encrypt the passwords as well. Do you have any input on this? Thanks

Hello. I've been trying to determine the best encryption method for passwords on my site. I've used sha1 as is in the book. Can you please explain why this is the best method, if you believe it is, for securing passwords on my site rather than md5 or crypt, etc? Thanks

Good point. We really don't expect to get that many users at first, but we want to be prepared if/when we do, so that we don't need to recreate the databases later. Thanks

Hi. I'm creating a site where users can create different "groups". We're at the point where we're designing the database, and we're not sure how to proceed to maintain security, while not compromising performance. Our current design uses one database with three tables per group: settings, members, and message board/forum. Our concern is that if this site becomes what we hope, we may have hundreds or thousands of "groups" each with three tables in the database, the database would be massive. We were also considering having one table for all groups containing the group settings and then two tables per group (members and message board). Or, do we make each group its own separate database? Our site is not going to sell anything or keep personal information but we want to give our end users the best experience possible.

Okay. I've done what the appendix says, but there is no php.ini file in my server's directory. If I download and insert it, where should it go? Thanks for the help.

Okay. Will do. Thanks

After typing this, i realize nothing will be returned, because no info was in submitted. Which query would I run in mysql if nothing is submitted?

I've tried this in mysql client and I get an empty result: SELECT user_id, first_name FROM users WHERE email_address='$em' AND user_password=SHA1('$p')

Hello. I've been over this a million times but can't figure out what the problem is. I've been trying to get this to work but every time I try to login it tells me the username and password don't match those on file. However, I know that they are in because I've created a register script that works and they are in my database. Any help would be GREATLY appreciated. Thanks in advance. Login: <?php if ($_SERVER['REQUEST_METHOD'] == 'POST') { // Need two helper files: require ('includes/login_functions.php'); require ('../mysql_connect.php'); //Select Database: mysql_select_db(UDB_NAME, $dbc) OR die("Could not select the database: " . UDB_NAME . " " . mysql_error() ); // Check the login: list ($check, $data) = check_login($dbc, $_POST['email_address'], $_POST['user_password']); if ($check) { // OK! // Set the session data: session_start(); $_SESSION['user_id'] = $data['user_id']; $_SESSION['first_name'] = $data['first_name']; // Store the HTTP_USER_AGENT: $_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']); // Redirect: $url = absolute_url ('loggedin.php'); header("Location: $url"); } else { // Unsuccessful! // Assign $data to $errors for login_page.inc.php: $errors = $data; } mysql_close($dbc); // Close the database connection. } // End of the main submit conditional. // Create the page: include ('includes/login_page.php'); ?> Loggedin <?php # Script 12.13 - loggedin.php #3 // The user is redirected here from login.php. session_start(); // Start the session. // If no session value is present, redirect the user: // Also validate the HTTP_USER_AGENT! if (!isset($_SESSION['agent']) OR ($_SESSION['agent'] != md5($_SERVER['HTTP_USER_AGENT']) )) { // Need the functions: require ('includes/login_functions.php'); redirect_user(); } // Set the page title and include the HTML header: $page_title = 'Logged In!'; include ('includes/header.php'); // Print a customized message: echo "<h1>Logged In!</h1> <p>You are now logged in, {$_SESSION['first_name']}!</p> <p><a href=\"logout.php\">Logout</a></p>"; include ('includes/footer.php'); ?> Login_functions <?php function redirect_user ($page = 'index.php') { $url = 'http://' . $_SERVER['HTTP_localhost'] . dirname($_SERVER['PHP_SELF']); // Remove any trailing slashes: $url = rtrim($url, '/\\'); // Add the page: $url .= '/' . $page; // Redirect the user: header("Location: $url"); exit(); // Quit the script. } // End of redirect_user() function. function check_login($dbc, $email_address = ' ', $user_password = ' ') { $errors = array(); // Initialize error array. // Validate the email address: if (empty($email_address)) { $errors[] = 'You forgot to enter your username.'; } else { $em = mysql_real_escape_string($dbc, trim($email_address)); } // Validate the password: if (empty($user_password)) { $errors[] = 'You forgot to enter your password.'; } else { $p = mysql_real_escape_string($dbc, trim($user_password)); } if (empty($errors)) { // If everything's OK. // Retrieve the user_id and first_name for that email/password combination: $q = "SELECT user_id, first_name FROM users WHERE email_address='$em' AND user_password=SHA1('$p')"; $r = @mysql_query ($dbc, $q); // Run the query. // Check the result: if (mysql_num_rows($r) == 1) { // Fetch the record: $row = mysql_fetch_array ($r, MYSQL_ASSOC); // Return true and the record: return array(true, $row); } else { // Not a match! $errors[] = 'The username and password entered do not match those on file.'; } } // End of empty($errors) IF. // Return false and the errors: return array(false, $errors); } // End of check_login() function. Login_page <?php # Script 12.1 - login_page.inc.php // This page prints any errors associated with logging in // and it creates the entire login page, including the form. // Include the header: $page_title = 'Login'; // Print any error messages, if they exist: if (isset($errors) && !empty($errors)) { echo '<h1>Error!</h1> <p class="error">The following error(s) occurred:<br />'; foreach ($errors as $msg) { echo " - $msg<br />\n"; } echo '</p><p>Please try again.</p>'; } // Display the form: ?> <h1>Login</h1> <form action="login.php" method="post"> <p>Email Address: <input type="text" name="email_address" size="20" maxlength="60" /> </p> <p>Password: <input type="password" name="user_password" size="20" maxlength="20" /></p> <p><input type="submit" name="submit" value="Login" /></p> <input type="hidden" name="submitted" value="TRUE"> </form> <?php include ('includes/footer.php'); ?>