Search the Community

Chapter 13 page 421 creating a receipt page.... Wondering if anyone else had this issue or if anyone can recommend a work around... For the query to grab the order info .. this is not working "SHA1(email)=?".. I have echo out $email_hash and and I have echo out echo sha1(email address in the order)....they are the same... I am wondering if there is a mysqli issue when using sha1?

<?php # Script 18.8 - login.php // This is the login page for the site. require ('includes/config.inc.php'); $page_title = 'Login'; include ('includes/header.html'); if ($_SERVER['REQUEST_METHOD'] == 'POST') { require (MYSQL); // Validate the email address: if (!empty($_POST['email'])) { $e = mysqli_real_escape_string ($dbc, $_POST['email']); } else { $e = FALSE; echo '<p class="error">You forgot to enter your email address!</p>'; } // Validate the password: if (!empty($_POST['pass'])) { $p = mysqli_real_escape_string ($dbc, $_POST['pass']); } else { $p = FALSE; echo '<p class="error">You forgot to enter your password!</p>'; } if ($e && $p) { // If everything's OK. include('includes/lib/password.php'); // Query the database: $q = "SELECT user_id, first_name, user_level FROM users WHERE (email='$e' AND pass='" . password_hash($p, PASSWORD_BCRYPT) . "') AND active IS NULL"; $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc)); if (@mysqli_num_rows($r) == 1) { // A match was made. // Register the values: $_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC); mysqli_free_result($r); mysqli_close($dbc); // Redirect the user: $url = BASE_URL . 'index1.php'; // Define the URL. ob_end_clean(); // Delete the buffer. header("Location: $url"); exit(); // Quit the script. } else { // No match was made. echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>'; } } else { // If everything wasn't OK. echo '<p class="error">Please try again.</p>'; } mysqli_close($dbc); } // End of SUBMIT conditional. ?> <h1>Login</h1> <p>Your browser must allow cookies in order to log in.</p> <form action="login.php" method="post"> <fieldset> <p><b>Email Address:</b> <input type="text" name="email" size="20" maxlength="60" /></p> <p><b>Password:</b> <input type="password" name="pass" size="20" maxlength="20" /></p> <div align="center"><input type="submit" name="submit" value="Login" /></div> </fieldset> </form> <?php include ('includes/footer.html'); ?> include('includes/lib/password.php'); // Add the user to the database: $q = "INSERT INTO users (email, pass, first_name, last_name, active, registration_date) VALUES ('$e', '" . password_hash($p, PASSWORD_BCRYPT) . "', '$fn', '$ln', '$a', NOW() )"; $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc)); I am trying to use the password_hash encryption technique for the Ch 18 example rather than SHA1. I was able to successfully register via changing the registration query (see second script, which includes 'lib/password.php' due to my version of Php). However, when I try to login (see top script), it indicates my password doesn't match what's on file. Is it possible something needs changed in the login's validation? Or have I possibly missed something else? Any help would be greatly appreciated.

I'm rebuilding a registration system with the model from your book, but I keep coming across articles that say SHA1, SALT, and SHA256 are not very useful anymore. Therefore, I am thinking of using scrypt, or something like it to handle encryption. Is this an overblown issue? If it is a valid concern, do you have any advice on how to implement it with the code from the book? I am using a hosted server, in case that is important for downloading etc.