Jump to content
Larry Ullman's Book Forums

Recommended Posts

Hello,

 

My name is Pejman Ghasemi. first of all I want to thanks Mr.Larry Ullman. PHP 6 AND MYSQL5 is the best book I have ever read. I never could understand the example and explanation of other books but this one is easy and useful.

 

Unfortunately Whole Today I worked on script 8.3 to run it but have not run it yet. so i decided to ask you help me.

 

			require_once('includes/db.php');
		$e= "test";
		$cp = 'test';
		$np = 'pejman';

		$q = "SELECT user_id FROM users WHERE (email='$e' AND pass=SHA1('$cp'))";
		$r = mysqli_query($dbc,$q);
		$num = mysqli_num_rows($r);
		echo 'step1';
		if ($num == 1){ //check if there is any email and the password matched
			echo 'step2';
			//Receive user_id data
			$row = mysqli_fetch_array($r,MYSQLI_NUM);
			echo $row[0];

			//Make update query
			$q = "UPDATE users SET pass=SHA1('$np') WHERE user_id=$row[0]";
			$r = mysqli_query($dbc,$q);

			if (mysqli_affected_rows($dbc)==1){ //if update ran ok...

				echo '<h1>Thank you</h1>';
				echo '<p>Your password changed.</p>';

			}else{ //else of if update ran ok...

				echo '<h1>Error</h1>';
				echo '<p>Sorry we faced an unknown error system Please try again.</p>';

			} //end of if update ran ok...
		}else{

		echo 'step3';
		}

 

I put echo 'steps' to know which step is work properly. by changing parameters to wrong data i see step 1 and step 3 but i have never seen step 2....

Please help me .

 

Thank you very much.

Link to comment
Share on other sites

Hmm... Not sure if I see anything right away that would cause it not to select. Try this:

 

Right after you echo 'step3', put this:

 

echo mysqli_errno($dbc) . '<br />';
echo mysqli_error($dbc);

 

 

It will return a mysqli error code and string which should provide more information.

Link to comment
Share on other sites

Common reasons for you not seeing step 2 here might be:

 

  1. Error in your query syntax but error reporting is not turned on e.g. column name mismatch
  2. Password column is defined as CHAR(32) it should be CHAR(40)
  3. You have more than 1 row with the same content e.g. Duplicate entries
  4. The password was originally stored in plain text not SHA1 hashed

 

See if any of those apply.

Link to comment
Share on other sites

Hi and thank you Zanimation and Stuart.

 

Finally I could understand what is the problem. There was a wrong with SHA1. I removed the condition of AND in this line:

 

$q = "SELECT user_id FROM users WHERE (email='$e' AND pass=SHA1('$cp'))";

Changed to:

$q = "SELECT user_id FROM users WHERE email='$e'";

I was able to run step 2 successfully. I think I need to trim($cp) and trim($np) to give me the best result.

But i do not understand why trim() should be apply for password.

As I understand, trim a string like:

$p="      t!=1   ";
trim ($p);
echo  $p; // This line will print "t!=1"

It removes spaces before and after. But as I know we always use spaces to make our password stronger.

 

I will be happy to answer this question too.

Thank you very much

Pejman

Link to comment
Share on other sites

Hi and thank you Zanimation and Stuart.

 

Finally I could understand what is the problem. There was a wrong with SHA1. I removed the condition of AND in this line:

 

$q = "SELECT user_id FROM users WHERE (email='$e' AND pass=SHA1('$cp'))";

Changed to:

$q = "SELECT user_id FROM users WHERE email='$e'";

I was able to run step 2 successfully. I think I need to trim($cp) and trim($np) to give me the best result.

But i do not understand why trim() should be apply for password.

As I understand, trim a string like:

$p="      t!=1   ";
trim ($p);
echo  $p; // This line will print "t!=1"

It removes spaces before and after. But as I know we always use spaces to make our password stronger.

 

I will be happy to answer this question too.

Thank you very much

Pejman

 

Hmm...

 

I haven't read the book, but it seems like what the script was trying to do was to ensure that the user knows the current password in order to enter in a new password, otherwise he/she cannot enter a new password.

 

By removing the second part of the AND clause, you are completely bypassing that validation, so you'll definitely want to leave it in.

 

Instead, let's try to figure out why SHA1 did not work. There are a few reasons why it's not working:

 

  1. Check that the column name 'pass' is consistent in the script and in the database
  2. If column names are consistent, check if the password is encrypted
  3. If encrypted, check that the SHA1 encrypted value for 'test' is the same in the database

 

You can check if the encrypted values are the same by inserting this temporary line after $cp='test';

echo sha1($cp);

Then compare the encrypted string with what's in the database. If it's not the same, then something went wrong with inserting the original password.

Link to comment
Share on other sites

Hello Zanimation, I put the registrar data into database and modifier file included line below:

 

Register.php

<div id="content">
<?php
$errorys = array();
if (isset($_POST['Submitted'])) {
$errors = array(); // put errors into an array

// Validate first name
	if (empty($_POST['first_name'])){
	$errors[] = 'Please enter first name';
	}else{
	$fn = trim($_POST['first_name']);
	}
// Validate Last Name
	if (empty($_POST['last_name'])){
	$errors[] = 'Please enter last name';
	}else{
	$ln = trim($_POST['last_name']);
	}
// Validate email address
			if (empty($_POST['email'])){
	$errors[] = 'Please fill email address';
	}else{
	$e = trim($_POST['email']);
	}

// Validate password to enter both verification and main password
			if (!empty($_POST['password']) && !empty($_POST['verification_password'])){

	// Validate that passwords are matched or not
				if ($_POST['password']==$_POST['verification_password']){
				$p = trim($_POST['password']);
				}else{
				$errors[] = 'Passwords are mismatched';
				}

			}else{
			$errors[] = 'Passwords has not entered yet';
			}
if(empty($errors)){ //check for errors
//connect to db
require_once('includes/db.php');
// make query
$q = "INSERT INTO users (first_name, last_name, email, pass, registration_date)
VALUES ('$fn', '$ln', '$e', SHA1('$p'), NOW())";
$r = @mysqli_query ($dbc,$q); //run mysql query
if ($r) { //if it worked properly

echo "Thank you, Mr.$ln, your registration done successfully"; //print success message
} else{ //if it did not work properly
echo "An unknown error occured please contact admin if this error persist"; //error message
}

}else{
// if errors occured show errors;
foreach($errors as $msg){
echo " - $msg <br/>\n";
}
echo '<p>please try again.</p>';
}
}
?>
<form method="Post" action="register.php">
<br/><br/>First Name: <input type="text" name="first_name" value="<?php if(isset($_POST['first_name'])) {echo $_POST['first_name']; }?>" /> <br/><br/>
Last Name: <input type="text" name="last_name" value="<?php if(isset($_POST['last_name'])) {echo $_POST['last_name']; }?>" /> <br/><br/>
Email: <input type="text" name="email" size="40" value="<?php if(isset($_POST['email'])) {echo $_POST['email']; }?>" /> <br/><br/>
Password: <input type="password" name="password" /> <br/><br/>
Verify Password: <input type="password" name="verification_password" /> <br/><br/>
<input type="hidden" name="submitted" value="1" />
<input type="submit" value="submit" /> <br/>
</form>
</div>

 

Change password file ,password.php:

 


<?php 
require_once('includes/db.php'); //Connect to Database
$errors = array();

if (isset($_POST['submitted'])){ //Check if form is submitted

	if (empty($_POST['email'])){ //check if email is empty

		$errors[] = 'Please enter your email.';

	}else{ //else of check if email is empty

		$e = mysqli_real_escape_string ($dbc,trim($_POST['email']));

	}//end of check if email is empty




	if (empty($_POST['password'])){ //check if password is empty

		$errors[]= 'Please enter your current password.';

	}else{ //else of check if email is empty

		$cp = mysqli_real_escape_string($dbc,trim($_POST['password']));

	}//end of check if email is empty




	if (empty($_POST['password2'])){ //check if new password is empty

		$errors[]= 'Please enter your new password.';

	}else{ //else of check if new password is empty

		if ($_POST['password2'] != $_POST['confirm_password2']){ //check if the both confirm password and new passord matched.

			$errors[] = 'Confirmation password is mismatched.';

		}else{ //else of check if the both confirm password and new passord matched.

			$np = mysqli_real_escape_string($dbc,trim($_POST['password2']));

		}//end of check if the both confirm password and new passord matched.


	}//end of check if new password is empty




	if(empty($errors)){ //check if proccess run with no error.

		$q = "SELECT user_id FROM users WHERE (email='$e' AND pass=SHA1('$cp'))";
		$r = @mysqli_query($dbc,$q);
		$num = @mysqli_num_rows($r);

		if ($num==1){ //check if there is any email and the password matched

			//Receive user_id data
			$row = mysqli_fetch_array($r,MYSQLI_NUM);


			//Make update query
			$q = "UPDATE users SET pass=SHA1('$np') WHERE user_id=$row[0]";
			$r = @mysqli_query($dbc,$q);

			if (mysqli_affected_rows($dbc)==1){ //if update ran ok...

				echo '<h1>Thank you</h1>';
				echo '<p>Your password changed.</p>';

			}else{ //else of if update ran ok...
				echo "mysqli_error('$dbc')":
				echo '<h1>Error</h1>';
				echo '<p>Sorry we faced an unknown error system Please try again.</p>';

			} //end of if update ran ok...


		}else{ //else of check if there is any email and the password matched
			echo '<h1>Error</h1>';
			echo '<p>Sorry we could not find such entered details.</p>';


		}//end of check if there is any email and the password matched



	}else{ //else of check if proccess run with no error.

		echo '<p>We encounter below errors:<br/>\n</p>';
		foreach ($errors as $msg){ //Print occured errors.
			echo "<p> -$msg</p>";
		}
		echo '<p>please try again.</p>';


	} //end of check if proccess run with no error.
}//Check if form is submitted or not
?>

 

And even I describe user table below:

 

 

 

Field - Type -Key -Extra information

(user_id) - mediumint(8) unsigned - NOT NULL - PRIMARY KEY - AUTO INCREMENT

(first_name) - varchar(20) - NOT NULL

(last_name) - varchar(40) - NOT NULL

(email) - varchar(60) - NOT NULL

(pass) - char(40) - NOT NULL

(registration_date) - datetime - NOT NULL

 

 

At the end I want to thank you very much. and sorry for bad writing models because i am a novice in programming language and i do not know where should i put spaces or comments.

Link to comment
Share on other sites

Thanks for the nice words on the book. It is appreciated. So to confirm, are you still having a problem or no?

 

Hi,

 

Actually I have some questions in this topics that are still unanswered.

 

First:

I have not understood yet, why trim() should be apply for password.

As I understand, trim a string is something like:

 

$p="      t!=1   ";
trim ($p);
echo  $p; // This line will print "t!=1"

It removes spaces before and after. But as I know we always use spaces to make our password stronger.

 

And my final question what is the problem with my script that has not worked yet. I have not found syntactical problem but maybe I have logical.

 

Thank you very much.

Link to comment
Share on other sites

But as I know we always use spaces to make our password stronger.

 

The password policy enforced by Larry's scripts via the REGEX only allow for letters, numbers and the underscore. Not sure if there's a technical reason for not allowing spaces in passwords but if you want to remove trim then you might aswel alter the REGEX also to allow for spaces. A lot of sites I can think of don't allow spaces in the password - presumably there's some reason for this.

 

If you want to create more secure passwords enforce the use of upper and lowercase characters, numbers and symbols and a minimum length of say 8.

Link to comment
Share on other sites

I would further argue that using one or more spaces at the beginning and end of a password doesn't add much security whereas not using trim() could make things much harder for your users if extra spaces inadvertently get in there (before or after). This can happen through no fault of their own, by the way, like if the HTML isn't tight. That's my opinion, anyway.

 

As for your problem, if I understand you correctly, the use of SHA1() is making the query not return any results. You can compare the stored value to what it should be by just running the password through SHA1() and echoing the result, then comparing this value to the stored value. Perhaps the original, stored password isn't what you think it is? You could also reset the stored password and test it again.

Link to comment
Share on other sites

 Share

×
×
  • Create New...