|
PHP - Need Help With Password Validation
I want to add password validation to this code so that it displays "Incorrect Password" if the email and password doesn't match...Need some help..
<?php
include('dbconnect.php');
session_start();
if(isset($_POST['userLogin'])){
$email=mysqli_real_escape_string($conn,$_POST['email']);
$pwd=md5($_POST['pwd']);
$sql="SELECT * FROM user_info WHERE email='$email' AND password='$pwd'";
$run_query=mysqli_query($conn,$sql);
$count=mysqli_num_rows($run_query);
if($count==1){
$row=mysqli_fetch_array($run_query);
$_SESSION['uid']=$row['user_id'];
$_SESSION['uname']=$row['first_name'];
echo "true";
}
}
?>
Similar TutorialsI am a newbie to php. Ran away from it from years but now I see the light! I am in the process of developing a web site application w/ MySql backend and I would like to do the following: 1. Client registers for my site. 2. How do I create code that validates password format to meet my password criteria (i.e. (2) capital letters, (2) special characters etc etc. Hi, I am trying to set up a useername / password validation log in for a website - code below. I'm fairly new to php, so my understanding of what I have done is: config and env pick up some basic info including the servername, username, password and dbname for the connection, $_POST["username"] and $_POST["pwd"] are the values entered by the user on a previous log in page. Users is queried to bring back the data in $sql where the posted username ($userid) matches the UserName in the table. This is then checked to ensure there is one row returned - if not we go to test3.php If there is one row, the password entered on the log in ['pwd'] is compared to the password in the table. If they match we go to test1.php If they don't we go to test2.php test1.php test2.php and test3.php are holding pages which just display "Success", "incorrect password" or "No User" to check that this codeworks and will be replaced later.When I go through the login page and put an invalid user name, I get sent to test3.php - this is correct. However, if a put in a valid user name and a password, I get sent to test2.php (incorrect password) regardless of the password used being correct or not. Which makes me think the validation is not working.
This is the code from the input page for username & password:
<div style="display: table-row">
Thanks in advance for any assistance.
<?php
//get config and environment files - includes session script and database ID
require_once("config.php");
require_once("env.php");
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error)
{ die("Connection failed: " . $conn->connect_error); }
$userid = $_POST["username"];
$sql = "SELECT UserID, UserName, Psswrd, FirstName, LastName, UserType FROM Users WHERE UserName = '$userid';";
$result = $conn->query($sql);
$row = mysqli_fetch_assoc($result);
if ($result->num_rows == 1)
{ $pwcheck = $row['Psswrd'];
if(password_verify($_POST["pwd"],$pwcheck))
{ header("Location: test1.php");
exit();
}else
{ header("Location: test2.php");
exit();
}
}else
{ header("Location: test3.php");
exit(); }
?>
Quote
I am trying to validate username and password fields. I want to use preg match, but have little knowledge of this function. I want the password to only contain A-z 0-9 and with at least one letter and one number. Username needs to only include "A-z 0-9 _ -" no spaces in any of these. Here is what I have so far: $username= $_POST['username']; $password = $_POST['password']; $password2 = $_POST['password2']; if($password==$password2){ if( preg_match("[A-z0-9]", $password) || strlen($password)>6 // at least 7 chars || strlen($password)<26 // at most 20 chars ){$errors[] = 'Password must contain at least one number and letter plus be between 7-25 characters. May only contain alphanumeric characters, _ and .';} }else{$errors[] = 'Your Passwords did not Match';} if( preg_match("[A-z0-9_-]", $username) || strlen($username)>5 // at least 6 chars || strlen($username)<26 // at most 25 chars ){ $errors[] = 'Username must be 6-25 characters and contain only alphanumeric characters, _ and .'; } Hello ever1 , I ve created a php password change script with validation but its nt working properly can any1 please help me with this as m new with php???? below m pasting the code : <?php session_start(); include "connection.php"; //include_once('header1.php'); $msg=""; if($_SERVER['REQUEST_METHOD']=='POST' && empty($_POST['username']) || empty($_POST['password']) || empty($_POST['newpass']) || empty($_POST['newpassconfirm']) ) { $msg="empty fields"; } { $user=$_POST['username']; $pass=$_POST['password']; $newpass=$_POST['newpass']; $confirmpass=$_POST['newpassconfirm']; $result=mysql_query("SELECT password FROM user WHERE username='$user'"); if(!$result) { $msg="The Username You Entered Does not Exist"; } elseif($pass!= mysql_result($result,0)) { echo $msg="You Entered An Incorrect Password"; } if($newpass != $confirmpass) { $msg = "Passwords do not match"; } elseif($newpass=$confirmpass) $sql=mysql_query("update user set password='$newpass' where username ='$user'"); if($sql) { echo "Congrats you have successfully changed your password."; } header('refresh:3 databases.php'); } { ?> <html> <body> <?php echo $msg ; ?> <form class="changepass" action="changepass.php" method="POST"><P> <table><tr><td> Enter ur username :</td> <td> <input type="text" name="username" /></td></tr> <tr><td>Enter ur existing pass : </td><td><input type="password" name="password" /></td></tr> <tr><td>Enter ur new pass :</td> <td><input type="password" name="newpass" /></td></tr> <tr><td>Renter ur new pass :</td> <td><input type="password" name="newpassconfirm" /></td></tr> <tr><td><input class="cpassbtn" name="Submit" type="image" value="Submit" src="passnrm.png" onmouseover="this.src='passhvr.png'" onmouseout="this.src='passnrm.png'"></td></tr> </table> </form> </body> </html> <?php }?> I am trying to use the new way of validating the entered email in a register form. Code: [Select] /* REGISTER FORM */ // check if submit button has been clicked if (isset($_POST['submit_signup'])) { // process and assign variables after post submit button has been clicked $user_email = strip_tags(trim($_POST['email'])); $user_email = filter_var($user_email, FILTER_VALIDATE_EMAIL); $nickname = strip_tags(trim($_POST['nickname'])); $password = $_POST['password']; $repassword = $_POST['repassword']; $month = $_REQUEST['month']; $day = $_REQUEST['day']; $year = $_REQUEST['year']; $dob = $year . "-" . $month . "-" . $day; $find_us_question = strip_tags(trim($_POST['find_us_question'])); // connect to database $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); $check_query = "SELECT * FROM user WHERE nickname = '$nickname'"; $check_connect = mysqli_query($dbc, $check_query) or die(mysqli_error($dbc)); $check_count = mysqli_num_rows($check_connect); // Check if the email exists twice $query_get = "SELECT email FROM user WHERE email = '$user_email'"; $query_run = mysqli_query($dbc, $query_get); $num_rows = mysqli_num_rows($query_run); // check if username is already taken if ($check_count != 0) { echo "Username already exists!"; } elseif ($num_rows != 0) { echo "This email address is already registered in the database, you can not register it twice."; // check if fields are empty } elseif (empty($user_email) || empty($nickname) || empty($password) || empty($day) || empty($month) || empty($year)) { echo "Please fill out all the fields!"; // check char length of input data } elseif (strlen($nickname) > 30 || strlen($user_email) > 50) { echo "Maximum allowed character length for nickname/firstname/lastname are 30 characters!"; // check password char length } elseif (strlen($password) > 25 || strlen($password) < 6) { echo "Your password must be between 6 and 25 characters!"; // check if passwords match with each other } elseif ($password != $repassword) { echo "Please make sure your passwords are matching!"; } else { // encrypt password $password = sha1($password); I would like to implement now an error message stating something along the lines that the entered email address is not valid, how would I have to do the if statement to check the condition? Hello PhP Freaks forum In the past weeks ive been trying to make a website, where you can register. Everything seems to work except my cherished Change password feature. Everytime you try to change the password, it just resets it to nothing. Here is the code below. <?php if(isset($_SESSION['username'])) { $username = $_SESSION['username']; $lastname = $_SESSION['lastname']; $firstname = $_SESSION['firstname']; $email = $_SESSION['email']; echo " <h4>Options for:</h4> $username <br /> <br /> First name: $firstname <br />Last name: $lastname <br /><br /><h3>Want to change your password:</h3><br /> <form action='?do=option' method='post'> Old password <input type='password' placeholder='Has to be between 5-15 digits' name='password' size='30' value='' /><br /> <br /> New Password<input type='password' placeholder='Has to be between 5-15 digits' name='newpass' size='30' value='' /><br /> <br /> Confirm new password <input type='password' placeholder='Has to be between 5-15 digits' name='passconf' size='30' value='' /><br /> <center></div><input type='submit' value='Submit'/></center></form>"; }else{ echo 'Please login to view your options!'; } $password = $_REQUEST['password']; $pass_conf = $_REQUEST['newpass']; $email = $_REQUEST['passconf']; $connect = mysql_connect("Host", "User", "Password"); if(!$connect){ die(mysql_error()); } //Selecting database $select_db = mysql_select_db("My Database", $connect); if(!$select_db){ die(mysql_error()); } //Find if entered data is correct $result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'"); $row = mysql_fetch_array($result); $id = $row['id']; mysql_query("UPDATE users SET password='$newpass' WHERE username='$user'") ?> And i do know that i dont have a if(Empty($newpass)){ Die(Please fill out the new password) } Or any security on the others, but the problem just seems that it resets the password into nothing Hope i can get this fixed Best Regards William Pfaffe <?php
require_once('upper.php'); require_once('database.php'); echo $error_msg=''; if(isset($_POST['submit'])) { $LoginId=mysqli_real_escape_string($dbc,trim($_POST['LoginId'])); $Password1=mysqli_real_escape_string($dbc,trim($_POST['Password1'])); $Password2=mysqli_real_escape_string($dbc,trim($_POST['Password2'])); $Name=mysqli_real_escape_string($dbc,trim($_POST['Name'])); $Age=mysqli_real_escape_string($dbc,trim($_POST['Age'])); $BloodGroup=mysqli_real_escape_string($dbc,trim($_POST['BloodGroup'])); if(!isset($_POST['Sex'])) { echo 'Please enter Sex<br>'; } else{ $Sex= mysqli_real_escape_string($dbc,trim($_POST['Sex'])); } $Qualification=mysqli_real_escape_string($dbc,trim($_POST['Qualification'])); $ContactNumber=mysqli_real_escape_string($dbc,trim($_POST['ContactNumber'])); $Email=mysqli_real_escape_string($dbc,trim($_POST['Email'])); $Address=mysqli_real_escape_string($dbc,trim($_POST['Address'])); $AboutYourself=mysqli_real_escape_string($dbc,trim($_POST['AboutYourself'])); //$countCheck=count($_POST['checkbox']); //echo $countCheck; //$checkbox=$_POST['checkbox']; //$countCheck=count($checkbox); if(empty($LoginId)){echo 'Please enter Login Id';} elseif(empty($Password1)){echo 'Please enter Password';} elseif(empty($Password2)){echo 'Please confirm Password';} elseif($Password1!==$Password2){echo 'Password didn\'t match';} elseif(empty($Name)){echo 'Please enter Name';} elseif(empty($Age)){echo 'Please enter Age';} elseif(!isset($_POST['Sex'])){} elseif(empty($Qualification)){echo 'Please enter Qualification';} elseif(empty($ContactNumber)){echo 'Please enter Contact Number';} elseif(empty($Email)){echo 'Please enter Email';} elseif(empty($Address)){echo 'Please enter Address';} elseif(empty($AboutYourself)){echo 'Please enter About Yourself';} elseif(!isset($_POST['checkbox'])){ echo 'You have to register at least one activity.';} elseif(!isset($_POST['TermsAndConditions'])){ echo 'You have to agree all Terms and Conditions of Elite Brigade.';} else { require_once('database.php'); $query="select * from registration where LoginId='$LoginId'"; $result=mysqli_query($dbc,$query); if(mysqli_num_rows($result)==0) { $checkbox=$_POST['checkbox']; $countCheck=count($_POST['checkbox']); $reg_id=' '; for($i=0;$i<$countCheck;$i++) { $reg_id=$reg_id.$checkbox[$i].','; $query="insert into activity_participation (LoginId,Title,Date) values ('$LoginId','$checkbox[$i]',CURDATE())"; $result=mysqli_query($dbc,$query) or die("Not Connected"); } $query="insert into registration (LoginId,Password,Name,Age,BloodGroup,Sex,Qualification,ContactNumber,Email,Address,AboutYourself,Activity)values ('$LoginId'[B],SHA('$Password1'),[/B]'$Name','$Age','$BloodGroup','$Sex','$Qualification','$ContactNumber','$Email','$Address','$AboutYourself',',$reg_id')"; $result=mysqli_query($dbc,$query) or die("Not Connect"); echo ' Dear '.$Name.'.<br>Your request has been mailed to admin.<br>Your account is waiting for approval<br>'; $from= 'Elite Brigade'; $to='ankitp@rsquareonline.com'; $subject='New User Registration'; $message="Dear admin,\n\nA new user request for registration. Please check it out.\n\nRegards\nMicro"; mail($to,$subject,$message,'From:'.$from); //header('Location: index.php'); // header('Location: Registration.php'); } else { echo 'Dear '.$Name. ', <br> An account already exist with login-id<b> '.$LoginId.'</b> <br>Please try another login-id'; }} } ?> <html> <head> <script src="jquery-latest.js"></script> <script type="text/javascript" src="jquery-validate.js"></script> <style type="text/css"> * { font-family: Verdana; } label.error { color: white; padding-left: .5em; } p { clear: both; } .submit { margin-left: 12em; } em { font-weight: bold; padding-right: 1em; vertical-align: top; } </style> <script> $(document).ready(function(){ $("#commentForm").validate(); }); </script> </head> <body> <?php echo $error_msg; ?> <form action='<?php echo $_SERVER['PHP_SELF'];?>' id="commentForm" method='post'> <div class="registration_and_activity"> <table border="0" width="380"> <tr><td colspan="2"> <h3>New User?</h3></td></tr> <tr><td width="120"> <em>*</em>Enter Login id</td><td width="150"><input type='text' name='LoginId' minlength="4" value='<?php if(!empty($LoginId))echo $LoginId;?>' /></td></tr> <tr><td> <em>*</em>Enter Password</td> <td><head> <div id="divMayus" style="visibility:hidden">Caps Lock is on.</div> <SCRIPT language=Javascript> function capLock(e){ kc = e.keyCode?e.keyCode:e.which; sk = e.shiftKey?e.shiftKey:((kc == 16)?true:false); if(((kc >= 65 && kc <= 90) && !sk)||((kc >= 97 && kc <= 122) && sk)) document.getElementById('divMayus').style.visibility = 'visible'; else document.getElementById('divMayus').style.visibility = 'hidden'; } </SCRIPT> </HEAD> <input onkeypress='return capLock(event)' type='password' name='Password1' value='<?php if(!empty($Password1))echo $Password1;?>' /></td></tr> <tr><td> <em>*</em>Confirm Password</td><td><input type='password' name='Password2' value='<?php if(!empty($Password2))echo $Password2;?>' /></td></tr> <tr><td width="120"> <em>*</em>Enter Name</td> <td><input type='text' name='Name' value='<?php if(!empty($Name))echo $Name;?>' /></td></tr> <tr><td> <em>*</em>Enter Age</td><HEAD> <SCRIPT language=Javascript> function isNumberKey(evt) { var charCode = (evt.which) ? evt.which : event.keyCode if (charCode > 31 && (charCode < 48 || charCode > 57)) return false; return true; } </SCRIPT> </HEAD> <td><INPUT onkeypress='return isNumberKey(event)' type='text' name='Age' value='<?php if(!empty($Age))echo $Age;?>'/></td></tr> <tr><td> <em>*</em>Enter Blood</td><td><input type='text' name='BloodGroup' value='<?php if(!empty($BloodGroup))echo $BloodGroup;?>' /></td></tr> <tr><td> <em>*</em>Enter Sex</td><td><input type='radio' name='Sex' style='width:16px; border:0;' 'value='Male' />Male <input type='radio' name='Sex' style='width:16px; border:0;' 'value='Female' />Female</td></tr> <tr><td> <em>*</em>Enter Qualification</td><td><input type='text' name='Qualification' value='<?php if(!empty($Qualification))echo $Qualification;?>' /></td></tr> <tr><td> <em>*</em>Contact Number </td><td><input onkeypress='return isNumberKey(event)'type='text' name='ContactNumber' value='<?php if(!empty($ContactNumber))echo $ContactNumber;?>' /></td></tr> <tr><td> <em>*</em>Enter Email</td><td><input type='text' name='Email'class="email" value='<?php if(!empty($Email))echo $Email;?>' /></td></tr> <tr><td> <em>*</em>Enter Address</td><td><input type='text' name='Address' value='<?php if(!empty($Address))echo $Address;?>' /></td></tr> <tr ><td > <em>*</em>About Yourself </td></tr> <tr><td colspan="2"><textarea rows='10' cols='40' name='AboutYourself' /><?php if(!empty($Address))echo $Address;?></textarea></td></tr> <tr><td> <?php echo" <tr><td colspan='2'><em>*</em><b>Select fields for which you want to register</b></td></tr>"; require_once('database.php'); $query="select * from activity"; $result=mysqli_query($dbc,$query); while($row=mysqli_fetch_array($result)){ $Title=$row['Title']; $ActivityId=$row['ActivityId']; echo "<tr><td>$Title</td>"; echo "<td><input type='checkbox' name='checkbox[]' value='$Title' style='width:14px; text-align:right;'/></td></tr>";//value=$ActivityId tells ActivityId variable extracts with name="checkbox" echo "<br/>"; } echo "<td><em>*</em><input type='checkbox' name='TermsAndConditions' style='width:14px; text-align:right;'/></td><td> I agree all <a href='TermsAndConditions.php'>Terms and conditions </a>of Elite Brigade</td></tr>"; echo "<tr><td colspan='2' align='center'><input type='submit' value='Register' name='submit' style='background:url(./images/button_img2.png) no-repeat 10px 0px; width:100px; padding:3px 0 10px 0; color:#FEFBC4; border:0;'/></td></tr><br>"; echo " </td></tr></table> </div> </form> </body> </html>"; require_once('lower.php'); ?> Hi Friends .... I encrypt user password by SHA('$Password') method but now i want to add "Forget Password Module" for which I need to decrypt it first before tell my user but I don't Know how to decrypt it. Please help me........ This topic has been moved to Application Design. http://www.phpfreaks.com/forums/index.php?topic=353345.0 Hi all, I am trying to make a 'forgot password' script. The passwords in the database are md5 encrypted. Is there a way to reverse this md5 password and send the forgotten password in its orginal for to the user through email? Thanks. <?PHP include("cxn.php"); $sql = "SELECT password FROM Members WHERE email='$_POST[email]'"; $result = mysqli_query($cxn,$sql) or die ("Couldn't execute query"); $num = mysqli_num_rows($result); if ($num >0) // Email Address Found { $password = md5($_POST['password']); // Trying to take the md5 off the password here. $to = "$_POST[email]"; $subj = "Password for website.co.uk"; $mess = "Your password for www.website.co.uk is: \n $_POST['password'] \n Please login with your email address and this password. Thank you."; $mailsend = mail($to,$subj,$mess,$headers); $update= "An email containing your password has been sent to". $_POST['email']."."; include("signin-redirect.php"); } else // Email Address Not Found { $registrationerror = "The email address '$_POST[email]' is already registered!"; include("signin-redirect.php"); } ?> I am having some trouble getting this to pull the password correctly from the database. I believe the problem is from the password being in md5 format. I am not sure how to fix the issue. Much thanks Code: [Select] <?php //signin.php include 'connect.php'; include 'header.php'; echo '<h3>Sign in</h3><br />'; //first, check if the user is already signed in. If that is the case, there is no need to display this page if(isset($_SESSION['signed_in']) && $_SESSION['signed_in'] == true) { echo 'You are already signed in, you can <a href="signout.php">sign out</a> if you want.'; } else { if($_SERVER['REQUEST_METHOD'] != 'POST') { /*the form hasn't been posted yet, display it note that the action="" will cause the form to post to the same page it is on */ echo '<form method="post" action=""> Username: <input type="text" name="username" /><br /> Password: <input type="password" name="password"><br /> <input type="submit" value="Sign in" /> </form>'; } else { /* so, the form has been posted, we'll process the data in three steps: 1. Check the data 2. Let the user refill the wrong fields (if necessary) 3. Varify if the data is correct and return the correct response */ $errors = array(); /* declare the array for later use */ if(!isset($_POST['username'])) { $errors[] = 'The username field must not be empty.'; } if(!isset($_POST['password'])) { $errors[] = 'The password field must not be empty.'; } if(!empty($errors)) /*check for an empty array, if there are errors, they're in this array (note the ! operator)*/ { echo 'Uh-oh.. a couple of fields are not filled in correctly..<br /><br />'; echo '<ul>'; foreach($errors as $key => $value) /* walk through the array so all the errors get displayed */ { echo '<li>' . $value . '</li>'; /* this generates a nice error list */ } echo '</ul>'; } else { //the form has been posted without errors, so save it //notice the use of mysql_real_escape_string, keep everything safe! //also notice the sha1 function which hashes the password $sql = "SELECT userid, username, userlevel FROM users WHERE username = '" . mysql_real_escape_string($_POST['username']) . "' AND password = '" . sha1($_POST['password']) . "'"; $result = mysql_query($sql); if(!$result) { //something went wrong, display the error echo 'Something went wrong while signing in. Please try again later.'; //echo mysql_error(); //debugging purposes, uncomment when needed } else { //the query was successfully executed, there are 2 possibilities //1. the query returned data, the user can be signed in //2. the query returned an empty result set, the credentials were wrong if(mysql_num_rows($result) == 0) { echo 'You have supplied a wrong user/password combination. Please try again.'; } else { //set the $_SESSION['signed_in'] variable to TRUE $_SESSION['signed_in'] = true; //we also put the user_id and user_name values in the $_SESSION, so we can use it at various pages while($row = mysql_fetch_assoc($result)) { $_SESSION['userid'] = $row['userid']; $_SESSION['username'] = $row['username']; $_SESSION['userlevel'] = $row['userlevel']; } echo 'Welcome, ' . $_SESSION['username'] . '. <br /><a href="index.php">Proceed to the forum overview</a>.'; } } } } } include 'footer.php'; ?> Hello, I recently inherited my company's website from a former coworker and it's done in PHP. I'm still learning PHP so I need a little help. There's one page that our sales guy goes to to put our specials on the site and it's set to remember the username and password. I'm fine with it holding the username I just need to know how to make it ask for a password. Here is the code Actual username and password removed Code: [Select] <?php function clean($text) { return trim(htmlspecialchars($text, ENT_QUOTES )); } class database { var $DB, $username, $database, $result, $rowNum, $lUID; function database($database, $username="*****", $password="***") { $this->DB = mysql_connect("localhost", $username, $password) // $this->DB = mysql_connect("commerce.****.org", $username, $password) or die ("Failed to connect to DB with username ".$username." error: ".mysql_error()); mysql_select_db($database, $this->DB) or die ("Can't select db ".$database." error: ".mysql_error()); This is just the top of the page, if you need more info just ask. Any help you can offer would be great, thanks. I'm making the password field have these restrictions: Length >= 8 That's it. I then use javascript to md5 the value of that text field, then I send it using ajax to the php script to process the signup. Is it bad not to have a max length, or does this way work. Any suggestions? Okay, so I am trying to create a login page My problem is that after I register and I want to login it says I have an incorrect password I encrypted the password with the md5 function and when I echoed the password in the db I get e882b72bccfc2ad578c27b0d9b472a14 and when I echoed the password I tried to login with I get e882b72bccfc2ad5 The password seems to be correct, just cut in half... Now why is the password I logged in with half the size it should be? I know i left out the connect that works fine but when i run this it tell me wrong password even if i copy and paste the user name and password from my database.... Can anyone help me please { $username = $_COOKIE['ID_my_site']; $pass = $_COOKIE['Key_my_site']; $check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error()); while($info = mysql_fetch_array( $check )) { if ($pass != $info['password']) { } else { header("Location: members.php"); } } } if (isset($_POST['submit'])) { // if form has been submitted if(!$_POST['username'] | !$_POST['pass']) { die('You did not fill in a required field.'); } if (!get_magic_quotes_gpc()) { $_POST['email'] = addslashes($_POST['email']); } $check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error()); $check2 = mysql_num_rows($check); if ($check2 == 0) { die('That user does not exist in our database.'); } while($info = mysql_fetch_array( $check )) { $_POST['pass'] = stripslashes($_POST['pass']); $info['password'] = stripslashes($info['password']); $_POST['pass'] = md5($_POST['pass']); if ($_POST['pass'] != $info['password']) { die('Incorrect password, please try again.'); } else { $_POST['username'] = stripslashes($_POST['username']); $hour = time() + 3600; setcookie(ID_my_site, $_POST['username'], $hour); setcookie(Key_my_site, $_POST['pass'], $hour); header("Location: members.php"); } } } else { ?> <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> <table border="0"> <tr><td colspan=2><h1>Login</h1></td></tr> <tr><td>Username:</td><td> <input type="text" name="username" maxlength="40"> </td></tr> <tr><td>Password:</td><td> <input type="password" name="pass" maxlength="50"> </td></tr> <tr><td colspan="2" align="right"> <input type="submit" name="submit" value="Login"> </td></tr> </table> </form> <?php } ?> Dear All, Below is a php file for my website invitacoach.com I need to issue passwords myself to members who have already paid up for my services...of which they will then be able to access the advantages of a members area which include Videos, Audios and other publications. Which part of my code am i to edit Below is the SQL and register.php code. SQL CREATE TABLE users ( userid int(25) NOT NULL auto_increment, first_name varchar(25) NOT NULL default '', last_name varchar(25) NOT NULL default '', email_address varchar(25) NOT NULL default '', username varchar(25) NOT NULL default '', password varchar(255) NOT NULL default '', info text NOT NULL, user_level enum('0','1','2','3') NOT NULL default '0', signup_date datetime NOT NULL default '0000-00-00 00:00:00', last_login datetime NOT NULL default '0000-00-00 00:00:00', activated enum('0','1') NOT NULL default '0', PRIMARY KEY (userid) ) TYPE=MyISAM COMMENT='Membership Information'; REGISTER.PHP <? include 'db.php'; // Define post fields into simple variables $first_name = $_POST['first_name']; $last_name = $_POST['last_name']; $email_address = $_POST['email_address']; $username = $_POST['username']; $info = $_POST['info']; /* Let's strip some slashes in case the user entered any escaped characters. */ $first_name = stripslashes($first_name); $last_name = stripslashes($last_name); $email_address = stripslashes($email_address); $username = stripslashes($username); $info = stripslashes($info); /* Do some error checking on the form posted fields */ if((!$first_name) || (!$last_name) || (!$email_address) || (!$username)){ echo 'You did not submit the following required information! <br />'; if(!$first_name){ echo "First Name is a required field. Please enter it below.<br />"; } if(!$last_name){ echo "Last Name is a required field. Please enter it below.<br />"; } if(!$email_address){ echo "Email Address is a required field. Please enter it below.<br />"; } if(!$username){ echo "Desired Username is a required field. Please enter it below.<br />"; } include 'join_form.html'; // Show the form again! /* End the error checking and if everything is ok, we'll move on to creating the user account */ exit(); // if the error checking has failed, we'll exit the script! } /* Let's do some checking and ensure that the user's email address or username does not exist in the database */ $sql_email_check = mysql_query("SELECT email_address FROM users WHERE email_address='$email_address'"); $sql_username_check = mysql_query("SELECT username FROM users WHERE username='$username'"); $email_check = mysql_num_rows($sql_email_check); $username_check = mysql_num_rows($sql_username_check); if(($email_check > 0) || ($username_check > 0)){ echo "Please fix the following errors: <br />"; if($email_check > 0){ echo "<strong>Your email address has already been used by another member in our database. Please submit a different Email address!<br />"; unset($email_address); } if($username_check > 0){ echo "The username you have selected has already been used by another member in our database. Please choose a different Username!<br />"; unset($username); } include 'join_form.html'; // Show the form again! exit(); // exit the script so that we do not create this account! } /* Everything has passed both error checks that we have done. It's time to create the account! */ /* Random Password generator. http://www.phpfreaks.com/quickcode/Random_Password_Generator/56.php We'll generate a random password for the user and encrypt it, email it and then enter it into the db. */ function makeRandomPassword() { $salt = "abchefghjkmnpqrstuvwxyz0123456789"; srand((double)microtime()*1000000); $i = 0; while ($i <= 7) { $num = rand() % 33; $tmp = substr($salt, $num, 1); $pass = $pass . $tmp; $i++; } return $pass; } $random_password = makeRandomPassword(); $db_password = md5($random_password); // Enter info into the Database. $info2 = htmlspecialchars($info); $sql = mysql_query("INSERT INTO users (first_name, last_name, email_address, username, password, info, signup_date) VALUES('$first_name', '$last_name', '$email_address', '$username', '$db_password', '$info2', now())") or die (mysql_error()); if(!$sql){ echo 'There has been an error creating your account. Please contact the webmaster.'; } else { $userid = mysql_insert_id(); // Let's mail the user! $subject = "Your Membership at invitacoach.com!"; $message = "Dear $first_name, Thank you for registering at our website, http://www.invitacoach.com You are two steps away from logging in and accessing our exclusive members area. To activate your membership, please click he http://www.invitacoach.com/test/activate.php?id=$userid&code=$db_password Once you activate your membership, you will be able to login with the following information: Username: $username Password: $random_password Thanks! Invita Coach when a user forgets his or her password they can retreive it by sending an email to their account and the password is given to them. unfortunatly the password they recieve is in md5: for example the password 'the' is given in an email like so: Password:6e9b31333e61aad015fa16a3a5fe8e0d Username:the Please change your password as soon as you logon could someone please advise me what i am doing wrong so the password would be converted back to plain text. here is the code for the email: $query="Select pw from user where uname='$name'" or die(mysql_error()); $result= mysql_query($query); if(mysql_num_rows($result)>0){ for ($i=0; $i<mysql_num_rows($result); $i++) { $row = mysql_fetch_assoc($result); $pass= md5($row['pw']); $to="$em\r\n"; $from="From: Admin@asdesigns.co.uk\r\n"; $msg="Password:$pass\r\n"; $msg .="Username:$name\r\n"; $msg .="Please change your password as soon as you logon\r\n"; $subject="From Admin Your Login Password\r\n"; thanks in advance i know im doing something really silly by missing something out but i cant see where it is Having a little problem with passwords, they are stored clear text and not encrypted because its for an assignment and I need to prove in the write up that users can change their passwords. Anyway when I register a user with a username and a password of say Password1, I can still login with PASSword1 or any other variation of upper and lower case characters! This is my select statement: Code: [Select] $qry = "SELECT * FROM users WHERE username='$username' AND password='$password'"; Just wondering if there is anything that can be done to this, I read somewhere about using === but that doesn't seem to be fixing the problem, it just causes the query to fail! Using MySQL if thats any help. Thanks Well, I can now add/change/delete data in my db. But then I find I have no security at all. I know that IE/View/Source will display the code, but I did not know that right click on a frame would display that particular frameset code. Can you point me to a simple php security script. I have looked at many of them and they are pretty complicated. No need for me to reinvent the wheel and not sure I could do it anyway. I have many other programs I can be working on. I don't need anything extreme as the data is only phone nos. and email addresses. It is just that the site members don't want others to be able to view it. What if I created a db password table, then simply verified that the entered password was in the file. What kind of security would I have? Thanks Hi, im trying to make a password reminder for my game server accounts. Ok, so now in mysql i have table with 2 fields: email and pass. Here is my php coding to remind password: Code: [Select] <?php session_start(); include "./global.php"; ?> <html> <head> <title>Password Reminder</title> </head> <body> <?php if(!isset ($_POST['submit'])) { echo "Your e-mail: <input type='input' name='email'> <input type='submit' name='submit' value='Ok'>\n"; }else{ $to = $_POST['email']; if($to) { $sql = "SELECT pass FROM fpass WHERE email='".$to."'"; $res = mysql_query($sql) or die(mysql_error()); if(mysql_num_rows($res) > 0) { $rrow = mysql_fetch_assoc($res); echo "Your password is: '".$rrow['pass']."'"; }else{ echo "The e-mail that you supplied does not exist!\n"; } }else{ echo "E-Mail field is empty! Please fill it up.\n"; } } ?> </body> </html> global.php connects to mysql. But now when i typing email, the it should select password from table fpass where email = my typed email. But when i click Ok button, then it don't doing anything... It should show me this: Your password is: blabla... I am sure this is a simple fix and I am total beginner but thanks to these forums learn alot Here is the code: Code: [Select] http://$host/forgot.php?doReset=Reset&VeriCode=$new_code And when I click the link in email I get the following error The requested URL /forgot.php?doReset=Reset&VeriCode=60dea138b76c71acccfe34d4fab3e004 was not found on this server. If someone needs the full code to help, please PM me. |
|||||||