Password Code

Hi Guys,

Final question from me I hope! I have explained what I am trying to achieve in the code. I basically want to write a select function that applies to a row from a previous result only rather than the whole database.

[php]<?php
//This makes sure they did not leave any fields blank
if (!$_POST['story'] | !$_POST['screen_name'] ) {
	die('You did not complete all of the required fields');
}

// Connection to database
$con = mysql_connect("database","user","pass");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("database") or die(mysql_error());

$result = mysql_query("SELECT * FROM login
WHERE screen_name='$_POST[screen_name]'");

if(mysql_num_rows($result) > 0)

// I would like to add the password check here. I would like the code to take the row found from the initial search and check the password with that of the one entered on the submit form. Basically I want a function like "select password from result and check against password entered"

{
$sql="INSERT INTO banter (story, screen_name)
VALUES
('$_POST[story]','$_POST[screen_name]')";

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "Thank You for posting";

mysql_close($con);
}

else
echo "Your username does not match our records";

?>[/php]

I’m so close now! Thank you all for your help!

Sam

I think this is what you wanted, not quite sure though :wink:

[php]// Limit the result to only one row, because there should only be one user with that screen_name:
$result = mysql_query("SELECT * FROM login WHERE screen_name='$_POST[screen_name]' LIMIT 0,1");

// Check to see if it actually got something, if so, continue on:
if(mysql_num_rows($result) != 0) {
	// Fetch the row and drop it into an array:
	$row = mysql_fetch_array($result);

	// Assuming that the password is entered in the database already, and is encrypted using sha1() :
	if (sha1($_POST['password']) == $row['password']) {
		// Password is correct
	} else {
		// Password is incorrect
	}
}[/php]
And you should have something like this in your HTML:

<input type="password" name="password" />
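
An added example, not part of any post in this thread: the same look-up-the-row-then-check-the-password flow as in the answer above, written with PDO bound parameters and `password_hash()`/`password_verify()` instead of interpolated SQL and an unsalted `sha1()`. The `login` table and its columns follow the thread; the in-memory SQLite database, the function names and the sample accounts are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. The login table and its
// screen_name/pass columns follow the thread; the in-memory SQLite
// database and the sample accounts are constructed so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password_hash() returns 60 characters for bcrypt and may grow with newer
// algorithms, so the column is 255 wide. A column sized for md5 (32 hex
// characters) or sha1 (40) would hold only part of the hash.
$pdo->exec('CREATE TABLE login (screen_name VARCHAR(50) UNIQUE, pass VARCHAR(255))');

function register(PDO $pdo, string $screenName, string $password): void
{
    // Salted, deliberately slow hash; salt and algorithm live in the string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO login (screen_name, pass) VALUES (?, ?)');
    $stmt->execute([$screenName, $hash]);
}

function check_login(PDO $pdo, string $screenName, string $password): bool
{
    // Bound parameter: the submitted name is data, never part of the SQL text.
    $stmt = $pdo->prepare('SELECT pass FROM login WHERE screen_name = ? LIMIT 1');
    $stmt->execute([$screenName]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no row for that screen name
    }
    // Re-hashes $password with the salt embedded in $stored and compares
    // the result in constant time.
    return password_verify($password, $stored);
}

register($pdo, 'sam', 'correct horse battery');
register($pdo, "o'neil", 'another passphrase'); // quote in the name is just data

var_dump(check_login($pdo, 'sam', 'correct horse battery')); // right password
var_dump(check_login($pdo, 'sam', 'wrong guess'));           // wrong password
var_dump(check_login($pdo, "o'neil", 'another passphrase')); // quoted name
var_dump(check_login($pdo, 'nobody', 'anything'));           // unknown user

// Failure mode: cut the stored hash to 32 characters, as a too-narrow
// column would, and the correct password no longer verifies.
$pdo->exec("UPDATE login SET pass = substr(pass, 1, 32) WHERE screen_name = 'sam'");
var_dump(check_login($pdo, 'sam', 'correct horse battery'));
```

This needs PHP 7 or later with the pdo_sqlite extension; against MySQL only the PDO connection string changes.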

Heya,

Thank you for that… just a quick question… what is sha1? This is the code I use to submit the password when registering - it encrypts the code and in the database appears as a string of random letters and numbers… Do I need to edit my registration form to agree with the sha1, or edit the code you suggested to match my registration form?

Password section
[php]<?php

// here we encrypt the password and add slashes if needed

$_POST['pass'] = md5($_POST['pass']);

if (!get_magic_quotes_gpc()) {

	$_POST['pass'] = addslashes($_POST['pass']);

	$_POST['screen_name'] = addslashes($_POST['screen_name']);

		}?>[/php]

Thanks,

Sam

Hi Naxirus,

I did some research about sha1 and have changed my registration form from md5 to sha1. Everything appears correct but when I hit submit I get the error message "Your password does not match our records".

This is my completed registration code:

[php]<?php
// Connection to database
$con = mysql_connect("database","user","password");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("database") or die(mysql_error());

//This makes sure they did not leave any fields blank
if (!$_POST['screen_name'] | !$_POST['pass'] | !$_POST['pass2'] | !$_POST['terms']) {
	die('You did not complete all of the required fields');
}

// checks if the username is in use
if (!get_magic_quotes_gpc()) {
	$_POST['screen_name'] = addslashes($_POST['screen_name']);
}

$usercheck = $_POST['screen_name'];

$check = mysql_query("SELECT screen_name FROM login WHERE screen_name = '$usercheck'")
or die(mysql_error());

$check2 = mysql_num_rows($check);

//if the name exists it gives an error
if ($check2 != 0) {
	die('Sorry, the username '.$_POST['screen_name'].' is already in use.');
}

//this makes sure both passwords entered match
if ($_POST['pass'] != $_POST['pass2']) {
	die('Your passwords did not match. ');
}

// here we encrypt the password and add slashes if needed
$_POST['pass'] = sha1($_POST['pass']);

session_start();

//Encrypt the posted code field and then compare with the stored key
if(md5($_POST['captcha_input']) != $_SESSION['key'])
{
die("Error: You must enter the code correctly");
}

// now we insert it into the database
$sql="INSERT INTO login (title, forename, surname, email, screen_name, pass, join_date)
VALUES
('$_POST[title]','$_POST[forename]','$_POST[surname]','$_POST[email]','$_POST[screen_name]donkey','$_POST[pass]',CURDATE())";

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "Thank You for registering a screen name. You can now post freely :)";

mysql_close($con);

?>[/php]

and this is my submit code:

[php]<?php
//This makes sure they did not leave any fields blank
if (!$_POST['story'] | !$_POST['screen_name'] ) {
	die('You did not complete all of the required fields');
}

// Connection to database
$con = mysql_connect("database","user","password");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("database") or die(mysql_error());

// Limit the result to only one row, because there should only be one user with that screen_name:
$result = mysql_query("SELECT * FROM login WHERE screen_name='$_POST[screen_name]' or screen_name='$_POST[screen_name]donkey' LIMIT 0,1");

// Check to see if it actually got something, if so, continue on:
if(mysql_num_rows($result) != 0) {

// Fetch the row and drop it into an array:
$row = mysql_fetch_array($result);

// Assuming that the password is entered in the database already, and is encrypted using sha1() :

if (sha1($_POST['pass']) == $row['pass']) {

// Password is correct
$sql="INSERT INTO banter (story, screen_name)
VALUES
('$_POST[story]','$_POST[screen_name]')";

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "Thank You for posting";

mysql_close($con);
}

else {
// Password is incorrect
echo "Your password does not match our records";
}
}
else {
echo "Your username does not exist";
}
?>[/php]

This is the final code I need before I can start the html/css transformation. I can’t see why the passwords wouldn’t match?

Many thanks for your help

Sam

To narrow it down, it's definitely something to do with the encryption. When I delete sha1 from both the registration form and the submit form it works perfectly… help!

Thanks!

Sam

Found it!

Changed this

if (sha1($_POST['pass']) == $row['pass']) {

to

if (sha1($_POST['pass']) != $row['pass']) {

Thank you for all your help

Sam

Unfortunately, in my naivety I spoke too soon: changing == to != accepts any password :frowning:

I really can't figure out what's wrong.

Another update… if I take out the encryption from each form it works perfectly. When I test the submit page separately, i.e. just an insert into function with the sha1 password encryption, it displays the same password as used and stored in the login pass column under that user.

I am completely at a loss on this one. It makes no sense to me.

:frowning:

It looks like you might be encrypting the $_POST['pass'] twice, try this:

[php]// Edit this line:
if (sha1($_POST['pass']) == $row['pass']) {

// To look like this:
if ($_POST['pass'] == $row['pass']) {[/php]

If that doesn’t work, then I’d need to see all of the code in those two pages to fix it.

Thank you for your suggestion. Unfortunately that didn't work.

This is the entire code for each page

Registration
[php]<?php
// Connection to database
$con = mysql_connect("database","user","password");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("database") or die(mysql_error());

//This makes sure they did not leave any fields blank
if (!$_POST['screen_name'] | !$_POST['pass'] | !$_POST['pass2'] | !$_POST['terms']) {
	die('You did not complete all of the required fields');
}

// checks if the username is in use
if (!get_magic_quotes_gpc()) {
	$_POST['screen_name'] = addslashes($_POST['screen_name']);
}

$usercheck = $_POST['screen_name'] or $_POST['screen_name'];

$check = mysql_query("SELECT screen_name FROM login WHERE screen_name = '$usercheck' or screen_name='$_POST[screen_name]donkey'")
or die(mysql_error());

$check2 = mysql_num_rows($check);

//if the name exists it gives an error
if ($check2 != 0) {
	die('Sorry, the username '.$_POST['screen_name'].' is already in use.');
}

//this makes sure both passwords entered match
if ($_POST['pass'] != $_POST['pass2']) {
	die('Your passwords did not match. ');
}

// here we encrypt the password and add slashes if needed
$_POST['pass'] = sha1($_POST['pass']);

session_start();

//Encrypt the posted code field and then compare with the stored key
if(md5($_POST['captcha_input']) != $_SESSION['key'])
{
die("Error: You must enter the code correctly");
}

// now we insert it into the database
$sql="INSERT INTO login (title, forename, surname, email, screen_name, pass, join_date, last_login, time)
VALUES
('$_POST[title]','$_POST[forename]','$_POST[surname]','$_POST[email]','$_POST[screen_name]donkey','$_POST[pass]',CURDATE(), CURDATE(), CURTIME())";

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "Thank You for registering a screen name. You can now post freely :)";

mysql_close($con);
?>[/php]

Submit:
[php]<?php
//This makes sure they did not leave any fields blank
if (!$_POST['story'] | !$_POST['screen_name'] ) {
	die('You did not complete all of the required fields');
}

// Connection to database
$con = mysql_connect("database","user","password");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("database") or die(mysql_error());

// Limit the result to only one row, because there should only be one user with that screen_name:
$result = mysql_query("SELECT * FROM login WHERE screen_name='$_POST[screen_name]' or screen_name='$_POST[screen_name]donkey' LIMIT 0,1");

// Check to see if it actually got something, if so, continue on:
if(mysql_num_rows($result) != 0) {
// Fetch the row and drop it into an array:
$row = mysql_fetch_array($result);

// Assuming that the password is entered in the database already, and is encrypted using sha1() :

if (sha1($_POST['pass']) == $row['pass']) {

// Password is correct
$sql="INSERT INTO banter (story, screen_name)
VALUES
('$_POST[story]','$_POST[screen_name]')";

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "Thank You for posting";

mysql_close($con);
}

else {
// Password is incorrect
echo "Your password does not match our records";
}
}
else {
echo "Your username does not exist";
}
?>[/php]

It's making me pull my hair out now! I hope you can crack it!

Sam

Check phpMyAdmin and see the screennames and passwords are correctly entered as nothing looks wrong to me.

Hiya,

I know, it's so frustrating because it looks right to me.

What I've done is taken out the encryption of both forms and everything works perfectly.

I'll post the working scripts here. If you have a spare few minutes, would you mind seeing if you can put encryption back into them how you normally would, to make sure it's not me doing something daft by mistake. I don't mind how it's done.

No worries if you're too busy. Thank you for looking anyway.

Registration form:
[php]<?php
// Connection to database
$con = mysql_connect("databse","user","pass!");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("database") or die(mysql_error());

//This makes sure they did not leave any fields blank
if (!$_POST['screen_name'] | !$_POST['pass'] | !$_POST['pass2'] | !$_POST['terms']) {
	die('You did not complete all of the required fields');
}

// checks if the username is in use
if (!get_magic_quotes_gpc()) {
	$_POST['screen_name'] = addslashes($_POST['screen_name']);
}

$usercheck = $_POST['screen_name'] or $_POST['screen_name'];

$check = mysql_query("SELECT screen_name FROM login WHERE screen_name = '$usercheck' or screen_name='$_POST[screen_name]donkey'")
or die(mysql_error());

$check2 = mysql_num_rows($check);

//if the name exists it gives an error
if ($check2 != 0) {
	die('Sorry, the username '.$_POST['screen_name'].' is already in use.');
}

//this makes sure both passwords entered match
if ($_POST['pass'] != $_POST['pass2']) {
	die('Your passwords did not match. ');
}

session_start();

//Encrypt the posted code field and then compare with the stored key
if(md5($_POST['captcha_input']) != $_SESSION['key'])
{
die("Error: You must enter the code correctly");
}

// now we insert it into the database
$sql="INSERT INTO login (title, forename, surname, email, screen_name, pass, join_date, last_login, time)
VALUES
('$_POST[title]','$_POST[forename]','$_POST[surname]','$_POST[email]','$_POST[screen_name]donkey','$_POST[pass]',CURDATE(), CURDATE(), CURTIME())";

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "Thank You for registering a screen name. You can now post freely :)";

mysql_close($con);
?>[/php]

Submit:

[php]<?php
//This makes sure they did not leave any fields blank
if (!$_POST['story'] || !$_POST['screen_name'] ) {
	die('You did not complete all of the required fields');
}

// Connection to database
$con = mysql_connect("database","user","pass");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("database") or die(mysql_error());

// Limit the result to only one row, because there should only be one user with that screen_name:
$result = mysql_query("SELECT * FROM login WHERE screen_name='$_POST[screen_name]donkey' LIMIT 0,1");

// Check to see if it actually got something, if so, continue on:
if(mysql_num_rows($result) != 0) {
// Fetch the row and drop it into an array:
$row = mysql_fetch_array($result);

// Assuming that the password is entered in the database already, and is encrypted using sha1() :

if (($_POST['pass']) == $row['pass']) {

// Password is correct
$sql="INSERT INTO banter (story, screen_name)
VALUES
('$_POST[story]','$_POST[screen_name]donkey')";

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "Thank You for posting";

mysql_close($con);
}

else {
// Password is incorrect
echo "Your password does not match our records";
}
}
else {
echo "Your username does not exist";
}
?>[/php]

Many Thanks,

Sam

Please give me the full html thanks

No problem,

HTML for the registration page is

[code]

Banter Donkey | Register
Home
Submit
Register
Contact
Title: Mr Mrs Master Miss

Forename:

Surname:

e-Mail:

Screen Name:

Password:

Repeat Password:

Confirmation you have read and agree to the Terms and Conditions


[/code]

Submit page:

[code]

Banter Donkey | Submit test
Whisper in donkeys ear...

Please enter your screen name. If you currently do not have a screen name you can register for one here

Please enter your password. Forgotten your password? Click here

[/code]

Many Thanks,

Sam

I’m really busy right now but I promise I will get to this.

Thank you buddy, I really appreciate it. It's been driving me mad!

Ok I’ll get at it right now.

BTW, did you really put your database in mysql_connect? It should be mysql_connect("host", "username", "password"); In most cases the host is mysql1.whereyouregisteredyourdomain.com but on a computer with apache it should be localhost

AHA! $sql wasn’t a mysql query! That means (most likely) no action was taken when inserting the story into the table.

Spoke too soon, it was mysql query, my bad.

But is it just me, or is sha1 one way encryption?
