
Mixing php and html

Posted: Wed Mar 14, 2012 2:34 pm
by Pavilion
Well... with the help of folks on this board... I've been successful in getting a basic registration page (with password hashing) up and running (and formatted). While working on the registration process, I've also developed an activate.php file. The activation process works wonderfully. After registration, the user receives an email. Upon clicking the link in the email, the activate.php page opens, and the fields "Activation" and "Active" are updated in the UserTbl. "Activation" is set to null, and "Active" is set to True (1).

This resource is what I used to develop the activate.php file. Specifically, Step 4: Activation Page was my guide to building activate.php, with a bit of help from Celauran.

Now.. my goal is to format the activate.php file. This has been an interesting exercise. If you review the resource I used to build this page you will see that there is some mixing of php and html. Specifically the following if block uses echo statements to execute html formatting of messages.

Code:

if (isset($email) && isset($key)) {

    // Update the database to set the "activation" field to null

    $query_activate_account = "UPDATE members SET Activation=NULL WHERE(Email ='$email' AND Activation='$key')LIMIT 1";
    $result_activate_account = mysqli_query($dbc, $query_activate_account);

    // Print a customized message:
    if (mysqli_affected_rows($dbc) == 1) // if update query was successful
    {
        echo '<div>Your account is now active. You may now <a href="login.php">Log in</a></div>';
    } else {
        echo '<div>Oops! Your account could not be activated. Please recheck the link or contact the system administrator.</div>';
    }

    mysqli_close($dbc);

} else {
    echo '<div>Error Occurred.</div>';
}
In order to format these messages within the body of my own page, I adapted the above code. Following is the whole of my activate.php file:

Code:

<?php
// include database connection file, if connection doesn't work the include file will throw an error message
include '../schedule/include/db_connect.php';

// the following code is an adaptation of registration code examples found at: http://youhack.me/2010/04/01/building-a-registration-system-with-email-verification-in-php/

if (isset($_GET['email']) && preg_match('/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/',
    $_GET['email'])) {
    $email = $_GET['email'];
}
// The Activation key will always be 32 characters since it is an MD5 hash
if (isset($_GET['key']) && (strlen($_GET['key']) == 32)) {
    $key = $_GET['key'];
}
?>
<html>
    <head>
        <meta http-equiv="content-type" content="text/html; charset=utf-8" />
        <title>Activation Form</title>
        <link rel="stylesheet" type="text/css" href="../schedule/include/formats.css"/>
    </head>
    <body>
        <div class="shadow"><div class="header"></div></div>
        <?php
        if (isset($email) && isset($key)) {

            // Update the database to set the "activation" field to null and "Active" field to 1.

            $query_activate_account = "UPDATE UserTbl SET Activation = NULL, Active = '1' WHERE(EmailAddress ='$email' AND Activation='$key')LIMIT 1";
            $result_activate_account = mysql_query($query_activate_account, $link);

            // Print a customized message:
            if (mysql_affected_rows($link) == 1) // if update query was successful
            {
                echo '<fieldset id="standardForm">Your account is now active. You may now <a href="login.php">Log in</a></fieldset>';
            } else {
                echo '<fieldset id="standardForm">Oops! Your account could not be activated. Please recheck the link or contact the system administrator.</fieldset>';
            }

            mysql_close($link);

        } else {
            echo '<fieldset id="standardForm">An Error Occurred. I have no idea where, but an error did occur.</fieldset>';
        }
        ?>
    </body>
</html>
This mixing of different scripting languages is new for me. In the classical database world I deal mainly with VB (and a small bit of SQL). Rarely are the two languages mixed. After reviewing how I adapted the original code, is there a better way that I could have gone about the process?

The same linked resource has a login page that I will want to use and adapt for my own purposes (including accommodation of hashed passwords). So... it is important for me to make sure I'm getting the formatting correct before attempting to adapt another file.

Thanks Much: - Pavilion

Re: Mixing php and html

Posted: Wed Mar 14, 2012 2:47 pm
by Celauran
Looks good on the whole. I've made a few minor changes.

Code:

<?php

// include database connection file, if connection doesn't work the include file will throw an error message
include '../schedule/include/db_connect.php';

// the following code is an adaptation of registration code examples found at: http://youhack.me/2010/04/01/building-a ... on-in-php/
// if (isset($_GET['email']) && preg_match('/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/', $_GET['email']))
if (isset($_GET['email']) && filter_var($_GET['email'], FILTER_VALIDATE_EMAIL))
{
    // If you're putting it in a query, escape it.
    $email = mysql_real_escape_string($_GET['email']);
}
//The Activation key will always be 32 since it is MD5 Hash
if (isset($_GET['key']) && (strlen($_GET['key']) == 32))
{
    $key = mysql_real_escape_string($_GET['key']);
}
?>
<html>
    <head>
        <meta http-equiv="content-type" content="text/html; charset=utf-8" />
        <title>Activation Form</title>
        <link rel="stylesheet" type="text/css" href="../schedule/include/formats.css"/>
    </head>
    <body>
        <div class="shadow"><div class="header"></div></div>
        <?php
        if (isset($email) && isset($key))
        {

            // Update the database to set the "activation" field to null and "Active" field to 1.

            $query_activate_account  = "UPDATE UserTbl SET Activation = NULL, Active = '1' WHERE(EmailAddress = '{$email}' AND Activation = '{$key}') LIMIT 1";
            $result_activate_account = mysql_query($query_activate_account, $link);

            // Print a customized message:
            if (mysql_affected_rows($link) == 1) // if update query was successful
            {
                echo '<fieldset id="standardForm">Your account is now active. You may now <a href="login.php">Log in</a></fieldset>';
            }
            else
            {
                echo '<fieldset id="standardForm">Oops! Your account could not be activated. Please recheck the link or contact the system administrator.</fieldset>';
            }

            mysql_close($link);
        }
        else
        {
            echo '<fieldset id="standardForm">An Error Occurred. I have no idea where, but an error did occur.</fieldset>';
            // Might be worth logging this. See error_log()
        }
        ?>
    </body>
</html>
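
Celauran's version escapes both values before they reach the query and tidies the layout; the file below goes one step further in the direction Pavilion asked about. It is an added illustration, not code from the thread or from the tutorial it adapts: every decision is made at the top of the file, the HTML underneath only prints a message that has already been computed, and the UPDATE is a mysqli prepared statement, so neither value needs escaping at all. It assumes PHP 7 or later, that db_connect.php puts a mysqli connection in $link (the thread's own code uses the old mysql_ functions), that UserTbl has the columns named in the thread, and that the activation key is the 32 hex characters md5() produces; read_activation_params() and activate_account() are names of my own.

```php
<?php
// Added example, not code from the thread or the tutorial it adapts.
// Assumptions: PHP 7+, db_connect.php provides a mysqli connection in $link
// (the thread's code uses the old mysql_ functions), UserTbl has the columns
// named in the thread, and the activation key is the 32 hex characters of md5().
include '../schedule/include/db_connect.php';

/**
 * Validate the query-string parameters. Returns [email, key] or null.
 * \z (rather than $) refuses a trailing newline on the key as well.
 */
function read_activation_params(array $get): ?array
{
    $email = filter_var($get['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $key   = (string) ($get['key'] ?? '');
    if ($email === false || !preg_match('/^[0-9a-f]{32}\z/', $key)) {
        return null;
    }
    return [$email, $key];
}

/**
 * Clear the activation key and mark the account active.
 * Returns true only when exactly one row changed (the same test as the
 * thread's mysql_affected_rows($link) == 1).
 */
function activate_account(mysqli $db, string $email, string $key): bool
{
    // Prepared statement: the values travel separately from the SQL text,
    // so no escaping is needed and no injection is possible through them.
    $stmt = $db->prepare(
        'UPDATE UserTbl SET Activation = NULL, Active = 1
          WHERE EmailAddress = ? AND Activation = ? LIMIT 1'
    );
    if ($stmt === false) {
        error_log('activate: prepare failed: ' . $db->error);
        return false;
    }
    $stmt->bind_param('ss', $email, $key);
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}

// All decisions happen here; the markup below only displays the outcome.
$showLogin = false;
$params    = read_activation_params($_GET);
if ($params === null) {
    $message = 'This activation link is not valid.';
} elseif (activate_account($link, $params[0], $params[1])) {
    $message   = 'Your account is now active.';
    $showLogin = true;
} else {
    $message = 'Your account could not be activated. Please recheck the link or contact the system administrator.';
}
$link->close();
?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <title>Activation Form</title>
    <link rel="stylesheet" type="text/css" href="../schedule/include/formats.css" />
</head>
<body>
    <div class="shadow"><div class="header"></div></div>
    <fieldset id="standardForm">
        <?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?>
        <?php if ($showLogin): ?>
            You may now <a href="login.php">log in</a>.
        <?php endif; ?>
    </fieldset>
</body>
</html>
```

Checking the key against 32 hex characters rather than only strlen() == 32 keeps arbitrary strings out of the query, and printing $message through htmlspecialchars() is what makes the template safe to reuse for any message, including ones that might one day be built from user input. The same split (logic first, then a template that only echoes prepared values) is what makes a page like this easy to restyle later without touching the database code.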

Re: Mixing php and html

Posted: Fri Mar 16, 2012 8:04 am
by Pavilion
Celauran:

Thank you for your help. I tried your changes. They worked wonderfully and your code does seem more efficient:

Code:

// if (isset($_GET['email']) && preg_match('/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/', $_GET['email']))
if (isset($_GET['email']) && filter_var($_GET['email'], FILTER_VALIDATE_EMAIL))
{
    // If you're putting it in a query, escape it.
    $email = mysql_real_escape_string($_GET['email']);
Specifically, with the above snippet, what is happening with the email? Is the code validating whether the submitted value is an appropriate email address?

Your line:

Code:

if (isset($_GET['email']) && filter_var($_GET['email'], FILTER_VALIDATE_EMAIL))
Seems much cleaner than the original line.

Code:

if (isset($_GET['email']) && preg_match('/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/', $_GET['email']))
what is all the "[a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]" doing????

Thanks - Pavilion

Re: Mixing php and html

Posted: Fri Mar 16, 2012 8:06 am
by Celauran
Take a look at filter_var() and the available validate filters. filter_var() was introduced in PHP 5.2, so previously regular expressions were required to validate email addresses.
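
To make that concrete, here is a small script, added here and not taken from the thread, that runs the tutorial's regular expression and filter_var() side by side over a handful of constructed addresses. Everything in it is standard PHP (7.1 or later for the destructuring in the foreach); the constant and function names are my own.

```php
<?php
// Added example, not code from the thread: the tutorial's regular expression
// beside filter_var(), run over a small constructed set of addresses.

// The pattern Pavilion's activate.php adapted from the tutorial.
const LEGACY_EMAIL_REGEX = '/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/';

function legacy_regex_accepts(string $email): bool
{
    // preg_match() returns 1 on a match, 0 on no match and false on an error,
    // which is why the result is compared with 1 rather than used as a boolean.
    return preg_match(LEGACY_EMAIL_REGEX, $email) === 1;
}

function filter_var_accepts(string $email): bool
{
    // FILTER_VALIDATE_EMAIL returns the address itself on success, false otherwise.
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

/** Returns [address => [regex verdict, filter_var verdict]] for each sample. */
function compare_validators(array $samples): array
{
    $out = [];
    foreach ($samples as $s) {
        $out[$s] = [legacy_regex_accepts($s), filter_var_accepts($s)];
    }
    return $out;
}

// Constructed sample input; the last entry carries a trailing newline, as a
// value pasted into a text field sometimes does.
$samples = [
    'user@example.com',
    'first.last+tag@example.co.uk',
    'user@localhost',
    'user@@example.com',
    "user@example.com\n",
];

printf("%-32s %-6s %s\n", 'address', 'regex', 'filter_var');
foreach (compare_validators($samples) as $address => [$byRegex, $byFilter]) {
    printf("%-32s %-6s %s\n",
        addcslashes($address, "\n"),
        $byRegex ? 'yes' : 'no',
        $byFilter ? 'yes' : 'no');
}
```

On this input the regex rejects the plus-addressed entry but accepts user@localhost and the address with a trailing newline (without the D modifier, $ matches just before a final newline); filter_var() gives the opposite verdict in all three cases, and both reject the double @. The comparison against 1 matters because the tutorial's pattern nests a quantified group inside another quantifier, and on a long non-matching input PCRE can exceed its backtracking limit and make preg_match() return false instead of 0; treated as a plain boolean that is indistinguishable from "no match", which is harmless here but worth knowing when the same habit is used elsewhere.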

Re: Mixing php and html

Posted: Fri Mar 16, 2012 10:35 am
by Pavilion
Thanks Celauran. Your patience in answering my questions really does help. Sometimes I feel there is so much to absorb with php. But... I keep telling myself that I can learn it - with almost 20 years of classical database development I should be able to learn php/html/css.

Now onto the login.php file.

After all I'd learned with registration.php and activate.php I really thought I could get login.php up and running with very little trouble. But... I was wrong. Just as a refresher, I am adapting my own files from this code. Specifically, I am working on Step 4: Login Page.

After our work together on registration.php, I decided to combine the html and php script together in one file titled login.php. The script for that file follows:

Code:

<?php
// include database connection file, if connection doesn't work the include file will throw an error message
include '../schedule/include/db_connect.php';

// including PasswordHash file for purposes of hashing password submission.
require '../PasswordHash.php';

?>
<html>
<form action="login.php" method="post">
    <fieldset>
        <legend>Login Form</legend>

        <p>Enter Your username and Password Below</p>

        <div>
            <label for="email">Email :</label>
            <input type="email" id="email" name="email" size="25" />
        </div>

        <div>
            <label for="Password">Password:</label>
            <input type="password" id="Password" name="Password" size="25" />
        </div>
        <div>
            <input type="hidden" name="formsubmitted" value="TRUE" />
            <input type="submit" value="Login" />
        </div>
    </fieldset>
</form>
</html>

<?php
if (isset($_POST['formsubmitted'])) {
    // Initialize a session:
    session_start();
    $error = array(); // this array will store all error messages

    if (empty($_POST['email'])) { // if the email supplied is empty
        $error[] = 'You forgot to enter your Email ';
    } else {

        if (isset($_GET['email']) && filter_var($_GET['email'], FILTER_VALIDATE_EMAIL))
        {
            // If you're putting it in a query, escape it.
            $email = mysql_real_escape_string($_GET['email']);
        }
        else {
            $error[] = 'Your EMail Address is invalid  ';
        }
    }

    if (empty($_POST['Password'])) {
        $error[] = 'Please Enter Your Password ';
    } else {
        $Password = $_POST['Password'];
    }

    // Hash submitted password here, so that it can be compared to hashed password stored in UserTbl.
    $hasher = new PasswordHash($hash_cost_log2, $hash_portable);
    $hash = $hasher->HashPassword($Password); // variable names are case-sensitive: $Password, as assigned above
    if (strlen($hash) < 20)
        fail('Failed to hash new password');
    unset($hasher);

    if (empty($error)) // if the array is empty, it means no error found
    {
        $query_check_credentials = "SELECT * FROM UserTbl WHERE (EmailAddress='$email' AND Password='$hash') AND Activation IS NULL";
        $result_check_credentials = mysql_query($query_check_credentials, $link);
        if (!$result_check_credentials) { // If the query failed
            echo 'Query Failed ';
        }

        if (@mysql_num_rows($result_check_credentials) == 1) // if query is successful
        { // A match was made.

            $_SESSION = mysql_fetch_array($result_check_credentials, MYSQL_ASSOC);

            // Assign the result of this query to SESSION Global Variable

            header("Location: page.php");

        } else {
            $msg_error = 'Either Your Account is inactive or Email address /Password is Incorrect';
        }
    } else {
        echo '<div> <ol>';
        foreach ($error as $key => $values) {
            echo '    <li>'.$values.'</li>';
        }
        echo '</ol></div>';
    }
    if (isset($msg_error)) {
        echo '<div>'.$msg_error.' </div>';
    }
    /// var_dump($error);
    mysql_close($link);
} // End of the main Submit conditional

?>
This is bare-bones script, no formatting, etc... My goal is to get the script functioning and then format. I'm sure you'll find all sorts of problems that I am missing, but I really have tried to take the lessons you've taught me and incorporate them into login.php.
  • Firstly I combined php and html scripts
  • I incorporated password hashing. (If I'm storing a hashed password, then login requires comparing the submitted password as a hash as well.)
  • I incorporated email validation - that we just finished discussing.
  • I made sure the my_sql select statement had all appropriate table, field, input variable names
But... I am still getting errors when I use login.php. The error messages follow:
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/content/38/7901938/html/schedule/login.php:26) in /home/content/38/7901938/html/schedule/login.php on line 36

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/content/38/7901938/html/schedule/login.php:26) in /home/content/38/7901938/html/schedule/login.php on line 36

Your EMail Address is invalid
line 36 is as follows:

Code:

session_start();
It is followed by line 34:

Code:

if (isset($_POST['formsubmitted'])) {
I assume line 34 references line 26:

Code:

<input type="hidden" name="formsubmitted" value="TRUE" />
What is this hidden field for? And how do I fix the problem?

Again - thank you for your patience. It helps my frustration level greatly to simply know I can ask a human being some questions.

Pavilion

Re: Mixing php and html

Posted: Fri Mar 16, 2012 10:41 am
by Celauran
session_start() needs to come before any output has been sent to the browser. In this case, it's a simple question of moving the

Code:

if (isset($_POST['formsubmitted']))
block before your HTML. Unrelated to the problem at hand, you need to declare a DOCTYPE.

I also notice that you're using POST to submit the form, but checking for $_GET['email'].

Re: Mixing php and html

Posted: Fri Mar 16, 2012 10:56 am
by Pavilion
Celauran wrote:session_start() needs to come before any output has been sent to the browser. In this case, it's a simple question of moving the

Code:

if (isset($_POST['formsubmitted']))
block before your HTML. Unrelated to the problem at hand, you need to declare a DOCTYPE.
OK.... I moved the ENTIRE php block to the top of the page. The reason I did this is because all the php content below the

Code:

if (isset($_POST['formsubmitted']))
is included in this block.

So... now my script is as follows:

Code:

<?php
// include database connection file, if connection doesn't work the include file will throw an error message
include '../schedule/include/db_connect.php';

// including PasswordHash file for purposes of hashing password submission.
require '../PasswordHash.php';

if (isset($_POST['formsubmitted'])) {
    // Initialize a session:
    session_start();
    $error = array(); // this array will store all error messages

    if (empty($_POST['email'])) { // if the email supplied is empty
        $error[] = 'You forgot to enter your Email ';
    } else {

        if (isset($_GET['email']) && filter_var($_GET['email'], FILTER_VALIDATE_EMAIL))
        {
            // If you're putting it in a query, escape it.
            $email = mysql_real_escape_string($_GET['email']);
        }
        else {
            $error[] = 'Your EMail Address is invalid  ';
        }
    }

    if (empty($_POST['Password'])) {
        $error[] = 'Please Enter Your Password ';
    } else {
        $Password = $_POST['Password'];
    }

    // Hash submitted password here, so that it can be compared to hashed password stored in UserTbl.
    $hasher = new PasswordHash($hash_cost_log2, $hash_portable);
    $hash = $hasher->HashPassword($Password); // variable names are case-sensitive: $Password, as assigned above
    if (strlen($hash) < 20)
        fail('Failed to hash new password');
    unset($hasher);

    if (empty($error)) // if the array is empty, it means no error found
    {
        $query_check_credentials = "SELECT * FROM UserTbl WHERE (EmailAddress='$email' AND Password='$hash') AND Activation IS NULL";
        $result_check_credentials = mysql_query($query_check_credentials, $link);
        if (!$result_check_credentials) { // If the query failed
            echo 'Query Failed ';
        }

        if (@mysql_num_rows($result_check_credentials) == 1) // if query is successful
        { // A match was made.

            $_SESSION = mysql_fetch_array($result_check_credentials, MYSQL_ASSOC);

            // Assign the result of this query to SESSION Global Variable

            header("Location: page.php");

        } else {
            $msg_error = 'Either Your Account is inactive or Email address /Password is Incorrect';
        }
    } else {
        echo '<div> <ol>';
        foreach ($error as $key => $values) {
            echo '    <li>'.$values.'</li>';
        }
        echo '</ol></div>';
    }
    if (isset($msg_error)) {
        echo '<div>'.$msg_error.' </div>';
    }
    /// var_dump($error);
    mysql_close($link);
} // End of the main Submit conditional
?>
<!DOCTYPE html>
<html>
<form action="login.php" method="post">
    <fieldset>
        <legend>Login Form</legend>

        <p>Enter Your username and Password Below</p>

        <div>
            <label for="email">Email :</label>
            <input type="email" id="email" name="email" size="25" />
        </div>

        <div>
            <label for="Password">Password:</label>
            <input type="password" id="Password" name="Password" size="25" />
        </div>
        <div>
            <input type="hidden" name="formsubmitted" value="TRUE" />
            <input type="submit" value="Login" />
        </div>
    </fieldset>
</form>
</html>
Now I can login without error messages about improper syntax. But I am still getting
Your EMail Address is invalid
as an error message. I know I am putting in the correct email address; I am copying it directly out of my table. In addition, it is an email address I use every day and type out several times a day.

Thanks - Pavilion

Re: Mixing php and html

Posted: Fri Mar 16, 2012 10:58 am
by Celauran
You're still checking for $_GET['email'] instead of $_POST['email']

Re: Mixing php and html

Posted: Fri Mar 16, 2012 11:09 am
by Pavilion
Celauran wrote:You're still checking for $_GET['email'] instead of $_POST['email']
Yes - I just now figured that out - in reviewing the code. I changed $_GET to $_POST. Still I am getting the following error:
Either Your Account is inactive or Email address /Password is Incorrect
I know I am using the correct email address and password. At this point my password is quite simple: "test" - all small case.

Thanks - Pavilion

Re: Mixing php and html

Posted: Fri Mar 16, 2012 11:13 am
by Celauran
So you know this is failing

Code:

if (@mysql_num_rows($result_check_credentials) == 1)
Use a var_dump() to see what the value is. It may also be helpful to echo out the query string and run it manually.

Re: Mixing php and html

Posted: Fri Mar 16, 2012 11:15 am
by Celauran
Some minor changes and comments.

Code:

<?php

// Initialize a session:
session_start();

// include database connection file, if connection doesn't work the include file will throw an error message
include '../schedule/include/db_connect.php';

// including PasswordHash file for purposes of hashing password submission.
require '../PasswordHash.php';

if (isset($_POST['formsubmitted']))
{
    $error = array(); //this array will store all error messages

    if (empty($_POST['email']))
    {//if the email supplied is empty
        $error[] = 'You forgot to enter  your Email ';
    }
    else
    {
        if (isset($_POST['email']) && filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
        {
            // If you're putting it in a query, escape it.
            $email = mysql_real_escape_string($_POST['email']);
        }
        else
        {
            $error[] = 'Your EMail Address is invalid  ';
        }
    }

    if (empty($_POST['Password']))
    {
        $error[] = 'Please Enter Your Password ';
    }
    /* There's really no point in doing this
    else
    {
        $Password = $_POST['Password'];
    }
    */

    if (empty($error))//if the array is empty , it means no error found
    {
        // Hash submitted password here, so that it can be compared to hashed password stored in UserTbl.
        $hasher = new PasswordHash($hash_cost_log2, $hash_portable);
        $hash   = $hasher->HashPassword($_POST['Password']); // $_POST keys are case-sensitive; the form field is named "Password"
        // What kind of hash are you using? You could be more specific here
        if (strlen($hash) < 20)
            fail('Failed to hash new password');
        unset($hasher);

        // Don't SELECT *; specify which columns you need.
        $query_check_credentials  = "SELECT * FROM UserTbl WHERE (EmailAddress='$email' AND Password='$hash') AND Activation IS NULL";
        $result_check_credentials = mysql_query($query_check_credentials, $link);
        if (!$result_check_credentials)
        {//If the query failed
            // Probably better to add this to the error array. You'll also likely want to add some logging here.
            echo 'Query Failed: ' . mysql_error();
        }

        if (@mysql_num_rows($result_check_credentials) == 1)//if query is successful
        { // A match was made.
            //Assign the result of this query to SESSION Global Variable
            $_SESSION = mysql_fetch_array($result_check_credentials, MYSQL_ASSOC); // MYSQL_ASSOC: this is the mysql extension, not mysqli
            header("Location: page.php");
            exit; // stop here; header() on its own does not end the script
        }
        else
        {
            // You know the value of active. Also, why not add this to the error array?
            $msg_error = 'Either Your Account is inactive or Email address /Password is Incorrect';
        }
    }
    // Probably best to move this into the page itself. Now it's just going to look weird.
    else
    {
        echo '<div><ol>';
        // You weren't using $key anyway
        foreach ($error as $value)
        {
            echo '<li>' . $value . '</li>';
        }
        echo '</ol></div>';
    }
    if (isset($msg_error))
    {
        echo '<div>' . $msg_error . ' </div>';
    }
    /// var_dump($error);
    mysql_close($link);
} // End of the main Submit conditional
?>
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="content-type" content="text/html; charset=utf-8" />
        <title>Login Page</title>
    </head>
    <body>
        <form action="login.php" method="post">
            <fieldset>
                <legend>Login Form  </legend>

                <p>Enter Your username and Password Below  </p>

                <!-- You don't really need all these divs -->
                <div>
                    <label for="name">Email :</label>
                    <input type="email" id="email" name="email" size="25" />
                </div>

                <div>
                    <label for="Password">Password:</label>
                    <input type="password" id="Password" name="Password" size="25" />
                </div>
                <div>
                    <input type="hidden" name="formsubmitted" value="TRUE" />
                    <input type="submit" value="Login" />
                </div>
            </fieldset>
        </form>
    </body>
</html>

Re: Mixing php and html

Posted: Fri Mar 16, 2012 11:33 am
by Pavilion
Celauran:

Thank you for the var_dump(). I had been wondering if there was a way to "step-through" the code.

So... I used var_dump($query_check_credentials); and discovered my password submission is not hashing out the same as my hashed password in the table.

SO... now I have to go back to the original hash references you gave me and figure out what I am doing wrong.

I also see you posted some edits. I will come back to those. But first things first:
  1. Lunch
  2. Figure out the password hashing
  3. Clean up the code
  4. Format the file
  5. And somewhere in all of that - take care of my regular clients.
I do thank you Celauran - your help means more than you know. But... right now I'm going to go get some lunch.

Thanks again - Pavilion

Re: Mixing php and html

Posted: Fri Mar 16, 2012 11:37 am
by Celauran
I think you'll want to take a look at PasswordHash::CheckPassword()

Re: Mixing php and html

Posted: Fri Mar 16, 2012 9:00 pm
by Pavilion
Celauran wrote:I think you'll want to take a look at PasswordHash::CheckPassword()
Hello Celauran -

Thank you for steering me towards CheckPassword(). I have checked it out and I've not yet made any use of it, because it makes no sense to me. It's like trying to read French. So... I want to learn what is going on with the code before using it.

Firstly - about the initial registration code.....

Code:

// Now hash the $password before inserting into UserTbl
$hasher = new PasswordHash($hash_cost_log2, $hash_portable);
$hash = $hasher->HashPassword($password);
if (strlen($hash) < 20)
fail('Failed to hash new password');
unset($hasher);
If the registration code was used to initially create the hashed password during registration, why doesn't it equally hash a submitted password during registration? The same password is being processed in the same way at both registration and log-in, so why is the hashed result different at log-in?

Now about the CheckPassword($pass, $hash) element - this "else" code snippet follows successful registration and creation of a user. So... to me... this code snippet is the most applicable to my current task of creating log-in capabilities:

Code:

	$what = 'User created';
} else {
	$hash = '*'; // In case the user is not found
	($stmt = $db->prepare('select pass from users where user=?')) // I take it this statement is selecting the appropriate password "pass" from the users table?
		|| fail('MySQL prepare', $db->error);
	$stmt->bind_param('s', $user) // As far as I've been able to figure out "->" means "output". But I can not figure out what "bind_param('s', $user)" is doing. Why is the 's inside the ()s?
		|| fail('MySQL bind_param', $db->error);
	$stmt->execute() // Again, I just simply can not figure out what is happening here.
		|| fail('MySQL execute', $db->error);
	$stmt->bind_result($hash) // is $hash being applied to the stored hash in the table, or is it being applied to the hashed password submitted during log-in.
		|| fail('MySQL bind_result', $db->error);
	if (!$stmt->fetch() && $db->errno)
		fail('MySQL fetch', $db->error);

	if ($hasher->CheckPassword($pass, $hash)) { // again what is being compared to what here? Is $pass from the log-in submission or from the users table, and the same goes for $hash. As far as I can tell $pass is from the table, and $hash is from the log-in submission. But I cannot figure out for sure.
		$what = 'Authentication succeeded';
	} else {
		$what = 'Authentication failed';
	}
	unset($hasher);
}
Lastly - how do I use this snippet in my own code? Is this used in conjunction with the initial $hasher (that was used in registration)? And if so... it takes us right back to my initial question, why isn't the initial hashing procedure producing the same result when hashing log-in password submissions? :?

_________________________

Edit
Here is what is confusing me...

Code:

$pass = get_post_var('pass');
First use of $pass - pretty straight forward, it is a variable for the submitted log-in password.

Code:

$hash = $hasher->HashPassword($pass);
this seems to be applying $hash to $pass (very confusing). As far as I can tell - it is used in the process of creating a new user. But... then where is it re-defined for an existing user?

I'm sorry, this must all seem so basic to you - but it is truly confusing to me.

Pavilion

Re: Mixing php and html

Posted: Fri Mar 16, 2012 9:33 pm
by Celauran
Pavilion wrote:If the registration code was used to initially create the hashed password during registration, why doesn't it equally hash a submitted password during registration? The same password is being processed in the same way at both registration and log-in, so why is the hashed result different at log-in.
HashPassword() uses a random salt which will be different on each use.
Pavilion wrote:this "else" code snippet follows successful registration
No idea where this comes from. Looks like MySQLi using prepared statements.
Pavilion wrote:Here is what is confusing me...

Code:

$pass = get_post_var('pass');
First use of $pass - pretty straight forward, it is a variable for the submitted log-in password.

Code:

$hash = $hasher->HashPassword($pass);
this seems to be applying $hash to $pass (very confusing). As far as I can tell - it is used in the process of creating a new user. But... then where is it re-defined for an existing user?
No idea whose code this is. get_post_var() is definitely a custom function. Anyway, what it appears to be doing is assigning $_POST['pass'] to the local variable $pass. It's then passing that as an argument to the HashPassword() method of the $hasher object, which is an instance of PasswordHash.

Have you taken a look at the test.php file that comes with PHPass? I think you'll find the examples contained therein to be far simpler.
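
Pulling the thread's conclusions together: the stored hash carries its own salt, so a login page must not hash the submitted password a second time and compare strings; it hands the submitted password and the stored hash to CheckPassword() and lets phpass redo the hashing with the salt read out of the stored value. The file below does that. It is an added example, not code from the thread or from PHPass itself; it also puts session_start() before any output, as Celauran explained earlier, uses a prepared statement instead of mysql_real_escape_string(), and stores only the address in the session rather than the whole row. It assumes PHP 7 or later, phpass at ../PasswordHash.php, db_connect.php providing a mysqli connection in $link (the thread uses the old mysql_ functions), UserTbl(EmailAddress, Password, Activation) as in the thread, and page.php as the page to land on after login. salt_demo() and authenticate() are names of my own; salt_demo() needs no database and shows the two-different-hashes behaviour Pavilion ran into.

```php
<?php
// Added example, not code from the thread. Assumptions: PHP 7+, phpass at
// ../PasswordHash.php, db_connect.php providing a mysqli connection in $link
// (the thread uses the old mysql_ functions), UserTbl(EmailAddress, Password,
// Activation) as in the thread, and page.php as the post-login page.
session_start(); // first thing in the file, before a single byte of output

include '../schedule/include/db_connect.php';
require '../PasswordHash.php';

// Same cost/portability settings as at registration. They only affect new
// hashes: CheckPassword() reads the cost and salt back out of the stored hash.
$hasher = new PasswordHash(8, false);

/**
 * Two HashPassword() calls on the same password give different strings
 * (random salt each time), yet CheckPassword() accepts the password against
 * both. Returns true when that holds; runs without a database.
 */
function salt_demo(PasswordHash $hasher, string $password): bool
{
    $h1 = $hasher->HashPassword($password);
    $h2 = $hasher->HashPassword($password);
    return $h1 !== $h2
        && $hasher->CheckPassword($password, $h1)
        && $hasher->CheckPassword($password, $h2)
        && !$hasher->CheckPassword($password . 'x', $h1);
}

/**
 * Fetch the stored hash for $email and verify $password against it.
 * Returns the stored address on success, null on failure. An unknown address
 * and a wrong password take the same path and give the same answer, so the
 * page does not reveal which addresses are registered.
 */
function authenticate(mysqli $db, PasswordHash $hasher, string $email, string $password): ?string
{
    $stmt = $db->prepare(
        'SELECT EmailAddress, Password FROM UserTbl
          WHERE EmailAddress = ? AND Activation IS NULL LIMIT 1'
    );
    if ($stmt === false) {
        error_log('login: prepare failed: ' . $db->error);
        return null;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $storedEmail = $storedHash = null;
    $stmt->bind_result($storedEmail, $storedHash);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    // '*' can never be a valid phpass hash, so a missing user fails cleanly
    // (the same stand-in the phpass demo quoted above uses).
    if (!$found) {
        $storedHash = '*';
    }
    return $hasher->CheckPassword($password, $storedHash) ? $storedEmail : null;
}

$errors = [];
if (isset($_POST['formsubmitted'])) {
    $email    = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $password = (string) ($_POST['Password'] ?? '');
    if ($email === false) {
        $errors[] = 'Your email address is invalid.';
    }
    if ($password === '') {
        $errors[] = 'Please enter your password.';
    }
    if (!$errors) {
        $who = authenticate($link, $hasher, $email, $password);
        if ($who === null) {
            $errors[] = 'Either your account is inactive or the email address / password is incorrect.';
        } else {
            session_regenerate_id(true);   // fresh session id once the user is authenticated
            $_SESSION['email'] = $who;     // keep only what later pages need; never the hash
            header('Location: page.php');
            exit;                          // header() alone does not stop the script
        }
    }
}
$link->close();
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8" /><title>Login Page</title></head>
<body>
<?php if ($errors): ?>
    <ol><?php foreach ($errors as $e) { echo '<li>', htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), '</li>'; } ?></ol>
<?php endif; ?>
<form action="login.php" method="post">
    <label for="email">Email:</label>
    <input type="email" id="email" name="email" size="25" />
    <label for="Password">Password:</label>
    <input type="password" id="Password" name="Password" size="25" />
    <input type="hidden" name="formsubmitted" value="TRUE" />
    <input type="submit" value="Login" />
</form>
</body>
</html>
```

Calling salt_demo($hasher, 'test') returns true: the two hashes differ, both verify, and a wrong password does not, which is exactly why the SELECT ... WHERE Password='$hash' comparison in the thread could never match. The errors are rendered inside the page (rather than echoed from the top of the file, as Celauran noted) and passed through htmlspecialchars(), and the redirect is followed by exit so that nothing after it runs for a logged-in request.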