Code Issue
Re: Code Issue (TheHappyPeanut)
Celauran wrote:
It's not performing any authentication. That block, in English, would read "If a (any) username and password have been provided, open a connection to the database. Otherwise, don't and inform the user you couldn't." Or something to that effect.
Okay, and that's because I haven't asked it to verify that the username and password are the same entries as those in the database?
TheHappyPeanut
- Forum Commoner
- Posts: 50
- Joined: Wed Apr 11, 2012 8:54 am
- Location: United States
Re: Code Issue (Celauran)
Right. All you've really done is establish a connection to the database. social_experiment and I actually just worked on a user registration/login tutorial. It's still being reviewed, but contains example scripts you may be interested in looking at.
Re: Code Issue (TheHappyPeanut)
I'll read up on it. Also, quick question. Since there are no verification measures in place, that is also why I can erase all the text and still make a connection, right?
Re: Code Issue (Celauran)
Yes. You could, in theory, also check that the username and password fields contain values before checking credentials.
Re: Code Issue (TheHappyPeanut)
When you're creating a user system, do you prefer to create the registration first or the login?
Re: Code Issue (Celauran)
I always do registration first; you need a user to make sure your login works.
Re: Code Issue (TheHappyPeanut)
How would I verify the username and password? Is it anything like this?
Code:
$mysqli->query (SELECT * FROM 'tracker' WHERE username='$username' and password='$password');
Re: Code Issue (Celauran)
Pretty close. Don't use SELECT * though; only grab the columns you need. Including the password in a WHERE clause may or may not work, depending on how you've implemented password hashing (i.e. it won't work with PHPass).
Assuming $username has already been sanitized
Code:
$query = "SELECT id, password FROM tracker WHERE username = '{$username}'";
$result = $mysqli->query($query);
Re: Code Issue (TheHappyPeanut)
What if I'm going to use bcrypt? Would it work for that? If so, would 'WHERE' be a viable method of doing this or would there be a better alternative?
When you said to remove SELECT *, I'm assuming the above code is what you meant to do? I could be wrong.
Code:
$mysqli->query (FROM 'tracker' WHERE username='$username' and password='$password');
Re: Code Issue (Celauran)
You must select something in a SELECT query; I was just saying don't blindly grab everything. Think about what you need and select only those columns. See my example above.
If you're using bcrypt, it depends how you're salting it. If you use the same salt everywhere, you can hash the submitted password and use the hash in the WHERE clause. If you've got a per-user salt, that won't work.
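Added example, not code from either poster: a login check done the way described above for per-user salted bcrypt, fetching only id and the stored hash by username with a prepared statement and comparing in PHP with password_verify, with the empty-field check from earlier in the thread done first. It assumes PHP 7.1 or later and the PDO SQLite driver; an in-memory table stands in for the MySQL tracker table.

```php
<?php
// Added example, not the thread's own code. Assumes PHP >= 7.1 and the PDO
// SQLite driver; an in-memory table stands in for the MySQL 'tracker' table.

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE tracker (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    return $pdo;
}

// Registration comes first: store only the bcrypt hash, which carries its own per-user salt.
function register(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO tracker (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => password_hash($password, PASSWORD_BCRYPT)]);
}

// Login: refuse empty fields, look the user up by username only (a per-user salted
// hash cannot be matched in the WHERE clause), then compare in PHP. Returns the
// user id on success and null otherwise.
function login(PDO $pdo, string $username, string $password): ?int
{
    if ($username === '' || $password === '') {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, password FROM tracker WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still run password_verify against a constructed dummy hash so
    // the response time does not reveal which usernames exist.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy-password', PASSWORD_BCRYPT);
    $hash = $row ? $row['password'] : $dummy;

    if (!password_verify($password, $hash) || !$row) {
        return null;
    }
    return (int) $row['id'];
}

$pdo = connect();
register($pdo, 'alice', 'correct horse battery staple'); // constructed sample user
var_dump(login($pdo, 'alice', 'correct horse battery staple'));  // matching password
var_dump(login($pdo, 'alice', 'not the password'));              // wrong password
var_dump(login($pdo, 'nobody', 'correct horse battery staple')); // unknown user
var_dump(login($pdo, '', ''));                                   // empty fields
```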
Re: Code Issue (TheHappyPeanut)
I believe I understand what you are saying. * gives it a wildcard which means "Grab anything"? Anyway, here's the code since I put it in, but I don't think it's correct:
Code:
<?php
if (!empty($_POST))
{
if (isset($_POST['username']) && isset($_POST['password']))
$mysqli->query (SELECT FROM 'tracker' WHERE username='$username' and password='$password');
{
$mysqli = new mysqli();
$mysqli = new mysqli('localhost', 'root', '', 'tracker');
}
else
die('Unable to proceed');
}
?>
Re: Code Issue (Celauran)
That's a bit of a mess.
- You currently have your query between your if statement and its associated brace, which is sure to generate a syntax error.
- You haven't selected any columns, so your query is malformed.
- You're trying to call an object's methods before having instantiated the object itself.
- You're creating the same object twice for no apparent reason.
- You're not assigning the query's results to a variable, so you won't be able to access them.
- Your query needs to be a string; i.e. it needs to be enclosed in quotes.
- $username and $password are undefined.
Try something like this:
Code:
<?php
if (!empty($_POST))
{
    if (isset($_POST['username']) && isset($_POST['password']))
    {
        // Create the connection once, before any of its methods are called.
        $mysqli = new mysqli('localhost', 'root', '', 'tracker');
        // Escape the submitted username before placing it in the query string.
        $username = $mysqli->real_escape_string($_POST['username']);
        // Select only the columns needed. The table name is an identifier, not a
        // string literal, so it is not wrapped in single quotes.
        $query = "SELECT id, password FROM tracker WHERE username='$username'";
        $result = $mysqli->query($query);
        // fetch_assoc() gives the matching row (or null if no such user); guard
        // against a failed query, which returns false rather than a result set.
        $row = $result ? $result->fetch_assoc() : null;
    }
    else
        die('Unable to proceed');
}
?>
Re: Code Issue (TheHappyPeanut)
Thanks for the help. Do you know of any tutorials that focus on code etiquette? I really have no clue what code goes where, when to close them off, or what to close them off with.
Re: Code Issue (Celauran)
The New Boston apparently has some great tutorials, ditto PHP Academy. This is just hearsay, mind; I've never looked at them myself.
Re: Code Issue (TheHappyPeanut)
Any books you'd recommend?