Code Issue


TheHappyPeanut
Forum Commoner
Posts: 50
Joined: Wed Apr 11, 2012 8:54 am
Location: United States

Re: Code Issue

Post by TheHappyPeanut »

Celauran wrote:It's not performing any authentication. That block, in English, would read "If a (any) username and password have been provided, open a connection to the database. Otherwise, don't and inform the user you couldn't." Or something to that effect.
Okay, and that's because I haven't asked it to verify that the username and password are the same entries as those in the database?
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Code Issue

Post by Celauran »

Right. All you've really done is establish a connection to the database. social_experiment and I actually just worked on a user registration/login tutorial. It's still being reviewed, but contains example scripts you may be interested in looking at.

Re: Code Issue

Post by TheHappyPeanut »

Celauran wrote:Right. All you've really done is establish a connection to the database. social_experiment and I actually just worked on a user registration/login tutorial. It's still being reviewed, but contains example scripts you may be interested in looking at.
I'll read up on it. Also, quick question. Since there are no verification measures in place, that is also why I can erase all the text and still make a connection, right?

Re: Code Issue

Post by Celauran »

Yes. You could, in theory, also check that the username and password fields contain values before checking credentials.

Re: Code Issue

Post by TheHappyPeanut »

When you're creating a user system, do you prefer to create the registration first or the login?

Re: Code Issue

Post by Celauran »

I always do registration first; you need a user to make sure your login works.

Re: Code Issue

Post by TheHappyPeanut »

How would I verify the username and password? Is it anything like this?

Code: Select all

$mysqli->query (SELECT * FROM 'tracker' WHERE username='$username' and password='$password');

Re: Code Issue

Post by Celauran »

Pretty close. Don't use SELECT * though; only grab the columns you need. Including the password in a WHERE clause may or may not work, depending on how you've implemented password hashing (i.e. it won't work with PHPass).

Assuming $username has already been sanitized:

Code: Select all

$query  = "SELECT id, password FROM tracker WHERE username = '{$username}'";
$result = $mysqli->query($query);

Re: Code Issue

Post by TheHappyPeanut »

What if I'm going to use bcrypt? Would it work for that? If so, would 'WHERE' be a viable method of doing this or would there be a better alternative?

Code: Select all

$mysqli->query (FROM 'tracker' WHERE username='$username' and password='$password');
When you said to remove SELECT *, I'm assuming the above code is what you meant to do? I could be wrong.

Re: Code Issue

Post by Celauran »

TheHappyPeanut wrote:What if I'm going to use bcrypt? Would it work for that? If so, would 'WHERE' be a viable method of doing this or would there be a better alternative?

Code: Select all

$mysqli->query (FROM 'tracker' WHERE username='$username' and password='$password');
When you said to remove SELECT *, I'm assuming the above code is what you meant to do? I could be wrong.
You must select something in a SELECT query; I was just saying don't blindly grab everything. Think about what you need and select only those columns. See my example above.

If you're using bcrypt, it depends how you're salting it. If you use the same salt everywhere, you can hash the submitted password and use the hash in the WHERE clause. If you've got a per-user salt, that won't work.

Re: Code Issue

Post by TheHappyPeanut »

I believe I understand what you are saying. * gives it a wildcard which means "Grab anything"? Anyway, here's the code since I put it in, but I don't think it's correct:

Code: Select all

<?php

if (!empty($_POST))
{
    if (isset($_POST['username']) && isset($_POST['password']))
    $mysqli->query (SELECT FROM 'tracker' WHERE username='$username' and password='$password');
    {
    $mysqli = new mysqli();
    $mysqli = new mysqli('localhost', 'root', '', 'tracker');
    }
    else
        die('Unable to proceed');
}
   
?>

Re: Code Issue

Post by Celauran »

That's a bit of a mess.
  • You currently have your query between your if statement and its associated brace, which is sure to generate a syntax error.
  • You haven't selected any columns, so your query is malformed.
  • You're trying to call an object's methods before having instantiated the object itself.
  • You're creating the same object twice for no apparent reason.
  • You're not assigning the query's results to a variable, so you won't be able to access them.
  • Your query needs to be a string; i.e. it needs to be enclosed in quotes.
  • $username and $password are undefined.
Try something like this:

Code: Select all

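<?php

if (!empty($_POST))
{
    if (isset($_POST['username']) && isset($_POST['password']))
    {
        $mysqli   = new mysqli('localhost', 'root', '', 'tracker');
        // Escape the submitted value before placing it in the query string
        $username = $mysqli->real_escape_string($_POST['username']);
        // The table name is left unquoted: single quotes would make it a string literal
        $query    = "SELECT id, password FROM tracker WHERE username='$username'";
        // query() returns false on failure, so check before fetching the row
        $res      = $mysqli->query($query);
        $result   = $res ? $res->fetch_assoc() : null;
    }
    else
        die('Unable to proceed');
}

?>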
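
The approach discussed in this thread (fetch the row by username only, then check the password outside the WHERE clause, since a per-user salt makes every stored hash different), as an added example that is not part of the original posts. It assumes PHP 5.5+ for password_hash() and password_verify(), the thread's tracker table with id, username and password columns, and the hypothetical helper names find_user() and check_login(); the sample row is constructed so the hashing part runs without a database.

```php
<?php
// Added example, not code from the thread. find_user() and check_login()
// are hypothetical helper names; the tracker columns are as in the posts.

// Look the user up by name only, with a bound parameter instead of
// string interpolation. The password never appears in the SQL.
function find_user(mysqli $db, $username)
{
    $stmt = $db->prepare('SELECT id, password FROM tracker WHERE username = ?');
    if ($stmt === false) {
        return null;                    // prepare failed
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $row = $stmt->fetch() ? array('id' => $id, 'password' => $hash) : null;
    $stmt->close();
    return $row;
}

// Check the submitted password against the stored bcrypt hash in PHP.
// Returns the user id on success, false otherwise.
function check_login($row, $password)
{
    // Constructed dummy hash: an unknown username still costs one bcrypt
    // run, so timing says less about which usernames exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_BCRYPT);
    }
    $hash = ($row !== null) ? $row['password'] : $dummy;
    $ok   = password_verify((string) $password, $hash);
    return ($ok && $row !== null) ? $row['id'] : false;
}

// Constructed sample standing in for a row returned by find_user().
$stored = password_hash('s3cret-sample', PASSWORD_BCRYPT);
$again  = password_hash('s3cret-sample', PASSWORD_BCRYPT);
$row    = array('id' => 7, 'password' => $stored);

var_dump($stored === $again);                  // same password, hashed twice
var_dump(check_login($row, 's3cret-sample'));  // correct password
var_dump(check_login($row, 'wrong'));          // wrong password
var_dump(check_login(null, 's3cret-sample'));  // unknown username
```

In the login script above, the two calls combine as check_login(find_user($mysqli, $_POST['username']), $_POST['password']).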

Re: Code Issue

Post by TheHappyPeanut »

Thanks for the help. Do you know of any tutorials that focus on code etiquette? I really have no clue what code goes where, when to close them off, or what to close them off with.

Re: Code Issue

Post by Celauran »

The New Boston apparently has some great tutorials, ditto PHP Academy. This is just hearsay, mind; I've never looked at them myself.

Re: Code Issue

Post by TheHappyPeanut »

Celauran wrote:The New Boston apparently has some great tutorials, ditto PHP Academy. This is just hearsay, mind; I've never looked at them myself.
Any books you'd recommend?