Page 4 of 6
Re: Code Issue
Posted: Fri Apr 13, 2012 10:03 am
by TheHappyPeanut
Celauran wrote:It's not performing any authentication. That block, in English, would read "If a (any) username and password have been provided, open a connection to the database. Otherwise, don't and inform the user you couldn't." Or something to that effect.
Okay, and that's because I haven't asked it to verify that the username and password are the same entries as those in the database?
Re: Code Issue
Posted: Fri Apr 13, 2012 10:07 am
by Celauran
Right. All you've really done is establish a connection to the database. social_experiment and I actually just worked on a user registration/login tutorial. It's still being reviewed, but contains example scripts you may be interested in looking at.
Re: Code Issue
Posted: Fri Apr 13, 2012 10:10 am
by TheHappyPeanut
Celauran wrote:Right. All you've really done is establish a connection to the database. social_experiment and I actually just worked on a user registration/login tutorial. It's still being reviewed, but contains example scripts you may be interested in looking at.
I'll read up on it. Also, quick question. Since there are no verification measures in place, that is also why I can erase all the text and still make a connection, right?
Re: Code Issue
Posted: Fri Apr 13, 2012 10:16 am
by Celauran
Yes. You could, in theory, also check that the username and password fields contain values before checking credentials.
Re: Code Issue
Posted: Fri Apr 13, 2012 10:21 am
by TheHappyPeanut
When you're creating a user system, do you prefer to create the registration first or the login?
Re: Code Issue
Posted: Fri Apr 13, 2012 10:22 am
by Celauran
I always do registration first; you need a user to make sure your login works.
Re: Code Issue
Posted: Fri Apr 13, 2012 10:56 am
by TheHappyPeanut
How would I verify the username and password? Is it anything like this?
Code: Select all
$mysqli->query (SELECT * FROM 'tracker' WHERE username='$username' and password='$password');
Re: Code Issue
Posted: Fri Apr 13, 2012 11:00 am
by Celauran
Pretty close. Don't use SELECT * though; only grab the columns you need. Including the password in a WHERE clause may or may not work, depending on how you've implemented password hashing (ie. it won't work with PHPass).
Assuming $username has already been sanitized
Code: Select all
$query = "SELECT id, password FROM tracker WHERE username = '{$username}'";
$result = $mysqli->query($query);
Re: Code Issue
Posted: Fri Apr 13, 2012 11:03 am
by TheHappyPeanut
What if I'm going to use bcrypt? Would it work for that? If so, would 'WHERE' be a viable method of doing this or would there be a better alternative?
Code: Select all
$mysqli->query (FROM 'tracker' WHERE username='$username' and password='$password');
When you said to remove SELECT *, I'm assuming the above code is what you meant to do? I could be wrong.
Re: Code Issue
Posted: Fri Apr 13, 2012 11:08 am
by Celauran
TheHappyPeanut wrote:What if I'm going to use bcrypt? Would it work for that? If so, would 'WHERE' be a viable method of doing this or would there be a better alternative?
Code: Select all
$mysqli->query (FROM 'tracker' WHERE username='$username' and password='$password');
When you said to remove SELECT *, I'm assuming the above code is what you meant to do? I could be wrong.
You must select something in a SELECT query, I was just saying don't blindly grab everything. Think about what you need and select only those columns. See my example above.
If you're using bcrypt, it depends how you're salting it. If you use the same salt everywhere, you can hash the submitted password and use the hash in the WHERE clause. If you've got a per-user salt, that won't work.
Re: Code Issue
Posted: Fri Apr 13, 2012 11:16 am
by TheHappyPeanut
I believe I understand what you are saying. * gives it a wildcard which means "Grab anything"? Anyway, here's the code since I put it in... but I don't think it's correct:
Code: Select all
<?php
if (!empty($_POST))
{
if (isset($_POST['username']) && isset($_POST['password']))
$mysqli->query (SELECT FROM 'tracker' WHERE username='$username' and password='$password');
{
$mysqli = new mysqli();
$mysqli = new mysqli('localhost', 'root', '', 'tracker');
}
else
die('Unable to proceed');
}
?>
Re: Code Issue
Posted: Fri Apr 13, 2012 11:25 am
by Celauran
That's a bit of a mess.
- You currently have your query between your if statement and its associated brace, which is sure to generate a syntax error.
- You haven't selected any columns, so your query is malformed.
- You're trying to call an object's methods before having instantiated the object itself.
- You're creating the same object twice for no apparent reason.
- You're not assigning the query's results to a variable, so you won't be able to access them.
- Your query needs to be a string; ie. it needs to be enclosed in quotes.
- $username and $password are undefined.
Try something like this:
Code: Select all
<?php
if (!empty($_POST))
{
    if (isset($_POST['username']) && isset($_POST['password']))
    {
        $mysqli = new mysqli('localhost', 'root', '', 'tracker');
        // Escape the submitted username before it is interpolated into the query
        $username = $mysqli->real_escape_string($_POST['username']);
        // tracker is an identifier, so it is not wrapped in quotes; select only the columns you need
        $query = "SELECT id, password FROM tracker WHERE username='$username'";
        // $result is the matching row (id and stored password) or null if there is no such user
        $result = $mysqli->query($query)->fetch_assoc();
    }
    else
        die('Unable to proceed');
}
?>
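An added worked example, not code from the thread or from either poster, that ties together Celauran's two points above: select only id and password by username and verify the password separately, because a bcrypt hash carries a per-user salt and cannot be matched in a WHERE clause (the 11:00 and 11:08 posts), and check that both fields are non-empty before querying, with the user input bound as a parameter rather than interpolated into the SQL string (the 11:25 post). It uses PDO with an in-memory SQLite database so it runs offline; the table and column names (tracker, id, username, password) follow the thread, while the sample user and the function names connect, register, login and loginByHashInWhere are assumptions of this example.

```php
<?php
// Added example (not from the thread): registration then login against an
// in-memory SQLite database via PDO so it runs offline. Table and column
// names follow the thread; the sample user below is constructed here.

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE tracker (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL)');
    return $pdo;
}

// Registration first: store a bcrypt hash, never the plaintext.
// password_hash() draws a fresh random salt on every call and embeds it
// in the returned string, which is why the hash cannot simply be
// recomputed and matched in a WHERE clause.
function register(PDO $pdo, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;
    }
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $pdo->prepare('INSERT INTO tracker (username, password) VALUES (:u, :p)');
    return $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Login: reject empty fields, look the user up by username only through a
// prepared statement (the input travels as a value, never as SQL), then
// let password_verify() read the salt out of the stored hash and compare.
function login(PDO $pdo, string $username, string $password): ?int
{
    if ($username === '' || $password === '') {
        return null;                      // empty fields are rejected before any query runs
    }
    $stmt = $pdo->prepare('SELECT id, password FROM tracker WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                      // unknown user
    }
    if (!password_verify($password, $row['password'])) {
        return null;                      // wrong password
    }
    return (int) $row['id'];
}

// The approach the thread warns against: hash the submitted password and
// put the hash in the WHERE clause. With bcrypt's per-user salt the newly
// computed hash never equals the stored one, so this never finds the user.
function loginByHashInWhere(PDO $pdo, string $username, string $password): ?int
{
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $pdo->prepare('SELECT id FROM tracker WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $username, ':p' => $hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

$pdo = connect();
register($pdo, 'alice', 'correct horse');                  // constructed sample user

var_dump(login($pdo, 'alice', 'correct horse'));           // correct credentials
var_dump(login($pdo, 'alice', 'wrong'));                   // wrong password
var_dump(login($pdo, '', ''));                             // empty fields
var_dump(login($pdo, "alice' OR '1'='1", 'x'));            // injection attempt, bound as a literal
var_dump(loginByHashInWhere($pdo, 'alice', 'correct horse')); // hash-in-WHERE with a per-user salt
```

Run it with php on the command line (it needs the pdo_sqlite extension). login() returns the user's id only for the correct username and password; an unknown user, a wrong password, empty fields, and the injection attempt all yield null, the last because the prepared statement hands the whole string to the database as a username value rather than as SQL. loginByHashInWhere() yields null even for the correct password, since password_hash() picks a new salt each call and the result never equals the string stored at registration. For MySQL, replace the DSN and the CREATE TABLE statement; the lookup and verification code stays the same.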
Re: Code Issue
Posted: Fri Apr 13, 2012 11:33 am
by TheHappyPeanut
Celauran wrote:That's a bit of a mess.
- You currently have your query between your if statement and its associated brace, which is sure to generate a syntax error.
- You haven't selected any columns, so your query is malformed.
- You're trying to call an object's methods before having instantiated the object itself.
- You're creating the same object twice for no apparent reason.
- You're not assigning the query's results to a variable, so you won't be able to access them.
- Your query needs to be a string; ie. it needs to be enclosed in quotes.
- $username and $password are undefined.
Try something like this:
Code: Select all
<?php
if (!empty($_POST))
{
    if (isset($_POST['username']) && isset($_POST['password']))
    {
        $mysqli = new mysqli('localhost', 'root', '', 'tracker');
        // Escape the submitted username before it is interpolated into the query
        $username = $mysqli->real_escape_string($_POST['username']);
        // tracker is an identifier, so it is not wrapped in quotes; select only the columns you need
        $query = "SELECT id, password FROM tracker WHERE username='$username'";
        // $result is the matching row (id and stored password) or null if there is no such user
        $result = $mysqli->query($query)->fetch_assoc();
    }
    else
        die('Unable to proceed');
}
?>
Thanks for the help. Do you know of any tutorials that focus on code etiquette? I really have no clue what code goes where, when to close them off, or what to close them off with.
Re: Code Issue
Posted: Fri Apr 13, 2012 11:35 am
by Celauran
The New Boston apparently has some great tutorials, ditto PHP Academy. This is just hearsay, mind; I've never looked at them myself.
Re: Code Issue
Posted: Fri Apr 13, 2012 12:18 pm
by TheHappyPeanut
Celauran wrote:The New Boston apparently has some great tutorials, ditto PHP Academy. This is just hearsay, mind; I've never looked at them myself.
Any books you'd recommend?