Log In Page

richo
Forum Commoner
Posts: 58
Joined: Sun Aug 06, 2006 11:56 am

Undefined index error

Post by richo »

Okay guys, I got it working, woo! :D

One thing I had a problem with was this:

$username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['user']);
$password = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['pass']);

But when I changed it to:

$username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['username']);
$password = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['password']);

And then set the username and password in the if statement:

if (($username == 'somethinghere') && ($password == 'andsomminere')) {

It works fine! As for the preg_replace, could someone explain why we're using that bit out of interest?

Also, I'm ready for the next part, I guess we're detecting the session isvalid = 1 and session username = the set username?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

First, none of that code is OOP. If you have interest we could refactor the code to be more reusable for any form. Let me know.

Regarding the preg_replace, that regular expression is using the character set notation [], but it is inverting what is matched using the ^ NOT symbol. So what it is doing is replacing all the characters that are NOT in the character set you are giving it with NULL, thereby removing them. The result is that it keeps only characters that are in the character set.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

The preg_replace strips everything other than a-z, A-Z or 0-9 in username and password. The ^ stands for "not". Check out info about regular expressions here. So it's a basic check to make sure no "bad" characters are sent to the script.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

An undefined index error is when you try to call an element of an array by using its index and the index does not exist. Secondly, you should not be replacing anything in the username and password. If the username only allows letters and numbers, preg_match it and if it fails error out. For passwords, if you are hashing the password, a space will be hashed along with the rest of the string so manipulating the password could lock your users out. Really give some consideration as to what you are doing with this.
richo
Forum Commoner
Posts: 58
Joined: Sun Aug 06, 2006 11:56 am

Post by richo »

Everah wrote:Secondly, you should not be replacing anything in the username and password. If the username only allows letters and numbers, preg_match it and if it fails error out. For passwords, if you are hashing the password, a space will be hashed along with the rest of the string so manipulating the password could lock your users out. Really give some consideration as to what you are doing with this.
I don't really understand which bit you think I'm doing wrong, could you explain further?
Regarding the preg_replace, that regular expression is using the character set notation [], but it is inverting what is matched using the ^ NOT symbol. So what it is doing is replacing all the characters that are NOT in the character set you are giving it with NULL, thereby removing them. The result is that it keeps only characters that are in the character set.
This is a really good definition, thanks for all your help.

I managed to get the session detection working, please tell me what you guys think. On the first page I changed it to set this:

$_SESSION['isvalid'] = 1;
$_SESSION['username'] = $username;

On the second page, I set this to detect the session 'isvalid':

<?php
session_start();

if ($_SESSION['isvalid'] != 1) {
    header('Location: index.php');
    exit; // header() only queues the redirect; without exit the rest of the page still runs and is sent
} else {
    echo "hello" . " " . $_SESSION['username'];
}
?>

(I realise using the hello ['username'] bit is a bit pointless as I'm only using one pre-defined username, but I wanted to experiment with retrieving the session strings.)
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Everah wrote:Secondly, you should not be replcaing anything in the username and password. If the username only allows letters and numbers, preg_match it and if it fails error out.
That is another method. I usually filter, then validate -- but many do the opposite.
Everah wrote:For passwords, if you are hashing the password, a space will be hashed along with the rest of the string so manipulating the password could lock your users out. Really give some consideration as to what you are doing with this.
We could deal with hashing the password with Javascript as a possible option.
richo
Forum Commoner
Posts: 58
Joined: Sun Aug 06, 2006 11:56 am

Post by richo »

When you say "hashing", I'm not quite sure what you mean?

Also, I've modified the session detection as it came up with errors if no session was set:

<?php
session_start();

if (isset($_SESSION['isvalid'])) {
    if ($_SESSION['isvalid'] != 1) {
        header('Location: index.php');
        exit; // stop here; header() alone does not end the script
    } else {
        echo "hello" . " " . $_SESSION['username'];
    }
} else {
    header('Location: index.php');
    exit;
}
richo
Forum Commoner
Posts: 58
Joined: Sun Aug 06, 2006 11:56 am

Post by richo »

and now stripped it down to:

<?php
session_start();

if (! isset($_SESSION['isvalid'])) {
    header('Location: index.php');
    exit; // stop here; header() alone does not end the script
}

Any pointers would be helpful for improvement to any of the code we've used, but I'm really happy it's working! Thanks for all your help.
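The two pages from the posts above put together, as an added example that is not richo's code. It assumes one account checked by a hypothetical check_credentials() function (standing in for the hard-coded comparison in the thread) and adds two things the posted snippets leave out: session_regenerate_id() after a successful login, so a session ID planted in the browser before login (session fixation) does not become the authenticated session, and exit after every redirect header, because header() does not stop the script and everything after it is still rendered and sent.

```php
<?php
// auth.php: added example, not the original poster's code. Shared by the
// login handler (index.php) and every protected page (page2.php).
declare(strict_types=1);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Hypothetical stand-in for the thread's single hard-coded account.
// A real deployment checks a stored password hash here instead.
function check_credentials(string $user, string $pass): bool
{
    return $user === 'somethinghere' && $pass === 'andsomminere';
}

// Run on a POST to the login page. On success the session is marked valid
// and gets a fresh ID, so a session ID an attacker planted before login
// (session fixation) is not carried over into the authenticated session.
function login_user(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['isvalid']  = 1;
    $_SESSION['username'] = $user;
    return true;
}

// First statement of every protected page. header('Location: ...') only
// queues a header; PHP keeps executing, so without exit the rest of the
// page (the part meant for logged-in users) is still sent to the browser.
function require_login(): string
{
    if (($_SESSION['isvalid'] ?? null) !== 1) {
        header('Location: index.php');
        exit;
    }
    return (string) $_SESSION['username'];
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

/* index.php (login form handler)
 *
 *   require 'auth.php';
 *   if ($_SERVER['REQUEST_METHOD'] === 'POST'
 *       && login_user((string) ($_POST['username'] ?? ''),
 *                     (string) ($_POST['password'] ?? ''))) {
 *       header('Location: page2.php');
 *       exit;
 *   }
 *   // otherwise show the form, with one generic "login failed" message
 *
 * page2.php (protected)
 *
 *   require 'auth.php';
 *   $name = require_login();
 *   echo 'hello ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
 */
```

The username is passed through htmlspecialchars() when echoed because, once the login no longer strips input, whatever the user typed ends up in the page.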
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

richo wrote:
Everah wrote:Secondly, you should not be replacing anything in the username and password. If the username only allows letters and numbers, preg_match it and if it fails error out. For passwords, if you are hashing the password, a space will be hashed along with the rest of the string so manipulating the password could lock your users out. Really give some consideration as to what you are doing with this.
I don't really understand which bit you think i'm doing wrong, could you explain further?
What I mean is, on a login script, you don't want to try to guess what the user should have entered. They should be entering correctly formatted data or the script should kill its process. For example, my logins are always going to be either alphanumeric or numeric. Spaces and special characters are not allowed. So in my script, I preg_match() the passed username against a pattern that matches my settings, and if it passes that step, then I move on to checking the password. If not, then I error out at that point.

For passwords, you should be hashing your passwords. md5() or sha1(), or better yet, Feyd's sha256 would be a good choice as a hashing mechanism (using a salt of course, but we can cover that later). When you hash, you are taking the password and running it through a one way algorithm that makes it difficult or impossible to unhash. This is a security precaution for protecting your users information.

When hashing, each character has a value in the algorithm, even a space. So if my password was 'my password' and you removed the space, then my login would fail because a hashed 'my password' would not equal a hashed 'mypassword'. Again, straight hash to hash match and if it fails, error out.
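The validate-and-reject approach described in the post above, as an added example (not RobertGonzalez's code) set next to the preg_replace from earlier in the thread so the difference is visible on the same inputs. The length limits and the ^...$ anchors are my assumptions: a pattern without anchors only has to match somewhere in the string, and \b is a word boundary rather than a start-or-end-of-string anchor, so a whole-string check needs ^ and $ (the D modifier stops $ from accepting a trailing newline).

```php
<?php
// Added example: reject malformed usernames instead of silently rewriting them.
declare(strict_types=1);

// Username rule from the thread: letters and digits only. Anchored to the
// whole string (^ ... $); D makes $ refuse a trailing "\n". The length bounds
// are an assumption for this example.
const USERNAME_PATTERN = '/^[a-zA-Z0-9]{3,32}$/D';

function is_valid_username(string $name): bool
{
    return preg_match(USERNAME_PATTERN, $name) === 1;
}

// What the earlier preg_replace does: drop everything outside the set and
// carry on with whatever is left.
function strip_to_alnum(string $s): string
{
    return preg_replace('/[^a-zA-Z0-9]/', '', $s) ?? '';
}

// A login step that validates first and errors out on bad input. The password
// is passed through untouched, so what gets hashed is exactly what was typed.
function login_input(array $post): ?array
{
    $user = (string) ($post['username'] ?? '');
    $pass = (string) ($post['password'] ?? '');
    if (!is_valid_username($user) || $pass === '') {
        return null; // caller shows one generic error and stops
    }
    return ['username' => $user, 'password' => $pass];
}

// Constructed inputs showing the difference between the two approaches.
$inputs = ['richo', 'ri cho', "richo\n", "rob';--", 'my password'];
printf("%-16s %-6s %s\n", 'input', 'valid', 'after preg_replace');
foreach ($inputs as $in) {
    printf("%-16s %-6s %s\n", json_encode($in),
        is_valid_username($in) ? 'yes' : 'no', strip_to_alnum($in));
}

// Stripping a password changes what is hashed: the hash of the typed value
// and the hash of the stripped value differ, so the real password stops working.
$typed    = 'my password';
$stripped = strip_to_alnum($typed);
printf("sha1 of typed and stripped password equal: %s\n",
    sha1($typed) === sha1($stripped) ? 'yes' : 'no');

// Example of the validate-first path on a constructed POST array.
var_dump(login_input(['username' => 'ri cho', 'password' => 'x']));
var_dump(login_input(['username' => 'richo', 'password' => 'my password']));
```

In the table the stripped column shows that "rob';--" and "ri cho" both turn into plausible-looking usernames (rob, richo) that the user never typed; the validator simply refuses them.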
richo
Forum Commoner
Posts: 58
Joined: Sun Aug 06, 2006 11:56 am

Post by richo »

Cheers for the advice. I implemented some of your preg_match technique:

// \b is a word boundary, not a start-of-string/end-of-string anchor
if ((preg_match("/\buser\b/", $username)) && (preg_match("/\bpass\b/", $password))) {

And it works well. I understand it, it ensures a definite precise match with \b.

Now for the hash!
richo
Forum Commoner
Posts: 58
Joined: Sun Aug 06, 2006 11:56 am

Post by richo »

Hello again, I'm struggling to find a good example of the sha1() method on the internet.

The only thing I find is the

<?php
$str = 'apple';

if (sha1($str) === 'd0be2dc421be4fcd0172e5afceea3970e2f3d940') {
   echo "Would you like a green or red apple?";
   exit;
}
?>

example, but I'm not really getting it and how it could be utilised.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

When you add a user, you take the password they choose and hash it with the hash function. This is an example using md5()...

<?php
// Assume all checks for POST have been done
$password = md5($_POST['user_password']); // Now their posted password is md5() hashed

// Note: $username is concatenated straight into the SQL text here; with a
// current driver (mysqli or PDO) it belongs in a prepared statement so the
// value travels as data rather than as part of the query.
$sql = 'INSERT INTO `users` (`userid`, `username`, `userpassword`) VALUES (\'\', \'' . $username . '\', \'' . $password . '\')';
// finishing processing
?>

Then, when you pull the information from the database on login, check the value in the database against the hashed password used by the user to login...

<?php
// mysql_fetch_array() belongs to the old ext/mysql extension (removed in PHP 7);
// with mysqli or PDO the row is fetched the same way and the check is unchanged.
$row = mysql_fetch_array($sql_result);
if ($row['userpassword'] == md5($_POST['password']))
{
    // We have a match!
}
else
{
    // Password matching failed
}
?>
richo
Forum Commoner
Posts: 58
Joined: Sun Aug 06, 2006 11:56 am

Post by richo »

thanks, this is really useful.

Although, in my case, I have only one set username and password. Does this still need to be hashed? If so, how, as the username and password aren't coming out of a database?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

In my opinion, all passwords should be hashed. And passwords are not meant to be returned, they are meant to be checked against.
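Both the database flow from RobertGonzalez's md5() post and richo's single fixed account, as one added example that is not the thread's code. It swaps the bare md5() for PHP's password_hash()/password_verify() (bcrypt with a random per-password salt, so the "salt, which we can cover later" is handled for you), and builds the INSERT and SELECT with PDO prepared statements instead of string concatenation. It assumes the pdo_sqlite extension, using an in-memory SQLite database so it runs offline; the table and column names follow the post above. The "dummy hash" step is my addition: verifying against a throwaway hash when the username does not exist keeps the response time the same for unknown and known users.

```php
<?php
// Added example, not RobertGonzalez's code. Replaces the bare md5() with
// password_hash()/password_verify() (bcrypt, random per-password salt) and the
// string-built INSERT with PDO prepared statements. In-memory SQLite so it runs offline.
declare(strict_types=1);

function make_password_hash(string $plain): string
{
    // Hash exactly what was typed; a space is part of the secret.
    return password_hash($plain, PASSWORD_DEFAULT);
}

function check_password(string $plain, string $storedHash): bool
{
    // Salt and cost are read out of the stored hash; comparison is constant-time.
    return password_verify($plain, $storedHash);
}

// Hash of a throwaway value, verified against when the username is unknown,
// so a bad username and a bad password take about the same time.
define('DUMMY_HASH', make_password_hash(bin2hex(random_bytes(16))));

// --- Accounts in a database table (table and columns as in the post above) ---
function open_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, userpassword TEXT NOT NULL)');
    return $db;
}

function add_user(PDO $db, string $username, string $plain): void
{
    // Placeholders: the username is sent as data, never spliced into the SQL text.
    $stmt = $db->prepare('INSERT INTO users (username, userpassword) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => make_password_hash($plain)]);
}

function login_db(PDO $db, string $username, string $plain): bool
{
    $stmt = $db->prepare('SELECT userpassword FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row  = $stmt->fetch(PDO::FETCH_ASSOC);
    $hash = is_array($row) ? (string) $row['userpassword'] : DUMMY_HASH;
    $ok   = check_password($plain, $hash);
    return $ok && is_array($row);
}

// --- richo's case: one fixed account and no database ---
// Generate the hash once (php -r "echo password_hash('...', PASSWORD_DEFAULT);")
// and keep only the hash in a config file outside the web root; the plain
// password is then stored nowhere. It is computed inline here so the example runs.
$config = [
    'username'      => 'somethinghere',
    'password_hash' => make_password_hash('and somminere'),
];

function login_single(array $config, string $username, string $plain): bool
{
    $userOk = hash_equals($config['username'], $username); // constant-time string compare
    $passOk = check_password($plain, $config['password_hash']);
    return $userOk && $passOk;
}

// Constructed demo inputs
$db = open_db();
add_user($db, 'richo', 'my password');
var_dump(login_db($db, 'richo', 'my password'));            // correct password
var_dump(login_db($db, 'richo', 'mypassword'));             // space removed
var_dump(login_db($db, 'nobody', 'my password'));           // unknown user
var_dump(login_single($config, 'somethinghere', 'and somminere'));
var_dump(login_single($config, 'somethinghere', 'andsomminere'));
```

Only the hash is ever stored or compared; nothing here can give the plain password back, which is the point RobertGonzalez makes about passwords being checked against rather than returned.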
richo
Forum Commoner
Posts: 58
Joined: Sun Aug 06, 2006 11:56 am

Post by richo »

Okay, thanks for all your advice and help, it's been really useful and I've learned a lot. :)