Undefined index error
Posted: Fri Aug 11, 2006 3:37 pm
by richo
Okay guys, I got it working, woo!
One thing I had a problem with was this:
Code:
$username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['user']);
$password = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['pass']);
But when i changed it to:
Code:
$username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['username']);
$password = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['password']);
And then set the username and password in the if statement:
Code:
if (($username == 'somethinghere') && ($password == 'andsomminere')) {
It works fine! As for the preg_replace, could someone explain, out of interest, why we're using that bit?
Also, I'm ready for the next part. I guess we're detecting that the session isvalid = 1 and the session username = the set username?
Posted: Fri Aug 11, 2006 4:02 pm
by Christopher
First, none of that code is OOP. If you have interest we could refactor the code to be more reusable for any form. Let me know.
Regarding the preg_replace, that regular expression is using the character set notation [], but it is inverting what is matched using the ^ NOT symbol. So what it is doing is replacing all the characters that are NOT in the character set you are giving it with NULL, thereby removing them. The result is that it keeps only characters that are in the character set.
Posted: Fri Aug 11, 2006 4:03 pm
by matthijs
The preg_replace strips everything other than a-z, A-Z or 0-9 in username and password. The ^ stands for "not". Check out info about regular expressions
here. So it's a basic check to make sure no "bad" characters are sent to the script.
Posted: Fri Aug 11, 2006 4:15 pm
by RobertGonzalez
An undefined index error is when you try to call an element of an array by using its index and the index does not exist. Secondly, you should not be replacing anything in the username and password. If the username only allows letters and numbers, preg_match it and if it fails error out. For passwords, if you are hashing the password, a space will be hashed along with the rest of the string, so manipulating the password could lock your users out. Really give some consideration as to what you are doing with this.
Posted: Fri Aug 11, 2006 4:46 pm
by richo
Everah wrote:Secondly, you should not be replacing anything in the username and password. If the username only allows letters and numbers, preg_match it and if it fails error out. For passwords, if you are hashing the password, a space will be hashed along with the rest of the string so manipulating the password could lock your users out. Really give some consideration as to what you are doing with this.
I don't really understand which bit you think I'm doing wrong, could you explain further?
Christopher wrote:Regarding the preg_replace, that regular expression is using the character set notation [], but it is inverting what is matched using the ^ NOT symbol. So what it is doing is replacing all the characters that are NOT in the character set you are giving it with NULL, thereby removing them. The result is that it keeps only characters that are in the character set.
This is a really good definition, thanks for all your help.
I managed to get the session detection working, please tell me what you guys think. On the first page I changed it to set this:
Code:
$_SESSION['isvalid'] = 1;
$_SESSION['username'] = $username;
On the second page, I set this to detect the session 'isvalid':
Code:
<?php
session_start();
if ($_SESSION['isvalid'] != 1) {
    header('Location: index.php');
    exit; // stop here, otherwise the rest of the page is still sent after the redirect header
} else {
    echo "hello" . " " . $_SESSION['username'];
}
?>
(I realise using the hello ['username'] bit is a bit pointless as I'm only using one pre-defined username, but I wanted to experiment with retrieving the session strings.)
Posted: Fri Aug 11, 2006 4:50 pm
by Christopher
Everah wrote:Secondly, you should not be replacing anything in the username and password. If the username only allows letters and numbers, preg_match it and if it fails error out.
That is another method. I usually filter, then validate -- but many do the opposite.
Everah wrote:For passwords, if you are hashing the password, a space will be hashed along with the rest of the string so manipulating the password could lock your users out. Really give some consideration as to what you are doing with this.
We could deal with hashing the password with Javascript as a possible option.
Posted: Fri Aug 11, 2006 4:53 pm
by richo
When you say "hashing", I'm not quite sure what you mean?
Also, I've modified the session detection as it came up with errors if no session was set:
Code:
<?php
session_start();
if (isset($_SESSION['isvalid'])) {
    if ($_SESSION['isvalid'] != 1) {
        header('Location: index.php');
        exit; // nothing below must run once the redirect has been issued
    } else {
        echo "hello" . " " . $_SESSION['username'];
    }
} else {
    header('Location: index.php');
    exit;
}
Posted: Fri Aug 11, 2006 4:56 pm
by richo
and now stripped it down to:
Code:
<?php
session_start();
if (!isset($_SESSION['isvalid'])) {
    header('Location: index.php');
    exit; // stop here, or the protected page below is still sent to the visitor
}
Any pointers would be helpful for improvement to any of the code we've used, but I'm really happy it's working! Thanks for all your help.
Posted: Fri Aug 11, 2006 4:59 pm
by RobertGonzalez
richo wrote:Everah wrote:Secondly, you should not be replacing anything in the username and password. If the username only allows letters and numbers, preg_match it and if it fails error out. For passwords, if you are hashing the password, a space will be hashed along with the rest of the string so manipulating the password could lock your users out. Really give some consideration as to what you are doing with this.
I don't really understand which bit you think I'm doing wrong, could you explain further?
What I mean is, on a login script, you don't want to try to guess what the user should have entered. They should be entering correctly formatted data or the script should kill its process. For example, my logins are always going to be either alphanumeric or numeric. Spaces and special characters are not allowed. So in my script, I preg_match() the passed username against a pattern that matches my settings, and if it passes that step, then I move on to checking the password. If not, then I error out at that point.
For passwords, you should be hashing your passwords. md5() or sha1(), or better yet, Feyd's sha256 would be a good choice as a hashing mechanism (using a salt of course, but we can cover that later). When you hash, you are taking the password and running it through a one way algorithm that makes it difficult or impossible to unhash. This is a security precaution for protecting your users' information.
When hashing, each character has a value in the algorithm, even a space. So if my password was 'my password' and you removed the space, then my login would fail because a hashed 'my password' would not equal a hashed 'mypassword'. Again, straight hash to hash match and if it fails, error out.
Posted: Sat Aug 12, 2006 10:05 am
by richo
Cheers for the advice. I implemented some of your preg_match technique:
Code:
if ((preg_match("/\buser\b/", $username)) && (preg_match("/\bpass\b/", $password))) {
And it works well. I understand it: it ensures a definite, precise match with \b.
Now for the hash!
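An added example, not code from this thread, contrasting the two approaches discussed above: the preg_replace filter silently rewrites the submitted name, while an anchored preg_match either accepts the whole string or errors out, and the password is hashed exactly as typed. Function names and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example, not from the thread: filtering rewrites bad input silently,
// validating rejects it. All sample inputs below are constructed.

// Filtering (what the thread's preg_replace does): unwanted characters vanish
// and the script carries on with a different string from the one submitted.
function filter_username($username)
{
    return preg_replace('/[^a-zA-Z0-9]/', '', $username);
}

// Validating (what RobertGonzalez recommends): the whole string must match.
// ^ and $ anchor the pattern to the full string; a bare \b only requires a
// word boundary, so "user name" still satisfies /\buser\b/.
function username_is_valid($username)
{
    return is_string($username)
        && preg_match('/^[a-zA-Z0-9]{1,32}$/', $username) === 1;
}

// Hash the password exactly as typed: no preg_replace, no trim.
// Removing even one space produces a completely different hash.
function hash_password($password)
{
    return sha1($password);
}

$samples = array('somethinghere', 'some thing', "o'brien", 'user name');
foreach ($samples as $s) {
    printf("%-16s filtered=%-14s valid=%s\n",
        var_export($s, true), filter_username($s),
        username_is_valid($s) ? 'yes' : 'no');
}
// 'somethinghere'  filtered=somethinghere  valid=yes
// 'some thing'     filtered=something      valid=no   <- filtering changed the name
// 'o\'brien'       filtered=obrien         valid=no   <- a different user than was typed

// Why the password must not be filtered before hashing:
var_dump(hash_password('my password') === hash_password('mypassword')); // bool(false)
// And why \b alone is not an exact match:
var_dump(preg_match('/\buser\b/', 'user name') === 1);                  // bool(true)
```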
Posted: Sat Aug 12, 2006 10:19 am
by richo
Hello again, I'm struggling to find a good example of the sha1() method on the internet.
The only thing I find is the
Code:
<?php
$str = 'apple';
if (sha1($str) === 'd0be2dc421be4fcd0172e5afceea3970e2f3d940') {
echo "Would you like a green or red apple?";
exit;
}
?>
example, but I'm not really getting it and how it could be utilised.
Posted: Sun Aug 13, 2006 12:11 am
by RobertGonzalez
When you add a user, you take the password they choose and hash it with the hash function. This is an example using md5()...
Code:
<?php
// Assume all checks for POST have been done
$username = mysql_real_escape_string($_POST['username']); // escape the name before it goes into the query
$password = md5($_POST['user_password']); // Now their posted password is md5() hashed (hex only, safe to embed)
$sql = 'INSERT INTO `users` (`userid`, `username`, `userpassword`) VALUES (\'\', \'' . $username . '\', \'' . $password . '\')';
// finishing processing
?>
Then, when you pull the information from the database on login, check the value in the database against the hashed password used by the user to login...
Code:
<?php
$row = mysql_fetch_array($sql_result);
if ($row['userpassword'] === md5($_POST['password'])) // strict comparison: both sides are hex strings
{
    // We have a match!
}
else
{
    // Password matching failed
}
?>
Posted: Sun Aug 13, 2006 5:18 am
by richo
Thanks, this is really useful.
Although, in my case, I have only one set username and password. Does this still need to be hashed? If so, how, as the username and password aren't coming out of a database?
Posted: Sun Aug 13, 2006 10:13 am
by RobertGonzalez
In my opinion, all passwords should be hashed. And passwords are not meant to be returned, they are meant to be checked against.
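An added example, not code from this thread, of the single hard-coded account richo asks about: the script holds only the sha1() hash of the password, the submitted password is hashed as typed and the two hashes are compared. hash_equals() assumes PHP 5.6 or later; the user name, file names and the hash placeholder are constructed.

```php
<?php
// Added example, not from the thread. One hard-coded account, stored as a hash.
session_start();

// Only the hash lives in the script. Compute sha1() of the real password once
// and paste the 40 hex characters here; the value below is a placeholder.
define('LOGIN_USER', 'somethinghere');
define('LOGIN_PASSWORD_SHA1', 'PLACEHOLDER_40_HEX_CHARS_FROM_sha1_OF_THE_REAL_PASSWORD');

// Returns true when the submitted pair matches the stored user and hash.
// The password is hashed exactly as typed (no preg_replace, no trim).
// hash_equals() compares byte for byte in constant time; == would treat two
// hex strings that both start with "0e" as equal numbers.
function credentials_match($username, $password)
{
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    $user_ok = ($username === LOGIN_USER);
    $pass_ok = hash_equals(LOGIN_PASSWORD_SHA1, sha1($password));
    return $user_ok && $pass_ok;
}

if (isset($_POST['username'], $_POST['password'])
        && credentials_match($_POST['username'], $_POST['password'])) {
    session_regenerate_id(true);          // fresh session id once logged in
    $_SESSION['isvalid'] = 1;
    $_SESSION['username'] = LOGIN_USER;   // store the known name, not raw input
    header('Location: members.php');      // members.php checks isset($_SESSION['isvalid'])
    exit;                                 // nothing below runs after the redirect
}
// fall through here to show the login form, or a generic "login failed" message
```

The password itself never appears in the script, so someone reading the source still has to work out a preimage of the hash rather than simply copy the credential.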
Posted: Sun Aug 13, 2006 10:54 am
by richo
Okay, thanks for all your advice and help, it's been really useful and I've learned a lot.
