Greetings experts.
I think I made this more complicated than it needs to be.
Users are required to log in to take a test.
If a user tries logging in, the system checks to see if the user has taken the test or not.
If the user has taken the test, s/he is redirected to a page called registered.php which displays benefits of membership.
If no record exists for this user, the user is taken to the page called register.php so s/he can take the test.
The scenarios described above work fine.
However, we are running into a problem where if a user mistakenly enters incorrect username/password, the system assumes the user has logged in correctly but has not taken the test and redirects her to register.php.
We would like to modify the code to perform three checks.
If username/password is not correct, display a message to user that either username or password is incorrect.
If username/password is correct and the user has not taken the test, redirect to register.php.
If username/password is correct and the user has taken the test, redirect user to registered.php.
Any ideas how to modify the code below?
I have spent so much time trying to fix this but it is not working for me.
Thanks a lot in advance for your help.
$strSQL = "SELECT u.empl_first, u.username, u.empl_first +' '+ empl_last as fullname, e.Department, e.UnitName, e.empnum
           FROM users u
           INNER JOIN Employee e ON u.Employee_Id = e.EmpNum
           INNER JOIN tblTBA t ON u.Employee_Id = t.Employee_Id
           WHERE USERNAME = '".ms_escape_string($_POST['user'])."'
           AND PASSWORD = '".ms_escape_string($pass)."' ";
$sqll = sqlsrv_query($con, $strSQL);
if ($objResult = sqlsrv_fetch_array($sqll, SQLSRV_FETCH_ASSOC)) {
    $firstname = $objResult["empl_first"];
    $_SESSION["username"] = $objResult["username"];
    header('location:registered.php?user=' . urlencode($firstname));
}
if ($user == $_SESSION["username"]) {
    header("location:register.php?user='".ms_escape_string($user)."'&pass='".ms_escape_string($pass)."' ");
}
else {
    echo "Username and Password Incorrect!";
}
First off, you urgently need to fix the SQL Injection[^] vulnerabilities in your code.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
Next, fix your password storage. You're currently storing passwords in plain text, which is an extremely bad idea. You should only ever store a salted hash of the user's password, using a unique salt per record.
Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]
Also, NEVER put the user's password in the URL. The browser retains a history of every URL visited, making it trivial for someone with access to the user's history to discover their password.
Finally, to fix your problem, you need to split your validation into two steps:
- Is the username and password valid?
- Has the user completed the test?
Currently, you're trying to do both at once, which is why you're getting confused.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
You to the rescue again. Thank you very much sir.
First off, I am using a hash.
$pass = md5($pass);
I did not paste it as part of my initial code.
Second, I created this custom script that I thought helps keep my code from sql injection attack:
<pre lang="PHP">
function ms_escape_string($data) {
    if ( !isset($data) or empty($data) ) return '';
    if ( is_numeric($data) ) return $data;
    // strip URL-encoded and raw control characters
    $non_displayables = array(
        '/%0[0-8bcef]/',
        '/%1[0-9a-f]/',
        '/[\x00-\x08]/',
        '/\x0b/',
        '/\x0c/',
        '/[\x0e-\x1f]/'
    );
    foreach ( $non_displayables as $regex )
        $data = preg_replace( $regex, '', $data );
    // double any single quote so it cannot close the SQL string literal
    $data = str_replace("'", "''", $data );
    return $data;
}
</pre>
However, I can change it to use parameterized query:
$strSQL = "SELECT u.empl_first, u.username, u.empl_first +' '+ empl_last as fullname, e.Department, e.UnitName, e.empnum FROM users u inner join Employee e on u.Employee_Id = e.EmpNum inner join tblTBA t on u.Employee_Id = t.Employee_Id WHERE USERNAME = ?
and PASSWORD = ? ";
$params = array($_POST["user"], $_POST["pass"]);
$sqll = sqlsrv_query($con, $strSQL, $params);
Now, if I am on the right track on those two, could you please be kind enough to help with the last part, where I am trying to check whether the username and/or password is correct and redirect to the appropriate page as described?
Thanks again for your help.
samflex wrote: First off, I am using a hash.
$pass = md5($pass);
An unsalted MD5 hash doesn't offer much protection:
Troy Hunt: Our password hashing has no clothes[^]
samflex wrote: check whether username and / or password is correct and redirecting to appropriate page
As I said, use two steps:
1) Validate the username and password:
SELECT
    u.empl_first,
    u.username,
    u.empl_first +' '+ u.empl_last as fullname,
    e.Department,
    e.UnitName,
    e.empnum
FROM
    users u
    INNER JOIN Employee e
    ON u.Employee_Id = e.EmpNum
WHERE
    u.USERNAME = ?
    AND
    u.PASSWORD = ?
If no data is returned, then the username or password is invalid.
2) Check whether the user has completed the test:
SELECT Employee_Id FROM tblTBA WHERE Employee_Id = ?
If no data is returned, then the user has not taken the test.
NB: If the Employee record doesn't get created until the user has taken the test, then you'll need to move that part of the query from step 1 to step 2.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
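The two-step flow described above, written out as an added example against the sqlsrv extension (this is not code from the thread). It assumes PHP 7, that $con is an open sqlsrv connection, that users.PASSWORD holds a password_hash() value (a salted bcrypt hash, in place of the thread's MD5), and that tblTBA has one row per employee who has taken the test.

```php
<?php
// Added example: credential check and test check as two separate, parameterised queries.
// Assumptions: $con is an open sqlsrv connection; users.PASSWORD stores a password_hash() value.
session_start();

// Step 1: look the user up by name only; the hash comparison happens in PHP,
// so the password never becomes part of any SQL statement.
function authenticate($con, $user, $pass)
{
    $sql = "SELECT u.Employee_Id, u.empl_first, u.username, u.PASSWORD
            FROM users u WHERE u.USERNAME = ?";
    $stmt = sqlsrv_query($con, $sql, array($user));
    if ($stmt === false) {
        return null;                       // query error: treat as not authenticated
    }
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    // Unknown user and wrong password fail the same way, giving the same message.
    if (!$row || !password_verify($pass, $row['PASSWORD'])) {
        return null;
    }
    return $row;
}

// Step 2: one parameterised lookup in tblTBA answers "has this user taken the test?".
function hasTakenTest($con, $employeeId)
{
    $stmt = sqlsrv_query($con, "SELECT 1 FROM tblTBA WHERE Employee_Id = ?", array($employeeId));
    return $stmt !== false && (bool) sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
}

$user = trim($_POST['user'] ?? '');
$pass = $_POST['pass'] ?? '';

$row = authenticate($con, $user, $pass);
if ($row === null) {
    header('Location: login.php?msg=1');   // wrong username or password
    exit;                                  // always stop after issuing a redirect
}

// Keep the identity in the session; never put the password (or its hash) in a URL.
$_SESSION['username']    = $row['username'];
$_SESSION['employee_id'] = $row['Employee_Id'];

$target = hasTakenTest($con, $row['Employee_Id']) ? 'registered.php' : 'register.php';
header('Location: ' . $target . '?user=' . urlencode($row['empl_first']));
exit;
```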
ahhh got!
I am slow.
Thanks so much. I learn so much when I am fortunate to get your help.
I would not have thought of doing it this way.
Thanks a lot Richard.
Sorry Richard,
I tried doing it separately like you spec'ed it out and it is just not working.
The first part which validates username/password works but when I added the second part, then it doesn't matter whether I have correct username and password, it just takes me to login page.
The code you see here shows I am doing them together again with if...else but that's just what I am trying since separating them isn't working.
$user = trim($_POST["user"]);
$pass = trim($_POST["pass"]);
$tsql = "SELECT u.empl_first, u.username, u.empl_first +' '+ empl_last as fullname FROM users u WHERE u.USERNAME = ? and u.PASSWORD = ? ";
$params = array($user, $pass);
// sqlsrv_query() takes at most four arguments; the cursor option is the fourth
// (a static cursor is needed for sqlsrv_num_rows() to return a count)
$result = sqlsrv_query( $con, $tsql, $params, array( "Scrollable" => SQLSRV_CURSOR_STATIC ));
$row_count = sqlsrv_num_rows($result);
if ($row_count == 0){
    header('location:login.php?msg=1');
    exit;
}
else
{
    $tSQL = "SELECT u.empl_first, u.username FROM users u inner join tblTBA t on u.Employee_Id = t.Employee_ID WHERE USERNAME = '".ms_escape_string($user)."'
             and PASSWORD = '".ms_escape_string($pass)."' ";
    // no echo here: any output before header() would break the redirect
    $sqll = sqlsrv_query($con, $tSQL);
}
if ($objResult = sqlsrv_fetch_array($sqll, SQLSRV_FETCH_ASSOC)) {
    $firstname = $objResult["empl_first"];
    $_SESSION["username"] = $objResult["username"];
    header('location:donetba.php?user=' . urlencode($firstname));
}
else
    header("location:registered.php?user='".ms_escape_string($user)."'&pass='".ms_escape_string($pass)."' ");
sqlsrv_close($con);
?>
Nothing obvious in the code, although you still need to parameterize the second query in the same way as the first, and you're still passing the password in the query-string to the registered.php page.
You could probably remove the else, since you've got an exit; in the if block.
Are you sure it's this page that's redirecting the user to the login page? Try tracing the network requests in your browser's developer tools, to see if either registered.php or donetba.php is doing the redirection instead.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
That was it!!!
Removing the else since I have exit seems to have fixed it.
I have fixed the parameterized query stuff.
Thanks so much Richard.
I really, really am grateful for your help.
I'm not sure what I'm doing wrong, but for some reason my page works fine only after hitting the submit button twice.
Below is the code. Any help or a point in the right direction would be greatly appreciated.
The removejob.php is a small page that just makes a connection and updates a single field based on the jobid.
<html>
<head>
<title>Phoenix Metals Job Interface</title>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
<script type="text/javascript">
function like(Job)
{
$.ajax({
url: "RemoveJob.php",
type: "POST",
data: { 'JobID': Job },
success: function()
{
window.location.reload();
}
});
}
</script>
<style>
body
{
font-size: 200%;
}
table
{
width: 900px;
font-size:40px;
font-weight: bold;
}
td
{
text-align: center;
vertical-align: middle;
border: 1px solid black;
padding: 10px;
}
.button
{
background-color: #ff3386;
color: white;
width: 175px;
height: 65px;
text-align: center;
vertical-align: middle;
font-size: 20px;
font-weight: bold;
}
</style>
</head>
<body>
<?php
$con=mysqli_connect('localhost', 'xxxxxxx', 'xxxxxxx','xxxxxxx');
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
exit; // nothing below can run without a connection
}
$JobResults = mysqli_query($con,"SELECT * FROM JobInterface WHERE Completed is null ORDER BY JobNumber");
echo"<table>";
echo"<tr><td colspan='3'>Phoenix Metals Job Interface</td></tr>";
echo"<tr>";
echo"<td>Job Number</td>";
echo"<td>Project Name</td>";
echo"<td>Account</td>";
echo"<td>Edit</td>";
echo"<td>Remove</td>";
echo"</tr>";
$JobRow = array();
while($JobRow = mysqli_fetch_array($JobResults))
{
$back = 'white';
$message = 'Not Finished';
if(($JobRow['Sheets'] != 1) && ($JobRow['Burned'] != 1) && ($JobRow['FormUp'] != 1) && ($JobRow['CoilLine'] != 1) && ($JobRow['Liner'] != 1) && ($JobRow['Vanes'] != 1) && ($JobRow['Assembled'] != 1) && ($JobRow['Wrapped'] != 1) && ($JobRow['HandFab'] != 1) && ($JobRow['Welded'] != 1) && ($JobRow['Supplies'] != 1) && ($JobRow['WardFrames'] != 1) && ($JobRow['Special'] != 1))
{
$back = 'aqua';
$message = 'Possibly Done';
}
echo"<tr>";
// escape database values before placing them in HTML
echo"<td>" . htmlspecialchars($JobRow['JobNumber']) . "</td>";
echo"<td>" . htmlspecialchars($JobRow['ProjectName']) . "</td>";
echo"<td>" . htmlspecialchars($JobRow['AccountName']) . "</td>";
if ($JobRow['RTS'] == 0)
{
echo"<td style='background-color:".$back.";'>";
echo"<form style='margin-bottom:0; align:center;' name='EditJob' action='JobEdit.php' method='POST'><input type='hidden' name='JobID' value='".$JobRow['IDJob']."'/><input class='button' type='submit' name='submit-btn' value='Details'/></form>";
echo"</td>";
echo"<td>".$message."</td>";
}
if ($JobRow['RTS'] == 1)
{
echo"<td style='background-color:aqua;'>";
echo"RTS";
echo"</td>";
echo"<td bgcolor='#FF0000'>";
echo"<form style='margin-bottom:0; align:center;' name='ReloadJob' action='JobInterfaceMain.php' method='POST'>";
echo"<input class='button' type='submit' name='submit-btn' onclick='like(".$JobRow['IDJob'].")' value='Gone'/>";
echo"</form>";
echo"</td>";
}
echo"</tr>";
}
echo"</table>";
?>
</body>
</html>
What do you see in console?
I am in a PHP project which needs to pass parameters to the next page, but only using the values, not the variable names:
index.php/1+2
And on the next page, I want to get the values in different variables.
Santhosh Kumar
I don't know if PHP has something different, but the easy way to do this in any web language is to use the query string: index.php?var1=1&var2=2. Then on the next page you can read them from the query string.
There are only 10 types of people in the world, those who understand binary and those who don't.
Hello there. I am trying to get data from 3 different tables based on a simple join. One of the tables can have multiple values against one primary key. Here are the table designs:
Table 1 - EmployeeDetails
EmployeeId INT, FirstName VARCHAR, SurName VARCHAR, SexId INT
Table 2 - EmployeeSex
SexId INT, Sex VARCHAR
Table 3 - EmployeeContacts
EmployeeId INT, Contact VARCHAR
I am using following query
SELECT ED.EmployeeId, ED.FirstName, ED.SurName, GROUP_CONCAT(EC.Contact)
FROM EmployeeDetails ED, EmployeeSex ES, EmployeeContacts EC
WHERE ED.SexId = ES.SexId AND ED.EmployeeId = EC.EmployeeId AND ED.EmployeeId = 'emp_password';
Now this query works fine if we have at least one contact number. But if there are no contacts, then this results in an empty set. What is wrong with this query? How can I improve it so that it works in all scenarios (regardless of the number of contacts in the EmployeeContacts table)? Thanks for any input.
modified 19-Aug-16 7:10am.
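An added example (not from the thread, whose replies do not answer the question) showing the usual fix: a LEFT JOIN to EmployeeContacts, so the employee row survives when there are no contacts, run as a mysqli prepared statement. It assumes PHP 7.1 with mysqlnd, that $con is an open mysqli connection to the three tables described above, and a hypothetical function name fetchEmployee.

```php
<?php
// Added example: return one employee with all their contacts, even when
// EmployeeContacts holds no rows for them. Assumes $con is an open mysqli
// connection to the schema described in the question (hypothetical helper).
function fetchEmployee(mysqli $con, int $employeeId): ?array
{
    // INNER JOIN EmployeeSex is fine: every employee has a SexId.
    // LEFT JOIN EmployeeContacts keeps the employee row when no contact matches,
    // so GROUP_CONCAT yields NULL instead of the whole row disappearing.
    // Non-aggregated columns are listed in GROUP BY so the query is valid
    // with MySQL's ONLY_FULL_GROUP_BY mode enabled.
    $sql = "SELECT ED.EmployeeId, ED.FirstName, ED.SurName, ES.Sex,
                   GROUP_CONCAT(EC.Contact ORDER BY EC.Contact SEPARATOR ', ') AS Contacts
            FROM EmployeeDetails ED
            INNER JOIN EmployeeSex ES ON ES.SexId = ED.SexId
            LEFT JOIN EmployeeContacts EC ON EC.EmployeeId = ED.EmployeeId
            WHERE ED.EmployeeId = ?
            GROUP BY ED.EmployeeId, ED.FirstName, ED.SurName, ES.Sex";

    // Prepared statement: the id is bound as an integer, never interpolated into SQL.
    $stmt = $con->prepare($sql);
    $stmt->bind_param('i', $employeeId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when the employee does not exist
    $stmt->close();

    if ($row !== null) {
        // Normalise NULL (no contacts) to an empty list for callers.
        $row['Contacts'] = $row['Contacts'] === null ? [] : explode(', ', $row['Contacts']);
    }
    return $row;
}
```

Run against an employee with no contacts, the function returns the employee row with an empty Contacts array rather than null.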
This question would probably be better posted in the DataBase forum.
Well, I am using MySQL as my database, that is why I posted here. I can copy it there as well.
I appreciate that, but most of the DB experts don't visit this forum that often.
Can anyone help me with the following two PHP scripts on a machine running CentOS 7? The scripts are written in a command-line editor.
1) A PHP script that will connect to the database, create the tables and populate default data; this script will be executed from the command line using php -f createdatabase.php.
2) The database name will be the same as your username.
3) A PHP script that will load from a browser and use HTML and CSS to display the populated information; the script will be loaded as http://localhost/myname/showme.php. You will get extra points for having fewer lines of code, fewer SQL queries, and for commenting and indenting your code nicely.
The database contains the following tables with attributes:
Class, Students, and Marks
Sorry, no. This site does not provide code to order, as you would see if you had read the forum guidelines.
Quote: I want to add Google Translate facility on my PHP application
How? Can you give me the source code, please?
Thank you for your attention.
Member 12643825 wrote: Can you give me the source code? Sorry, no. This site does not provide code to order. Go to Google Translate and check there how to do it.
Hi friends, one of my friends has been searching for a vacancy as a fresher Linux admin for the last one and a half years. Until now he hasn't got any job as a trainee. He completed his B.Tech in 2014, and he has done all the courses for that. Kindly please help me... if anyone knows about such a vacancy, please tell me. We are in Bangalore.
~abi~
Sorry, this forum is for technical questions, not job searches. If you live in Bangalore then you should know that there are many IT companies there.
How do I get (echo) the amount in a particular PayPal account using PHP?