Password Encryption Problem
Posted by: thevoid (---.lns2-c8.dsl.pol.co.uk)
Date: February 29, 2008 08:17PM

Hi, I'm working through a book creating a dummy website to learn PHP / MySQL and am using wampserver for this. I'm having a problem with password encryption though. When I enter users and their details manually in phpmyadmin, the passwords are all encrypted differently. However when I use the register.php script from the book to enter the details into the database, the passwords are always encrypted exactly the same no matter what I enter in the html form - da39a3ee5e6b4b0d3255bfef95601890afd80709 every time. I've tried to alter the script (taking out SHA()) to enter an unencrypted password, but this just leaves the password field blank in the "users" table.

This is obviously causing a problem with the next part of the book - a script to change passwords, as the email address / password combination never matches.

I'm posting this here as I've been over the script with a fine toothed comb and have been on the book's own forum, but no-one there could spot anything wrong and indeed tried the script themselves, it worked fine for them. The only difference is that I'm the only one using wampserver. Here is the script, although I don't think it's the problem...

Can anyone shed any light?

Cheers
Paul.

<?php //register.php

$page_title='Register';
include ('./includes/header.html');

//check to see if the form has been submitted
if (isset($_POST['submitted'])) {

//connect to the db
require_once ('../mysql_connect.php');

//create a function for escaping the data
function escape_data ($data) {
global $dbc; //need the connection
if (ini_get('magic_quotes_gpc')) {
$data = stripslashes($data);
}
return mysql_real_escape_string(trim($data),$dbc);
}//end of function

$errors=array();//initialise error array

//check for a first name
if (empty($_POST['first_name'])) {
$errors[]='You forgot to enter your first name';
} else {
$fn = escape_data($_POST['first_name']);
}

//check for a last name
if (empty($_POST['last_name'])) {
$errors[]='You forgot to enter your last name';
} else {
$ln = escape_data($_POST['last_name']);
}

//check for an email address
if (empty($_POST['email'])) {
$errors[]='You forgot to enter an email address';
} else {
$e = escape_data($_POST['email']);
}

//check for a password and match against the confirmed password
if (!empty($_POST['password1'])) {
if ($_POST['password1'] != $_POST['password2']) {
$errors[]='Your password did not match the confirmed password';
}
} else {
$p = escape_data($_POST['password1']);
} else {
$errors[] = 'You forgot to enter your password.';
}

if (empty($errors)) {//if everything's ok

//register the user in the database
require_once ('../mysql_connect.php');//connect to the db

//check for previous registration
$query = "SELECT user_id From users WHERE email='$e'";
$result = mysql_query($query);
if (mysql_num_rows($result) == 0) {

//make the query
$query = "INSERT INTO users (first_name, last_name, email, password, registration_date)
VALUES ('$fn', '$ln', '$e', SHA('$p'), NOW() )";
$result = @mysql_query($query);//run the query
if ($result) {//if it ran ok

//send an email if desired
//$body="Thanks for registering with the site.\nYour password is '{$_POST['password1']}'";
//mail ($_POST['email'], 'Thanks for registering', $body, 'From: admin@site.com');

//print a message
echo '<h1 id="mainhead">Thank You!</h1>
<p>You are now registered. In chapter 9 you will actually be able to log in.
</p><p><br /></p>';

//include the footer and quit the script (to not show the form)
include ('./includes/footer.html');
exit();

} else {//if it didn't run ok
echo '<h1 id="mainhead">System Error</h1>
<p class="error">You could not be registered due to a system error, we apologise for any
inconvenience.</p>';//public message
echo '<p>' . mysql_error() . '<br /><br />Query: ' . $query . '</p>'; //debugging msg
include ('./includes/footer.html');
exit();
}

} else {//already registered
echo '<h1 id="mainhead">Error!</h1>
<p class="error">That email address has already been registered.</p>';
}

} else {//report the errors
echo '<h1 id="mainhead">Error!</h1>
<p class="error">The following error(s) occurred:<br />';
foreach ($errors as $msg) {//print each error
echo " - $msg<br />\n";
}
echo '</p><p>Please try again.</p><p><br /></p>';

}//end of if(empty($errors)) IF

mysql_close();//close the db connection

}//end of the main Submit conditional

?>

<h2>Register</h2>
<form action="register.php" method="post">
<p>First Name: <input type="text" name="first_name" size="15" maxlength="15"
value="<?php if (isset($_POST['first_name'])) echo htmlspecialchars($_POST['first_name'], ENT_QUOTES); ?>" /></p>
<p>Last Name: <input type="text" name="last_name" size="15" maxlength="15"
value="<?php if (isset($_POST['last_name'])) echo htmlspecialchars($_POST['last_name'], ENT_QUOTES); ?>" /></p>
<p>Email Address: <input type="text" name="email" size="15" maxlength="40"
value="<?php if (isset($_POST['email'])) echo htmlspecialchars($_POST['email'], ENT_QUOTES); ?>" /></p>
<p>Password: <input type="password" name="password1" size="10" maxlength="20" /></p>
<p>Confirm Password: <input type="password" name="password2" size="10" maxlength="20" /></p>
<p><input type="submit" name="submit" value="Register" /></p>
<input type="hidden" name="submitted" value="TRUE" />
</form>

<?php
include ('./includes/footer.html');
?>

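The value `da39a3ee5e6b4b0d3255bfef95601890afd80709` reported in the post above is the SHA-1 digest of the empty string, so whatever reached `SHA()` was empty, which also fits the blank column seen once `SHA()` was taken out. The following is an added example, not part of the thread or the book's code, that audits a password column for that signature; the function names and the sample rows are constructed for illustration.

```php
<?php
// Added example: audit a password column for digests of an empty input.
// All rows below are constructed sample data.

/** Map "digest of the empty string" => algorithm name for common unsalted hashes. */
function empty_input_digests(): array
{
    $digests = [];
    foreach (['md5', 'sha1', 'sha256'] as $algo) {
        $digests[hash($algo, '')] = $algo;
    }
    return $digests;
}

/** Return [email(s), reason] pairs for rows that point at a broken hashing path. */
function audit_password_column(array $rows): array
{
    $empty = empty_input_digests();
    $byHash = [];
    $findings = [];
    foreach ($rows as $row) {
        $hash = strtolower(trim((string) $row['password']));
        if ($hash === '') {
            $findings[] = [$row['email'], 'password column is blank'];
        } elseif (isset($empty[$hash])) {
            $findings[] = [$row['email'], $empty[$hash] . ' of an empty string'];
        } else {
            $byHash[$hash][] = $row['email'];
        }
    }
    // Unsalted hashes also reveal which accounts share a password.
    foreach ($byHash as $emails) {
        if (count($emails) > 1) {
            $findings[] = [implode(', ', $emails), 'same unsalted hash'];
        }
    }
    return $findings;
}

$rows = [
    ['email' => 'a@example.com', 'password' => 'da39a3ee5e6b4b0d3255bfef95601890afd80709'],
    ['email' => 'b@example.com', 'password' => sha1('constructed-sample-1')],
    ['email' => 'c@example.com', 'password' => ''],
    ['email' => 'd@example.com', 'password' => sha1('constructed-sample-2')],
    ['email' => 'e@example.com', 'password' => sha1('constructed-sample-2')],
];
foreach (audit_password_column($rows) as [$who, $why]) {
    echo "$who: $why\n";
}
```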
Re: Password Encryption Problem
Posted by: stevenmartin99 (---.b-ras1.blp.dublin.eircom.net)
Date: February 29, 2008 08:28PM

Should it not be SHA1($p)?

Anyway, I'd do it like this:

$encrypted_password = SHA1($p);

$query = "INSERT INTO users (first_name, last_name, email, password, registration_date)
VALUES ('$fn', '$ln', '$e', '$encrypted_password', NOW() )";



Edited 2 time(s). Last edit at 02/29/2008 08:37PM by stevenmartin99.

Re: Password Encryption Problem
Posted by: thevoid (---.lns2-c8.dsl.pol.co.uk)
Date: February 29, 2008 09:02PM

Thanks for the suggestion, will give it a try :-)

Re: Password Encryption Problem
Posted by: thevoid (---.lns2-c8.dsl.pol.co.uk)
Date: February 29, 2008 09:13PM

STEVEN, I COULD KISS YOU... it worked, thanks so much. Have been tearing my hair out. Perhaps this is because the book is a couple of years old and working with older versions or something...

Re: Password Encryption Problem
Posted by: stevenmartin99 (---.b-ras1.blp.dublin.eircom.net)
Date: February 29, 2008 09:16PM

No problem, you're welcome.

Yes, SHA1 is newish.

Anyway, try not to do calculations in a MySQL command.

Always work them out first as a $variable, then put the $variables into the MySQL command.

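An added example, not from the thread or the book: the advice above to compute the hash in PHP before building the query, carried through with `password_hash()` / `password_verify()` in place of unsalted SHA-1 and with bound parameters in place of string interpolation. The function names, the two-column `users` table, the in-memory SQLite database and the sample values are assumptions made so the block runs without a MySQL server.

```php
<?php
// Added example, not the book's register.php. Runs against an in-memory
// SQLite database (assumes the pdo_sqlite extension) instead of MySQL.

/** Returns a list of error messages; an empty list means the user was stored. */
function register_user(PDO $db, string $email, string $pw1, string $pw2): array
{
    $errors = [];
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Enter a valid email address';
    }
    if ($pw1 === '') {
        $errors[] = 'You forgot to enter your password.';
    } elseif ($pw1 !== $pw2) {
        $errors[] = 'Your password did not match the confirmed password';
    }
    if ($errors) {
        return $errors;
    }
    $check = $db->prepare('SELECT 1 FROM users WHERE email = ?');
    $check->execute([$email]);
    if ($check->fetchColumn() !== false) {
        return ['That email address has already been registered.'];
    }
    // Hash in PHP before the query is built. $pw1 is known to be non-empty
    // here, so the stored value can never be the digest of ''.
    $hash = password_hash($pw1, PASSWORD_DEFAULT); // salted, deliberately slow
    $insert = $db->prepare('INSERT INTO users (email, password) VALUES (?, ?)');
    $insert->execute([$email, $hash]);
    return [];
}

/** Verify a login, or the old password on a change-password form. */
function check_password(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)');

var_dump(register_user($db, 'paul@example.com', 'constructed-pw', 'constructed-pw'));
var_dump(register_user($db, 'anna@example.com', '', ''));
var_dump(check_password($db, 'paul@example.com', 'constructed-pw'));
var_dump(check_password($db, 'paul@example.com', ''));
```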

