  #1 Senior Member (Join Date Nov 2013, Posts 146, Member #37737, Liked 15 times)

    Hashing, Sanitation, IP, and Session

    Hello,
    I have a somewhat working login system but I need a bit of help.

    Sanitation
    Right now when I add
    PHP Code:
    mysql_real_escape_string 
    to
    PHP Code:
    $email = ($_POST['email']); 
    I get a bunch of errors, as soon as I remove it again it works fine. Is there a different way I should be doing this? I'm using MySQLi, so I put the i in the command as well.
    PHP Code:
    Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/frxlsltns/public_html/helpdesk/login.php on line 114

    Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/frxlsltns/public_html/helpdesk/login.php on line 115

    Warning: Cannot modify header information - headers already sent by (output started at /home/frxlsltns/public_html/helpdesk/login.php:114) in /home/frxlsltns/public_html/helpdesk/login.php on line 120
    Hashing
    Currently I store passwords in plaintext. Since this application could hold passwords to servers or other private information I need at least a minimal amount of security. I'd like to hash the passwords. I could use MD5, or is there a better way to do it? I know there is like sha1 but is there a benefit to this?

    Last Login IP
    I am trying to store the latest IP the visitor used to log in, into the database. Currently at the top of the page I have $lastloginip = $_SERVER['REMOTE_ADDR']; which when I echo it, works great! However later in the page I have $sql="INSERT INTO users (lastloginip) VALUES ('$lastloginip')"; which doesn't error but does absolutely nothing. Hopefully I'm just making a dumb mistake here!

    Session
    Well, the login form works in the redirect
    PHP Code:
    if (!$result->num_rows == 1) {
        header('Location:login.php?error=1');
    } else {
        $sql = "INSERT INTO users (lastloginip) VALUES ('$lastloginip')";
        header('Location:index.php');
    }
    But that's not really helpful, because if they just go to index.php it lets them without logging in. I believe I need to use PHP sessions in cookies to do this but I'm a bit lost, hopefully somebody here can point me in the right direction.

    Thanks in advance for any possible assistance! Here is the entire code of the page:
    PHP Code:
    <?php
    $pageTitle = 'Log In';
    $lastloginip = $_SERVER['REMOTE_ADDR'];
    ?>
    <?php
    if (!isset($_POST['submit'])){
    ?>
    <!-- The HTML login form -->
        <!DOCTYPE html>
    <html lang="en">
      <head>
        <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <meta name="description" content="">
        <meta name="author" content="">
        <link rel="shortcut icon" href="favicon.ico">
        <title>Helpdesk - <?php echo $pageTitle ?></title>
        <link href="css/bootstrap.min.css" rel="stylesheet">
        <!-- <link href="css/bootstrap-theme.min.css" rel="stylesheet"> -->
        <!--<link href="css/stylesheet.css" rel="stylesheet">-->
        <link href="css/datepicker.css" rel="stylesheet">
        <script type="text/javascript" src="http://code.jquery.com/jquery-2.1.1.min.js"></script>
        <script language="JavaScript" src="js/bootstrap-datepicker.js"></script>
        <script language="JavaScript" src="js/bootstrap.min.js"></script>

        <link rel="stylesheet" href="//code.jquery.com/ui/1.11.0/themes/smoothness/jquery-ui.css">
        <script src="//code.jquery.com/jquery-1.10.2.js"></script>
        <script src="//code.jquery.com/ui/1.11.0/jquery-ui.js"></script>

        <style>
          body {
            padding-top: 40px;
            padding-bottom: 40px;
            background-color: #eee;
            background-image: url('img/loginbg.png');
          }

          .form-signin {
            max-width: 330px;
            padding: 15px;
            margin: 0 auto;
          }
          .form-signin .form-signin-heading,
          .form-signin .checkbox {
            margin-bottom: 10px;
          }
          .form-signin .checkbox {
            font-weight: normal;
          }
          .form-signin .form-control {
            position: relative;
            height: auto;
            -webkit-box-sizing: border-box;
               -moz-box-sizing: border-box;
                    box-sizing: border-box;
            padding: 10px;
            font-size: 16px;
          }
          .form-signin .form-control:focus {
            z-index: 2;
          }
          .form-signin input[type="email"] {
            margin-bottom: -1px;
            border-bottom-right-radius: 0;
            border-bottom-left-radius: 0;
          }
          .form-signin input[type="password"] {
            margin-bottom: 10px;
            border-top-left-radius: 0;
            border-top-right-radius: 0;
          }

          .form-signin-heading {
            color: #FFFFFF;
          }
        </style>

        <!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
        <!--[if lt IE 9]>
          <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
          <script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
        <![endif]-->
      </head>
      <body>

      <div class="container">
      <form class="form-signin" role="form" action="<?=$_SERVER['PHP_SELF']?>" method="post">
        <center><h2 class="form-signin-heading">Helpdesk</h2></center>
        <?php
        if (isset($_GET['error'])) {
            echo "<div class=\"alert alert-warning\" role=\"alert\">Invalid email or password, or account is disabled.</div>";
        }
        ?>
        <input type="email" class="form-control" name="email" placeholder="Email" required autofocus>
        <input type="password" class="form-control" name="password" placeholder="Password" required>
        <button class="btn btn-lg btn-primary btn-block" name="submit" type="submit">Submit</button>
      </form>

    </div> <!-- /container -->
      </body>
    </html>
    <?php
    } else {
        require_once("system/db.php");
        $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
        # check connection
        if ($mysqli->connect_errno) {
            echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
            exit();
        }

        $email = mysqli_real_escape_string($_POST['email']);
        $password = mysqli_real_escape_string($_POST['password']);

        $sql = "SELECT * from users WHERE email LIKE '{$email}' AND password LIKE '{$password}' LIMIT 1";
        $result = $mysqli->query($sql);
        if (!$result->num_rows == 1) {
            header('Location:login.php?error=1');
        } else {
            $sql = "INSERT INTO users (lastloginip) VALUES ('$lastloginip')";
            header('Location:index.php');
        }
    }
    ?>
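The session gate the opening post asks for, as an added example that is not part of the original post or either poster's code. It assumes login.php has already verified the credentials and holds the authenticated user's id in `$user_id`, and that index.php is the page to protect; the function names are the example's own.

```php
<?php
// Added example, not code from the thread. Assumes login.php has already
// verified the credentials and has the user's id in $user_id.

// Harden the session cookie before the session is opened (works on old PHP too).
ini_set('session.cookie_httponly', '1');   // JavaScript cannot read the session id
ini_set('session.use_only_cookies', '1');  // never accept a session id from the URL

// login.php, success branch: call this before header('Location: index.php').
// session_start() sends a cookie, so like header() it must run before any output;
// the "headers already sent" warning in the thread would hit it the same way.
function start_login_session(int $user_id): void
{
    session_start();
    session_regenerate_id(true);   // fresh id on login so a pre-login id cannot be reused
    $_SESSION['user_id'] = $user_id;
    $_SESSION['logged_in_at'] = time();
}

// Top of index.php and every other protected page: the check that was missing
// in the thread, where a redirect alone still let anyone open index.php directly.
function require_login(string $login_url = 'login.php'): int
{
    session_start();
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $login_url);
        exit();   // header() does not stop execution; without exit the page body is still sent
    }
    return (int) $_SESSION['user_id'];
}

// logout.php: clear server-side state and expire the cookie.
function end_login_session(): void
{
    session_start();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```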

  #2 Jetstorm, Junior Member (Join Date Aug 2014, Posts 22, Member #39972)
    You're using mysqli_real_escape_string instead of mysql_real_escape_string and that's why you get the error... those are different functions for different mysql extensions. For mysql you need to specify the database link variable as one of the function parameters. You can read more about it here:
    PHP: mysqli::real_escape_string - Manual

    As for the hashing - you should not only hash the passwords but add salt to them, to make them stronger against rainbow tables.
    The best algorithm at the moment according to most people is BCrypt.
    You can read a great and more detailed explanation on the topic in the official PHP manual:
    PHP: Password Hashing - Manual
    Last edited by Jetstorm; Aug 31st, 2014 at 01:01 PM.
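An added example of the password_hash()/password_verify() approach Jetstorm points to (not code from the thread, either poster, or the PHP manual). It assumes a `users` table with columns `id`, `email` and `password`, where `password` now holds the bcrypt hash string rather than plaintext, and that `$db` is the mysqli connection from system/db.php; the function names are the example's own.

```php
<?php
// Added example, not from the thread. Assumed schema: users(id INT, email VARCHAR, password VARCHAR(255)).
// A bcrypt hash is 60 characters; 255 leaves room if the algorithm changes later.

// Registration or password change: store a salted bcrypt hash, never the password.
function store_password(mysqli $db, string $email, string $password): bool
{
    $hash = password_hash($password, PASSWORD_BCRYPT);   // random salt is embedded in the hash string
    $stmt = $db->prepare('UPDATE users SET password = ? WHERE email = ?');
    $stmt->bind_param('ss', $hash, $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Login: a hash cannot be compared in SQL, so the thread's
// "AND password LIKE '...'" clause goes away. Look the row up by email only,
// then verify the submitted password against the stored hash in PHP.
function check_login(mysqli $db, string $email, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password FROM users WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found || !password_verify($password, $hash)) {
        return null;   // unknown email and wrong password look the same to the caller
    }
    // If the bcrypt cost (or algorithm) is raised later, upgrade stored hashes at login.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT)) {
        store_password($db, $email, $password);
    }
    return (int) $id;
}

// Usage in login.php:
// $user_id = check_login($mysqli, $_POST['email'], $_POST['password']);
// if ($user_id === null) { header('Location: login.php?error=1'); exit(); }
```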

  #3 Senior Member (Join Date Nov 2013, Posts 146, Member #37737, Liked 15 times)
    Okay, I read that page but honestly their examples are insanely complicated. I now understand that I'm not supposed to use it in the same way but I don't see how. Thanks.

  #4 Jetstorm, Junior Member (Join Date Aug 2014, Posts 22, Member #39972)
    The db link variable in the code you posted is called $mysqli
    All you have to do is add it inside mysqli_real_escape_string
    So instead of doing mysqli_real_escape_string ( $email )
    you have to change it to
    mysqli_real_escape_string ( $mysqli , $email )


    EDIT:
    The last login IP is not stored in the database because you've just created the query but haven't run it through $mysqli->query as the one above it.

    Also if you haven't seen it check my previous post for the hashing info since I added it before seeing your reply.
    Last edited by Jetstorm; Aug 31st, 2014 at 01:14 PM.

  #5 Senior Member (Join Date Nov 2013, Posts 146, Member #37737, Liked 15 times)
    Hi, now that I made it like this it doesn't work at all. It just says the login is always wrong!

    PHP Code:
    $email = mysqli_real_escape_string($mysqli, $email);
    $password = mysqli_real_escape_string($mysqli, $password);

  #6 Senior Member (Join Date Nov 2013, Posts 146, Member #37737, Liked 15 times)
    Okay, so here's where I'm at.
    The only things I need to work on now are the last login IP and the sanitation. I got the session and the hashing worked out.
    Can you help with this? thanks.

  #7 Jetstorm, Junior Member (Join Date Aug 2014, Posts 22, Member #39972)
    The code I gave you was an example you should have adapted to your own.
    Using your original code the correct change would be this:

    PHP Code:
    $email = mysqli_real_escape_string($mysqli, $_POST['email']);
    $password = mysqli_real_escape_string($mysqli, $_POST['password']);
    For the last login IP all you had to add was

    PHP Code:
    $mysqli->query($sql);
    after

    PHP Code:
    $sql = "INSERT INTO users (lastloginip) VALUES ('$lastloginip')";
    Last edited by Jetstorm; Aug 31st, 2014 at 07:35 PM.

  #8 Senior Member (Join Date Nov 2013, Posts 146, Member #37737, Liked 15 times)
    Quote Originally Posted by Jetstorm:
    The code I gave you was an example you should have adapted to your own.
    Using your original code the correct change would be this:

    PHP Code:
    $email = mysqli_real_escape_string($mysqli, $_POST['email']);
    $password = mysqli_real_escape_string($mysqli, $_POST['password']);
    For the last login IP all you had to add was

    PHP Code:
    $mysqli->query($sql);
    after

    PHP Code:
    $sql = "INSERT INTO users (lastloginip) VALUES ('$lastloginip')";
    Haha, it's not saving the IP into the right place, how do I fix this?? it's pretty funny though!

  #9 Jetstorm, Junior Member (Join Date Aug 2014, Posts 22, Member #39972)
    Something like that... I haven't tested the code so there might be errors...

    PHP Code:
    <?php
    } else {
        require_once("system/db.php");
        $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
        # check connection
        if ($mysqli->connect_errno) {
            echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
            exit();
        }

        $email = mysqli_real_escape_string($mysqli, $_POST['email']);
        $password = mysqli_real_escape_string($mysqli, $_POST['password']);

        $sql = "SELECT * from users WHERE email LIKE '{$email}' AND password LIKE '{$password}' LIMIT 1";
        $result = $mysqli->query($sql);
        if (!$result->num_rows == 1) {
            header('Location:login.php?error=1');
        } else {
            # mysqli_insert_id() only returns the id of the last INSERT on this connection
            # (0 after a SELECT), so take the id from the matched row instead. The user's
            # row already exists and INSERT has no WHERE clause, so this must be an UPDATE,
            # and it has to be run with $mysqli->query() or nothing is written.
            $user = $result->fetch_assoc();
            $user_id = (int) $user['id'];
            $sql = "UPDATE users SET lastloginip = '$lastloginip' WHERE id = $user_id";
            $mysqli->query($sql);
            header('Location:index.php');
        }
    }
    ?>
    Basically you get the id of the last inserted user and add it to the last ip query.
    If this doesn't work try the object oriented style. More info about mysqli_insert_id can be found here:
    PHP: mysqli::$insert_id - Manual
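An added example (not from the thread or either poster) covering both the escaping point in post #7 and the last-login-IP update in post #9. It assumes `$mysqli` is the connection from system/db.php, that `users` has an integer `id` column and a `lastloginip` column wide enough for an IPv6 address (45 characters), and that the caller already holds the id of the matched user from the login query; the function names are the example's own.

```php
<?php
// Added example, not code from the thread. Assumed schema: users(id INT, lastloginip VARCHAR(45)).

// The thread's form, corrected only to the two-argument mysqli_real_escape_string()
// call. The value is still spliced into the SQL text; escaping covers quotes and
// backslashes but not the LIKE wildcards % and _, which is why the lookup should
// compare with '=' rather than LIKE.
function record_login_ip_escaped(mysqli $db, int $user_id, string $ip): bool
{
    $safe_ip = mysqli_real_escape_string($db, $ip);
    // $user_id is type-hinted int, so interpolating it cannot change the SQL.
    return (bool) $db->query("UPDATE users SET lastloginip = '{$safe_ip}' WHERE id = {$user_id}");
}

// Preferred form: bound parameters travel separately from the SQL text, so no
// escaping step is needed and nothing in the input is parsed as SQL.
// The user's row already exists, so this is an UPDATE keyed on that id, not an
// INSERT; mysqli_insert_id() only reports the AUTO_INCREMENT id of the last
// INSERT on the connection and returns 0 after a SELECT.
function record_login_ip(mysqli $db, int $user_id, string $ip): bool
{
    $stmt = $db->prepare('UPDATE users SET lastloginip = ? WHERE id = ?');
    if ($stmt === false) {
        return false;   // bad SQL or missing column; $db->error has the reason
    }
    $stmt->bind_param('si', $ip, $user_id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage in login.php's success branch, before the redirect. REMOTE_ADDR is the
// TCP peer address; behind a reverse proxy that is the proxy, not the visitor.
// $ip = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP) ?: '0.0.0.0';
// record_login_ip($mysqli, $user_id, $ip);
```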

  #10 Senior Member (Join Date Nov 2013, Posts 146, Member #37737, Liked 15 times)
    Quote Originally Posted by Jetstorm:
    Something like that... I haven't tested the code so there might be errors...

    PHP Code:
    <?php
    } else {
        require_once("system/db.php");
        $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
        # check connection
        if ($mysqli->connect_errno) {
            echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
            exit();
        }

        $email = mysqli_real_escape_string($mysqli, $_POST['email']);
        $password = mysqli_real_escape_string($mysqli, $_POST['password']);

        $sql = "SELECT * from users WHERE email LIKE '{$email}' AND password LIKE '{$password}' LIMIT 1";
        $result = $mysqli->query($sql);
        if (!$result->num_rows == 1) {
            header('Location:login.php?error=1');
        } else {
            # mysqli_insert_id() only returns the id of the last INSERT on this connection
            # (0 after a SELECT), so take the id from the matched row instead. The user's
            # row already exists and INSERT has no WHERE clause, so this must be an UPDATE,
            # and it has to be run with $mysqli->query() or nothing is written.
            $user = $result->fetch_assoc();
            $user_id = (int) $user['id'];
            $sql = "UPDATE users SET lastloginip = '$lastloginip' WHERE id = $user_id";
            $mysqli->query($sql);
            header('Location:index.php');
        }
    }
    ?>
    Basically you get the id of the last inserted user and add it to the last ip query.
    If this doesn't work try the object oriented style. More info about mysqli_insert_id can be found here:
    PHP: mysqli::$insert_id - Manual
    I don't get what the unique IDs have to do with it, I'm just trying to save the user's IP address every time they log in.

