Announcements Last Post
Announcement SoC Curricula 09/30/2017 01:08PM
Announcement Demarcation or scoping of examinations and assessment 02/13/2017 07:59AM
Announcement School of Computing Short Learning Programmes 11/24/2014 08:37AM
Announcement Unisa contact information 07/28/2011 01:28PM
avatar Walkthrough 1 - PHP User Authentication
August 07, 2011 12:35AM
Completed Walkthrough 1smiling smiley.
login.php does not work as intended to, it is checking for the encrypted value of the password in the database and the actual password is stored in the database. So I updated the password:

Language: SQL
UPDATE login SET L2 = md5('passwordTest') WHERE L1 = 'usernameTest';

I 1st tested it out by removing the md5 function and then it worked normally.
avatar Re: Walkthrough 1 - PHP User Authentication
August 09, 2011 07:45PM
Picked up quite a couple of good tips from this walkthrough smiling smiley

I also just dropped the 'md5' for the first couple of exercises on the login.php page - but you need to put it back when you work on the signup.php page, otherwise if you try to log in with your newly registered un/pw it wont log you in.
Re: Walkthrough 1 - PHP User Authentication
August 15, 2011 12:12PM
Completed this walkthrough.
Really cleared things up for me.
Great info for the prac.

For me it is frustrating if your login details is send via email and
you need te click on a hyperlink to verfy details.
Is there any good reason for doing this, instead of the way we just learned in this walkthrough?
avatar Re: Walkthrough 1 - PHP User Authentication
August 15, 2011 03:24PM
Hi Chantal,

The reason a lot of websites send you a confirmation email with an activation link via email is to verify that it is a valid email, it does exist and you are the owner of the account smiling smiley

If you don't send a validation email the user is most likely to put in any email not specifically his/her correct email address.

Companies use it as a way of communication for updates, specials e.t.c that they offer, they wouldn't want to be sending it to a non-existent email or to an email address that belongs to someone.
avatar
Mac
Re: Walkthrough 1 - PHP User Authentication
August 16, 2011 07:31AM
And automated spam robots ... If we do not verify user registration on these forums, then robots register themselves here and post millions of automated spam posts here.
avatar Re: Walkthrough 1 - PHP User Authentication
August 16, 2011 09:32AM
Absolutely Mac smiling smiley don't know how that slipped my mind, some website forms also use stuff like reCaptcha and the latest released nuCaptcha to stop spam bots from auto posting just like these forums that have the.. Question: how much is 17 + 3..The question is auto generated.
avatar Re: Walkthrough 1 - PHP User Authentication
August 16, 2011 06:33PM
I have some questions, specifically about the ESCAPE DANGEROUS SQL CHARACTER function
Language: PHP
function quote_smart($value, $handle) {   if (get_magic_quotes_gpc()) { $value = stripslashes($value); }   if (!is_numeric($value)) { $value = "'" . mysql_real_escape_string($value, $handle) . "'"; } return $value;

1. firstly the function arguments and the passed variable names do not match. I cant seem to find anything the confirms you can do this
Ie when the function is called, do the passed variable need to match the arguments. like this is passed to the function above and they do not match
Language: PHP
quote_smart($uname, $db_handle); quote_smart($pword, $db_handle);

2.Secondly why does the $db_handle variable need to be escaped from dangerous sql characters?? Obviously the $uname and $pword would need to be checked because they are user inputted. But why the mysql_connect ($db_handle) variable?

3.Thirdly why does the second conditional if in that function, check to see if the variable is not numerical .
Because numerals cannot be used in sql injection? And if its not a numeral then only check it?

4. And finally why does that function only return $value and not both that were passed to it($value , $db_handle)
avatar
Mac
Re: Walkthrough 1 - PHP User Authentication
August 17, 2011 06:45AM
Good question - some a bit difficult to explain sensibly.... smiling smiley

1. It does not have to match - the function takes two parameters - the value and a handle so whatever parameter is passed first is the $value that is used inside the function in the 1st and 2nd if's, and the second parameter is the $handle that is used in the 2nd if

2. The dbhandle
Language: PHP
$db_handle = mysql_connect($server, $user_name, $pass_word);
is a requirement for the (MySQL) function mysql_real_escape_string. It requires the handle (consider it just the way the function is written)

3. The is_numeric function focus on a single quote - thus not a number - which is also used in attacks. It escapes it with a \ so it is rendered useless.

4. It only returns the value because the handle is just a requirement of the mysql_real_escape_string

Suffice to say that you do not need to understand how the functions work - just what it does. Remember you only see the outside part - there is some stuff done by the server which you do not know about when you use, for example, mysql_real_escape_string .

Someone else else can write a class and all you need to know is what parameters you need to pass to it and what it does with those parameters. Saves you lot of time coding.
avatar Re: Walkthrough 1 - PHP User Authentication
August 17, 2011 08:05AM
Quote
Someone else else can write a class and all you need to know is what parameters you need to pass to it and what it does with those parameters. Saves you lot of time coding.

I agree with this, We use a lot of classes without actually knowing what it does. All we need to know is what needs to be passed to it.


Thanks for the explanation mac. thumbs up
Re: Walkthrough 1 - PHP User Authentication
August 20, 2011 09:55PM
Worked through this Walkthrough.

Noticed an error in the code for signup.php.

It uses 2 seperate if statements to test nr 1 if the username length is OK and nr 2 test if the password length is OK. If the 1rst test fails it writes something to $errormessage. If the 2nd test succeeds it then overwrites what it just wrote to $errormessage and makes it blank again.

This results in the user being able to type in any length username as long as the password length is OK. I fixed it by nesting the 2 If statements.

Just a bit of insignificant information. Use it. Don't use it. smile

Useful section.
avatar Re: Walkthrough 1 - PHP User Authentication
August 23, 2011 06:52PM
ok thanks Mac, that takes a load off the shoulders
Re: Walkthrough 1 - PHP User Authentication
August 24, 2011 07:49PM
I have completed the tutorial on 'PHP User Authentication', and am now doing some research for the practical project. Regarding storing passwords in encrypted format - I came across the string function crypt() on php.net. Could this also be used for password protection, instead of md5()? What is the difference between them? Please could someone explain in simple English. I sometimes struggle to understand the wording and way things are explained on php.net.
Thanks in advance.

Student Number: 77334175
Diana
avatar Re: Walkthrough 1 - PHP User Authentication
August 24, 2011 09:29PM
The perils of using PHP crypt()

hmmmm
its would seem crypt() cannot be decrypted

Quote
above link
The PHP crypt() function is a handy tool for encrypting passwords and other data requiring comparison of encrypted strings but not actual decryption

reminds me of some registration systems that cannot retrieve your password but only reset it
maybe even used to encrypt credit card numbers
avatar Re: Walkthrough 1 - PHP User Authentication
August 25, 2011 08:32AM
Not a lot of people use use crypt() most favor md5() or sha1

crypt() works in the same way as md5(), one way algorythms (hash), while md5()
does only support md5-algorythm crypt() does support DES, MD5 and Blowfish (of
course depending on the system PHP is built on).

The disadvantige to use crypt(), is that the system you are developint the PHP
scripts on my support DES while the machine which you later on run the scripts
on may not support DES and then your scripts won't work properly. Otherwise
the two functions are quite the same.

md5() could encrypt password of an finite length, crypt() only up to 8 chars if
I remember correctly.

student no: 77315138
Re: Walkthrough 1 - PHP User Authentication
August 25, 2011 03:18PM
Thanks for your answers Riaz and PeterJ smiling smiley
avatar Re: Walkthrough 1 - PHP User Authentication
August 26, 2011 09:17PM
Finished with Walkthrough 1! Also encountered the problem regarding MD5() password in the script but made the necessary changes in code.I'm really starting to appreciate the wealth of information already out there on PHP, the learning curve is gradually increasing but is becoming so much more fulfilling!
Re: Walkthrough 1 - PHP User Authentication
September 01, 2011 03:57PM
Completed walkthrough 1.
Its a bit confusing for me but everyones comments have helped! will get the hang of it!
avatar Re: Walkthrough 1 - PHP User Authentication
September 17, 2011 11:16AM
Ok, finally completed the first walkthough. To be honest it was a bit of a struggle for me but I finally got everything working thanks to google. On to the next few walkthoughs and then I can finally get started with the project.
Re: Walkthrough 1 - PHP User Authentication
October 04, 2011 03:16PM
Am done with this section thumbs up
Def helps while doing my project to go back and even though I've worked through a section something new is rediscovered time and again.

I will admit, this course is difficult for me but I'm thoroughly enjoying the learning process hot smiley
Re: Walkthrough 1 - PHP User Authentication
October 24, 2011 11:03AM
thumbs up Thanks!
Sorry, only registered users may post in this forum.

Click here to login