Walkthrough 1 - PHP User Authentication

Posted by Ash-72935197 
Walkthrough 1 - PHP User Authentication
August 07, 2011 12:35AM
Completed Walkthrough 1 :)
login.php does not work as intended: it checks for the encrypted value of the password in the database, but the actual (plain) password is what is stored in the database. So I updated the password:

Language: SQL
UPDATE login SET L2 = md5('passwordTest') WHERE L1 = 'usernameTest';

I first tested it out by removing the md5 function, and then it worked normally.
Re: Walkthrough 1 - PHP User Authentication
August 09, 2011 07:45PM
Picked up quite a few good tips from this walkthrough :)

I also just dropped the 'md5' for the first couple of exercises on the login.php page - but you need to put it back when you work on the signup.php page, otherwise if you try to log in with your newly registered username/password it won't log you in.
Re: Walkthrough 1 - PHP User Authentication
August 15, 2011 12:12PM
Completed this walkthrough.
Really cleared things up for me.
Great info for the prac.

For me it is frustrating if your login details are sent via email and
you need to click on a hyperlink to verify the details.
Is there any good reason for doing this, instead of the way we just learned in this walkthrough?
Re: Walkthrough 1 - PHP User Authentication
August 15, 2011 03:24PM
Hi Chantal,

The reason a lot of websites send you a confirmation email with an activation link is to verify that it is a valid email address, that it does exist, and that you are the owner of the account :)

If you don't send a validation email the user is most likely to put in any email not specifically his/her correct email address.

Companies use it as a way of communicating updates, specials, etc. that they offer; they wouldn't want to be sending these to a non-existent email address or to an email address that belongs to someone else.
Mac
Re: Walkthrough 1 - PHP User Authentication
August 16, 2011 07:31AM
And automated spam robots ... If we do not verify user registration on these forums, then robots register themselves here and post millions of automated spam posts here.
Re: Walkthrough 1 - PHP User Authentication
August 16, 2011 09:32AM
Absolutely Mac :) Don't know how that slipped my mind. Some website forms also use things like reCaptcha and the recently released nuCaptcha to stop spam bots from auto-posting, just like these forums that have the question "how much is 17 + 3". The question is auto-generated.
Re: Walkthrough 1 - PHP User Authentication
August 16, 2011 06:33PM
I have some questions, specifically about the ESCAPE DANGEROUS SQL CHARACTER function:
Language: PHP
function quote_smart($value, $handle) {
    // Undo the backslashes PHP adds automatically when magic_quotes_gpc is on,
    // so the value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Non-numeric values are escaped for the MySQL connection in $handle and
    // wrapped in single quotes; numbers are returned unchanged.
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value, $handle) . "'";
    }
    return $value;
}

1. Firstly, the function arguments and the passed variable names do not match. I can't seem to find anything that confirms you can do this.
I.e. when the function is called, do the passed variables need to match the arguments? For example, this is passed to the function above and they do not match:
Language: PHP
quote_smart($uname, $db_handle);
quote_smart($pword, $db_handle);

2. Secondly, why does the $db_handle variable need to be escaped from dangerous SQL characters? Obviously $uname and $pword would need to be checked because they are user input. But why the mysql_connect ($db_handle) variable?

3. Thirdly, why does the second conditional if in that function check to see if the variable is not numerical?
Because numerals cannot be used in SQL injection? And it is only checked if it's not a numeral?

4. And finally, why does that function only return $value and not both of the values that were passed to it ($value, $db_handle)?
Mac
Re: Walkthrough 1 - PHP User Authentication
August 17, 2011 06:45AM
Good questions - some are a bit difficult to explain sensibly.... :)

1. They do not have to match - the function takes two parameters, the value and a handle, so whatever parameter is passed first is the $value that is used inside the function in the 1st and 2nd ifs, and the second parameter is the $handle that is used in the 2nd if.

2. The db handle
Language: PHP
$db_handle = mysql_connect($server, $user_name, $pass_word);
is a requirement for the (MySQL) function mysql_real_escape_string. It requires the handle (consider it just the way the function is written)

3. The is_numeric function focuses on a single quote - thus not a number - which is also used in attacks. It is escaped with a \ so it is rendered useless.

4. It only returns the value because the handle is just a requirement of mysql_real_escape_string.

Suffice it to say that you do not need to understand how the functions work - just what they do. Remember you only see the outside part - there is some stuff done by the server which you do not know about when you use, for example, mysql_real_escape_string.

Someone else can write a class and all you need to know is what parameters you need to pass to it and what it does with those parameters. Saves you a lot of time coding.
Re: Walkthrough 1 - PHP User Authentication
August 17, 2011 08:05AM
Quote
Someone else can write a class and all you need to know is what parameters you need to pass to it and what it does with those parameters. Saves you a lot of time coding.

I agree with this. We use a lot of classes without actually knowing what they do. All we need to know is what needs to be passed to them.


Thanks for the explanation Mac. (thumbs up)
Re: Walkthrough 1 - PHP User Authentication
August 20, 2011 09:55PM
Worked through this Walkthrough.

Noticed an error in the code for signup.php.

It uses 2 separate if statements: test nr 1 checks if the username length is OK and test nr 2 checks if the password length is OK. If the 1st test fails it writes something to $errormessage. If the 2nd test succeeds it then overwrites what it just wrote to $errormessage and makes it blank again.

This results in the user being able to type in a username of any length as long as the password length is OK. I fixed it by nesting the 2 if statements.

Just a bit of insignificant information. Use it. Don't use it. :)

Useful section.
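The $errormessage problem described in the post above, as an added example that is neither the walkthrough's code nor the poster's; the length limits are assumed values. Instead of nesting the two ifs, this version collects every failed check into a list, so no later check can wipe out an earlier error:

```php
<?php
// Added illustration of the signup.php validation bug described above.
// Length limits (4-20 for username, 8-64 for password) are assumed values.

// Buggy shape: the password check's success branch resets $errormessage,
// so a failed username check is silently lost.
function validate_overwriting(string $uname, string $pword): string {
    $errormessage = '';
    if (strlen($uname) < 4 || strlen($uname) > 20) {
        $errormessage = 'Username must be 4 to 20 characters.';
    }
    if (strlen($pword) < 8 || strlen($pword) > 64) {
        $errormessage = 'Password must be 8 to 64 characters.';
    } else {
        $errormessage = '';   // this branch wipes the username error
    }
    return $errormessage;
}

// Fixed shape: each check appends to a list, so every failure is reported
// and the signup is only accepted when the list is empty.
function validate_collecting(string $uname, string $pword): array {
    $errors = [];
    if (strlen($uname) < 4 || strlen($uname) > 20) {
        $errors[] = 'Username must be 4 to 20 characters.';
    }
    if (strlen($pword) < 8 || strlen($pword) > 64) {
        $errors[] = 'Password must be 8 to 64 characters.';
    }
    return $errors;
}

// Constructed sample input: username too short, password within limits.
$uname = 'ab';
$pword = 'correcthorsebattery';
var_dump(validate_overwriting($uname, $pword));   // empty string: bad username slips through
var_dump(validate_collecting($uname, $pword));    // one error, signup refused
$ok = count(validate_collecting($uname, $pword)) === 0;
var_dump($ok);
```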
Re: Walkthrough 1 - PHP User Authentication
August 23, 2011 06:52PM
OK thanks Mac, that takes a load off the shoulders.
Re: Walkthrough 1 - PHP User Authentication
August 24, 2011 07:49PM
I have completed the tutorial on 'PHP User Authentication', and am now doing some research for the practical project. Regarding storing passwords in encrypted format - I came across the string function crypt() on php.net. Could this also be used for password protection, instead of md5()? What is the difference between them? Please could someone explain in simple English. I sometimes struggle to understand the wording and way things are explained on php.net.
Thanks in advance.

Student Number: 77334175
Diana
Re: Walkthrough 1 - PHP User Authentication
August 24, 2011 09:29PM
The perils of using PHP crypt()

Hmmmm
It would seem crypt() cannot be decrypted.

Quote
above link
The PHP crypt() function is a handy tool for encrypting passwords and other data requiring comparison of encrypted strings but not actual decryption

reminds me of some registration systems that cannot retrieve your password but only reset it
maybe even used to encrypt credit card numbers
Re: Walkthrough 1 - PHP User Authentication
August 25, 2011 08:32AM
Not a lot of people use crypt(); most favour md5() or sha1.

crypt() works in the same way as md5(): both are one-way algorithms (hashes). While md5() only supports the MD5 algorithm, crypt() supports DES, MD5 and Blowfish (of course depending on the system PHP is built on).

The disadvantage of using crypt() is that the system you are developing the PHP scripts on may support DES while the machine you later run the scripts on may not support DES, and then your scripts won't work properly. Otherwise the two functions are quite the same.

md5() can encrypt a password of any finite length; crypt() only up to 8 chars, if I remember correctly.

student no: 77315138
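An added example, not from the walkthrough or any poster in this thread, that covers both the quote_smart() discussion earlier and the md5()/crypt() question just above: the signup and login queries written with prepared statements (so there is nothing to escape and no need for quote_smart()), and the password stored with password_hash() and checked with password_verify() instead of comparing md5() values. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database so it runs stand-alone; the table and column names login, L1 and L2 are taken from the UPDATE statement at the top of the thread, and for MySQL only the PDO constructor arguments would change.

```php
<?php
// Added example (not the walkthrough's code). In-memory SQLite via PDO so it
// runs without a MySQL server; table/column names follow the thread's UPDATE.
function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login (L1 TEXT PRIMARY KEY, L2 TEXT NOT NULL)');
    return $db;
}

// signup.php equivalent: the username is bound as a parameter, so a quote in
// it is data rather than SQL; the password is stored as a salted one-way hash
// (bcrypt by default), never as plain text or an unsalted md5().
function signup(PDO $db, string $uname, string $pword): void {
    $stmt = $db->prepare('INSERT INTO login (L1, L2) VALUES (:u, :p)');
    $stmt->execute([
        ':u' => $uname,
        ':p' => password_hash($pword, PASSWORD_DEFAULT),
    ]);
}

// login.php equivalent: fetch the stored hash for the username and let
// password_verify() compare; the hash string carries its own salt and cost.
function login(PDO $db, string $uname, string $pword): bool {
    $stmt = $db->prepare('SELECT L2 FROM login WHERE L1 = :u');
    $stmt->execute([':u' => $uname]);
    $hash = $stmt->fetchColumn();            // false when no such user
    return $hash !== false && password_verify($pword, $hash);
}

$db = open_db();
signup($db, 'usernameTest', 'passwordTest');       // constructed sample account

var_dump(login($db, 'usernameTest', 'passwordTest'));  // correct password
var_dump(login($db, 'usernameTest', 'wrong'));         // wrong password
// A single quote in the username is harmless with a bound parameter; built by
// string concatenation without quote_smart() it would have broken the query.
var_dump(login($db, "O'Brien", 'anything'));           // unknown user, no SQL error
```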
Re: Walkthrough 1 - PHP User Authentication
August 25, 2011 03:18PM
Thanks for your answers Riaz and PeterJ smiling smiley
Re: Walkthrough 1 - PHP User Authentication
August 26, 2011 09:17PM
Finished with Walkthrough 1! Also encountered the problem regarding the MD5() password in the script but made the necessary changes in the code. I'm really starting to appreciate the wealth of information already out there on PHP; the learning curve is gradually increasing but is becoming so much more fulfilling!
Re: Walkthrough 1 - PHP User Authentication
September 01, 2011 03:57PM
Completed walkthrough 1.
It's a bit confusing for me but everyone's comments have helped! Will get the hang of it!
Re: Walkthrough 1 - PHP User Authentication
September 17, 2011 11:16AM
OK, finally completed the first walkthrough. To be honest it was a bit of a struggle for me, but I finally got everything working thanks to Google. On to the next few walkthroughs and then I can finally get started with the project.
Re: Walkthrough 1 - PHP User Authentication
October 04, 2011 03:16PM
Am done with this section (thumbs up)
It definitely helps, while doing my project, to go back; even though I've worked through a section, something new is rediscovered time and again.

I will admit, this course is difficult for me but I'm thoroughly enjoying the learning process.
Re: Walkthrough 1 - PHP User Authentication
October 24, 2011 11:03AM
Thanks! (thumbs up)