Everyone was of great help and I managed to make my registration script exactly how I wanted it.
However, I again got a little problem, this time with md5. The script works totally fine when I don't encrypt the password with md5. However, when I do encrypt it, I am redirected all the time to my login failed page. I tried to make changes over and over again but it's not working :S
This is my final login script:
<?php
//Start session
session_start();
//Include database connection details
require_once('config.php');
//Array to store validation errors
$errmsg_arr = array();
//Validation error flag
$errflag = false;
//Connect to mysql server
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
    die('Failed to connect to server: ' . mysql_error());
}
//Select database
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
    die("Unable to select database");
}
//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}
//Sanitize the POST values
$name = clean($_POST['name']);
//The password was never assigned before (so the "Password missing" check could not work).
//It is only ever hashed, never placed in the query as-is, so it is not run through clean()
$pw = isset($_POST['pw']) ? $_POST['pw'] : '';
//Input Validations
if($name == '') {
    $errmsg_arr[] = 'Username missing';
    $errflag = true;
}
if($pw == '') {
    $errmsg_arr[] = 'Password missing';
    $errflag = true;
}
//If there are input validations, redirect back to the login form
if($errflag) {
    $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
    session_write_close();
    header("location: login-form.php");
    exit();
}
//Create query: the stored pw column must hold md5($pw) for this comparison to succeed
$qry="SELECT * FROM mfc WHERE name='$name' AND pw='".md5($pw)."'";
$result=mysql_query($qry);
//Check whether the query was successful or not
if($result) {
    if(mysql_num_rows($result) == 1) {
        //Login Successful
        session_regenerate_id();
        $member = mysql_fetch_assoc($result);
        $_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
        $_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
        $_SESSION['SESS_LAST_NAME'] = $member['lastname'];
        session_write_close();
        header("location: member-index.php");
        exit();
    }else {
        //Login failed
        header("location: login-failed.php");
        exit();
    }
}else {
    die("Query failed");
}
?>
1. Output buffers: usually they are a bad idea because they make the page run slower. However, since this is a limited page (not much text, and it will only be seen once in a while), that is probably ok. Usually there is a better way to rewrite the page to avoid using an output buffer, but the problem with header() vs. text is actually one of the cases where this can be very difficult, so it's not a really bad idea. Now that it's working, I think that's fine, though I wouldn't recommend usually using that. Instead, try to write scripts with header() content first, then text output, if possible. Of course an output buffer can fix this if you can't find another way...
2. md5: My guess is that the script already uses md5 somewhere else, maybe? I don't see this, but that would explain it. Alternatively, you might need to rewrite the system to allow for using md5. Perhaps it's another hash generator, like sha1? There are a few like that. Also, sometimes various scripts use "salt", which means that they don't use only the password, but also the username. For example, one method I have seen is: md5($username.md5($password))
If it works now, though, I am guessing that it's the correct method. Look at your database directly (using phpmyadmin, perhaps) and check to see if you are storing the passwords as md5 (as a "hash string") or in their original form. For security, it's a little better to use md5 or a similar algorithm, so maybe that could be a next step if you are not doing that already.
Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
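The login above only matches when the pw column holds exactly md5() of the submitted password, and the reply suggests checking the database for the stored form. The script below is an added example (not code from the thread) that does that check without a database: it tries the three storage forms the thread mentions (plain text, md5, and the username-salted md5 from the reply) against constructed sample rows. The table name "mfc" and the columns "name"/"pw" come from the original script; the sample users are constructed. It needs PHP 5.6 or later for hash_equals().

```php
<?php
// Added example, not the thread's own code. Detects which storage scheme a stored
// password value matches, for the forms discussed in the thread.

// Constructed rows standing in for "SELECT name, pw FROM mfc".
$rows = array(
    array('name' => 'alice', 'pw' => 'secret123'),                        // stored as plain text
    array('name' => 'bob',   'pw' => md5('secret123')),                   // stored as md5
    array('name' => 'carol', 'pw' => md5('carol' . md5('secret123'))),    // salted with the username
);

// Returns 'plain', 'md5', 'md5_user_salt', or null when nothing matches.
function detect_scheme($name, $password, $stored) {
    $candidates = array(
        'plain'         => $password,
        'md5'           => md5($password),
        'md5_user_salt' => md5($name . md5($password)),   // the salted form from the reply above
    );
    foreach ($candidates as $scheme => $value) {
        // hash_equals() compares in constant time, so the comparison leaks no timing information
        if (hash_equals($stored, $value)) {
            return $scheme;
        }
    }
    return null;
}

// An md5 hex digest is always 32 lowercase hex characters. If the stored value is
// anything else, the registration script did not store md5(), which is exactly the
// situation where "pw = md5(...)" in the login query never matches.
function looks_like_md5($stored) {
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

foreach ($rows as $row) {
    printf("%-6s stored=%-32s looks_like_md5=%-3s matches=%s\n",
        $row['name'],
        $row['pw'],
        looks_like_md5($row['pw']) ? 'yes' : 'no',
        var_export(detect_scheme($row['name'], 'secret123', $row['pw']), true));
}
```

Run it against a few real rows copied from phpMyAdmin (with the password you registered with) and the matches column tells you whether registration and login agree on the scheme; a stored value that is not 32 hex characters means the registration script never hashed it.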
Thanks for the reply! Yes, it is indeed true that I use md5 also on a different place. Namely, to encrypt the confirmation code the users receive when they register. Do you think it is not necessary to encrypt the password because I already use this confirmation email system?
It's for a different reason. Basically using md5 on a password means that if your server or database is hacked, the passwords are still hidden (encrypted). And as administrator you can't view them so it is a little more privacy for the users. Generally it isn't a problem though.
Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
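The reply explains that hashing protects the stored passwords if the database is exposed. As an added example (not code from the thread or from Dynamic Drive) the script below shows the hardened form of the login query from the first post: a prepared statement in place of string concatenation, password_hash()/password_verify() in place of a bare md5() (which is fast and unsalted, so stored digests can be cracked cheaply), and a transparent upgrade of rows that were written by the old md5 registration script. The table name "mfc" and the columns "member_id", "name" and "pw" are taken from the original script; using an in-memory SQLite database through PDO is an assumption made so the example runs without MySQL (with MySQL only the DSN changes). It needs PHP 5.6 or later.

```php
<?php
// Added example, not the thread's own code. Hardened login with prepared
// statements and password_hash(), plus migration of legacy md5 rows.

$db = new PDO('sqlite::memory:');   // assumption: SQLite stand-in for the MySQL database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mfc (member_id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw TEXT)');

// Registration: password_hash() picks a random salt and a slow algorithm and
// embeds both in the stored string, so no separate salt column is needed.
function register(PDO $db, $name, $password) {
    $stmt = $db->prepare('INSERT INTO mfc (name, pw) VALUES (:name, :pw)');
    $stmt->execute(array(':name' => $name, ':pw' => password_hash($password, PASSWORD_DEFAULT)));
}

// Login: select by name only (bound as a parameter, so quotes in the name are data,
// not SQL), then verify the password in PHP. Returns the member row or null.
function login(PDO $db, $name, $password) {
    $stmt = $db->prepare('SELECT member_id, name, pw FROM mfc WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    $member = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($member === false) {
        return null;
    }
    $stored = $member['pw'];

    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy row written by the old md5 registration script.
        if (!hash_equals($stored, md5($password))) {
            return null;
        }
        $upgrade = true;    // password is correct, so store it properly from now on
    } elseif (!password_verify($password, $stored)) {
        return null;
    } else {
        // Re-hash when PHP's default cost or algorithm has moved on since the row was written.
        $upgrade = password_needs_rehash($stored, PASSWORD_DEFAULT);
    }

    if ($upgrade) {
        $stmt = $db->prepare('UPDATE mfc SET pw = :pw WHERE member_id = :id');
        $stmt->execute(array(':pw' => password_hash($password, PASSWORD_DEFAULT),
                             ':id' => $member['member_id']));
    }
    unset($member['pw']);   // the hash has no business in $_SESSION
    return $member;
}

// Constructed sample data: one user registered the new way, one legacy md5 row.
register($db, 'alice', 'correct horse');
$db->exec("INSERT INTO mfc (name, pw) VALUES ('bob', '" . md5('secret123') . "')");

var_dump(login($db, 'alice', 'correct horse') !== null);   // right password
var_dump(login($db, 'alice', 'wrong password') !== null);  // wrong password
var_dump(login($db, 'bob', 'secret123') !== null);         // legacy row: verified, then re-hashed
var_dump($db->query("SELECT pw FROM mfc WHERE name = 'bob'")->fetchColumn());
```

After the third login call bob's pw column no longer holds a 32-character md5 digest but a password_hash() string, so a database dump exposes only salted, slow hashes. The session code from the original script can take the returned $member array unchanged.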