Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Back End forum: Try out my first PHP web app!

Viewing 15 posts - 46 through 60 (of 211 total)
  • #177444
    __
    Participant

    If you visit the Forum or Messages page, there doesn’t seem to be any way back to the Dashboard. “Home” sends you back to the login page.

    edit: ahh, it’s a javascript thing. Why are you relying on JS to redirect? Something so simple should work without javascript (especially since the script seems to be conditionally served anyway: just set a Location header instead).

    You also seem to have multiple head elements, several of which are inside the document body.

    edit edit: Actually, all of your pages seem to have very messy (and invalid) HTML markup. This probably points to some disorganization in how your PHP generates the various bits of output.

    #177450
    __
    Participant

    Why wasn't my header function working?

    umm… because, {reasons}?

    This is what I was talking about earlier: we can’t troubleshoot or offer advice on code we’ve never seen. I think we’ve reached the point where, if you want more help with this, you’d need to share your code.

    Messy HTML … because on each PHP page I am using a require ‘example.php’

    Which illustrates that you need to plan out how your includes will be used: for example, if any two files might be used on the same page, they should not have duplicate content. Shared content should probably be separated out into its own file.

    The “include, HTML, include” pattern works well on small scales: individual pages with common content. When you’re building a more complex system (e.g., “include, maybe include, HTML, include this-or-that, maybe include”), you need something else. Either very strict separation of content and a well-thought-out control structure, or move to a templates-and-views approach.

    I got an idea where we can test out the integrity of my database structure.

    Good. Though I’m not sure what I could contribute without any knowledge of the database structure itself.

    Let's move this conversation over to a forum post on my website

    To be honest, I’m more comfortable keeping the conversation here.

    #177533
    __
    Participant

    Well, yes, it is; but that’s not what I was referring to. I am active on css-tricks because I enjoy the community here, and helping out people with their projects where I can. I’m not here looking for other sites to frequent (which is not to say that I shun other sites, I’m just not actively seeking them out). Coming here and asking for feedback, or help with coding issues you can’t quite solve on your own, is entirely appropriate. While I know you don’t have any ill intent, please understand that actively trying to move people and conversations away from this site, to your own, is not really “good form.”

    I do understand your desire to get people visiting and active on your site. This will happen naturally over time. In all honesty, right now, your site is not ready; having fewer, less dependent users is probably not a bad thing. What you have done so far seems like you’re on the right track, but the UI and other basic features still need more work. From what I can tell, you’re probably going to come to a point soon (regarding your HTML output issues) where you suddenly find yourself deciding to rewrite the whole thing. Yes, I have been through this myself: the first time I did a content-management-like project I had no idea that I was not ready; and I scrapped the whole codebase twice as I learned new things that did not ‘jive’ with the old things I knew. It’s a long, exciting, frustrating process, but it’s what took me out of the ‘beginner’ stage.

    As always, I’m happy to help where I can.

    #177540
    Alen
    Participant

    In all honesty, right now, your site is not ready; having fewer, less dependent users is probably not a bad thing.

    This + 100%.

    your site is not ready

    This + 10000000%.

    There’s more that goes into developing community than writing code.

    #177545
    chrisburton
    Participant

    So it’s my job to make you and other users feel “comfortable” on the site.

    Well, yes, it is

    +1

    #177556
    __
    Participant

    bcrypt is the better choice. (Almost anything is a better choice, in fact.) PHP 5.5 has password functions that make it simple; there is a userland implementation for PHP 5.4 and earlier. Highly recommended.

    I was just trying to get some people submitting data to the database and see if it could handle it… I was not trying to pull people away from this community at all.

    I didn’t mean to accuse you of anything. As I said, I don’t believe you had any ill intent.

    Once it becomes obvious that the basic functionality works as expected (and I think it does), you won’t typically discover more through usage until you hit a much larger scale: while 1,000 users will probably discover all kinds of stuff “by accident” under normal usage, 10 or 15 users probably won’t. A code review would probably be more helpful at this stage.

    #177574
    Alen
    Participant

    A code review would probably be more helpful at this stage.

    I’ll just keep quoting @traq. He’s on fire!

    The PHP 5.5 password hashing API is just a wrapper for bcrypt.

    
    # Hash password
    $password = password_hash('12345', PASSWORD_BCRYPT, ['cost' => 10]);
    
    # Check password
    if ( password_verify('12345', $password) )
    {
        echo 'Wazzzaaauuupppp';
    }
    

    For older PHP versions: https://github.com/ircmaxell/password_compat

    #177582
    __
    Participant

    The PHP 5.5 password hashing API is just a wrapper for bcrypt.

    hehe… sure makes it easier, though.

    I'm pretty sure the password_hash(‘$password_submitted’, PASSWORD_BCRYPT) automatically gives a unique salt. Is this correct?

    Yes, and this is the recommended way to go. Don’t bother with making up your own salts. The only thing you might want to change (eventually) is the cost: time how long it takes to complete, then adjust it until it takes your server about .5 seconds to finish.
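
One way to do that timing, as an added example that is not part of the post above or the app under discussion: it hashes a throwaway string at increasing bcrypt costs until one run reaches the target, using the half-second figure from the thread as the default. The starting cost of 10 and the function names are assumptions.

```php
<?php
// Added example (not from the thread): choose a bcrypt cost for this server
// by timing password_hash() at increasing costs, as suggested above.
// Defaults: 0.5 s target (the thread's figure); starting cost 10 (assumption).

function calibrateBcryptCost(float $targetSeconds = 0.5, int $startCost = 10): int
{
    // bcrypt accepts costs 4..31; each +1 roughly doubles the work.
    for ($cost = $startCost; $cost <= 31; $cost++) {
        $begin = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed = microtime(true) - $begin;

        // The first cost that reaches the target is the one to configure; because
        // each step doubles the time, it lands between the target and twice it.
        if ($elapsed >= $targetSeconds) {
            return $cost;
        }
    }
    return 31;
}

// Average a few runs at the chosen cost so one noisy measurement
// does not decide the setting.
function measureCost(int $cost, int $runs = 3): float
{
    $begin = microtime(true);
    for ($i = 0; $i < $runs; $i++) {
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return (microtime(true) - $begin) / $runs;
}

$cost = calibrateBcryptCost();
printf("cost=%d, about %.3f s per hash\n", $cost, measureCost($cost));
```

Run this once on the production hardware, not a laptop, and store the result in configuration; re-run it after a hardware upgrade. Existing hashes made at a lower cost can be upgraded on the user's next login with password_needs_rehash().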

    #177587
    __
    Participant

    Basically, yes. However:

    • don’t use select *. Specify the fields you want explicitly.
    • don’t use a loop. There should only be one row in a successful result, so there is no need: it just complicates things.
    select hash from users where username=?
    
    // do your query  . . .
    
    // assuming you get a result, verify:
    if( password_verify( $_POST['password'],$queryResult['hash'] ) ){
        //  valid
    }else{
        //  invalid
    }
    #177593
    __
    Participant

    How do I pull data from the database without a loop?

    Depends on what api you are using. For example, with PDO:

    // connect; the charset in the DSN keeps the connection's encoding consistent
    $DB = new PDO( 
        'mysql:host=localhost;dbname=your_db;charset=UTF8',
        'mysql username',
        'mysql password'
    );
    
    // prepared statement: the username is sent as a bound value, never pasted into the SQL text
    $DB_getHash = $DB->prepare( 'select hash from users where username=?' );
    $DB_getHash->execute( array( $_POST['username'] ) );
    // fetch() returns the single row, or false when there is no such user
    $queryResult = $DB_getHash->fetch();
    
    if( 
        $queryResult 
        && password_verify( $_POST['password'],$queryResult['hash'] )
    ){
        // login successful
    }
    else{
        // login failed
    }
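
Putting the pieces together, as an added example that is not the app's own code or the code in the post above: the same prepared query, plus two things the post does not cover. When the username does not exist it still verifies against a dummy hash, so the response time does not reveal which usernames are registered, and it calls password_needs_rehash() so stored hashes are upgraded on login when the cost is raised. It runs on an in-memory SQLite table with constructed rows; the users(id, username, hash) schema, the cost of 10 and the /dashboard.php redirect target are assumptions.

```php
<?php
// Added example, not the app's code from the thread. Login check built on the
// PDO pattern above, plus a dummy-hash verify for unknown usernames and a
// rehash step. Schema users(id, username, hash), cost 10 and the redirect
// target are assumptions.

const BCRYPT_COST = 10;   // raise after timing password_hash() on the server

function login(PDO $db, string $username, string $password, string $dummyHash): ?int
{
    $stmt = $db->prepare('SELECT id, hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // one row, or false

    // Unknown user: still run password_verify() against a dummy bcrypt hash so
    // the request takes the same time as a wrong password for a real user.
    $hash = $row ? $row['hash'] : $dummyHash;
    $valid = password_verify($password, $hash);
    if (!$row || !$valid) {
        return null;
    }

    // Stored hash made with an older or cheaper cost: re-hash while we still
    // have the plaintext, so raising BCRYPT_COST upgrades accounts on login.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upd = $db->prepare('UPDATE users SET hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]), $row['id']]);
    }
    return (int) $row['id'];
}

function handleLoginRequest(PDO $db, string $dummyHash): void
{
    $uid = login($db, $_POST['username'] ?? '', $_POST['password'] ?? '', $dummyHash);
    if ($uid === null) {
        http_response_code(401);
        echo 'Login failed';
        return;
    }
    session_start();
    session_regenerate_id(true);          // fresh session id once authenticated
    $_SESSION['user_id'] = $uid;
    header('Location: /dashboard.php');   // server-side redirect, no JavaScript
    exit;
}

// Constructed demo data in an in-memory SQLite table (stands in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, hash TEXT)');
// Stored at cost 8 on purpose, so the first successful login triggers the rehash.
$db->prepare('INSERT INTO users (username, hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 8])]);

// Same cost as real hashes, so the dummy path is neither faster nor slower.
$dummyHash = password_hash('not-a-real-password', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);

if (PHP_SAPI === 'cli') {
    var_dump(login($db, 'alice', 'correct horse', $dummyHash));
    var_dump(login($db, 'alice', 'wrong password', $dummyHash));
    var_dump(login($db, 'nobody', 'anything', $dummyHash));
} else {
    handleLoginRequest($db, $dummyHash);
}
```

From the command line the three calls return the user's id, null and null; in a web request the success branch regenerates the session id and answers with a Location header rather than a JavaScript redirect, which is the point raised at the top of this page.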
    
    #177600
    __
    Participant

    Basically the same, except you need to bind the parameters manually.

    // assuming you're already connected with $DB (a mysqli object)
    
    $DB_getHash = $DB->prepare( 'select hash from users where username=?' );
    // mysqli uses bind_param(); 's' says the one placeholder is a string
    $DB_getHash->bind_param( 's',$_POST['username'] );
    $DB_getHash->execute();
    // bind_result() fills $hash on each fetch(); fetch() returns null when there is no row
    $DB_getHash->bind_result( $hash );
    $found = $DB_getHash->fetch();
    
    // continue as above, but verify against $hash rather than $queryResult['hash']:
    if( $found && password_verify( $_POST['password'],$hash ) ){
        // login successful
    }
    else{
        // login failed
    }
    #177605
    __
    Participant

    Yes.

    #177616
    Alen
    Participant

    How do I pull data from the database without a loop?

    Just to clarify this, as it might be source of confusion.

    If you query the database explicitly, meaning you specify what table and field you want to retrieve, there’s no need to loop over anything.

    And looping over set of results is a PHP feature, not SQL.

    #177854
    __
    Participant

    I have honestly never tried brute forcing. Did you use the password functions I referenced earlier? If not, how did you choose your salt? How you go about preparing and computing your hashes is most likely an indicator of how strong they are.

    How long does each hash take to complete on your server? It’s best to adjust the cost until it takes about a half second.

    #177985
    __
    Participant

    $query = "SELECT username FROM users WHERE username='$username'";

    What’s the point of this query?

    And are you escaping $username so it is safe to use in the query? Stored procedures are the best method of preventing SQL injection attacks. I know they take some “getting used to,” but they really should be the only way you ever do it.

    while(

    There should be only one row in your result set (if not, then you still have duplicate usernames); there is no need for a loop.

    Having a very annoying problem with my password_verify() function. It is letting any password that the user enters through and saying that it matches the hash that is stored in the database.

    I don’t see anything in the code you posted that would lead to that particular problem… where does $password come from? what does the retrieved $hashpass look like? Could you show us the entire login script?
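
What the interpolated query quoted above lets a visitor do, next to the prepared-statement form used earlier in the thread, as an added example that is not the app's code. It runs against an in-memory SQLite table with three constructed usernames; the column names match the quoted query, and the attacker string is a constructed input.

```php
<?php
// Added example, not from the thread: string interpolation in the quoted query
// beside a prepared statement, run on constructed rows in in-memory SQLite.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT)');
$ins = $db->prepare('INSERT INTO users (username) VALUES (?)');
foreach (['alice', 'bob', 'carol'] as $u) {
    $ins->execute([$u]);
}

// Vulnerable: the input becomes part of the SQL text. A single quote in it
// closes the string literal and the rest is parsed as SQL.
function lookupInterpolated(PDO $db, string $username): array
{
    $query = "SELECT username FROM users WHERE username='$username'";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the input travels as a bound value and is never parsed as SQL,
// so a quote inside it is just a character to compare against.
function lookupPrepared(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input, as it could arrive in $_POST['username'].
$username = "' OR '1'='1";

echo "interpolated:\n";
print_r(lookupInterpolated($db, $username));
echo "prepared:\n";
print_r(lookupPrepared($db, $username));
```

The interpolated version turns the query into `SELECT username FROM users WHERE username='' OR '1'='1'` and returns every row; the prepared version looks for a user literally named `' OR '1'='1` and returns nothing. The same split applies to the login query: with interpolation, the WHERE clause is the attacker's to rewrite.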
