Cannot Login


44 Replies - 1137 Views - Last Post: 28 June 2014 - 11:29 AM

#31 astonecipher

Re: Cannot Login

Posted 27 June 2014 - 11:21 AM

You're not understanding how prepared statements work.

You have a placeholder for what you are looking for. It then passes that variable into the query as a string. You bind the variables to the placeholders, which are either the symbol ? or a named string such as :name.
  $query = "SELECT adminId, email, pass 
                      FROM admin WHERE email=? AND pass=?";
  $stmt = $mysqli->prepare($query);
  $stmt->bind_param('iss', $adminId, $email, $pass);


Your placeholders are the TWO ?'s in the statement, not what you are selecting. Here you are binding 3 variables of int, string, string type with only 2 placeholders.

#32 Viper2KX

Re: Cannot Login

Posted 27 June 2014 - 03:31 PM

astonecipher, on 27 June 2014 - 01:21 PM, said:

You're not understanding how prepared statements work.


Of course I don't, and I'm ready to resort to $mysqli->real_escape_string because there is not a good source on the internet that is not PDO for making prepared SELECT statements, and I'm reading that SELECT statements don't make really good prepared statements. That is why I am using this website for help.

astonecipher, on 27 June 2014 - 01:21 PM, said:

You have a placeholder for what you are looking for. It then passes that variable into the query as a string. You bind the variables to the placeholders, which are either the symbol ? or a named string such as :name.
  $query = "SELECT adminId, email, pass 
                      FROM admin WHERE email=? AND pass=?";
  $stmt = $mysqli->prepare($query);
  $stmt->bind_param('iss', $adminId, $email, $pass);

A book I have by Larry Ullman only touches on prepared statements. There is a blurb for a SELECT query to log in:
SELECT user_id, first_name FROM users WHERE email='?' AND pass=SHA1('?')

astonecipher, on 27 June 2014 - 01:21 PM, said:

Your placeholders are the TWO ?'s in the statement, not what you are selecting. Here you are binding 3 variables of int, string, string type with only 2 placeholders.

So I should follow the blurb I posted?

#33 modi123_1

Re: Cannot Login

Posted 27 June 2014 - 04:00 PM

He's not kidding. You are using the question mark as a placeholder for a parameter. If you have two ? then you only need to give it two values. You are giving it three.


Notice the example here: "Running Statements With Parameters ".

http://wiki.hashphp....ySQL_Developers

Here:
http://www.php.net/m...-statements.php

#34 astonecipher

Re: Cannot Login

Posted 27 June 2014 - 04:09 PM

Blurb taken from PHP Docs:

$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$city = "Amersfoort";

/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {

    /* bind parameters for markers */
    $stmt->bind_param("s", $city);                            // Binds the ? placeholder to the string var $city

    /* execute query */
    $stmt->execute();

    /* bind result variables */
    $stmt->bind_result($district);                       // If you notice, District is requested from the table
                                                         // that result is now bound to the var $district

    /* fetch value */
    $stmt->fetch();                                      // Now the value in $district is fetched

    printf("%s is in district %s\n", $city, $district);

    /* close statement */
    $stmt->close();
}

/* close connection */
$mysqli->close();



Comments are in the code on the right.

#35 Viper2KX

Re: Cannot Login

Posted 27 June 2014 - 05:02 PM

Undefined indexes: 'adminId', 'fname', 'lname' & 'salt'

<?php 
    // signin function - start 
    function signin() { 
        global $mysqli; 
  
        if(isset($_POST['signin'])) { 
            $adminId = $_REQUEST['adminId']; 
            $fname = $_REQUEST['fname']; $lname = $_REQUEST['lname']; 
            $email = $_REQUEST['email']; $pass = $_REQUEST['pass']; $salt = $_REQUEST['salt']; 
  
            if($stmt = $mysqli->prepare("SELECT * FROM admin WHERE email=? AND pass=?")) { 
                $stmt->bind_param('ss', $email, $pass); 
                $stmt->execute(); 
                $stmt->bind_result($adminId, $fname, $lname, $email, $pass, $salt); 
                $stmt->fetch(); 
  
                $hash = hash('sha512', $salt . hash('sha512', $pass)); 
                  
                if($hash != $pass) { 
                    header('Location: index.php'); 
                } else { 
                    session_regenerate_id(); 
                    $_SESSION['sess_user_id'] = $adminId; $_SESSION['sess_email'] = $email; 
                    session_write_close(); 
                    header('Location: dashboard.php'); 
                } 
            } 
  
            $stmt->close(); 
        } 
?> 
  
        <form action="" method="post" class="form-horizontal col-xs-12 col-sm-4 col-sm-offset-1"
              enctype="application/x-www-form-urlencoded" role="form">
            <fieldset>
                <h2>Sign In</h2>
                <div class="form-group">
                    <input type="email" name="email"
                           id="email" class="form-control"
                           placeholder="Email Address">
                </div>
                <div class="form-group">
                    <input type="password" name="pass"
                           id="pass" class="form-control"
                           placeholder="Password">
                </div>
                <span class="button-checkbox">
                    <button type="button" class="btn" data-color="info">Remember Me</button>
                    <input type="checkbox" name="rememberMe"
                           id="rememberMe" class="hidden">
                    <a href="forgot.php" class="btn btn-link pull-right">Forgot Password?</a>
                </span>
                <div class="row">
                    <div class="col-xs-4 pull-right">
                        <button type="submit" name="signin"
                                class="btn btn-success btn-block">
                            Sign In
                        </button>
                    </div>
                </div>
            </fieldset>
        </form> 
  
<?php 
        $mysqli->close(); 
    } 
    // signin function - end 
?>



#36 astonecipher

Re: Cannot Login

Posted 27 June 2014 - 05:05 PM

Try,

"SELECT adminId, fname, lname, email, pass, salt FROM admin WHERE email=? AND pass=?"


Assuming everything is in the same table.

#37 astonecipher

Re: Cannot Login

Posted 27 June 2014 - 05:06 PM

Or is the error coming from here?

  $adminId = $_REQUEST['adminId'];
  $fname = $_REQUEST['fname']; $lname = $_REQUEST['lname'];
  $email = $_REQUEST['email']; $pass = $_REQUEST['pass']; $salt = $_REQUEST['salt'];

#38 Viper2KX

Re: Cannot Login

Posted 27 June 2014 - 05:10 PM

No errors, but not redirecting to dashboard.php

#39 macosxnerd101

Re: Cannot Login

Posted 27 June 2014 - 05:18 PM

Not sure if this was mentioned already, but I'd suggest avoiding $_REQUEST. It contains $_COOKIE, $_GET, and $_POST variables, and so it leaves you open to cross-site scripting and cookie injection attacks.

Quote

No errors, but not redirecting to dashboard.php

Do some debugging. What info are you providing? Are the appropriate records in your database? How far does your code get? Does it redirect you to index.php? Note that this will help give you (and us) more insight into what is going wrong. It helps us cut to the chase rather than playing 20 questions with you to get the info we need. In short, it saves everyone some time. And please remember to post your revised code.

#40 astonecipher

Re: Cannot Login

Posted 27 June 2014 - 05:19 PM

That means your prepare statement is returning false. Get it out of the if statement.

#41 Viper2KX

Re: Cannot Login

Posted 27 June 2014 - 05:35 PM

macosxnerd101: It is returning me to index.php (the initial page I am on).

<?php 
    // signin function - start 
    function signin() { 
        global $mysqli; 
  
        if(isset($_POST['signin'])) { 
            /* 
            $adminId = $_REQUEST['adminId']; 
            $fname = $_REQUEST['fname']; $lname = $_REQUEST['lname']; 
            $email = $_REQUEST['email']; $pass = $_REQUEST['pass']; $salt = $_REQUEST['salt']; 
            */
  
            $stmt = $mysqli->prepare("SELECT adminId, fname, lname, email, pass, salt 
                                         FROM admin WHERE email=? AND pass=?");  
                $stmt->bind_param('ss', $email, $pass); 
                $stmt->execute(); 
                $stmt->bind_result($adminId, $fname, $lname, $email, $pass, $salt); 
                $stmt->fetch(); 
  
                $hash = hash('sha512', $salt . hash('sha512', $pass)); 
                  
                if($hash != $pass) { 
                    header('Location: index.php'); 
                } else { 
                    session_regenerate_id(); 
                    $_SESSION['sess_user_id'] = $adminId; $_SESSION['sess_email'] = $email; 
                    session_write_close(); 
                    header('Location: dashboard.php'); 
                } 
  
            $stmt->close(); 
        } 
?> 
  
        <form action="" method="post" class="form-horizontal col-xs-12 col-sm-4 col-sm-offset-1"
              enctype="application/x-www-form-urlencoded" role="form">
            <fieldset>
                <h2>Sign In</h2>
                <div class="form-group">
                    <input type="email" name="email"
                           id="email" class="form-control"
                           placeholder="Email Address">
                </div>
                <div class="form-group">
                    <input type="password" name="pass"
                           id="pass" class="form-control"
                           placeholder="Password">
                </div>
                <span class="button-checkbox">
                    <button type="button" class="btn" data-color="info">Remember Me</button>
                    <input type="checkbox" name="rememberMe"
                           id="rememberMe" class="hidden">
                    <a href="forgot.php" class="btn btn-link pull-right">Forgot Password?</a>
                </span>
                <div class="row">
                    <div class="col-xs-4 pull-right">
                        <button type="submit" name="signin"
                                class="btn btn-success btn-block">
                            Sign In
                        </button>
                    </div>
                </div>
            </fieldset>
        </form> 
  
<?php 
        $mysqli->close(); 
    } 
    // signin function - end 
?> 



#42 astonecipher

Re: Cannot Login

Posted 27 June 2014 - 05:46 PM

It looks like you are comparing a double hashed password against the bound password you retrieved from the database.

If this is still on a dev server, for shits and giggles, print the retrieved password against this $hash = hash('sha512', $salt . hash('sha512', $pass));

#43 Viper2KX

Re: Cannot Login

Posted 28 June 2014 - 09:37 AM

astonecipher, on 27 June 2014 - 07:46 PM, said:

It looks like you are comparing a double hashed password against the bound password you retrieved from the database.

If this is still on a dev server, for shits and giggles, print the retrieved password against this $hash = hash('sha512', $salt . hash('sha512', $pass));

It is live.


And I've resorted back to using real_escape_string because I've lost all patience trying to get prepared statements to work - at least for logging in.

This worked when it was on just a single page, outside of my function, as the script and form were on a page called login.php.

With the function, my Sign In form vanishes from the page.
<?php 
    // signin function - start 
    function signin() { 
        global $mysqli; 
  
        if(isset($_POST['signin'])) { 
            include $mysqli; 
  
            $email = $_POST['email']; 
            $pass = $_POST['pass']; 
  
            $email = $mysqli->real_escape_string($email); 
            $pass = $mysqli->real_escape_string($pass); 
  
            $query = "SELECT * FROM admin WHERE email='$email' AND pass='$pass'"; 
            $result = $mysqli->query($query); 
  
            if($result->num_rows == 0) { header('Location: index.php'); } 
            $row = $result->fetch_assoc(); 
              
            $hash = hash('sha512', $row['salt'] . hash('sha512', $pass)); 
              
            if($hash != $row['pass']) { 
                header('Location: index.php'); 
            } else { 
                session_regenerate_id();
                $_SESSION['adminId'] = $row['adminId'];
                $_SESSION['email'] = $row['email'];
                $_SESSION['fname'] = $row['fname']; $_SESSION['lname'] = $row['lname']; 
                session_write_close(); 
                header('Location: dashboard.php'); 
            } 
        } 
?> 
  
        <form action="" method="post" class="form-horizontal col-xs-12 col-sm-4 col-sm-offset-1"
              enctype="application/x-www-form-urlencoded" role="form">
            <fieldset>
                <h2>Sign In</h2>
                <div class="form-group">
                    <input type="email" name="email"
                           id="email" class="form-control"
                           placeholder="Email Address">
                </div>
                <div class="form-group">
                    <input type="password" name="pass"
                           id="pass" class="form-control"
                           placeholder="Password">
                </div>
                <span class="button-checkbox">
                    <button type="button" class="btn" data-color="info">Remember Me</button>
                    <input type="checkbox" name="rememberMe"
                           id="rememberMe" class="hidden">
                    <a href="forgot.php" class="btn btn-link pull-right">Forgot Password?</a>
                </span>
                <div class="row">
                    <div class="col-xs-4 pull-right">
                        <button type="submit" name="signin"
                                class="btn btn-success btn-block">
                            Sign In
                        </button>
                    </div>
                </div>
            </fieldset>
        </form> 
  
<?php 
        $mysqli->close(); 
    } 
    // signin function - end 
?>


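The login flow this thread keeps circling, pulled together as one added example (editor's code, not code from any post in the thread). It covers the placeholder/bind_param mismatch from #31, the advice in #39 to read $_POST rather than $_REQUEST, the double-hash comparison that #42 points at, and the string-interpolated query that #43 fell back to. It assumes an admin table with the columns adminId, fname, lname, email, pass and salt, that pass holds hash('sha512', $salt . hash('sha512', $plaintext)) as in the poster's own code, and that a connected $mysqli object exists; the redirect targets index.php and dashboard.php are taken from the thread.

```php
<?php
// Added example, not the thread's code. Assumes: table admin(adminId, fname, lname,
// email, pass, salt), pass = sha512(salt . sha512(plaintext)) as in the poster's code,
// and a connected $mysqli created elsewhere.

// Make prepare()/execute() throw mysqli_sql_exception instead of returning false,
// so a broken query cannot silently fall through an if() as in the thread.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Returns the admin row on success, null on any failure.
 * The password is verified in PHP, never in the WHERE clause: the submitted value is
 * plaintext and the column holds a hash, so "AND pass=?" could never match.
 */
function signin(mysqli $mysqli, string $email, string $submittedPass): ?array
{
    // One ? marker in the SQL, therefore one type character and one variable.
    $stmt = $mysqli->prepare(
        'SELECT adminId, fname, lname, email, pass, salt FROM admin WHERE email = ? LIMIT 1'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();

    // Six selected columns, six result variables. Use fresh names so the submitted
    // password is not overwritten by the stored hash (reusing $pass for both is why
    // the thread's code ended up comparing hash(hash) against hash).
    $stmt->bind_result($adminId, $fname, $lname, $dbEmail, $storedHash, $salt);
    $found = $stmt->fetch();   // true = row, null = no row, false = error
    $stmt->close();

    if (!$found) {
        // Do the same hashing work for an unknown account so a missing e-mail is not
        // distinguishable from a wrong password by response time.
        hash('sha512', 'dummy-salt' . hash('sha512', $submittedPass));
        return null;
    }

    $computed = hash('sha512', $salt . hash('sha512', $submittedPass));
    if (!hash_equals((string) $storedHash, $computed)) {   // constant-time comparison
        return null;
    }

    return ['adminId' => $adminId, 'email' => $dbEmail, 'fname' => $fname, 'lname' => $lname];
}

// Request handler. Read only $_POST: $_REQUEST also merges $_GET and $_COOKIE, so a
// crafted link or cookie could supply the login fields.
session_start();
if (isset($_POST['signin'])) {
    $email = isset($_POST['email']) ? (string) $_POST['email'] : '';
    $pass  = isset($_POST['pass'])  ? (string) $_POST['pass']  : '';

    $admin = signin($mysqli, $email, $pass);
    if ($admin === null) {
        header('Location: index.php');
        exit;   // without exit the rest of the page still executes after the redirect header
    }

    session_regenerate_id(true);              // new session id once the privilege level changes
    $_SESSION['sess_user_id'] = $admin['adminId'];
    $_SESSION['sess_email']   = $admin['email'];
    session_write_close();
    header('Location: dashboard.php');
    exit;
}
```

Two checks worth knowing when debugging this kind of code: on PHP 8, bind_param() with a type string that does not match the number of ? markers (the 'iss' against two markers in #31) throws an ArgumentCountError, while older versions only emit a warning and return false, so test the return value there; and with MYSQLI_REPORT_STRICT a failing prepare() throws rather than returning the false that post #40 suspects. The example keeps the thread's sha512(salt . sha512(pass)) scheme only because that is what the stored rows contain; for a new deployment, password_hash() and password_verify() (PHP 5.5 and later) give a salted, deliberately slow hash and a constant-time check without hand-rolling either.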

#44 andrewsw

Re: Cannot Login

Posted 28 June 2014 - 10:01 AM

You have placed your form directly within your signin() function. It doesn't belong there.

#45 Viper2KX

Re: Cannot Login

Posted 28 June 2014 - 11:29 AM

andrewsw, on 28 June 2014 - 12:01 PM, said:

You have placed your form directly within your signin() function. It doesn't belong there.


Whoops. My mistake, small feeling. I can fix that later.
Would this also be why my prepared statements never worked?