Inserting MD5 hashes into database using an array


Vegeta ZA

I have a problem inserting passwords from a text file into a database using md5 hashes. It inputs everything else from the text file as it should but I don't know how to get it to input unique hash values using the 'Password' fields from the text file. I know the problem is with the array and it is not done correctly, can anyone help me fix this?

//insert from text file

$Password = $_POST['Password'];
$passwordmd5 = md5($Password);

mysql_select_db("test") or die ("Unable to select database!");
$file = file('C:\wamp\www\a1\userData.txt'); # read file into array
$count = count($file);
if($count > 0) # file is not empty
{
    $milestone_query = "INSERT into tbl_User(ID, FName, LName, Email, Password) values";
    $i = 1;
    foreach($file as $row)
    {
        $milestone = explode(';',$row);
        $milestone_query .= "('$milestone[0]',  '$milestone[1]', '$milestone[2]', '$milestone[3]', '$passwordmd5')";
        $milestone_query .= $i < $count ? ',':'';
        $i++;
    }
    mysql_query($milestone_query) or die(mysql_error());
}
echo "Done!";

Link to comment
Share on other sites

This code is very insecure. MD5 is very easy to crack these days and the mysql_ library is deprecated. See the severe warnings on the PHP manual.

 

On MD5 hashing: http://php.net/md5

Note: Secure password hashing

It is not recommended to use this function to secure passwords, due to the fast nature of this hashing algorithm. See here for details

 

On the mysql extension: http://php.net/mysql_query

 

Warning

This extension was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information. Alternatives to this function include:

 

If you don't heed these warnings your site will be hacked.

 

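With that out of the way, if the password is coming from a file then hash the value that came out of the file:

$pdo = new PDO( /* Database connection parameters */ );
// Drop line endings and blank lines so the trailing "\n" is not hashed into the password
$file = file('userData.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
// The question marks are placeholders, filled in by execute()
$query = $pdo->prepare('INSERT into tbl_User(ID, FName, LName, Email, Password) values (?, ?, ?, ?, ?)');
foreach($file as $row) {
  $milestone = explode(';',$row);
  // Replace the plain-text password (fifth field) with its hash
  $milestone[4] = password_hash($milestone[4], PASSWORD_DEFAULT);
  $query->execute($milestone);
}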
Link to comment
Share on other sites

It doesn't need to be secure because it's just work for college, they want us to do it that way so it's not going to be used for anything else so it doesn't need to do anything but just work. I'll try this method later, thank you for your input!

Edited by Vegeta ZA
Link to comment
Share on other sites

I've changed up my code but I get this error now: Fatal error: Call to a member function execute() on a non-object in C:\wamp\www\a1\createTable.php on line 44 which is $query->execute($milestone);

 

I'm not sure why it has a problem with the execute statement?

 

Here's the code:

//insert from text file
if(isset($_POST['ID'])){ $ID = $_POST['ID']; }
if(isset($_POST['FName'])){ $FName = $_POST['FName']; }
if(isset($_POST['LName'])){ $LName = $_POST['LName']; }
if(isset($_POST['Email'])){ $Email = $_POST['Email']; }
if(isset($_POST['Password'])){ $Password = $_POST['Password']; }

$file = file('userData.txt');
$query = $DBConnect->prepare('INSERT into tbl_User(ID, FName, LName, Email, Password) values ($ID, $FName, $LName, $Email, $Password)');
foreach($file as $row) {
  $milestone = explode(';',$row);
  $milestone[4] = password_hash($milestone[4], PASSWORD_DEFAULT);
  $query->execute($milestone);
}
mysql_query($milestone_query) or die(mysql_error());

echo "Done!";

mysqli_close($DBConnect);
Link to comment
Share on other sites

The query has errors in it. You are supposed to have literal question marks which act as placeholders for data.

 

Don't just copy code without knowing what it does. Read this article about prepared statements to understand what the example code I gave you does: http://php.net/manual/en/pdo.prepared-statements.php

Link to comment
Share on other sites

The query has errors in it. You are supposed to have literal question marks which act as placeholders for data.

 

Don't just copy code without knowing what it does. Read this article about prepared statements to understand what the example code I gave you does: http://php.net/manual/en/pdo.prepared-statements.php

 

I understand what you mean, I've changed it again.

 

Fatal error: Class 'myPDO' not found in C:\wamp\www\a1\createTable.php on line 34 for the line of code?

 

Here's my new code:

 

//insert from text file
$host = 'localhost';
$dbname = 'test';
$pdo = new myPDO('mysql:host=$host;dbname=$dbname', 'C:\wamp\www\a1');
$file = file('userData.txt');
$sql = 'INSERT INTO tbl_User (FName, LName, Email, Password) VALUES ';

foreach ($file as $records) {
    $record = explode(";", $records);

    $query[] = '(:FName' . $n . ', :LName' . $n . ', :Email' . $n . ', :Password' . $n . ')';

    $iData['FName' . $n] = $record[1];
    $iData['LName' . $n] = $record[2];
    $iData['Email' . $n] = $record[3];
    $password = password_hash($record[4], PASSWORD_DEFAULT);
    $iData['Password' . $n] = $password;

    $n += 1;
}

if (!empty($query)) {
    $sql .= implode(', ', $query);
    $stmt = $pdo->prepare($sql);
    $result = $stmt->execute($iData);
}

try {

} catch (Exception $exc) {
    echo $exc->getTraceAsString();
}

Edited by Vegeta ZA
Link to comment
Share on other sites

why are you calling it myPDO? The name of the class is PDO

http://php.net/manual/en/book.pdo.php


why are you calling it myPDO? The name of the class is PDO

http://php.net/manual/en/book.pdo.php

I've changed the code again because when I do it this way, I get everything else to work so it is easier for me to understand. I got everything working besides the hash into the database, is it possible to make it hash the passwords into the array that inserts it into the database? When I do it by using $milestone_query .= "('$milestone[0]', '$milestone[1]', '$milestone[2]', '$milestone[3]', '$milestone[4]')"; it inserts the original passwords into the database but when I do $milestone_query .= "('$milestone[0]', '$milestone[1]', '$milestone[2]', '$milestone[3]', 'password_hash($milestone[4], DEFAULT_PASSWORD)')"; it inserts the string for password_hash etc. Is it possible to make it insert the hash passwords into the database without using the PDO method and by doing it the way I am asking?

 

 

 

//insert from text file
if(isset($_POST['ID']))
{
    $ID = $_POST['ID'];
}
if(isset($_POST['FName']))
{
    $FName = $_POST['FName'];
}
if(isset($_POST['LName']))
{
    $LName = $_POST['LName'];
}
if(isset($_POST['Email']))
{
    $Email = $_POST['Email'];
}
if(isset($_POST['Password']))
{
    $Password = $_POST['Password'];
    $Password = password_hash($Password, PASSWORD_DEFAULT);
}
mysql_select_db("test") or die ("Unable to select database!");
$file = file('C:\wamp\www\a1\userData.txt'); # read file into array
$count = count($file);
if($count > 0) # file is not empty
{
    $milestone_query = "INSERT into tbl_User(ID, FName, LName, Email, Password) values";
    $i = 1;
    foreach($file as $row)
    {
        $milestone = explode(';',$row);
        $milestone_query .= "('$milestone[0]', '$milestone[1]', '$milestone[2]', '$milestone[3]', '$milestone[4]')";
        $milestone_query .= $i < $count ? ',':'';
        $i++;
    }
    mysql_query($milestone_query) or die(mysql_error());
}
echo "Done!";
Link to comment
Share on other sites

Is it possible to make it insert the hash passwords into the database without using the PDO method and by doing it the way I am asking?

It's possible, but there's not much point to learning the wrong way to do something. You're learning something that has been out of date for over 12 years, why not learn the modern way to do it? The way that you want to learn how to do it is easy, vulnerable, and wrong. The way with PDO is correct and secure.

 

Go back to your code in post 6 and create the PDO object normally (not with "myPDO", just "PDO"), and set it to throw an exception if there is a problem:

 

try {
  // Double quotes so that $host and $dbname are interpolated into the DSN
  $pdo = new PDO("mysql:host=$host;dbname=$dbname", 'username', 'password', array(
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
  ));
}
catch(PDOException $pe){
  echo $pe->getMessage();
}

Make sure to fill in the correct username and password to connect to the database (or use variables there). If that connection fails then you will see the exception message printed out. That also tells PDO to throw an exception if there was an error, so run that and see how it goes.
Link to comment
Share on other sites

After making it insert all the hashes into the database, I made a login form which is supposed to use the original FName and Password to log into the system. I have an issue with the password field, if I insert the original password, it does not work, but if I enter the hash that it generated then it is successful. I've altered the code to make it change the string entered into a hash so that it matches the one in the database but it does not work.

Can anyone tell me what I did wrong or help me correct the code?

include 'DBConn.php';
mysql_select_db("test") or die ("Unable to select database!");
if(isset($_POST['FName'])){ $FName = $_POST['FName']; }
if(isset($_POST['Password'])){ $Password = password_hash($Password = $_POST['Password']); }

if( empty($FName) || empty($Password) )
    echo "Username and Password Mandatory - from PHP";
else
{
    $sql = "SELECT count(*) FROM tbl_User where(
                FName='$FName'
                AND
                Password='$Password')";

    $res = mysql_query($sql);
    $row = mysql_fetch_array($res);

    if( $row[0] > 0 )
        echo "Login Successful";
    else
        echo $sql;
}

Here's the PDO code for reference:

 

//insert from text file

$host = 'localhost';
$dbname = 'test';
$PDO = new PDO("mysql:dbname=$dbname; host=$host");
$file = file('userData.txt');
$query = $PDO->prepare('INSERT into tbl_User(ID, FName, LName, Email, Password) values (?, ?, ?, ?, ?)');

foreach($file as $row) {
  $milestone = explode(';',$row);
  $milestone[4] = password_hash($milestone[4], PASSWORD_DEFAULT);
  $query->execute($milestone);
}

echo "Done!";

mysqli_close($DBConnect);
?>



Link to comment
Share on other sites
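
The file import from the earlier reply (with its `?` placeholders) and the login check asked about in the last post, as an added example that is not code from the thread: the import hashes the file's password field with password_hash(), and the login fetches the stored hash by FName and checks it with password_verify(), because every password_hash() call salts its output and hashing the typed password again never reproduces the stored value. Assumptions: an in-memory SQLite database through PDO stands in for the MySQL `test` database, the userData.txt lines are constructed, and importUsers() and login() are hypothetical names.

```php
<?php
// Added example, not code from the thread. Assumptions: in-memory SQLite stands in
// for the MySQL "test" database; $userData is constructed sample data.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE tbl_User (
    ID INTEGER PRIMARY KEY, FName TEXT, LName TEXT, Email TEXT, Password TEXT)');

// Constructed stand-in for userData.txt, one "ID;FName;LName;Email;Password" per line
$userData = "1;Ann;Lee;ann@example.com;correct horse\r\n"
          . "2;Bob;O'Neil;bob@example.com;hunter2\r\n"
          . "\r\n";

// Hypothetical helper: hash the fifth field and insert each row through placeholders.
function importUsers(PDO $pdo, string $userData): int
{
    $insert = $pdo->prepare('INSERT INTO tbl_User (ID, FName, LName, Email, Password)
                             VALUES (?, ?, ?, ?, ?)');
    $imported = 0;
    foreach (explode("\n", $userData) as $row) {
        // Strip the line ending first, or it is hashed as part of the password
        // and the typed password never verifies.
        $fields = explode(';', rtrim($row, "\r\n"));
        if (count($fields) !== 5) {
            continue; // blank or malformed line
        }
        $fields[4] = password_hash($fields[4], PASSWORD_DEFAULT);
        $insert->execute($fields);
        $imported++;
    }
    return $imported;
}

// Hypothetical helper: look the user up by FName, then verify against the stored hash.
function login(PDO $pdo, string $fname, string $password): bool
{
    // Each password_hash() call uses a fresh salt, so re-hashing the input and
    // comparing in SQL cannot match; password_verify() reads the salt from the hash.
    $select = $pdo->prepare('SELECT Password FROM tbl_User WHERE FName = ?');
    $select->execute([$fname]);
    $hash = $select->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

var_dump(importUsers($pdo, $userData));
var_dump(login($pdo, 'Ann', 'correct horse'));
var_dump(login($pdo, 'Bob', 'hunter2'));
var_dump(login($pdo, 'Ann', 'wrong'));
```

In MySQL the Password column also has to be wide enough to hold the whole hash; the PHP manual recommends 255 characters for PASSWORD_DEFAULT.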
