Pin Number Login

[Panta]

i'm designing a site that requires pin number to login.i have my script but is not given me what i want

PINLOGIN STARTS<?php//start the session so you would stay logged in//always must be on topsession_start();//include config.php fileinclude('config.php');?><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>The site</title></head><body><center><a href="?p=idx">Home</a> - <a href="?p=page">Protected page</a><?php$p=$_GET['p'];//see my ?id= browsing tutorial?><form action='testing.php' method='POST'>Serial: <input type='text' name='serial'><br>Pin: <input type='password' name='pin'><br><input name="login" type="submit" value="Submit"><br> <a href="register.php">Not registered</a>?</form></center></body></html>PINLOGIN.PHP ENDS<?php    error_reporting(E_ALL);    ini_set('display_errors', 1);    include 'config.php';    $submit = isset($_POST['login']) ? $_POST['login'] : "";    $serial = isset($_POST['serial']) ? $_POST['serial'] : "";    $serial = mysql_real_escape_string(strip_tags(htmlspecialchars($serial) ) );    $pin = isset($_POST['pin']) ? md5($_POST['pin']) : "";    if ($submit){        if ((!$serial) || (!$pin) || ($serial=='') || ($pin=='') ) {            header("Refresh: 2;".$_SERVER['HTTP_REFERER']);            echo '<center>Please enter both - serial and password!</center>';            exit;        }	        $result = mysql_query("SELECT logins FROM users WHERE serial='$serial'");        if (!$result) {            echo mysql_error();            exit;        }        $row = mysql_fetch_array($result);        if (!$row) {            echo mysql_error();            exit;        }        $cnt = $row['logins'];        if ($cnt != 3) {            $cnt++;            $result = mysql_query("UPDATE users SET logins='$cnt' WHERE serial='$serial'");            if (!$result) {                echo mysql_error();                exit;            }            echo "worked";        }        else {            echo "Password was used three times.";        }    }    else {        echo "something";    }?>

the is my script but when submit it will not display anythig can some one help me out

[justsomeguy]

You're not displaying an error message if the user wasn't found in the database, that might be the issue.

[Panta]

You're not displaying an error message if the user wasn't found in the database, that might be the issue.

i want the it to verify the serial and pin and if exist it should update the logins

[justsomeguy]

Yeah, that's what I thought you wanted. When you get the user from the database you check if it returned a row but you don't display an error if it didn't. If it didn't return a row that means the serial wasn't found in the database. You do this:

		$row = mysql_fetch_array($result);		if (!$row) {			echo mysql_error();			exit;		}

But mysql_error won't output an error in that case. It's not a MySQL error if you run a query that doesn't return any rows, it's just a query that didn't return any rows. If that's what is happening then you would just see a blank screen, it wouldn't show any error message. It also looks like you're not checking the password, you get the user from the database but you don't check to see if the password they typed matches the password from the database.

[Panta]

 $result = mysql_query("SELECT logins FROM users WHERE serial='$serial' And pin='$pin'");        if (!$result) {            echo mysql_error();            exit;        }        $row = mysql_fetch_array($result);        if (!$row) {            echo "No such pin or serial no"             exit;

hope this takes care of what u meant

[Panta]

 $result = mysql_query("SELECT logins FROM users WHERE serial='$serial' And pin='$pin'");        if (!$result) {            echo mysql_error();            exit;        }        $row = mysql_fetch_array($result);        if (!$row) {            echo "No such pin or serial no"             exit;

hope this takes care of what u meant but still is not working

[justsomeguy]

If you're still seeing a blank page, print things out to debug. Print out the serial and pin you get from the form, print the MD5 of the pin so that you can compare with what's in the database, etc. You need to get information about why the page is blank, it's not a good use of time to try to guess what the problem might be. Print everything out so that you can verify what's happening. And make sure error reporting is enabled, if there's a syntax error in the file and error reporting is disabled you'll never know what the problem is. If you don't know if error reporting is enabled, create a phpinfo page where you can check the settings. If errors are going to a log the phpinfo page will be able to tell you where the error log is.

[Panta]

$serial = mysql_real_escape_string(strip_tags(htmlspecialchars($serial) ) );$pin = isset($_POST['pin']) ? md5($_POST['pin']) : "";I think the pin are not in md5 thats why, so this is what i did and it worked $serial = isset($_POST['serial']) ? $_POST['serial'] : ""; $pin = isset($_POST['pin']) ? $_POST['pin'] : "";But i don't understand why it worked.please can u explain it for me

[justsomeguy]

Explain what? Why the pins aren't MD5-encoded?

[Panta]

Explain what? Why the pins aren't MD5-encoded?

YES I WANT TO KNOW WHERE TO PUT MD5-encoded and the reason

[justsomeguy]

It's a good idea to store passwords in the database as a hash because it improves security if anyone gets ahold of the database, they can't figure out any passwords. You can use MD5 if you want, it's probably better to use SHA-1 though. You need to hash the user's password when they register so that you store the hashed password in the database, and each time someone logs in you hash whatever they typed in and compare the two hashes. If they entered the same password then the hashes will match.

[Panta]

It's a good idea to store passwords in the database as a hash because it improves security if anyone gets ahold of the database, they can't figure out any passwords. You can use MD5 if you want, it's probably better to use SHA-1 though. You need to hash the user's password when they register so that you store the hashed password in the database, and each time someone logs in you hash whatever they typed in and compare the two hashes. If they entered the same password then the hashes will match.

Thanks but assuming i have generated a numbers through "ran()" and want to use it as a scratch card,that is users are expected to login with it,begin that i have to print it out before given it to the users, do i need to hash since i cant print the hash numbers correctely

[justsomeguy]

I'm not quite sure what your question is, but this is the general process:1. Create the password2. Show or email the original password to the user3. Hash the password and store it in the databaseSo it's probably best not to use the database rand function to generate the password. If you did that, you would need to create the user record first with the random password un-hashed, then select the password so you can send it to the user, then update the record to hash the password. It may be easier to just generate the random number outside of the database, then insert the new record with the hashed password.