administrator login script trouble :/

[rootKID]

ok this dosen't makes any sence to me... i litterally to created a new user in the database with the username "MA_01" and password "WebKode1234", crypt is

$6$rounds=959000$SimpleSourceMade$rDHvP/nvcww3SlQcbaGZzeCHC74xpyRiY76eokE5CJEmn3DNZ.jcfzVo2C2wkYEJXbgp.6NiokqfA/vN7ts0i.

I even tried the way you said Ingolme, the only problem is that whenever i tried to login with the password "WebKode1234", it only sends me back to the login screen with the error from the else statement i made on the login screen (No users were found in our database).

 

So not sure because i can't select anything at the moment :/

 

Ideas? :/

Edited December 10, 2014 by rootKID

[justsomeguy]

Well, how are you going to troubleshoot that? Maybe you should select the record from the database with that username, print out the password hash from the database, print the hash that you calculated from the password entered on the login form, and compare them.

[rootKID]

ok lol this explains alot... i double checked my SQL... forgot i changed the "usersname & password" to "user_username & user_password"....

 

now i have another problem. Ok not a problem, more like a question.

If i wanted to check INSIDE the if statement like before, if there was a user then run else send the user back to the login page with an error?

 

Is there a way?

 

I did try this one:

//if ($stmt = $mysqli->prepare($query) && $mysqli->num_rows == 1)

but since that was on the actual if statement line, i commented out. Besides, i had a feeling it would not work, that i'm aware off? Wrong?

 

If anyone of you has any ideas that would be awsome!

Thanks!

[Ingolme]

First you execute the query, then you do comparisons with whatever data has been returned from the query.

[justsomeguy]

You could combine all of those things into a single if statement, but it's going to make error checking difficult and if you see that in the future you might not have any idea what you're doing. It's better to just separate them into individual statements for clarity rather than trying to jam everything into an if statement.

[rootKID]

hmm, ok, not sure if i understood this one correct but this is my code:

// Query$query = "SELECT user_id, user_username, user_first_name, user_last_name, user_password FROM users WHERE user_username=? AND user_password=?";if ($stmt = $mysqli->prepare($query))//if ($stmt = $mysqli->prepare($query) && $mysqli->num_rows == 1){	// Catch user details!	$username = $_POST['username'];	$password = crypt( $_POST['password'], '$6$rounds=959000$SimpleSourceMadeReal$' ); // Make the salt unique for each password		// Input parameters that are put into the query before you execute it	$stmt->bind_param('ss', $username, $password);		// execute statement	$stmt->execute();		// Set output variables, these are the data from the database fields:	// -> user_id, user_username, user_first_name, user_last_name and user_password	$stmt->bind_result($user_id, $user_username, $user_firstname, $user_lastname, $user_password);		// Fetch data from the query	$stmt->fetch(); // Thats it, nothing more.		//$count = $stmt->num_rows;	if($stmt->num_rows == 1)	{		$_SESSION['admin'] = array();		$_SESSION['admin']['u_id'] = $user_id;		$_SESSION['admin']['username'] = $user_username;		$_SESSION['admin']['firstname'] = $user_firstname;		$_SESSION['admin']['lastname'] = $user_lastname;		$_SESSION['admin']['password'] = $user_password;				// close statement		$stmt->close();				// close connection		$mysqli->close();				header("location: index.php");	}	else	{		// Send user back to login page with error		// ERR MSG: No match found in DB! Try again!		header("location: login.php?err=match");	}}else{	// Send user back to login page with error	// ERR MSG: We have a problem with our database! Try again later!	header("location: login.php?err=dbsqlerr");}

I execute like you say, i even make the "fetch" part... however, i still get back to the login page for some reason, did i get this wrong Oo?

[justsomeguy]

Which error do you get? Do you have PHP set to display and report all errors?

[rootKID]

i dont get any errors, that is one of the problems actually. It's just sending me to the login page with the error without telling me if it's because of the details i was writing wrong? Or because the code was wrong :/

 

And yes, i have enabled ALL errors to report

[justsomeguy]

I meant which one of these is it doing:header("location: login.php?err=match");header("location: login.php?err=dbsqlerr");

[rootKID]

sorry for late reply, this is the error URL it gives me:

login.php?err=match

ideas Oo?

 

This is my code:

// Query$query = "SELECT user_id, user_username, user_first_name, user_last_name, user_password FROM users WHERE user_username=? AND user_password=?";if ($stmt = $mysqli->prepare($query))//if ($stmt = $mysqli->prepare($query) && $mysqli->num_rows == 1){	// Catch user details!	$username = $_POST['username'];	$password = crypt( $_POST['password'], '$6$rounds=959000$SimpleSourceMadeReal$' ); // Make the salt unique for each password		// Input parameters that are put into the query before you execute it	$stmt->bind_param('ss', $username, $password);		// execute statement	$stmt->execute();		// Set output variables, these are the data from the database fields:	// -> user_id, user_username, user_first_name, user_last_name and user_password	$stmt->bind_result($user_id, $user_username, $user_firstname, $user_lastname, $user_password);		// Fetch data from the query	$stmt->fetch(); // Thats it, nothing more.		//$count = $stmt->num_rows;	if($stmt->num_rows == 1)	{		$_SESSION['admin'] = array();		$_SESSION['admin']['u_id'] = $user_id;		$_SESSION['admin']['username'] = $user_username;		$_SESSION['admin']['firstname'] = $user_firstname;		$_SESSION['admin']['lastname'] = $user_lastname;		$_SESSION['admin']['password'] = $user_password;				// close statement		$stmt->close();				// close connection		$mysqli->close();				header("location: index.php");	}	else	{		// Send user back to login page with error		// ERR MSG: No match found in DB! Try again!		header("location: login.php?err=match");	}}else{	// Send user back to login page with error	// ERR MSG: We have a problem with our database! Try again later!	header("location: login.php?err=dbsqlerr");}

[justsomeguy]

Well, look at where that redirection happens. It's in an else statement, so obviously the if statement isn't true. Maybe print out the value you're testing to see why. If the query isn't returning any results then print out the values you're using for it and compare against the database.

[funbinod]

can u please explain what are these 'i' or 'ss' (or any other available options) used in stmt->bind_param? how and when are these used?

 

I've got confused about this ever since I've heard about the prepared staments....

 

[Ingolme]

It's right in the manual: http://php.net/manual/en/mysqli-stmt.bind-param.php

 

Scroll down to "types"

[rootKID]

First of all, thanks for the answers, second of all regarding the "types", what i b and d? All it says are "blob and double"... not sure what those are?

Third of all, i will test the thing you said SomeGuy when home, im out atm

 

Will update you later and tell you all what i figure out

Thanks

[Ingolme]

"blob" is binary data (Binary Large OBject), which is like a string of characters with codes from 0 to 255. You would use this if you were storing data from binary files, like images and other media.

 

"double" is for numbers with decimals. It's called that because it has double the precision of an ordinary floating point number. I don't think PHP actually has normal floats, just doubles.

[funbinod]

thank u! it helped me a lot. another question regarding d same topic...

 

at http://php.net/manual/en/mysqli-stmt.bind-param.php

there is a prepared statement as example...

 

$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");$stmt->bind_param('sssd', $code, $language, $official, $percent);

what I didn't understand is --- how can this statement understand that in which column will d values be inserted???

[Ingolme]

The order of the parameters tells it where to put things. Since "d" is the fourth parameter then it will be put where the fourth placeholder is.

[funbinod]

I got a error on same type of query..

 

this is my first try on prepared statements so please consider my mistake...

$username = mysqli_real_escape_string($mysqli, $_POST['username']);if($rstmt = $mysqli->prepare("SELECT salt,active FROM user WHERE username='$username'")) {	$rstmt->execute();	$rstmt->bind_result('ss', $salt,$active);	$rstmt->fetch();}$password = hash('sha512', mysqli_real_escape_string($mysqli, $_POST['password'] . $salt));

this query returned error

 

Fatal error: Cannot pass parameter 1 by reference

 

please guide....

[Ingolme]

You seem to have mistaken bind_result() for bind_params(). The syntax is different. bind_result() does not use the first parameter for data types. Read the manual: http://php.net/manual/en/mysqli-stmt.bind-result.php

 

 

Don't put variables in the query string, put placeholders:

'SELECT salt,active FROM user WHERE username=?'

 

If you put a variable in the query string you're missing half of the purpose of prepared statements.

[funbinod]

thank u. I understood d problem.

but i'm encountering problem still

 

please find some error on following if any----

$username = mysqli_real_escape_string($mysqli, $_POST['username']);if($rstmt = $mysqli->prepare("SELECT salt,password FROM user WHERE username=?")) {	$rstmt->bind_param('s', $username);	$rstmt->execute();	$rstmt->bind_result($salt,$dbPass);	$rstmt->fetch();}$password = hash('sha512', mysqli_real_escape_string($mysqli, $_POST['password']).$salt);if($stmt=$mysqli->prepare("SELECT uid,cid,name,username,password,type FROM user WHERE username=? AND password=?")){	$stmt->bind_param('ss', $username, $password);	$stmt->execute();	$stmt->store_result();	if($stmt->num_rows()!=0) {		$stmt->bind_result($uid1, $cid1, $name, $uname, $dbPass, $typ);		$stmt->fetch();	} else {		$_SESSION['error']="Username and Password didnot match on our database!";		return false;	}}

[Ingolme]

What is it doing and what did you expect it to do?

 

Don't use mysqli_real_escape_string with prepared statements. Just forget that that function exists, it's only there for backwards compatibility with the old mysql library.

 

Are you doing the exact same hashing procedure you did when adding the password to the database?

[funbinod]

oh ok. I will remove escape string.

 

yes I did the exact hashing procedure while adding the password to the database. it worked before with MySQLi query method. I tried to change it with prepared statements but it did not give the return the data for the columns...

 

EDIT:

I found that it is showing error on this statement query---

if($stmt = $mysqli->prepare("SELECT uid,cid,name,username,password,type FROM user WHERE username=? AND password=?")) {

Edited December 22, 2014 by funbinod

[Ingolme]

What does the error say?

[funbinod]

I dunno!

but it returns the query on "else" segment not on "if" segment. see the following---

if($stmt = $mysqli->prepare("SELECT uid,cid,name,username,password,type FROM user WHERE username=? AND password=?")) {	$stmt->bind_param('ss', $username, $password);	$stmt->execute();	$stmt->bind_result($uid1, $cid1, $name, $uname, $dbPass, $typ);	$stmt->fetch();	echo 'result:'.$uid1.','.$cid1;} else {	echo 'error'; // it returns this block.....}

Edited December 22, 2014 by funbinod

[Ingolme]

} else {    echo $mysqli->error;}