#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    156
    Rep Power
    13

    Forgot password help


    In my login.php file I got a forgot password text field as well so the user can put their email address in and have a email sent containing their password

    But am getting the following error and have no idea why

    Login Failed. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' WHERE 'username' ='.'' at line 1

    Any ideas

    Thank you in advance

    Ian
  2. #2
  3. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Location
    The Pleiades
    Posts
    299
    Rep Power
    8
    There's an error with your mysql query. It's a syntax error. Can you post your whole code and I might be able to re-write the query for you so it works.

    I believe it's your use of the 3rd single quote. Try something like:

    PHP Code:
    "WHERE username={$username} AND password={$password}
    Kind regards,

    NM.
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    156
    Rep Power
    13
    Hi Nanomech

    Thank you for the reply, I have pasted the whole code from the login.php page below

    [CODE]
    <?php

    // First we execute our common code to connection to the database and start the session
    require("common.php");

    // This variable will be used to re-display the user's username to them in the
    // login form if they fail to enter the correct password. It is initialized here
    // to an empty value, which will be shown if the user has not submitted the form.
    $submitted_username = '';

    // This if statement checks to determine whether the login form has been submitted
    // If it has, then the login code is run, otherwise the form is displayed
    if(!empty($_POST))
    {
    // This query retreives the user's information from the database using
    // their username.
    $query = "
    SELECT
    id,
    username,
    password,
    salt,
    email
    FROM users
    WHERE
    username = :username
    ";

    // The parameter values
    $query_params = array(
    ':username' => $_POST['username']
    );

    try
    {
    // Execute the query against the database
    $stmt = $db->prepare($query);
    $result = $stmt->execute($query_params);
    }
    catch(PDOException $ex)
    {
    // Note: On a production website, you should not output $ex->getMessage().
    // It may provide an attacker with helpful information about your code.
    die("Failed to run query: " . $ex->getMessage());
    }

    // This variable tells us whether the user has successfully logged in or not.
    // We initialize it to false, assuming they have not.
    // If we determine that they have entered the right details, then we switch it to true.
    $login_ok = false;

    // Retrieve the user data from the database. If $row is false, then the username
    // they entered is not registered.
    $row = $stmt->fetch();
    if($row)
    {
    // Using the password submitted by the user and the salt stored in the database,
    // we now check to see whether the passwords match by hashing the submitted password
    // and comparing it to the hashed version already stored in the database.
    $check_password = hash('sha256', $_POST['password'] . $row['salt']);
    for($round = 0; $round < 65536; $round++)
    {
    $check_password = hash('sha256', $check_password . $row['salt']);
    }

    if($check_password === $row['password'])
    {
    // If they do, then we flip this to true
    $login_ok = true;
    }
    }

    // If the user logged in successfully, then we send them to the private members-only page
    // Otherwise, we display a login failed message and show the login form again
    if($login_ok)
    {
    // Here I am preparing to store the $row array into the $_SESSION by
    // removing the salt and password values from it. Although $_SESSION is
    // stored on the server-side, there is no reason to store sensitive values
    // in it unless you have to. Thus, it is best practice to remove these
    // sensitive values first.
    unset($row['salt']);
    unset($row['password']);

    // This stores the user's data into the session at the index 'user'.
    // We will check this index on the private members-only page to determine whether
    // or not the user is logged in. We can also use it to retrieve
    // the user's details.
    $_SESSION['user'] = $row;

    // Redirect the user to the private members-only page.
    header("Location: loginsuccess.php");
    die("Redirecting to: loginsuccess.php");
    }
    else
    {
    // Tell the user they failed
    print("Login Failed.");

    // Show them their username again so all they have to do is enter a new
    // password. The use of htmlentities prevents XSS attacks. You should
    // always use htmlentities on user submitted values before displaying them
    // to any users (including the user that submitted them). For more information:
    // http://en.wikipedia.org/wiki/XSS_attack
    $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
    }
    }
    ?>

    <?php
    if(isset($_POST['submit']))
    {
    mysql_connect("", "", "") or die(mysql_error());
    mysql_select_db("") or die(mysql_error());

    $username = $_POST['username'];
    $sql = "SELECT 'username', 'password' FROM users' WHERE 'username' ='$username.'";

    $query = mysql_query($sql);

    if(!$query)
    {
    die(mysql_error());
    }

    if(mysql_affected_rows() != 0)
    {
    $row=mysql_fetch_array($query);
    $password=$row["password"];
    $email=$row["email"];
    $subject="your password";
    $header="from:noreply@cptevents4.co.uk";
    $content="your password is $pass";
    mail($email, $subject, $row, $header);
    print "An email containing the password has been sent to you";
    }
    else
    {
    echo("no such login in the system. please try again.");
    }
    }
    ?>
    <html>
    <head>
    <title>Login</title>
    <link rel="stylesheet" type="text/css" href="css/overlay.css" />
    <style type="text/css">
    #login {
    font-family:Verdana;
    font-size:14px;
    color: #000000;
    margin-left:190px;
    margin-top:50px;
    }

    ul {
    list-style-type:none;
    }

    li {
    font-family:Verdana;
    font-size:14px;
    color: #000000;
    background: #66F;
    padding:4px;
    }

    a:hover {
    color: #000000;
    }

    a:active {
    color: #0CF;
    }

    /* Step 1: Main navigation styles */

    #navigation {
    width: 240px;
    margin-left: 130px;
    margin-top: 5px;
    padding: 0;
    list-style: none;
    background: #4a4b8e;
    color: #fff;
    font-family: Verdana;
    font-size:12px;
    border-radius: 20px;
    -moz-border-radius: 20px;
    -webkit-border-radius: 20px;
    }

    #navigation > li {
    display: block;
    width: 210px;
    background: #4a4b8e;
    font-family: Verdana;
    font-size: 12px;
    border-radius: 20px;
    -moz-border-radius: 20px;
    -webkit-border-radius: 20px;
    }

    #navigation > li > a {
    display: block;
    height: 10px;
    padding: 1em;
    font-family: Verdana;
    font-size: 12px;
    font-weight: bold;
    text-transform: uppercase;
    color: #ffff84;
    text-decoration: none;
    }

    #navigation > li > a:hover {
    border-radius: 20px;
    -moz-border-radius: 20px;
    -webkit-border-radius: 20px;
    background: #000e8c;
    color: #ffbf00;
    }

    /* Step 2: Submenu styles */

    #navigation > li.sub {
    position: relative;
    border-radius: 20px;
    -moz-border-radius: 20px;
    -webkit-border-radius: 20px;
    }

    #navigation > li.sub ul {
    margin: 0;
    padding: 0;
    width: 255px;
    list-style: none;
    font-family: Verdana;
    font-size:12px;
    color: #fff;
    position: absolute;
    left: -1120em;
    border-radius: 20px;
    -moz-border-radius: 20px;
    -webkit-border-radius: 20px;
    }

    #navigation > li.sub ul li {
    display: block;
    width: 100%;
    border-radius: 20px;
    -moz-border-radius: 20px;
    -webkit-border-radius: 20px;
    }

    #navigation > li.sub ul li a {
    height: 10px;
    display: block;
    color: #000000;
    font-size: 12px;
    font-weight: bold;
    text-decoration: none;
    padding: 1em;
    border-radius: 20px;
    -moz-border-radius: 20px;
    -webkit-border-radius: 20px;
    background: #e6f2ff;
    }

    #navigation > li.sub ul li a:hover {
    border-radius: 20px;
    -moz-border-radius: 20px;
    -webkit-border-radius: 20px;
    font-family: Verdana;
    font-size: 12px;
    color: #FFFFFF;
    background: #0030bf;
    }

    /* Step 3: Hover effect */

    #navigation > li.sub:hover ul {
    border-radius: 20px;
    -moz-border-radius: 20px;
    -webkit-border-radius: 20px;
    top: 0;
    left: 215px;
    }

    #forgotpw {
    font-family: Verdana;
    font-size: 14px;
    color: #000000;
    margin: 0 0 0 19%;
    }

    #registerbtn {
    margin: 0 0 0 0;
    }
    </style>

    <script type="text/javascript" src="js/aJax.js"></script>

    </head>
    <body>

    <img src="images/header.png" style="margin-left:130px;" alt="CPT Events" title="CPT Events">

    <div class="popOverlay"></div>
    <div class="loginPass">
    <button class="profileButton"></button>
    </div>
    <div id="register">
    <div style="width:900px;">

    <div id="login">
    <h1>Welcome to the Login page</h1>
    <div id="registerbtn">
    You must have registered. If you have not registered, <a href="register.php">click here</a>
    </div>
    <br>
    <form action="login.php" method="post">
    Username:<br />
    <input type="text" name="username" id="username" value="<?=$submitted_username; ?>" />
    <br /><br />
    Password:<br />
    <input type="password" name="password" id="password" value="" />
    <br>
    <input type="submit" name="login" id="login" class="buttons" value="Log In Now" style="margin-left: -1px; margin-top:8px;" onClick="validLogin()" />
    <br /><br />
    When registered, we sent a email containing your username and password
    </form>
    </div>
    </div>
    <br />
    <div id="forgotpw">
    Forgot Password - use form below to reset the password
    <br>
    <form name="forgot" method="post" action="<?php $_SERVER['PHP_SELF'];?>">
    <p><label for="email">Email:</label>
    <input name="email" type="text" value="<?=$email; ?>" size="25"/>
    </p>
    <input type="submit" name="submit" value="submit"/>
    <input type="reset" name="reset" value="reset"/>
    </form>
    </div>
    </body>
    </html>
    [CODE]
  6. #4
  7. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Location
    The Pleiades
    Posts
    299
    Rep Power
    8
    Switch your query to this.

    Although the error is apparently at line 1. :S

    PHP Code:
    $sql "SELECT 'username', 'password' FROM users WHERE 'username'={$username}"
    Let me know!

    Regards,

    NM.
  8. #5
  9. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    156
    Rep Power
    13
    I changed that line of coding and got the following error

    Login Failed. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
  10. #6
  11. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Location
    The Pleiades
    Posts
    299
    Rep Power
    8
    Can you post the whole error message please?

    In the meantime try this:
    PHP Code:
    $sql "SELECT username, password FROM users WHERE username={$username}"
    Check the error message for the file in which the error is located.

    Regards,

    NM.
    Last edited by Nanomech; January 27th, 2013 at 05:33 AM.
  12. #7
  13. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    156
    Rep Power
    13
    I put in the following

    $sql = "SELECT username, password FROM users WHERE username={$username}";

    and got this error, that is all I see in the error message

    Login Failed. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
  14. #8
  15. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Location
    The Pleiades
    Posts
    299
    Rep Power
    8
    Hmm I'm stumped then dude. The error message is indicating line 1 but there is absolutely no syntactical errors which I can see, we've tried modifying the query and it's still not worked.

    I think the error could possibly lie in another file?

    It's bugging me! I've got to go in 10 minutes. Have a quick look round your included files.

    Regards,

    NM.
  16. #9
  17. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    156
    Rep Power
    13
    Only other php files is the common.php and register.php file

    To be honest, I am not too sure what I am looking for
  18. #10
  19. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Hi,

    the SQL error comes from the single quotes everywhere, which shouldn't be there. Identifiers in SQL (table names, column names etc.) must not be in single quotes. They either have no quotes at all or backticks: ``.

    But that should actually be your least concern. No offense, but your script looks pretty weird and has massive security holes -- it's like you copied and pasted two completely different codes and simply merged them. The first part uses PDO and looks good (I guess that's from E-Oreo?). The second part suddenly opens a new database connection and uses the old MySQL extension. And that part is wide open to SQL injections, so anybody can fetch all your members' passwords. And are those stored as plaintext??? That would be a disaster. I really hope this code isn't online yet.
  20. #11
  21. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    156
    Rep Power
    13
    I have just purchased a all in one, it has got a login, registration and forgot password form all built in

    I got it from codecanyon so hopefully is all secure

    Just implementing it now

    Ian
  22. #12
  23. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    What? The first part is clearly by E-Oreo, so how could you have bought it from codecanyon?

    If you actually did buy that like it is, it's a complete rip-off. They've obviously stolen stuff from the internet and added some terrible code to it.

    No, it's not secure. Any moron can "hack" this in a matter of minutes.
  24. #13
  25. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    156
    Rep Power
    13
    This is the one I got

    http://codecanyon.net/item/secure-loginregister-and-user-management/2826719?sso?WT.ac=search_item&WT.seg_1=search_item&WT.z_author=jakweb

IMN logo majestic logo threadwatch logo seochat tools logo