1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    372
    Rep Power
    8
    try

    Code:
    -moz-border-radius: 15px;
    border-radius: 15px;
    from: http://www.css3.info/preview/rounded-border/

    it will round the corners
  2. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2013
    Posts
    1
    Rep Power
    0
    The login system is nice. I had set up a WAMP server and used this code. My only problem is that the id number is 0 in all the new registrations.
    What I mean to say is that the id is not auto-incrementing; it is always showing 0 in all the records. Please tell me the solution.
  3. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2013
    Posts
    4
    Rep Power
    0

    no salt in field list


    Hi,
    I am having trouble getting past this
    Failed to run query: SQLSTATE[42S22]: Column not found: 1054 Unknown column 'salt' in 'field list'

    I have tested with ' " and ´ in the query, but have not found a solution to get past the error in register.php.
    $query = "INSERT INTO users (username, password, salt, email) VALUES ( :username , :password, :salt, :email)";

    I got past a PDO-errormessage by enabling some features on the server
    (MySQL Software version: 5.0.96 - PHP version 5.4.14).

    Any tips on how to get past this error?
  4. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    It's telling you that you have no column named "salt". Well, do you have this column?
    The 6 worst sins of security | How to (properly) access a MySQL database with PHP

    Why can’t I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2013
    Posts
    4
    Rep Power
    0
    Yes, I ran this:

    CREATE TABLE `users` (
    `id` int(11) NOT NULL AUTO_INCREMENT,
    `username` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
    `password` char(64) COLLATE utf8_unicode_ci NOT NULL,
    `salt` char(16) COLLATE utf8_unicode_ci NOT NULL,
    `email` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
    PRIMARY KEY (`id`),
    UNIQUE KEY `username` (`username`),
    UNIQUE KEY `email` (`email`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=1;

    It created the columns: id, username, password, salt, email
    that are present in the mysql-database. As a new user I am not allowed to post link to image her. But there is salt on there
  6. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    First of all: Get rid of all the stupid backticks ``, delete the table and run the CREATE statement again without the backticks.

    The backticks are an endless source of errors and confusion, because they cover up typos and invalid characters. Don't use them.

    Try again. If you still get the same error, run the statement by hand in phpmyadmin: echo the query and all variables and then replace the placeholders with the values. What does phpmyadmin say?

  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2013
    Posts
    4
    Rep Power
    0
    Thanks, got it working in phpmyadmin first.
    PHP Code:
    INSERT INTO users (username, password, salt, email) VALUES (:username, :password, :salt, :email)
    works fine now.

    BUT, now I get "Login failed" when I try to login.
    New users are added to the database with all the info.
  8. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Since we don't have access to your PC, you have to do the basic debugging yourself and then give us concrete info.

    "Login failed" is what the user sees, but you're a programmer, so you can actually analyze what's happening behind the scenes.

    Does PHP even find the row? In other words, does the if statement in line 55 of login.php get executed? Is $_POST['password'] correct? What does $check_password after the hashing procedure look like? What does it look like compared to $row['password']?

    Find that out and tell us the results.

    Actually, you shouldn't even be copy-pasting someone else's code. E-Oreo clearly stated that this is for learning, not for duplicating it and putting it in some application. But I guess this is an impossible request in the PHP world...
  9. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2013
    Posts
    4
    Rep Power
    0
    Stupid me, a typo: char(30) instead of char(64) on the password column. Now I get logged in.

    It's not in any application btw, pure testing. A great proof of concept. I have learned a lot while reading this thread. Never too late to learn something new, especially in this business - it's required.
  10. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2013
    Posts
    3
    Rep Power
    0

    Cool derplumo


    Hey, derplumo.

    I just signed up for the forums. Anyway, can I take a peek at the forgot-password scripts? I would like to see them in action as I have followed this tutorial. Your scripts would help me.

    Thanks, Please PM me.
  11. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    372
    Rep Power
    8
    Sure.

    But notice that I use a different crypt than the one that is used in the tutorial. For this we'll have to search in the previous posts, but that will be all right.

    for the scripts:

    forgot_password.php:
    PHP Code:
    <?php
        require("common.php");
        require("lib/rnum.php");
        require("lib/mail.php");
        require("lib/password.php");

        if(!empty($_POST))
        {
            if(filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
            {
                $email = $_POST['email'];
                // sent_emails stores a SHA-256 of the address, not the address itself
                $hash = hash('sha256', $email);
                $time = new DateTime('24 hours ago');
                $time_formatted = $time->format('Y-m-d H:i:s');

                // how many mails went to this address during the last 24 hours?
                $count_stmt = $db->prepare('
                    SELECT COUNT(*) AS count
                    FROM sent_emails
                    WHERE email_address = :email_address AND timestamp >= :time
                ');
                $count_stmt->execute(array(
                    ':email_address' => $hash,
                    ':time' => $time_formatted
                ));
                $times = $count_stmt->fetch();

                $user_stmt = $db->prepare('
                    SELECT
                        user_id
                    FROM
                        users
                    WHERE
                        email = :email
                ');
                $user_stmt->execute(array(
                    ':email' => $email
                ));
                // fetchColumn() returns the scalar user_id, or false if there is no such row
                $user_id = $user_stmt->fetchColumn();

                if($user_id)  // is the mail of a user?
                {
                    if($times['count'] < 10)
                    {
                        // only the newest reset token of a user stays usable
                        $deactivation_stmt = $db->prepare('
                            UPDATE
                                responses
                            SET
                                active = 0
                            WHERE
                                user = :user
                        ');
                        $deactivation_stmt->execute(array(
                            ':user' => $user_id
                        ));

                        // the token goes into the mail in clear; only its bcrypt hash is stored
                        $password_token = rnum();
                        $secret = password_hash($password_token, PASSWORD_BCRYPT, array("cost" => 10));
                        $reset_key = rnum();
                        $user = $user_id;
                        $request_ip = getenv('REMOTE_ADDR');

                        $query = "
                            INSERT INTO responses (
                                reset_key,
                                user,
                                secret,
                                request_timestamp,
                                request_ip
                            ) VALUES (
                                :reset_key,
                                :user,
                                :secret,
                                NOW(),
                                :request_ip
                            )";

                        $query_params = array(
                            ':reset_key' => $reset_key,
                            ':user' => $user,
                            ':secret' => $secret,
                            ':request_ip' => $request_ip
                        );

                        $stmt = $db->prepare($query);
                        $result = $stmt->execute($query_params);

                        $mail_to      = $email;
                        $mail_subject = 'Forgot password';
                        $mail_body    = "Hello,
                            <br><br>
                            you or somebody else requested a password reset for your user account at http://domain.com.
                            <br><br>
                            To set a new password, please visit this link:
                            <br><br>
                            http://www.domain.com/password_reset.php?reset_key=" . $reset_key . "&user=" . $user . "&password_token=" . $password_token . "
                            <br><br>
                            Do not share the secret code in this link until you've used it. The code will expire in 30 minutes.
                            <br><br>
                            If the request was not from you, simply ignore this email. Your password will _not_ be changed.
                            <br><br>
                            Do you have further questions? Please contact us at info@domain.com.
                            <br><br>
                            Best regards,
                            <br><br>
                            domain.com";

                        if(mail_f($mail_to, $mail_subject, $mail_body) == 1)
                        {
                            // count the mail against the 24-hour limit only if it was actually sent
                            $new_stmt = $db->prepare('
                                INSERT INTO sent_emails (
                                    email_address,
                                    timestamp
                                ) VALUES (
                                    :email_address,
                                    NOW()
                                )
                            ');
                            $new_stmt->execute(array(
                                ':email_address' => $hash
                            ));
                        }
                    }
                }
                else  // the mail is not in the system
                {
                    if($times['count'] < 1)
                    {
                        # the following is for an unregistered address that hasn't reached its request limit yet

                        # you only need one query
                        $unsub_data_stmt = $db->prepare('
                            SELECT
                                unsubscribed
                                , email_key
                            FROM
                                unsubscribed_email_addresses
                            WHERE
                                email_address = :hash
                        ');
                        $unsub_data_stmt->execute(array(
                            ':hash' => $hash
                        ));
                        // fetch() (not fetchColumn()) because both columns are needed below
                        $unsub_data = $unsub_data_stmt->fetch();

                        // If we don't have a record of the address yet, or if the address isn't unsubscribed,
                        // send an email; in case of a new record, generate a new token, otherwise, use the old one;
                        // $valid_token determines whether the newly generated token has been stored and can actually
                        // be used; if not, it shouldn't be in the mail
                        $send_mail = $valid_token = false;
                        if ( $unsub_data === false )
                        {
                            $send_mail = true;
                            $unsub_token = rnum();
                            $unsubscribe_stmt = $db->prepare('
                                INSERT INTO unsubscribed_email_addresses (
                                    email_address
                                    , email_key
                                ) VALUES (
                                    :email_address
                                    , :email_key
                                )
                            ');
                            $valid_token = $unsubscribe_stmt->execute(array(
                                ':email_address' => $hash,
                                ':email_key' => $unsub_token
                            ));
                        }
                        elseif ( !$unsub_data['unsubscribed'] )
                        {
                            $send_mail = $valid_token = true;
                            $unsub_token = $unsub_data['email_key'];
                        }

                        if ( $send_mail )
                        {
                            $mail_subject = "Forgot password";
                            $mail_body    = "Hello,
                                <br><br>
                                you or somebody else entered your email address into the password reset form at http://domain.com, but your address is not registered in our system.
                                <br><br>
                                If you have an account on our website, you must have used a different email address. Please try again with your other addresses.
                                <br><br>
                                If you did not use our form, we apologize for this email. Please ignore it. If you never want to receive the email again, you can mark your address as blocked in our system:
                                <br><br>
                                http://www.domain.com/no_mail.php?email_key=" . $unsub_token . "
                                <br><br>
                                Do you have further questions? Please contact us at info@spellenengames.com.
                                <br><br>
                                Best regards,
                                <br><br>
                                domain.com";

                            # put the mail text into an external template; only append the token if $valid_token
                            if( mail_f($email, $mail_subject, $mail_body) )
                            {
                                $sent_stmt = $db->prepare('
                                    INSERT INTO sent_emails (
                                        email_address
                                        , timestamp
                                    ) VALUES (
                                        :email_address
                                        , NOW()
                                    )
                                ');
                                $sent_stmt->execute(array(
                                    ':email_address' => $hash
                                ));
                            }
                        }
                    }
                }
                // same message whether or not the address exists, so the form does not leak registered addresses
                echo "Unless your limit has been reached, we'll send you an email";
            }
            else
            {
                echo "This email address is invalid!";
            }
        }
    ?>
    <html>
        <body>
            <h1>Forgot password</h1>
            <form action="forgot_password.php" method="post">
                Email:
                <input type="text" name="email" value="" />
                <br /><br />
                <input type="submit" value="Recover" />
            </form>
        </body>
    </html>
    password_reset.php:
    PHP Code:
    <?php
        require("common.php");
        require("lib/password.php");

        // the link from the mail arrives via GET; the values are echoed back into the form below
        $reset_key      = isset($_GET["reset_key"]) ? $_GET["reset_key"] : '';
        $user           = isset($_GET["user"]) ? $_GET["user"] : '';
        $password_token = isset($_GET["password_token"]) ? $_GET["password_token"] : '';
        $reset_echo       = false;
        $reset_successful = false;

        if(!empty($_POST))
        {
            $reset_echo     = true;
            $reset_key      = $_POST['reset_key'];
            $user           = $_POST['user'];
            $password_token = $_POST['password_token'];

            $query = "
                SELECT
                    user
                    , secret
                    , request_timestamp
                FROM
                    responses
                WHERE
                    reset_key = :reset_key
                    AND user = :user
                    AND NOT used
                    AND active
            ";

            $query_params = array(
                ':reset_key' => $reset_key,
                ':user' => $user
            );

            $stmt = $db->prepare($query);
            $result = $stmt->execute($query_params);

            $row = $stmt->fetch();

            if($row)
            {
                $created = DateTime::createFromFormat('Y-m-d H:i:s', $row['request_timestamp']);
                if ( $created >= new DateTime('30 minutes ago') )
                {
                    // compare the token from the link against the stored bcrypt hash
                    if ( password_verify($password_token, $row['secret']) )
                    {
                        $query = "
                            UPDATE users
                            SET
                                password = :password
                            WHERE
                                user_id = :user_id
                        ";

                        $hash = password_hash($_POST['password'], PASSWORD_BCRYPT, array("cost" => 10));

                        $query_params = array(
                            ':password' => $hash,
                            ':user_id' => $row['user']
                        );

                        $stmt = $db->prepare($query);
                        $result = $stmt->execute($query_params);

                        // burn the token so the same link cannot reset the password a second time
                        $used_stmt = $db->prepare('
                            UPDATE responses
                            SET used = 1
                            WHERE reset_key = :reset_key
                        ');
                        $used_stmt->execute(array(
                            ':reset_key' => $reset_key
                        ));

                        $reset_successful = true;
                    }
                }
            }
        }
    ?>
    <html>
        <body>
            <h1>Reset password</h1>
            <?php
                if ($reset_echo) {
                    if ($reset_successful)
                        echo 'Your password has been reset!';
                    else
                        echo 'This token has already been used, expired or inactive, please request a new one';
                }
            ?>
            <form action="password_reset.php" method="post">
                New password:
                <input type="password" name="password" value="" />
                <br /><br />
                <!-- the values come from the URL, so escape them before echoing them into the page -->
                <input type="hidden" name="reset_key" value="<?php echo htmlspecialchars($reset_key, ENT_QUOTES, 'UTF-8'); ?>" />
                <input type="hidden" name="user" value="<?php echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8'); ?>" />
                <input type="hidden" name="password_token" value="<?php echo htmlspecialchars($password_token, ENT_QUOTES, 'UTF-8'); ?>" />
                <input type="submit" value="Login" />
            </form>
        </body>
    </html>
    no_mail.php:
    PHP Code:
    <?php
    require("common.php");

    if( !empty($_GET['email_key']) )
    {
        $key_stmt = $db->prepare('
            SELECT
                unsubscribed
            FROM
                unsubscribed_email_addresses
            WHERE
                email_key = :email_key
        ');
        $key_stmt->execute(array(
            ':email_key' => $_GET['email_key']
        ));
        $unsub = $key_stmt->fetchColumn();
        if ( $unsub === false )            // key doesn't exist
        {
            echo 'Invalid email key. Please check the URL in your previous notification email.';
        }
        else                               // key exists
        {
            if ( !$unsub )                 // not unsubscribed yet
            {
                $unsub_stmt = $db->prepare('
                    UPDATE
                        unsubscribed_email_addresses
                    SET
                        unsubscribed = 1
                    WHERE
                        email_key = :email_key
                ');
                $unsub_stmt->execute(array(
                    ':email_key' => $_GET['email_key']
                ));
                if ( $unsub_stmt->rowCount() )
                    $unsub = true;
            }
            if ( $unsub )
                echo 'Your email address has been blocked in our system. You will no longer receive notification emails.';
            else
                echo 'There was a technical issue. Please try again later.';
        }
    }
    else
        echo 'Missing email key. Please check the URL in your previous notification email. It must have the form http://domain.com/no_mail.php?email_key=...';
  12. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2013
    Posts
    3
    Rep Power
    0

    Q


    Great and Thank You!

    I see you changed the login structure to use new crypt right?

    What are you using for these includes?

    require("lib/rnum.php");
    require("lib/mail.php");
    require("lib/password.php");

    I found rnum in the previous posts I believe. Do you have this live? I am learning from you as you were learning lol
  13. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    372
    Rep Power
    8
    mail:

    PHP Code:
    <?php
    // thin wrapper around PHPMailer; returns 1 on success, 0 on failure
    function mail_f ($mail_to, $mail_subject, $mail_body)
    {
        require_once 'class.phpmailer.php';

        $mail = new PHPMailer();

        $body = preg_replace('/\[\]/', '', $mail_body);

        $mail->SetFrom('noreply@domain.com', 'Domain');

        $mail->AddReplyTo("noreply@domain.com", "Domain");

        $mail->AddAddress($mail_to);

        $mail->Subject = $mail_subject;

        $mail->AltBody = "To view the message, please use an HTML compatible email viewer!"; // optional, comment out and test

        $mail->MsgHTML($body);

        if(!$mail->Send()) {
            $succes = 0;
        }
        else {
            $succes = 1;
        }
        return $succes;
    }
    ?>
    and for password.php go to #179
  14. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2013
    Posts
    3
    Rep Power
    0

    Q - derplumo


    derplumo,

    OK! I have everything working, except for the SQL structure of the forgot-password tables. May I see how you have your tables set up? I use phpmyadmin. I guess the "responses" table and any others making it function.
  15. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    372
    Rep Power
    8
    I use PhpMyAdmin too

    Code:
    CREATE TABLE sent_emails (
    email_address CHAR(64) NOT NULL,
    timestamp DATETIME NOT NULL
    ) ENGINE=InnoDB
    ;
    Code:
    CREATE TABLE responses (
    reset_key CHAR(32) PRIMARY KEY, 
    user INT NOT NULL,
    secret CHAR(60) NOT NULL, 
    request_timestamp DATETIME NOT NULL, 
    request_ip VARCHAR(39) NOT NULL, 
    used BOOLEAN DEFAULT 0 NOT NULL, 
    active BOOLEAN DEFAULT 1 NOT NULL 
    ) ENGINE=InnoDB
    ;
    Code:
    CREATE TABLE unsubscribed_email_addresses (
    email_key VARCHAR(32) PRIMARY KEY,
    email_address CHAR(64) UNIQUE,
    unsubscribed BOOLEAN DEFAULT 0
    ) ENGINE=InnoDB
    ;
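The reset flow from forgot_password.php / password_reset.php and the responses / sent_emails tables above, condensed into one runnable model. This is an added example, not code from the thread or from derplumo: it uses sqlite3 in memory instead of MySQL/PDO, stores SHA-256(token) instead of a bcrypt hash, and all function names, the 30-minute TTL and the 10-mails-per-24h limit are assumptions chosen to match the mail text and the `$times['count'] < 10` check in the thread.

```python
"""Password-reset token flow modelled on the thread's responses / sent_emails tables.

Added example (not the thread's code). sqlite3 stands in for MySQL/PDO, and the
emailed token is stored as SHA-256(token) rather than bcrypt: the token is 128 bits
of CSPRNG output, so a slow hash adds nothing. Names and constants are assumptions.
"""
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta

RESET_TTL = timedelta(minutes=30)   # "The code will expire in 30 minutes" (assumed)
MAX_MAILS_PER_DAY = 10              # the thread's $times['count'] < 10 check (assumed)
TS = "%Y-%m-%d %H:%M:%S"            # same layout the PHP reads MySQL DATETIME back with


def open_db():
    """In-memory stand-in for the thread's schema plus a minimal users table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT);
        CREATE TABLE responses (
            reset_key TEXT PRIMARY KEY, user INTEGER NOT NULL, secret TEXT NOT NULL,
            request_timestamp TEXT NOT NULL, request_ip TEXT NOT NULL,
            used INTEGER NOT NULL DEFAULT 0, active INTEGER NOT NULL DEFAULT 1);
        CREATE TABLE sent_emails (email_address TEXT NOT NULL, timestamp TEXT NOT NULL);
    """)
    db.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'old-hash')")  # constructed
    return db


def _h(s):
    return hashlib.sha256(s.encode()).hexdigest()


def issue_reset(db, email, ip, now):
    """Return (reset_key, password_token) for the mail, or None if refused.
    The rate limit is keyed on sha256(email), as the thread's sent_emails table does."""
    email_hash = _h(email)
    since = (now - timedelta(hours=24)).strftime(TS)
    (sent,) = db.execute("SELECT COUNT(*) FROM sent_emails "
                         "WHERE email_address = ? AND timestamp >= ?",
                         (email_hash, since)).fetchone()
    row = db.execute("SELECT user_id FROM users WHERE email = ?", (email,)).fetchone()
    if row is None or sent >= MAX_MAILS_PER_DAY:
        return None                   # caller shows the same neutral message either way
    user_id = row[0]
    db.execute("UPDATE responses SET active = 0 WHERE user = ?", (user_id,))  # one live token
    reset_key, password_token = secrets.token_hex(16), secrets.token_hex(16)
    db.execute("INSERT INTO responses (reset_key, user, secret, request_timestamp, request_ip) "
               "VALUES (?, ?, ?, ?, ?)",
               (reset_key, user_id, _h(password_token), now.strftime(TS), ip))
    db.execute("INSERT INTO sent_emails VALUES (?, ?)", (email_hash, now.strftime(TS)))
    db.commit()
    return reset_key, password_token


def consume_reset(db, reset_key, user, password_token, new_password_hash, now):
    """Set the new password iff the token is active, unused, unexpired and correct."""
    row = db.execute("SELECT user, secret, request_timestamp FROM responses "
                     "WHERE reset_key = ? AND user = ? AND NOT used AND active",
                     (reset_key, user)).fetchone()
    if row is None:
        return False
    if datetime.strptime(row[2], TS) < now - RESET_TTL:
        return False                  # older than RESET_TTL
    if not hmac.compare_digest(_h(password_token), row[1]):
        return False                  # constant-time compare of the token hash
    db.execute("UPDATE users SET password = ? WHERE user_id = ?", (new_password_hash, row[0]))
    db.execute("UPDATE responses SET used = 1 WHERE reset_key = ?", (reset_key,))  # single use
    db.commit()
    return True


def run_scenario():
    """Walk the flow on constructed input and report the outcome of each step."""
    db = open_db()
    t0 = datetime(2013, 8, 1, 12, 0, 0)
    ip = "203.0.113.5"
    out = {"unknown_address": issue_reset(db, "nobody@example.com", ip, t0) is None}
    key, tok = issue_reset(db, "alice@example.com", ip, t0)
    t1 = t0 + timedelta(minutes=5)
    out["wrong_token"] = consume_reset(db, key, 1, "not-the-token", "h1", t1)
    out["good_token"] = consume_reset(db, key, 1, tok, "h1", t1)
    out["replay"] = consume_reset(db, key, 1, tok, "h2", t1)
    key2, tok2 = issue_reset(db, "alice@example.com", ip, t0 + timedelta(minutes=7))
    out["expired"] = consume_reset(db, key2, 1, tok2, "h3", t0 + timedelta(minutes=40))
    for i in range(8):                # mails 3..10 of the day
        issue_reset(db, "alice@example.com", ip, t0 + timedelta(minutes=10 + i))
    out["rate_limited"] = issue_reset(db, "alice@example.com", ip, t0 + timedelta(minutes=30)) is None
    out["limit_expires"] = issue_reset(db, "alice@example.com", ip, t0 + timedelta(hours=25)) is not None
    out["password"] = db.execute("SELECT password FROM users WHERE user_id = 1").fetchone()[0]
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Two points the model makes explicit: `consume_reset` flips `used = 1` after a successful reset, which is what the `used` column in the `responses` schema is for, so a reset link cannot be replayed inside its 30-minute window; and the token comparison goes through `hmac.compare_digest` rather than `==`. The reply to the requester is identical whether or not the address exists, so the form does not confirm which addresses are registered.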
