
Neo73

Member, 11 posts
Everything posted by Neo73

  1. I found a solution, but I would appreciate your advice regarding security: without having to import the password_compat library via Composer, you can obviously replicate the same hashing algorithm in PHP 5.3.7 with the following code:

     <?php
     $password = 'admin'; // sample password
     $salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM);
     $salt = base64_encode($salt);
     $salt = str_replace('+', '.', $salt); // Salt is stored in the authentication class
     echo "<br />";
     echo "<br />";
     echo $hashed_password = crypt($password, '$2y$10$'.$salt.'$'); // This value is stored in the database.

     You then save the randomly generated $salt in the authentication class and change the validate_login function from MD5() to crypt() as follows:

     ...
     // create query
     if ($stmt = $Database->prepare("SELECT * FROM users WHERE username = ? AND password = ?")) {
         $stmt->bind_param("ss", $user, crypt($pass, '$2y$10$'. $this->salt.'$'));
     ...

     I would appreciate your feedback. I will try as well to implement the password_compat library.
  2. As the OOP login tutorial is using the unsafe MD5 algorithm (despite the salt), which is potentially prone to brute-force attacks, I would like to improve the code a bit using the crypt() function with Blowfish (most servers still don't run PHP 5.5 with the new password_hash() function). At the end of the day, it is probably best to use a secure library, but for the sake of learning, I tried to proceed with the following. So let's say, for simplicity, that we don't randomize the creation of a salt and just use a fixed value; we would then generate a hashed password according to the PHP manual in the following way:

     $password = 'admin'; // just an example password
     $salt = '$2a$07$usesomesillystringforsalt$'; // our static salt
     echo $hashed_password = crypt($password . $salt);
     // This will generate a random hashed password:
     // e.g. '$6$cZ87nSyraocT$29HKRGHlIu3nDTKVtlGWBAHd5/DKw9ecwoohshkRT7yWrJosNNvIExnpOIUrd2tMCzvMoioACqha6sLisnyOC1'

     Every time we run this with the above variables, we will get a different value for $hashed_password, which we store once in the database as the password value. The PHP manual then recommends validating the user input against the stored password in the following way:

     if (crypt($user_input, $hashed_password) == $hashed_password) { // $user_input would be $password
         echo "Password verified!";
     } else {
         echo "Error!";
     }

     If I run this verification test with the above variables, I always get "Error!", i.e. the comparison test fails. So I don't really see how to include this in the existing validate_login function within the authentication class (m_auth.php):

     class Auth {
         private $salt = '$2a$22$usesomesillystringforsalt$';

         /* Constructor */
         function __construct() {}

         /* Functions */
         function validate_login($user, $pass) {
             // access database
             global $Database;
             // create query
             if ($stmt = $Database->prepare("SELECT * FROM users WHERE username = ? AND password = ?")) {
                 $stmt->bind_param("ss", $user, md5($pass . $this->salt));
                 $stmt->execute();
                 $stmt->store_result();
                 // check for num rows
                 if ($stmt->num_rows > 0) {
                     // success
                     $stmt->close();
                     return TRUE;
                 } else {
                     // failure
                     $stmt->close();
                     return FALSE;
                 }
             } else {
                 die("ERROR: Could not prepare MySQLi statement.");
             }
         }

         function login_status() {
             if (isset($_SESSION['loggedin'])) {
                 return TRUE;
             } else {
                 return FALSE;
             }
         }

         function logout() {
             session_destroy();
             session_start();
         }
     }

     I would appreciate your help on this.
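Posts 1 and 2 above both try to move the login tutorial from md5() to bcrypt via crypt(). The following is an added example, not the tutorial's code and not the poster's, showing the pattern the PHP manual's comparison relies on: the salt is passed to crypt() as its second argument (a hash beginning with $6$ is not a bcrypt hash, so a one-argument call did not use the Blowfish salt), the complete 60-character result, which already embeds the algorithm, cost and salt, is stored per user, and verification hands the stored hash back to crypt() as that second argument. It assumes PHP 5.3.7 or later for the $2y$ prefix and the OpenSSL extension for openssl_random_pseudo_bytes(); the function names, the $users array standing in for the users table, and the SQL mentioned in the comments are my assumptions about how it would slot into m_auth.php.

```php
<?php
// Added example, not code from the login tutorial: bcrypt via crypt() on
// PHP >= 5.3.7, with a fresh random salt per user and the whole crypt()
// output stored, so no fixed salt has to live in the Auth class.

function bcrypt_hash($password, $cost = 10)
{
    // 16 random bytes give 24 base64 chars; bcrypt wants 22 chars of ./A-Za-z0-9
    $raw = openssl_random_pseudo_bytes(16, $strong);
    if ($raw === false || !$strong) {
        throw new RuntimeException('no strong random source available');
    }
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$', $cost) . $salt);
    // crypt() signals failure with a short string such as "*0"; never store that
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt not available on this PHP build');
    }
    return $hash; // "$2y$10$" + 22-char salt + 31-char hash = 60 chars
}

// Constant-time string comparison; hash_equals() only exists from PHP 5.6
function constant_time_equals($a, $b)
{
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

function bcrypt_verify($password, $stored_hash)
{
    // The stored hash carries algorithm, cost and salt, so passing it as the
    // second argument makes crypt() recompute with exactly those parameters.
    return constant_time_equals(crypt($password, $stored_hash), $stored_hash);
}

// Login check that fetches the hash by username and verifies it in PHP, rather
// than placing the hash in the WHERE clause. $users stands in for the users
// table (constructed data); in the tutorial this would be a prepared
// "SELECT password FROM users WHERE username = ?" through $Database.
function validate_login(array $users, $user, $pass)
{
    if (!isset($users[$user])) {
        // Run one bcrypt anyway so an unknown user costs about as long as a wrong password
        bcrypt_verify($pass, '$2y$10$' . str_repeat('.', 53));
        return false;
    }
    return bcrypt_verify($pass, $users[$user]);
}

$users = array('alice' => bcrypt_hash('admin')); // sample password from the thread, constructed user
var_dump(validate_login($users, 'alice', 'admin'));
var_dump(validate_login($users, 'alice', 'wrong'));
var_dump(validate_login($users, 'nobody', 'admin'));
```

Because the hash is looked up by username and compared in PHP, the comparison does not depend on the database's string collation, and constant_time_equals() keeps it from leaking how many leading bytes matched on PHP versions without hash_equals(). The cost factor can be raised later without touching stored rows, since each stored hash records the cost it was made with.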
  3. Hi, I tried to use the authentication class from the OOP login tutorial in combination with the OOP shopping cart. The problem is that both tutorials use different template methods, in particular getData(). Out of the box, the OOP login classes just work fine; I can log in and out without problems. However, in combination with the m_template.php of the shopping cart, the login credentials (although correct) are posted at the top of the page and the 'access denied' error message is displayed. I tracked the problem down to the getData() function in m_template.php, which seems to cause the issue.

     getData() within the login tutorial:

     function getData($name) {
         if (isset($this->data[$name])) {
             return $this->data[$name];
         } else {
             return '';
         }
     }

     getData() within the shopping cart tutorial:

     public function getData($name, $echo = TRUE) {
         if (isset($this->data[$name])) {
             if ($echo) {
                 echo $this->data[$name];
             } else {
                 return $this->data[$name];
             }
         }
         return '';
     }

     When I replace the getData() function of the original login tutorial with the one from the shopping cart tutorial, I am able to log in and out, but no content is displayed any longer (i.e. no menus, no products). I would appreciate your help on how to integrate this properly.
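The two getData() versions quoted above differ in whether the value is returned or printed. As an added example, not code from either tutorial, the Template class below keeps the shopping cart signature (echo by default, return '' afterwards), so a view written as echo $this->getData('x') and a view written as a bare $this->getData('x') each print the value exactly once, and adds an $escape switch so that template data that originated in a request or the database is passed through htmlspecialchars() in one place. The class name, the set() method and the $escape parameter are my assumptions, not part of either tutorial.

```php
<?php
// Added example, not code from the login or shopping cart tutorial.

class Template
{
    private $data = array();

    public function set($name, $value)
    {
        $this->data[$name] = $value;
    }

    // $echo = TRUE  prints the value and returns '' (cart tutorial behaviour),
    //               which also works for "echo $this->getData('x')".
    // $echo = FALSE returns the value (login tutorial behaviour).
    // $escape = TRUE applies htmlspecialchars() to plain strings so a value that
    //               came from user input cannot inject markup; pass FALSE only for
    //               fragments that are already trusted HTML (rendered menus, etc.).
    public function getData($name, $echo = TRUE, $escape = TRUE)
    {
        if (!isset($this->data[$name])) {
            return '';   // unknown key: empty string, no notice
        }
        $value = $this->data[$name];
        if ($escape && is_string($value)) {
            $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        }
        if ($echo) {
            echo $value;
            return '';
        }
        return $value;
    }
}

// Constructed data: a title that looks like it came from a form field.
$t = new Template();
$t->set('title', 'Cart <script>alert(1)</script>');
$t->set('menu', '<ul><li>Home</li></ul>');

echo $t->getData('title'), "\n";          // login-tutorial call style: printed once, escaped
$t->getData('title'); echo "\n";          // cart-tutorial call style: printed once, escaped
$t->getData('menu', TRUE, FALSE); echo "\n"; // trusted HTML fragment, printed unescaped
$raw = $t->getData('title', FALSE);       // value returned for use in code
echo strlen($raw), "\n";
echo $t->getData('missing'), "|\n";       // missing key prints nothing
```

Escaping at output time is the usual place for it in a template class: the data array keeps the raw value, and only the HTML view receives the escaped form, so the same value can still be written to a log or a JSON response unchanged.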
  4. You go to https://developer.paypal.com/ to create a new developer account. Once you have logged in, you go to 'Applications' -> 'Sandbox accounts', where you create new seller and buyer test accounts. After that you select the seller account and click on 'Enter Sandbox Site', where you log in with the credentials of your test account. Within the PayPal Sandbox you go to 'Merchant Services' and click on 'Create payment buttons for your website' and then 'Create a button'. That leads you to the original HTML form generator. The rest works as described in the videos. Hope that helps.
  5. Hi Stefan, after searching for quite some time for the relevant links on PayPal's website this morning, I was able to implement your original solution. They really took a step back in user-friendly design, and their documentation is quite a mess. The older website was much clearer. Once you find your way through their chaos and you find the original button generator, your video explanations are very straightforward. However, I assume that your original solution addresses the Classic API, so if you have an update on the incorporation of the REST API, that would be much appreciated. Yes, I know basic PHP. Thanks.
  6. Hey guys, PayPal changed its APIs and website some time ago, which unfortunately makes the PayPal integration videos (33-39) of your Shopping Cart Tutorial obsolete. I bought your tutorial with the expectation of getting a beginner's explanation of how to effectively integrate PayPal. PayPal now seems to differentiate between the new REST API and the old Classic API, which will only be supported until further notice. Their documentation / website is pretty confusing and not really clear, as the information is all over the place. I would appreciate your guidance on how to implement PayPal with the working PHP cart I built. Are you planning to update the videos on PayPal? I assume that would take a pro only a couple of hours and would surely be appreciated by everyone who bought the tutorial with the expectation of successfully implementing PayPal. Thanks for your feedback.
  7. Hi, thanks for your response. My e-mail should work normally. I have no problems receiving anything... Please let me know when you have a solution. Thanks.
  8. Hi, there seems to be a bug in the shopping cart tutorial. Have a look at the demo version at http://www.killervideostore.com/video-courses/live-demos/PHPCARTOOP/ If you put only 1 item in the cart and manually change the quantity in the input field from 1 to 0, you will get 2 error messages:

     Warning: mysqli::query() [mysqli.query]: (42000/1064): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') ORDER BY name' at line 1 in /home/killervi/public_html/video-courses/live-demos/PHPCARTOOP/app/models/m_products.php on line 165

     Warning: mysqli::query() [mysqli.query]: (42000/1064): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') ORDER BY name' at line 1 in /home/killervi/public_html/video-courses/live-demos/PHPCARTOOP/app/models/m_products.php on line 47

     This seems to relate to the following MySQL query in m_products.php within the functions get() and get_prices():

     ...
     if ($result = $this->Database->query("SELECT id, name, description, price, image FROM $this->db_table WHERE id IN ($items) ORDER BY name")) {
         ...
     }

     Does anyone know how to fix this?
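The warning quoted in post 8 says the syntax error is right before ') ORDER BY name', which is what MySQL reports when the list inside IN (...) is empty: once the last item's quantity is set to 0, $items has nothing in it and the query text ends up as WHERE id IN (). As an added example, not the shopping cart tutorial's code, the functions below return an empty result without querying when the cart is empty, and bind the remaining ids as integer parameters instead of interpolating $items into the SQL string, since the ids come from the visitor's cart. The function names, the $table parameter and the use of mysqli prepared statements with bind_result() are my assumptions about how this would fit m_products.php.

```php
<?php
// Added example, not code from the shopping cart tutorial: build the product
// lookup so that an empty cart never produces "WHERE id IN ()", and bind the
// ids as parameters instead of interpolating the list into the SQL text.

function build_products_query($table, array $item_ids)
{
    // Keep only positive integers: cart ids arriving from the session or a
    // cookie are untrusted input and must not be spliced into the SQL string.
    $ids = array();
    foreach ($item_ids as $id) {
        if (ctype_digit((string) $id) && (int) $id > 0) {
            $ids[] = (int) $id;
        }
    }
    if (count($ids) === 0) {
        return null; // nothing to look up; the caller returns an empty result
    }
    // The table name is the class's own configured value, not user input,
    // but restrict it to a safe character set anyway.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        throw new InvalidArgumentException('invalid table name');
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT id, name, description, price, image FROM `$table` "
         . "WHERE id IN ($placeholders) ORDER BY name";
    return array($sql, $ids);
}

function fetch_products(mysqli $db, $table, array $item_ids)
{
    $built = build_products_query($table, $item_ids);
    if ($built === null) {
        return array(); // empty cart: no query, so no warning
    }
    list($sql, $ids) = $built;
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // mysqli_stmt::bind_param takes its values by reference, so assemble the
    // argument list with references for a variable number of ids (PHP 5.3 style).
    $args = array(str_repeat('i', count($ids)));
    foreach ($ids as $k => $v) {
        $args[] = &$ids[$k];
    }
    call_user_func_array(array($stmt, 'bind_param'), $args);
    $stmt->execute();
    $stmt->bind_result($id, $name, $description, $price, $image);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array(
            'id' => $id, 'name' => $name, 'description' => $description,
            'price' => $price, 'image' => $image,
        );
    }
    $stmt->close();
    return $rows;
}

// Stand-alone check of the query builder with constructed cart contents;
// fetch_products() additionally needs a live mysqli connection.
var_dump(build_products_query('products', array()));
var_dump(build_products_query('products', array('3', '12', 'x', '-1')));
```

The same guard belongs in both get() and get_prices(), since the warning is reported from two different lines of m_products.php; returning an empty array from the model lets the view show an empty cart instead of a MySQL warning.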