Beginners Questions


Virtual-Instructor

Ok so now that I am working with PHP Logins I have a simple question to ask. The table that I have attached to this post is my members table. In the examples in the PHP Login videos the table contains an ID and a password. Here again I built this table with a little forethought in mind. Because my site will incorporate several different levels of user, I needed to make sure that I could distinguish between the various roles and then display the appropriate information based on the data returned. What I would like to know is should I continue to use this table for my logins, or should I keep that separate. The reason that I ask this is because I will eventually be working with emails and I figured that grabbing that information would be very simple if I already have it stored on the dbase for the members table? Anyone have any insight on this?

members table.PDF


Sounds like what you are doing is fine so far. I wouldn't separate out that information unless you have a lot of personal information to store. I believe in video 17/18 I talk about creating different member roles, so that should help you out.

  • Upvote 1

I figured as much, and I will be looking forward to those videos when I get there. On to part 4!


Ok this should be working, but for some reason I can't get it to work. I'm trying to work through video 4 of the login series. I've got a pretty good idea of what is going on, but when it comes to the log in error in reference to the username and password, I can't seem to get the page to display correctly. I've attached what I get when I enter in the wrong username and password. Below I have copied the code that I am using.

 

if (isset($_POST['submit']))
{
    //Process the form
    if($_POST['usernmae'] == '' || $_POST['password'] == '')
    {
        //both fields need to be filled in
        if ($_POST['username'] == '') {$error['user'] = 'required!';}
        if ($_POST['password'] == '') {$error['pass'] = 'required!';}
        $error['alert'] = 'Please fill in the Required Fields';

        $input['user'] = $_POST['username'];
        $input['pass'] = $_POST['password'];

        include('views/v_login.php');
    }
    else
    {
        $input['user'] = htmlentities($_POST['username'], ENT_QUOTES);
        $input['pass'] = htmlentities($_POST['password'], ENT_QUOTES);

        // create query
        if ($stmt = $mysqli->prepare("SELECT * FROM members WHERE username=? AND password=?"))
        {
            $stmt->bind_param("ss", $input['user'], md5($input['pass'] . $config['salt']));
            $stmt->execute();
            $stmt->store_result();

            if ($stmt->num_rows > 0)
            {
                // set session variable
                $_SESSION['username'] = $input['user'];

                header('Location: members.php');
            }
            else
            {
                // username/password incorrect
                $error['alert'] = "Username or password incorrect!";
                include('views/v_login.php');
            }
        }
        else
        {
            echo "ERROR: Could not prepare MySQLI statement.";
        }
    }
}
else
{
    include('views/v_login.php');
}

?>

 

I'm not seeing any coding errors so this should work.


I'm not seeing any attachment, but I'm seeing an incorrect spelling here:

 

if($_POST['usernmae'] == '' || $_POST['password'] == '')

 

That isn't necessarily the issue (I can't see the error message you are getting) but that's the first thing I would fix.

 

Seems to me like a lot of your current mistakes come down to misspellings, forgetting a character or adding in an unnecessary character... perhaps you'd be better off putting the project aside for five minutes and coming back to it with fresh eyes, rather than posting to the forum immediately? I'm happy to help, but you should be able to catch these sort of errors yourself. Hopefully the more you work with PHP, the easier it will be to spot these sort of things.

  • Upvote 1

$stmt->bind_param("ss", $input['user'], md5($input['pass'] . $config['salt']));

 

How about a little clarification here. I've got a pretty firm grip on sql statements and binding the parameters. In this example the addition of the . $config['salt'] is making me take a double take. We set the md5 up in the temp folder then used that code in the config.php. If we are setting the string as an md5, why do we need to append the string with .$config['salt']?

 

md5($input['pass'] . $config['salt'])). I am assuming that the md5 is telling php that this is an encrypted input and for the input we will use the pass variable that we assigned; that makes sense. Adding the . $config['salt'] to the statement tells me that while we have 32 characters, our password is only 5, therefore we will fill in the remaining 27 with the remainder of the random string. This is the way that I am seeing this work in my mind, but I'm not sure if that is correct. Can someone help me out on this one?


Basically, the salt is there to make the user's chosen password a bit more secure when stored within the database. You are concatenating the user's input ($input['pass']) with the salt ($config['salt']) and then doing the md5 encryption on the entire string, which then converts it to a 32 character string.

 

An example:

 

salt: 4jdJhdv?l

user's password: admin

 

so you are binding md5("admin4jdJhdv?l") into the MySQLi statement.

 

The goal of this isn't really to make the user's password more secure (since the user themselves have control over that) but adding a salt to the user's password makes storing the password in the database more secure. If someone manages to break into/get a hold of the database, it makes breaking the stored passwords harder, since they have a longer/more random string to deal with.

 

Recent advice seems to suggest that if you want strong encryption, you actually don't use md5(), since computers nowadays are powerful enough that it is easier to do a brute force attack to find the password... but I'll leave it at that for now. For the moment, this is good enough -- I don't want to confuse things by throwing too much information at you -- and you can look at encryption again in the future if you need something that is more secure.

  • Upvote 1
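
Added example (not part of the posts above or of the video series' code): the thread's md5(password . site-wide salt) scheme beside PHP's built-in password_hash()/password_verify(), which generate a random salt per password and store it inside the hash. The $members array is a constructed stand-in for the members table, and check_login() is a hypothetical helper that also upgrades old md5 rows on a successful login.

```php
<?php
// Added example. The salt value is the one from the post's example; the
// $members array is constructed sample data standing in for the members table.
$config = ['salt' => '4jdJhdv?l'];

$members = [
    // Legacy rows: md5(password . site-wide salt), as in the thread.
    'alice' => ['password' => md5('admin' . $config['salt'])],
    'bob'   => ['password' => md5('admin' . $config['salt'])],
];

// Same password + same salt gives the same digest for every user, so one
// recovered password exposes every account that shares it.
$sameDigest = $members['alice']['password'] === $members['bob']['password'];

/**
 * Hypothetical helper: check a login and migrate legacy md5 rows.
 * Returns true on success; $members is updated in place on upgrade.
 */
function check_login(array &$members, array $config, string $user, string $pass): bool
{
    if (!isset($members[$user])) {
        return false;
    }
    $stored = $members[$user]['password'];

    // A legacy md5 digest is exactly 32 hex characters; password_hash()
    // output starts with '$' and carries its own algorithm, cost and salt.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        $ok = hash_equals($stored, md5($pass . $config['salt']));
    } else {
        $ok = password_verify($pass, $stored);
    }

    // After a successful login, replace legacy or outdated hashes.
    // password_hash() draws a fresh random salt on every call.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $members[$user]['password'] = password_hash($pass, PASSWORD_DEFAULT);
    }
    return $ok;
}

echo "legacy digests identical: ";
var_dump($sameDigest);
echo "alice logs in: ";
var_dump(check_login($members, $config, 'alice', 'admin'));
echo "bob logs in: ";
var_dump(check_login($members, $config, 'bob', 'admin'));
echo "migrated hashes identical: ";
var_dump($members['alice']['password'] === $members['bob']['password']);
echo "wrong password accepted: ";
var_dump(check_login($members, $config, 'alice', 'wrong'));
```

With this layout the login query selects the row by username only and the comparison happens in PHP, because a per-password salt means the hash cannot be recomputed inside the WHERE clause.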

Ok that clears things up a bit more. Now I just have two follow-on questions and I should be good.

1. What does the actual encryption, the md5 or the salt? In this case it seems like it would be the md5.

2. Does the same salt work for all user passwords, or do I have to generate another salt for each password that is loaded to the dbase?


Thanks Ben that clears that up a great deal and it now makes sense.

 

I would like to ask a side question about the videos. In each file I have several other files. For example in the PHP Login folder, I have the following files. PHP Login Part 1, 2 and 3. I also have PHP Login Project files Part 1, 2, 3 & 4. This is common throughout most of the video files that I have. What I am trying to figure out is what the Project files are for. When looking at them they look like the code that is being covered in the videos, but what is the purpose of that? Should I be printing these out and taking notes on them as I go, or do they serve another function that I am not aware of as of yet?


The project files are there as a reference. They contain the completed code from the videos, so if you want to compare your code against mine, or want to be able to look at the code without watching the videos, you can. I usually create a zip of the code after the series is complete, or after every major revision if I record a couple videos at a time. For example, you should have a couple different project code files:

 

Simple PHP Login System Source Files (Parts 1-7)

Simple PHP Login System Source Files (Parts 8-9)

Simple PHP Login System Source Files (Parts 10-16)

Simple PHP Login System Source Files (Parts 17-18)

 

In this case, I did that because I recorded the series in a couple different sections and added to it later. I don't want users to have to view the entire video series to view the source code.

  • Upvote 1

In video 7 you talked about php security. In particular you said something to the effect that when we are using a mysqli prepare stmt that it automatically escapes the entries so we really don't need to use the htmlentities ENT_QUOTES code. I am wondering, if I leave that code in there will it still work the same. My thinking here is that you can never have too much security.


In watching these last videos in the part 1 folder for the php login series, it's talking about automatically logging out a user if they show inactivity for a certain period of time. I have two questions on this matter.

 

1. This is a lot of additional code to place into these documents and it seems that they are beginning to clog things up a bit. I'm wondering if I can write the code once and then drop it in with an includes statement. If this is true, then would you call them with the rest of the includes statements when the code opens or only when needed?

2. I understand that last active variable is looking for a time duration of inactivity, but I'm wondering what exactly defines that inactivity. I suppose what I am really asking is will this execute if someone is using the mouse and looking at the page, or do they actually have to be typing in something on the page.


1) Yes, you can use an include. However, it's only necessary when the user is logged in, so you may not want to include it in all pages.

 

2) Inactivity is defined -- with this code, at least -- as the period of time between page loads. So, if the amount of inactivity is set to 5 minutes, that means that if the user does not refresh the page/change pages within five minutes, when the page is next changed/refreshed, they will be asked to log in again. This is simply time oriented -- if the user is logged in on the same page for five minutes and is actually typing in something the entire time, it will still log the user out. I would suggest that it only automatically logs out members after a semi-significant amount of time, so you can be just about sure that they are actually inactive. You can always remove this functionality if you don't find it useful.

  • Upvote 1
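
Added example (not the code from the videos): an idle-timeout check written once as a function so it can live in a single include, showing that "inactivity" is measured only between page loads. The names IDLE_LIMIT, idle_timeout_expired(), the 'last_active' key and login.php are assumptions, and the page loads are simulated with constructed timestamps.

```php
<?php
// Added example. Hypothetical names: IDLE_LIMIT, idle_timeout_expired(),
// and the 'last_active' session key.
const IDLE_LIMIT = 300; // seconds; the 5 minutes used in the post above

/**
 * Call once per request on members-only pages. Returns true when the gap
 * since the previous page load exceeds $limit, and clears the session data.
 */
function idle_timeout_expired(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (!isset($session['username'])) {
        return false; // nobody is logged in, nothing to expire
    }
    // First request after login has no timestamp yet: treat it as active now.
    $last = $session['last_active'] ?? $now;

    if ($now - $last > $limit) {
        $session = []; // drop username and every other session value
        return true;
    }
    $session['last_active'] = $now; // only a page load refreshes the timer
    return false;
}

// Real use, after session_start() in a members-only page (login.php is a
// placeholder name):
//   if (idle_timeout_expired($_SESSION, time())) {
//       session_destroy();
//       header('Location: login.php');
//       exit;
//   }

// Simulated page loads at constructed times. Typing or mouse movement between
// loads never reaches the server, so it cannot reset the timer.
$session = ['username' => 'alice'];
$t0 = 1700000000; // constructed Unix timestamp
foreach ([0, 120, 290, 700] as $offset) {
    $expired = idle_timeout_expired($session, $t0 + $offset);
    printf("t+%3ds: %s\n", $offset, $expired ? 'logged out' : 'still logged in');
}
```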

Thanks Ben, that helps.


I'll leave this one open to anyone that can make it work.

 

I've been doing some research lately trying to make some functionality work. Specifically date and time functions. Both will be used in several places throughout the site, but I believe that if I can make it work in one I can make it work anywhere. Let me explain some specifics.

 

I have a new request form that I am building. In the form the time and date fields are hidden.

 

<?php
// Grab and Format Date
$current_date=date('Y-m-d');
// Grab and format time
$current_time=strftime('%H:%M:%S');
?>
<h1>Welcome to BVA Share the Cockpit</h1>

<hr />

<!--Create Hidden field for the Received Date-->
<input type="hidden" name="date" value="<?php echo $current_date ?>" />

<!--Create Hidden field for the Received Time-->
<input type="hidden" name="time" value="<?php echo $current_time ?>" />

 

I'm happy to say that through research and a lot of trial and error, I am successfully collecting and storing the data in the dbase. Where I am having a problem, is that both time and date are showing up in GMT. Because the community is based out of Boston, all the times that we use are on eastern time zone. It therefore stands to reason that our times need to be in that same time. I've been doing some research on the DateTimeZone::getOffset function but can't seem to get it right. If anyone can help me with the syntax I'd appreciate it. I think that my problem is the way I'm entering variables, but I can't quite figure out why. Any thoughts anyone.


I think there are a couple different ways you can handle this:

 

1) If you simply want to put all times in Boston time, you can set the default time zone using http://php.net/manual/en/function.date-default-timezone-set.php and I believe that will automatically set all uses of date/time functions to use the correct timezone. Alternately, you can specify the default timezone and default timezone offset in a configuration file for your application, and then adjust any dates/times based on that offset within the config file.

 

2) If you want the site to be able to show different times for different users, and have those times adjusted by their local timezone, then you may need to make that a per-user setting, allowing each user to choose their default time zone, and then store all dates/times in one standard time (probably GMT or UTC) and then adjust any dates/times based on their set timezone using the getOffset() function.

 

Also, search http://stackoverflow.com/ for "php timezone" and you may be able to find some posts/solutions to this issue. I usually look there first when I am having issues with something.

 

I should also point out... I don't believe there is any reason for those hidden date/time fields. You should be able to use PHP to get the current date/time when you are processing the form, before you update the database.

  • Upvote 1
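
Added example (not from the thread's project): the received timestamp is taken from the server clock while the form is processed, stored in UTC, and converted to a named time zone only for display. Hidden form fields are client-supplied and can be changed before submission, so they are ignored here; the $_POST contents, the to_local() helper and the sample dates are constructed for illustration.

```php
<?php
// Added example. $_POST is constructed sample input; a real request would
// supply it. The hidden date/time values stand for tampered client data.
$_POST = ['name' => 'Sample Pilot', 'date' => '1999-01-01', 'time' => '00:00:00'];

// Take only the fields the user is meant to fill in. The client's
// date/time fields are deliberately not read.
$request = ['name' => trim($_POST['name'] ?? '')];

// Received time comes from the server, in UTC, at processing time.
$received = new DateTimeImmutable('now', new DateTimeZone('UTC'));
$request['received_utc'] = $received->format('Y-m-d H:i:s');

/**
 * Hypothetical helper: convert a stored UTC 'Y-m-d H:i:s' string to a
 * display string in the given time zone (per-site or per-user setting).
 */
function to_local(string $utc, string $tz): string
{
    $dt = new DateTimeImmutable($utc, new DateTimeZone('UTC'));
    return $dt->setTimezone(new DateTimeZone($tz))->format('Y-m-d H:i:s T');
}

echo "stored (UTC):   ", $request['received_utc'], PHP_EOL;
echo "shown (Boston): ", to_local($request['received_utc'], 'America/New_York'), PHP_EOL;

// Constructed winter and summer timestamps: a named zone follows daylight
// saving time, which a fixed hour offset in a config file would not.
echo to_local('2024-01-15 22:00:00', 'America/New_York'), PHP_EOL;
echo to_local('2024-07-15 22:00:00', 'America/New_York'), PHP_EOL;
```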

:clap: Ben thanks again. The date_default_timezone_set was the solution.

 

date_default_timezone_set('America/New_York');
$current_time = strftime('%H:%M:%S');
echo $current_time;

 

I was trying to solve this one on my own but kept hitting the brick wall. (Anyone have any Aspirin?) I want to make sure I am clear on your last statement. Are you saying that I don't even have to put the fields in the form, but just add the code into the php that captures the rest of the variables from the form?


If I am understanding what you are trying to do correctly, yes. If you are simply trying to get the current date/time to add to the database, there's no reason that needs to be added as a hidden field in the form. You can do that after you have validated the form (so you know all the form values are valid and the form has been submitted successfully) but just before you update the database.

 

Also, keep in mind that MySQL has some time functions built in. It's possible you could use the NOW() function to get the current time, rather than having to do that with PHP. http://www.tizag.com/mysqlTutorial/mysql-time.php However, I'm not sure how that would affect your timezone issue, so you'd need to experiment. It's also possible that MySQL has a function similar to date_default_timezone_set(), but I'd have to do some research and check. At this point though, if what you have is working, you may not want to mess with it.

  • Upvote 1

You know I did some work with it and it appears to be working as is. The end question will be determining if I will be able to get the information out of these later when I get there. I've run into a new problem with time in reference to getting information out. The dbase says 17:00:00 but when I try to extract the hour and minutes, it spits out 22:12. I'm not sure why just yet, but I am of the opinion that this is most likely due to the way it was initially input. Either way I have something to keep me busy for a while. I'm sure that I will eventually get there, it's just a matter of working it out in my brain.

 

You may be interested to know that I removed the hidden fields and picked up the date and time from the php code and it worked like a charm.


Sounds like that is an issue with the way you are getting the data from the database, not with how it's being saved (assuming the database contains the correct value).


  • 1 month later...

I have a question about MVC. While I think I understand the base concept, I am still having a hard time wrapping my brain around this thing. I think what I am having trouble with is what is being view. For example, on the site that I am developing I clearly have a separation between members and non members and further still, students and mentors among the members. I have content that I want to allow non members to see and further more detailed content for members. Does this constitute simply another view or another model and view for non members. Building on top of that, would my members page be different? I think I've almost got this, but still need a little clarification.
