MYSql Password Insert

[about2flip]

Hi:

I am creating a table for users via PHPMyAdmin. One of the fields is a password field. What is the correct syntax to create the password field so it will be hashed. i.e, not visible.

Thanks for your help.

 

[jpadie]

it doesn't work that way. the field is just varchar or whatever. you has the data either with the password function in mysql (i don't recommend this) or with some other oneway encryption like md5 or sha.

$sql = "Insert into $table set passwdfld = PASSWORD('sometext');";

or

$pwd = md5("sometext");
$sql = "insert into $table set passwdfld='$pwd'";

 

[about2flip]

so when I create the table for example:

`email` varchar(20)NOT NULL defualt '',
`password` varchar(30) '',

would this just create a field named password? or when my script writes the user information to the DB the script above will create a password field along with the user pw.

$pwd = md5("sometext");

what is sometext?

Thanks

 

[jpadie]

it would just create a field named password. you put into the field whatever you wish.

but - don't call it password otherwise you will always have to use backticks to be sure of referencing the column rather than the function. better to call it pwd or the like.

"sometext" is the user's password! i.e. md5("let_me_in").
md5 is a hashing algorithm (sorry if this is evident).

 

[about2flip]

Here I am again. I have a few issue, needs some advice.

1. How do I get the user password into the table I created via the code below:

2. If the zipcode begins with 0, it does not show up in the zipcode field. Ex: 07017 will look like 7017.

3. my phone number field is not inputting the correct phonenumber. It is displaying something totally different from what I put in.

4. the code below is a verify.php file which should display the user information, have the user submit after verifying, and then it write to the DB. Instead, once the user submits all the information on the first form, it writes the user info to the db w/o displaying the info.

<html>
<head></head>
<body>
<?php
if(isset($_POST['submit'])) {
echo "Please verify your information that you entered:<br><br>
First Name:".$_POST['first_name']."<br>
Last Name:".$_POST['last_name']."<br>
Street Address:".$_POST['street_address']."<br>
City:".$_POST['city']."<br>
State:".$_POST['state']."<br>
Zip Code:".$_POST['zipcode']."<br>
Phone Number:".$_POST['phone_number']."<br>
User Name:".$_POST['username']."<br>
Email:".$_POST['email']."<br>";
}
?>

<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
<input type="hidden" name="first_name" value="<? $_POST['first_name']; ?>">
<input type="hidden" name="last_name" value="<? $_POST['last_name']; ?>">
<input type="hidden" name="street_address" value="<? $_POST['street-address']; ?>">
<input type="hidden" name="city" value="<? $_POST['city']; ?>">
<input type="hidden" name="state" value="<? $_POST['state']; ?>">
<input type="hidden" name="zipcode" value="<? $_POST['zipcode']; ?>">
<input type="hidden" name="phone_number" value="<? $_POST['phone_number']; ?>">
<input type="hidden" name="username" value="<? $_POST['username']; ?>">
<input type="hidden" name="email" value="<? $_POST['email']; ?>">
<input type="submit" value="Submit">

<?php

// form submitted
// server accesss variables
include("dbinfo2.php");

//make sure all fields are filled in

$firstname = empty($_POST['first_name']) ? die ("Error: Enter your First Name") :
mysql_escape_string($_POST['first_name']);

$lastname = empty($_POST['last_name']) ? die ("Error: Enter your Last Name") :
mysql_escape_string($_POST['last_name']);

$address = empty($_POST['street_address']) ? die ("Error: Enter your Street Address") :
mysql_escape_string($_POST['street_address']);

$city = empty($_POST['city']) ? die ("Error: Enter your City") :
mysql_escape_string($_POST['city']);

$state = empty($_POST['state']) ? die ("Error: Enter your State") :
mysql_escape_string($_POST['state']);

$zipcode = empty($_POST['zipcode']) ? die ("Error: Zipcode") :
mysql_escape_string($_POST['zipcode']);

$phonenumber = empty($_POST['phone_number']) ? die ("Error: Enter your Phone Number") :
mysql_escape_string($_POST['phone_number']);

$username = empty($_POST['username']) ? die ("Error: Enter your User Name") :
mysql_escape_string($_POST['username']);

$email = empty($_POST['email']) ? die ("Error: Enter your Email") :
mysql_escape_string($_POST['email']);

//open connection to db
$connection = mysql_connect($host, $user, $pw) or die ("Unable to Connect");

//select db
mysql_select_db($db) or die ("Unable to select database!");

//create query
$query = "INSERT INTO users (first_name, last_name, street_address, city, state, zipcode,
phone_number, username, email) VALUES ('$firstname', '$lastname', '$address', '$city',
'$state', '$zipcode', '$phonenumber', '$username', '$email')";

//execute query
$result = mysql_query($query) or die ("Error in query: $quesry. ".mysql_error());

//print message with ID
echo "New record inserted with ID ".mysql_insert_id();

//close connection
mysql_close($connection);

?>

</form>
</body>
</html>

 

[lgarner]

1. Where's this user password coming from? I don't see any mention of a password in your program.

2. What's the column defition for "zip"? If I create a varchar column and add '09712' it works fine.

3. Try displaying the SQL statement to see what's going in there: "echo $query"

4. Check the value of $_POST['submit']. I don't know- is it case-sensitive? On this form you use "Submit", check the other one.

 

[about2flip]

#2. I was told that zip was int. Is that not right?

#1. Password is coming from the first form, where the user inputs the information. I took it out because when it displayed it showed the user password.(not sure if that was right) Also it would not insert into the DB correctly. I'm not sure If I just say password, $password, or what?

 

[jpadie]

there is nothing magic about the password. it is just plain text.

in html if the type is set to hidden it won't display when the user types it - but it's still there.

in php you just treat it like text. see my loginscript for an example of this working in practice.

 

[lgarner]

If it's an integer, leading zeroes will be dropped. Zip codes and phone numbers should be strings.

The password field should be type "password", not "hidden" on the form where the user types it to have it appear as asterisks. After the form is submitted, as jpadie says, it's just another text field. Set the DB column = the password value like any other field and it should work. You can use crypt(), md5() or MySQL's password() function to encrypt the password before storing it.

 

[jpadie]

Password is coming from the first form, where the user inputs the information. I took it out because when it displayed it showed the user password.(not sure if that was right) Also it would not insert into the DB correctly. I'm not sure If I just say password, $password, or what?

when you say "took it out", does that mean you don't store it anywhere between the password entry field and the verify page? if so, how do you allow the verify page to get hold of it? have you stored it in a session variable when the form is first submitted? (i don't see a session_start() function call in your code)

 

[about2flip]

I want thank all who helped with the issue I was having with the password, so I figured it out. The problem I am having now is info is submitted from form 1, at form two which is the code below, it does not show the info for user to verify before it writes to the DB. I'm figuring I am miss using else if statements or something. I new to php, and learning.
So what the code below does, is it verifies to make sure all fields are filled in, but if all fields are filled in, it is suppose to show the user what they put in. So if all is correct with the user they hit the submit button and then I want it to write to the DB.

Any help is greatly appreciated. Thanks

<html>
<head></head>
<body>
<?php
if(isset($_POST['submit'])) {
echo "Please verify your information that you entered:<br><br>
First Name:".$_POST['first_name']."<br>
Last Name:".$_POST['last_name']."<br>
Street Address:".$_POST['street_address']."<br>
City:".$_POST['city']."<br>
State:".$_POST['state']."<br>
Zip Code:".$_POST['zipcode']."<br>
Phone Number:".$_POST['phone_number']."<br>
User Name:".$_POST['username']."<br>
Password:".$_POST['password']."<br>
Email:".$_POST['email']."<br>";
}
?>

<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
<input type="hidden" name="first_name" value="<? $_POST['first_name']; ?>">
<input type="hidden" name="last_name" value="<? $_POST['last_name']; ?>">
<input type="hidden" name="street_address" value="<? $_POST['street-address']; ?>">
<input type="hidden" name="city" value="<? $_POST['city']; ?>">
<input type="hidden" name="state" value="<? $_POST['state']; ?>">
<input type="hidden" name="zipcode" value="<? $_POST['zipcode']; ?>">
<input type="hidden" name="phone_number" value="<? $_POST['phone_number']; ?>">
<input type="hidden" name="username" value="<? $_POST['username']; ?>">
<input type="hidden" name="password" value="<? $_POST['password']; ?>">
<input type="hidden" name="email" value="<? $_POST['email']; ?>">
<input type="submit" value="submit">

<?php

// form submitted
// server accesss variables
include("dbinfo2.php");

//make sure all fields are filled in

$firstname = empty($_POST['first_name']) ? die ("Error: Enter your First Name") :
mysql_escape_string($_POST['first_name']);

$lastname = empty($_POST['last_name']) ? die ("Error: Enter your Last Name") :
mysql_escape_string($_POST['last_name']);

$address = empty($_POST['street_address']) ? die ("Error: Enter your Street Address") :
mysql_escape_string($_POST['street_address']);

$city = empty($_POST['city']) ? die ("Error: Enter your City") :
mysql_escape_string($_POST['city']);

$state = empty($_POST['state']) ? die ("Error: Enter your State") :
mysql_escape_string($_POST['state']);

$zipcode = empty($_POST['zipcode']) ? die ("Error: Enter your Zipcode") :
mysql_escape_string($_POST['zipcode']);

$phonenumber = empty($_POST['phone_number']) ? die ("Error: Enter your Phone Number") :
mysql_escape_string($_POST['phone_number']);

$username = empty($_POST['username']) ? die ("Error: Enter your User Name") :
mysql_escape_string($_POST['username']);

$password = (md5($password));empty($_POST['password']) ? die ("Error: Please enter a Password"):
mysql_escape_string($_POST['password']);

$email = empty($_POST['email']) ? die ("Error: Enter your Email") :
mysql_escape_string($_POST['email']);

//open connection to db
$connection = mysql_connect($host, $user, $pw) or die ("Unable to Connect");

//select db
mysql_select_db($db) or die ("Unable to select database!");

//create query
$query = "INSERT INTO users (first_name, last_name, street_address, city, state, zipcode,
phone_number, username, password, email) VALUES ('$firstname', '$lastname', '$address', '$city',
'$state', '$zipcode', '$phonenumber', '$username', '$password', '$email')";

//execute query
$result = mysql_query($query) or die ("Error in query: $quesry. ".mysql_error());

//print message with ID
echo "New record inserted with ID ".mysql_insert_id();

//close connection
mysql_close($connection);

?>

</form>
</body>
</html>

 

[jpadie]

i'm assuming that in the first form you are also using a button called "submit". so the first test always hits true.

within the isset($_POST['submit']) conditional try then testing for the value of the element. in the first form, call the value "Submit" and in the second call it "Confirm".

then in your conditional: if the value is submit show the verify data and if it is confirm then do the datbase write.