Password_Verify Wont Return a Value - passwords

im trying to make a Login System for my Website, i am able to Hash a password and insert the Hashed Data into the Database, however retrieving it is a little bit different.
I Am Making my Page search for the (Hashed Password) for the Given Username in the previous page, as well as the given Password from the previous page. Then getting my code to see if the two passwords match, however, i don't get a value return. And Yes, i am Echoing it, and suggestions?
<?php
session_start();
include 'dbh.php';
$Username = $_POST['Username'];
$Password = $_POST['Password'];
$sql = "SELECT * FROM account WHERE Username='$Username'";
$result = $conn->query($sql);
while ($row = $result->fetch_assoc()) {
$UsernameActualhashedPassword = $row['Password'];
}
$input = $Password;
echo $input;
echo $UsernameActualhashedPassword;
echo password_verify($input, $UsernameActualhashedPassword);


Try this one and look for Sanitizing user for secure login
<?php
session_start();
include 'dbh.php';
$Username = $_POST['Username'];
$Password = $_POST['Password'];
$hashpass = hash_fun($password); // use the same hash function which you have used in the signup
$sql = "SELECT count(*) FROM account WHERE Username='$Username' and
password='$hashpass'";
$result = $conn->query($sql);
if($result>0)
echo "Login success";
else echo "wrong username or password";
?>

Related

user Login web service required using prestashop api

I am working on prestashop web services for my android app, i searched a lot in google, but i did not find proper document/proper explanation. Can any one please guide me how to do user login/authentication using prestashop web services?.

You can make a call to the customer endpoint filtering by the customer's email. The result would have a "passwd" field, which is a hashed password which could either be md5 or bcrypt since Prestashop supports both. You can then hash the customer's password input and compare with the "passwd" field in the response. If the length of the "passwd" field is 32 (md5), you'll need parameter _COOKIE_KEY_ set in /app/config/parameters.php as a salt to generate your hash;
Make the call like this https://yourprestashopurl.com/api/customers?filter[email]=email#email.com&display=full
For md5 (if passwd is 32 characters long):
$hash = md5(_COOKIE_KEY_ . $input_password);
You can then compare $hash with passwd
For bcrypt (if passwd is 60 characters long):
Option 1:
$verify = password_verify($input_password, passwd);
You can accept $input_password when this returns true, otherwise $input_password is invalid
Option 2:
$hash = password_hash($input_password, PASSWORD_BCRYPT);
You can then compare $hash with passwd
Note: password_hash and password_verify are both built-in php functions since PHP 5.5.0

Use the PrestaShop webservices and filter with email and password like below:
http://localhost/api/customers/?filter[email]=test#prestashop.com&filter[password]=19910794b7c0b413e80f58298a8d8300

For those who are still searching for this answer:
<?php
if (isset($_GET["email"]) && isset($_GET["password"]))
{
$email = $_GET["email"];
$password = $_GET["password"];
$COOKIE_KEY = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
$jsonurl = "https://XXXXXXXXXXXXXXXXXXXX#example.com/api/customers?filter[email]=".$email."&display=[passwd]&output_format=JSON";
$json = file_get_contents($jsonurl);
$json_a = json_decode($json, true);
$loopone = $json_a['customers'];
$looptwo = $loopone[0];
$loopthree = $looptwo['passwd'];
$ZCpassword = md5($COOKIE_KEY . $password);
if (strcmp($loopthree, $ZCpassword) == 0) {
echo "sucess";
} else {
echo "fail";
}
}
else
{
echo "Error";
}
?>

PDO LastInsertId returning nothing

For some reason I cannot get the LastInsertId from my PDO insert. I am receiving nothing back, if I place it inside the execute I get -1 because the insert query hasn't run. However when just after the execute to grab the last ID inserted nothing is returned.
php 5.1.6
PECL pdo = 0.1.0
I have looked at following questions and many other stack exchange questions.
lastInsertId does not work in Postgresql
PDO lastInsertId() returns 0
PDO lastInsertId issues, php
However the difference is nothing is returned compared to 0. No errors are recorded either. See the code below.
Connection
try {
$conn = new PDO("pgsql:host=localhost port= dbname=", "", "");
echo "PDO connection object created";
}
catch(PDOException $e) {
echo $e->getMessage();
}
insert / return the last id
$stmt = $conn ->prepare("INSERT INTO sheet_tbl (site_id, username, additionalvolunteers) VALUES(?,?,?)");
$stmt->bindParam(1,$site_id);
$stmt->bindParam(2,$username1);
$stmt->bindParam(3,$additionalvolunteers);
$site_id = $_POST['site_id'];
$username1 = $user->name;
$additionalvolunteers = $_POST['additionalvolunteers'];
$stmt ->execute();
$newsheetID = $conn->lastInsertId('sheet_id');
echo $newsheetID . "last id";

You should be using
$newsheetID = $conn->lastInsertId('sheet_id_**seq**');
Just add _seq after id.

Assumming sheet_id type is SERIAL you can use LASTVAL()
TRY (Not tested as I dont have postgresql)
$newsheetID = $conn->query("SELECT LASTVAL()");
echo $newsheetID . "last id";

I use postgresql in C# with the "RETURNING rowkey" and its has always worked for me.
I also use pdo/php in a lot of applications.
However i dont have a postgres database open to the server right now for testing.
This could should work but it is not tested.
$site_id = $_POST['site_id'];
$username1 = $user->name;
$additionalvolunteers = $_POST['additionalvolunteers'];
$stmt = $conn ->prepare("INSERT INTO sheet_tbl (site_id, username, additionalvolunteers) VALUES(:site_id, :username1, :additionalvolunteers) RETURNING row_id");
$success = $stmt->execute([
'site_id' => $site_id,
'username1' => $username1,
'additionalvolunteers' => $additionalvolunteers
]);
// unsure about this
$newsheetID = $stmt->fetchColumn();
echo $newsheetID . " last id";

Custom Wordpress user which was created directly through SQL does not work for Wordpress login

I used the following code to hash the password:
$password = $_POST['user_pass'];
$hash = wp_hash_password('$password');
What am I missing? The error I get is
ERROR: The password you entered for the username willshatner is incorrect.

This code will not input the password you have sent, because of the single quotes:
$hash = wp_hash_password('$password'); // here the password is set to the string $password
use this code instead:
$hash = wp_hash_password($password); // here the password is set to the value of the variable $password

Since the password is MD5 encrypted, you'd prob have to encrypt the POST to match the db
$password = MD5($_POST['user_pass']);

Username and password are correct but I'm still getting ERROR: SQLSTATE[28000] [1045]

I'm switching from mySql to PDO, but I'm having trouble creating the correct connection to the database. The username and password work in mySql, but I get this error message when I try to connect using the code shown below:
ERROR: SQLSTATE[28000] [1045] Access denied for user 'sean'#'localhost' (using password: NO)
I'm not really sure why it's saying password 'NO' because I'm definitely using the correct password, and there aren't any users named Sean. Is there something wrong with the syntax I'm using for the username or password?
This is the code I'm using (I'm swapping out 'MyPassword' for the actual password)
<?php
session_start();
try {
$conn = new PDO('mysql:host=localhost;dbname=MyDatabase', $clickfi4_root, $MyPassword);
$stmt = $conn->prepare('SELECT * FROM customer_info WHERE id = :id');
$stmt->execute(array('id' => $id));
$result = $stmt->fetchAll();
if ( count($result) ) {
foreach($result as $row) {
print_r($row);
}
} else {
echo "No rows returned.";
}
} catch(PDOException $e) {
echo 'ERROR: ' . $e->getMessage();
}
?>

The error message said:
(using password: NO)
Which means a password was not used in the login attempt.
Check the value of $MyPassword.
Also, try using an account other than the root. It's not the best practice anyway.

Sometimes username#127.0.0.1 does the trick instead of username#localhost.

Turns out that the syntax in the net tuts tutorial I was using was slightly wrong. It works when I remove the '$' before the username and password :-)
$conn = new PDO('mysql:host=localhost;dbname=MyDatabase', clickfi4_root, MyPassword);

For future Googlers, I had the same problem just now and I was pretty sure that password was correct. Yes password was correct indeed but the problem is how I generate password and how I keep password in config file.
If you use a random password generator like me make sure you don't have $ dollar sign in your password.
If you have $ in you password then make sure you keep you password in config file like this
$pass = 'randomchars$morerandom';
but not like this
$pass = "randomchars$morerandom";

How to do mysql_fetch_array in Magento

I want to create a drop down option using Magento module that populate the data from the database I created.
Previously, I have this code in My IndexController.php which is work. This is the first code.
public function dropdownAction() {
if (file_exists('./app/etc/local.xml')) {
$xml = simplexml_load_file('./app/etc/local.xml');
$tblprefix = $xml->global->resources->db->table_prefix;
$dbhost = $xml->global->resources->default_setup->connection->host;
$dbuser = $xml->global->resources->default_setup->connection->username;
$dbpass = $xml->global->resources->default_setup->connection->password;
$dbname = $xml->global->resources->default_setup->connection->dbname;
}
else {
exit('Failed to open ./app/etc/local.xml');
}
$link = mysql_connect($dbhost,$dbuser,$dbpass);
mysql_select_db($dbname) or die("Unable to select database");
$tblname = $tblprefix.'my_db_table';
$result = mysql_query("SELECT dropdowndata FROM ".$tblname."");
echo '<select>';
while ($ary = mysql_fetch_array($result)){
echo "<option>" . $ary['dropdowndata '] . "</option>";
}
echo "</select>";
mysql_close($link);
}
But I think the code above is not the Magento way. Do you agree?
Now, I want to populate the data with this code in IndexController.php. This is the second code.
public function dropdownAction() {
$options= Mage::getModel('my/model')->getCollection();
foreach($options as $option){
$optionData = $option->getDropdowndata ();
echo "<select>";
echo "<option>" .$optionData."</option>";
echo "</select>";
}
}
Using the code above, the data was populated but one data with one drop down option. So there are so many drop down options appear on the browser, each drop down option will contain only one data.
I think I am missing the while ($ary = mysql_fetch_array($result)). But I confuse how to include that code?
So, my question is how to do mysql_fetch_array in Magento? Or can somebody please explain how to make the second code above work like the first code.

getData() function returns an array of the whole data, and of course need move 'select' nodes out of the foreach
echo "<select>";
foreach($options as $option){
$optionData = $option->getData();
echo "<option>" .$optionData['somekey'] ."</option>";
}
echo "</select>";
But I think would be better use the magento magic functions, for example if you have 'entity_id' column in DB you can get value using $option->getEntityId(), etc...

And why do you have select inside of foreach? I think something like this will solve your problem:
public function dropdownAction() {
$options= Mage::getModel('my/model')->getCollection();
echo "<select>";
foreach($options as $option){
$optionData = $option->getDropdowndata ();
echo "<option>" .$optionData."</option>";
}
echo "</select>";
}