php3 to php5 - DB module password/login

  • phphelpneeded
    New Member
    • Feb 2014
    • 3

    php3 to php5 - DB module password/login

    Hello, I entered a password protection to an admin module for a database a few years back using php3. Now the server has migrated to 5 and it does not work anymore. I have looked at php.net but do not really know where to start.

    First page has:
    Code:
    <form method="post" action="ConnectDB.php3" name="connection" onSubmit="return verifChamp(document.forms[0])">
    <input type="text" name="login" size="20" maxlength="20">
    <input type="password" name="pass" size="20" maxlength="20">
     <input type="submit" name="connect" value="Connecter">
    </form>

    The second page, ConnectDB.php3, has:
    Code:
    <?
    $ok=0;
    if( isset ($conn) && $conn=="OK") {
    	$ok=1;
    }
    else {	
    	
    $u="Uxx";
    $p="yyy";
    $h="zzz";
    
    mysql_connect($h,$u,$p);
    
    $resPass=mysql(DBxx,"SELECT login, password FROM connection WHERE login = '$login' AND password = '$pass'");
    $nbPass=mysql_numrows($resPass);
    
    if( $nbPass < 1 ) 
    	$ok=0;
    else
    	$ok=1;
    }
    
    if( !$ok ) :
    
    ?>
    Any ideas where I can find the info or even better - where is it wrong..?

    Very grateful for help.
    Last edited by Dormilich; Feb 7 '14, 06:56 AM. Reason: Please use [CODE] and [/CODE] tags when posting code or formatted data.
  • Dormilich
    Recognized Expert Expert
    • Aug 2008
    • 8694

    #2
    if you’re switching from PHP 3 to PHP 5, I recommend a complete rewrite. so much has changed that simply applying some fixes won’t do it in the long run.


    • phphelpneeded
      New Member
      • Feb 2014
      • 3

      #3
      Thank you Support and Dormilich

      Apologies about my incorrect way of posting.

      D- I appreciate the suggestion. Any ideas where I can find and read up on a similar php5 function, i.e. a password for entering (and changing) a DB?


      • Dormilich
        Recognized Expert Expert
        • Aug 2008
        • 8694

        #4
        for working with a DB, you’ll find something in the Manual’s PDO or MySQLi sections (note that the old mysql_* functions are deprecated).

        your other problem—SQL Injection—there Google will provide a plethora of explanations.

        depending on your exact version of PHP 5, you can take advantage of password hashing functions like password_hash(). generally, passwords should never be stored in plain text (a matter of security), therefore you should hash them.

        since register_globals is now removed from PHP (another security matter), you fetch your user-supplied data from one of the superglobals (depending on your transfer method that would primarily be $_GET and $_POST).

        short tags should not be used anyways, typing those three extra letters (i.e. <?php instead of <?) does not have any effect on performance.

        the SQL query itself. since you only want to know, if there is a match or not, return the number of matches via SQL’s COUNT() function (PS. fetching data is more reliable than counting result rows). besides that, in SQL never request data you don’t need. therefore the SQL wildcard * is a no-go.
        a sensible login query looks like
        Code:
        SELECT COUNT(*) FROM mytable WHERE username = ? AND password_hash = ?;
        tip: "connection" is a poor name for a table that stores user data (and not connections)

        tip: make sure to set indexes on the DB table. makes the queries much faster


        note: .php3 is a bad choice for a PHP 5 file extension. just the generic .php suffices.


        JavaScript: event handlers should be defined inside JavaScript. doing that inside HTML makes it more complicated to read and maintain, and cuts down on possibilities.

        e.g.
        Code:
        document.forms[0].addEventListener("submit", verifyChamp);
        
        function verifyChamp(evt) 
        {
            // note: the form element is in the variable 'this'
        
            // do validation (set valid to false when a check fails)
            var valid = true;
        
            // cancel submission if something is wrong
            if (!valid) {
                evt.preventDefault();
            }
        }

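Added example, not code from the thread: a PHP 5.5+ login check that combines the points in post #4 (PDO prepared statement, input taken from $_POST rather than register_globals, password_hash()). Because password_hash() salts each hash randomly, the stored hash is fetched by username and checked with password_verify() instead of being matched in the WHERE clause; the `users` table, its columns and the in-memory SQLite DSN are assumptions so the script runs on its own.

```php
<?php
// Added example: table/column names and the SQLite DSN are assumptions, not the poster's schema.

function check_login(PDO $db, $login, $pass)
{
    // Reject array-valued form fields (e.g. login[]=x) before they reach the query.
    if (!is_string($login) || !is_string($pass)) {
        return false;
    }
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute(array($login));
    $hash = $stmt->fetchColumn();   // false when no such user exists

    // password_verify() re-derives the hash using the salt stored inside $hash.
    return is_string($hash) && password_verify($pass, $hash);
}

// Constructed sample data so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(array('admin', password_hash('correct horse', PASSWORD_DEFAULT)));

// On the real page the values come from the superglobal:
//   $login = isset($_POST['login']) ? $_POST['login'] : '';
//   $pass  = isset($_POST['pass'])  ? $_POST['pass']  : '';
$attempts = array(
    array('admin', 'correct horse'),      // valid credentials
    array('admin', 'wrong'),              // wrong password
    array("' OR '1'='1", "' OR '1'='1"),  // quotes are bound as data, never parsed as SQL
    array('nobody', 'x'),                 // unknown user
);
foreach ($attempts as $a) {
    printf("%-14s => %s\n", $a[0], check_login($db, $a[0], $a[1]) ? 'ok' : 'denied');
}
```

Only the first attempt is accepted. Existing plain-text passwords in the old table would need to be replaced with password_hash() output before this check can be used.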

        • phphelpneeded
          New Member
          • Feb 2014
          • 3

          #5
          Thank thank you thank you :) !! - now I got something to work from
