Value is POSTED definitely but isset() says NO....

Postby vishalonne » Tue Oct 02, 2012 11:43 am

Hi All

See the code given below. I have been fighting with this code for the last 5 hours to find out why isset() is evaluating the condition as false when the value is posted exactly as it should be POSTed.
If I uncomment lines 4, 5, 6, 7, 8 and put the rest of the code from line 10 to 28, I can see the POSTED value.
Can anyone help with this with any guidance or suggestion? I will be thankful.

Code:
    <?php
    include 'dbconnection.php';
    include 'functions.php';
    //sec_session_start();
     //  $email = $_POST['logemail'];
     //  $password = $_POST['p'];
    //   echo $password;
    //   echo $email;
     // Our custom secure way of starting a php session.
   
    if(isset($_POST['logemail'], $_POST['p'])) {
       $email = $_POST['logemail'];
       $password = $_POST['p']; // The hashed password.
       if(login($email, $password, $mysqli) === true) {
          // Login success
          //$url = 'mwq';
        //echo '<META HTTP-EQUIV=Refresh CONTENT="0; URL='.$url.'">'; 
       echo $password;
       echo $email;
   
       } else {
          // Login failed
          header('Location: login.php?error=1');
       }
    } else {
       // The correct POST variables were not sent to this page.
       echo 'Invalid Request Data Not POSTED';
    }
    ?>
vishalonne
New php-forum User
Posts: 11
Joined: Fri Jul 27, 2012 9:52 am

Re: Value is POSTED definitely but isset() says NO....

Postby seandisanti » Tue Oct 02, 2012 11:49 am

Where are you posting the data from?

***edit***
Only need to see the
<form> ....
</form>
part of the page posting the data i mean; don't need to see all of your styles and sidebars etc
seandisanti
php-forum Fan User
Posts: 838
Joined: Mon Oct 01, 2012 12:32 pm

Re: Value is POSTED definitely but isset() says NO....

Postby vishalonne » Tue Oct 02, 2012 12:06 pm

Hello seandisanti
Thank you for your consideration. I just added echo var_dump($_POST); //just before isset
and got OUTPUT - array(0) { }

Code:
<tr>
<td>
<FORM ID="Login" ACTION="login.php" METHOD="POST">
<h1>welcome to the login page</h1>
please input the login details to create an account here<br />
<table border="2">
<tr>
<td>email :</td><td><input id="logemail" name="logemail" type="text" size="30"></input></td>
</tr>
<tr>
<td>password :</td><td><input id="logpass1" name="logpass1" type="password" size="20"></input></td>
</tr>
</table>
<input type="button" value="Login" onClick="formhash2(this.form,this.form.logpass1);">
</FORM>
</td>
</tr>


But the interesting part of the code is if I remove the comment from these
// $email = $_POST['logemail'];
// $password = $_POST['p'];
// echo $password;
// echo $email;

and the rest of the code I commented, then I get what I expect from POST.
vishalonne
New php-forum User
Posts: 11
Joined: Fri Jul 27, 2012 9:52 am

Re: Value is POSTED definitely but isset() says NO....

Postby seandisanti » Tue Oct 02, 2012 12:25 pm

ok, a couple of quick things to change.

1) <input> tags don't need separate closing tags, just throw a slash before the greater than:
<input ... />

2) don't hash with javascript. do it server side in your php code. doing it with javascript allows the visitor to break it by disabling, or even worse by letting them see how it's done. your php code is secure, javascript is transparent.

3) name your submit button. the easiest way to check if a form has been submitted, is to check isset($_POST['submit']). then take the plain text pass and hash it etc.

I know that doesn't exactly answer your question, but you're not actually posting your form unless it happens inside of the formhash2 function.
seandisanti
php-forum Fan User
Posts: 838
Joined: Mon Oct 01, 2012 12:32 pm

Re: Value is POSTED definitely but isset() says NO....

Postby vishalonne » Tue Oct 02, 2012 12:44 pm

OK, in my index.php there are 2 forms, as you can see here. The first form is giving me trouble :-x but the second form is cool :D
Both forms go through the same process, as you can see in the code of functions.js. I have only 1 question; before that, take a look at my forms -
Code:
<td>
<FORM ID="Login" ACTION="login.php" METHOD="POST">
<h1>welcome to the login page</h1>
please input the login details to create an account here<br />
<table border="2">
<tr>
<td>email :</td><td><input id="logemail" name="logemail" type="text" size="30"></input></td>
</tr>
<tr>
<td>password :</td><td><input id="logpass1" name="logpass1" type="password" size="20"></input></td>
</tr>
</table>
<input type="button" value="Login" onClick="formhash2(this.form,this.form.logpass1);">
</FORM>

<FORM ID="Register" ACTION="register.php" METHOD="POST">
<h1>welcome to the registration page</h1>
please input the registration details to create an account here<br />
<table border="2">
<tr>
<td>email :</td><td><input name="regemail" type="text" size="30"></input></td>
</tr>
<tr>
<td>password :</td><td><input id="regpass1" name="regpass1" type="password" size="20"></input></td>
</tr>
</table>
<input type="button" value="Register" onClick="formhash1(this.form,this.form.regpass1);">
</FORM>
</td>


Now the question - why are these lines displaying the POSTED value if I comment out the code from isset on down?
vishalonne
New php-forum User
Posts: 11
Joined: Fri Jul 27, 2012 9:52 am

Re: Value is POSTED definitely but isset() says NO....

Postby seandisanti » Tue Oct 02, 2012 1:07 pm

could we see the contents of formhash2? i think that's where the issue is.
seandisanti
php-forum Fan User
Posts: 838
Joined: Mon Oct 01, 2012 12:32 pm

Re: Value is POSTED definitely but isset() says NO....

Postby vishalonne » Tue Oct 02, 2012 1:33 pm

Sure, this is checkforms.js and here is the code
Code:
// JavaScript Document csnip
function formhash2(form,password) {
    // Create a new element input, this will be our hashed password field.
   alert(form.id + " " + password.value);
   var p = document.createElement("input");
       // Add the new element to our form.
   
   p.name = "p";
   p.type = "hidden"
   p.value = hex_sha512(password.value);
   // Make sure the plaintext password doesn't get sent.
   password.value = "";
   // Finally submit the form.
   form.appendChild(p);
   form.submit();
}

function formhash1(form,password) {
   alert(form.id + " " + password.value);
  // Create a new element input, this will be our hashed password field.
  var pl = document.createElement("input");
  // Add the new element to our form.
   
   pl.name = "pl";
   pl.type = "hidden"
   pl.value = hex_sha512(password.value);
   // Make sure the plaintext password doesn't get sent.
   password.value = "";
   // Finally submit the form.
   form.appendChild(pl);
   form.submit();

}


vishalonne
New php-forum User
Posts: 11
Joined: Fri Jul 27, 2012 9:52 am

Re: Value is POSTED definitely but isset() says NO....

Postby seandisanti » Tue Oct 02, 2012 2:00 pm


p.name = "p";
p.type = "hidden"
p.value = hex_sha512(password.value);

see if adding semi to close second line helps
seandisanti
php-forum Fan User
Posts: 838
Joined: Mon Oct 01, 2012 12:32 pm

Re: Value is POSTED definitely but isset() says NO....

Postby vishalonne » Tue Oct 02, 2012 2:15 pm

No change.... :( Actually I got this code from http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL
vishalonne
New php-forum User
Posts: 11
Joined: Fri Jul 27, 2012 9:52 am

Re: Value is POSTED definitely but isset() says NO....

Postby seandisanti » Tue Oct 02, 2012 2:40 pm

ok, the article telling you that this is secure is wrong for the reasons already given. end users can see and affect hashing because it's done in js. unsetting the plaintext password is an almost laughable security measure because at best it may protect from someone watching unencrypted wifi traffic. completely ignoring all of the other things they could do if someone had direct access to your visitor's traffic like that, you can't make yourself responsible for securing their connection beyond their traffic with your site, and letting the hash happen on their computer is a compromise to YOUR site's security. The proper way to do what you're trying to do, is to hash server side. example:

1. register form sends email and plaintext password.
2. php script generates a $salt (random hex string of pre-determined length)
3. hash is generated like: $hash=md5(hash("sha256",$password.$salt).$salt); //$salt is hashed with pass, and then appended so that same salt will be used to check future login attempts
4. user record is created in database with email and hashed password.

Then when the user attempts to login:

1. login form sends email and password
2. php script locates record in database by email address or user name
3. $salt is taken from stored value, and new test hash is created with same formula:
$testhash=md5(hash("sha256",$password.$salt).$salt);
4. if $testhash===$userrecord['pass_hash'] that was stored at registration, then they've entered the correct password and can proceed.
seandisanti
php-forum Fan User
Posts: 838
Joined: Mon Oct 01, 2012 12:32 pm
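
The register and login steps from the post above as runnable PHP, added here as an example and not code from the thread or the linked article. It hashes on the server as the post describes, but swaps in PHP's built-in password_hash() and password_verify() for the md5/sha256 formula. Assumptions: PHP 7.4 or later, an in-memory array standing in for the user table, and the hypothetical function names register_user() and check_login().

```php
<?php
// Added example, not code from the thread. The in-memory $users array stands in
// for the database table; register_user() and check_login() are hypothetical names.

/** Registration steps 1-4: plaintext arrives over POST, only the hash is stored. */
function register_user(array &$users, string $email, string $password): bool
{
    $key = strtolower(trim($email));
    if ($key === '' || $password === '' || isset($users[$key])) {
        return false;
    }
    // password_hash() generates a random salt and embeds it, together with the
    // algorithm and cost, in the returned string, so no separate salt column.
    $users[$key] = ['pass_hash' => password_hash($password, PASSWORD_DEFAULT)];
    return true;
}

/** Login steps 1-4: look up the record, re-derive and compare on the server. */
function check_login(array &$users, string $email, string $password): bool
{
    // Hash of a throwaway value, verified when the e-mail is unknown so that
    // unknown and known accounts take a similar amount of time to reject.
    static $dummy = null;
    $dummy ??= password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);

    $key    = strtolower(trim($email));
    $stored = $users[$key]['pass_hash'] ?? null;
    $ok     = password_verify($password, $stored ?? $dummy) && $stored !== null;

    // Upgrade the stored hash when PASSWORD_DEFAULT or its cost has changed.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$key]['pass_hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

// Constructed sample values in place of $_POST['regemail'] / $_POST['regpass1'].
$users = [];
register_user($users, 'alice@example.com', 'correct horse battery staple');

var_dump(check_login($users, 'alice@example.com', 'correct horse battery staple'));
var_dump(check_login($users, 'alice@example.com', 'wrong password'));
var_dump(check_login($users, 'nobody@example.com', 'anything'));
```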

Re: Value is POSTED definitely but isset() says NO....

Postby vishalonne » Tue Oct 02, 2012 2:52 pm

Thank you very much seandisanti for this great information, I was unnecessarily banging my head on this code.

Can you please tell me where I can get a good security tutorial for PHP,
so I can do the same job in PHP?

Regards
vishalonne
New php-forum User
Posts: 11
Joined: Fri Jul 27, 2012 9:52 am

Re: Value is POSTED definitely but isset() says NO....

Postby seandisanti » Tue Oct 02, 2012 2:56 pm

phpsec.org seems to have a lot of info, here's an article relating specifically to password hashing

http://phpsec.org/articles/2005/password-hashing.html
seandisanti
php-forum Fan User
Posts: 838
Joined: Mon Oct 01, 2012 12:32 pm
