MariaDB [TP_PHP]> SHOW COLUMNS FROM users;
+---------------+--------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+---------------+--------------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| pseudo | varchar(128) | YES | | NULL | |
| password | varchar(128) | YES | | NULL | |
| email | varchar(128) | YES | | NULL | |
| country | varchar(128) | YES | | NULL | |
| gender | int(1) | YES | | NULL | |
| birthday | varchar(32) | YES | | NULL | |
| creation_date | date | YES | | NULL | |
+---------------+--------------+------+-----+---------+----------------+
8 rows in set (0.01 sec)
<?php
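// Database credentials shared by every script that require()s this file.
// NOTE(review): a root account with an empty password is development-only; in
// a deployed copy these values should come from the environment or a file
// outside the web root rather than being hard-coded here.
$username = "root";
$password = "";
$host = "localhost";
$dbname = "TP_PHP";

// Connection-wide PDO settings, passed to the constructor so they are in force
// from the very first statement (setAttribute() after connecting leaves a gap).
$options = [
    // The DSN's "charset=utf8" already selects the connection charset; the init
    // command is kept for older client libraries that ignore that DSN key.
    // NOTE(review): MySQL "utf8" is the 3-byte subset -- "utf8mb4" is needed for
    // full Unicode, but switching requires migrating the existing columns too.
    PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8',
    // Raise PDOException on every error instead of silently returning false.
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // fetch() returns associative rows ($row['pseudo']) by default.
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    // Real server-side prepared statements: bound values are never spliced into
    // the SQL text by the client driver.
    PDO::ATTR_EMULATE_PREPARES => false,
];

try {
    $db = new PDO("mysql:host={$host};dbname={$dbname};charset=utf8", $username, $password, $options);
} catch (PDOException $ex) {
    // The driver message can contain the host, database name and account: keep
    // it in the server log and show the client only a generic failure.
    error_log('Database connection failed: ' . $ex->getMessage());
    die("Failed to connect to the database.");
}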
// Compatibility shim for the legacy magic_quotes_gpc setting (PHP < 5.4): when
// it is on, PHP has already backslash-escaped every request value, so the
// escaping is undone here to hand the scripts the raw input. On any PHP where
// the function is gone or returns false this whole block is skipped.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    /**
     * Strip the slashes from every leaf of a request array, recursing into
     * nested arrays. Modifies $array in place.
     *
     * @param array $array Superglobal (or nested sub-array) to clean.
     */
    function undo_magic_quotes_gpc(&$array)
    {
        foreach (array_keys($array) as $key) {
            if (is_array($array[$key])) {
                undo_magic_quotes_gpc($array[$key]);
            } else {
                $array[$key] = stripslashes($array[$key]);
            }
        }
    }

    undo_magic_quotes_gpc($_POST);
    undo_magic_quotes_gpc($_GET);
    undo_magic_quotes_gpc($_COOKIE);
}
// Every page that includes this file emits UTF-8 HTML; declare it before any
// output so the browser never has to guess the encoding.
header('Content-Type: text/html; charset=utf-8', true);
// Start (or resume) the session that login.php stores the logged-in user in.
session_start();
[Tue Mar 13 15:05:41.069409 2018]
[proxy_fcgi:error] [pid 881:tid 140461578602240] [client 127.0.0.1:45426] AH01071:
Got error 'PHP message: PHP Notice: Undefined variable: req in
/home/dev/Documents/ESGI/D__veloppement_Web/PHP/www/Udemy/PHP_CHAT/auth/login.php on line 55\nPHP message:
PHP Fatal error: Uncaught Error: Call to a member function fetch() on null in
/home/dev/Documents/ESGI/D__veloppement_Web/PHP/www/Udemy/PHP_CHAT/auth/login.php:55\nStack trace:
\n#0 {main}\n thrown in /home/dev/Documents/ESGI/D__veloppement_Web/PHP/www/Udemy/PHP_CHAT/auth/login.php on line 55\n',
referer: http://localhost/Udemy/PHP_CHAT/auth/login.php
<?php
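// Shared bootstrap: opens the PDO connection as $db and starts the session.
require("../config.php");

// Username echoed back into the form after a failed attempt; empty on the
// first display so the field starts blank.
$submitted_username = '';

// A non-empty POST means the form was submitted: run the login logic.
// Otherwise only the form below is rendered.
if (!empty($_POST)) {
    // A tampered request can omit either field, so read them with a default
    // instead of assuming the keys exist (avoids "undefined index" notices).
    $pseudo = isset($_POST['pseudo']) ? (string) $_POST['pseudo'] : '';
    $password = isset($_POST['password']) ? (string) $_POST['password'] : '';
    // NOTE(review): the form carries no CSRF token; a token stored in the
    // session and checked here would stop cross-site form submissions.

    // Look the user up by username. The value is bound as a parameter and
    // never concatenated into the SQL, so it cannot change the query.
    $query = "
    SELECT
        id,
        pseudo,
        password,
        email
    FROM users
    WHERE
        pseudo = :pseudo
    ";
    $query_params = [
        ':pseudo' => $pseudo,
    ];

    try {
        $stmt = $db->prepare($query);
        $stmt->execute($query_params);
    } catch (PDOException $ex) {
        // Driver messages can reveal table and column names: log them
        // server-side and give the client only a generic error.
        error_log('login.php query failed: ' . $ex->getMessage());
        die("Failed to run query.");
    }

    // Whether the submitted credentials are valid; false until proven otherwise.
    $login_ok = false;

    // The executed statement is $stmt ($req was never defined, which is the
    // "Call to a member function fetch() on null" in the error log).
    // fetch() returns the matching row, or false when the username is unknown.
    $user_row = $stmt->fetch();
    if ($user_row) {
        // password_verify() re-hashes the submitted password with the salt
        // embedded in the stored hash and compares in constant time. The cast
        // guards against a NULL password column (the schema allows it).
        $login_ok = password_verify($password, (string) $user_row['password']);
    }
    // NOTE(review): when the username does not exist no hash is computed, so
    // that failure returns measurably faster than a wrong password; verifying
    // against a fixed dummy hash in that case would remove the timing signal.

    if ($login_ok) {
        // The hash must never be kept in the session.
        unset($user_row['password']);
        // Issue a fresh session id on privilege change so an id planted before
        // login (session fixation) does not carry into the logged-in state.
        session_regenerate_id(true);
        // chat.php checks $_SESSION['user'] to decide whether the visitor is
        // logged in and to read their details.
        $_SESSION['user'] = $user_row;
        header("Location: ../chat.php");
        // Stop here so the form below is not sent after the redirect header.
        die("Redirecting to: chat.php");
    }

    // Same message whether the username or the password was wrong, so the
    // response does not confirm which usernames exist.
    print("Login Failed.");
    // Escaped for the HTML attribute it is echoed into below (XSS). Always
    // escape user-submitted values before displaying them to anyone.
    $submitted_username = htmlentities($pseudo, ENT_QUOTES, 'UTF-8');
}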
?>
<h1>Login</h1>
<form action="login.php" method="post">
Username:<br />
<input type="text" name="pseudo" value="<?php echo $submitted_username; ?>" />
<br /><br />
Password:<br />
<input type="password" name="password" value="" />
<br /><br />
<input type="submit" value="Login" />
</form>
<a href="register.php">Register</a>
<?php
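// Shared bootstrap: opens the PDO connection as $db and starts the session.
require("../config.php");

if (!empty($_POST)) {
    // Read every field with a default so a tampered request that omits one
    // fails validation below instead of raising an "undefined index" notice.
    $pseudo = isset($_POST['pseudo']) ? (string) $_POST['pseudo'] : '';
    $password = isset($_POST['password']) ? (string) $_POST['password'] : '';
    $email = isset($_POST['email']) ? (string) $_POST['email'] : '';
    $country = isset($_POST['country']) ? (string) $_POST['country'] : '';
    $gender = isset($_POST['gender']) ? (string) $_POST['gender'] : '';
    $birthday = isset($_POST['birthday']) ? (string) $_POST['birthday'] : '';

    // die() is a blunt way to report user errors (the message should be shown
    // together with the form); kept to match the rest of this tutorial code.
    if ($pseudo === '') {
        die("Please enter a username.");
    }
    if ($password === '') {
        die("Please enter a password.");
    }
    // filter_var() with FILTER_VALIDATE_EMAIL rejects malformed addresses.
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        die("Invalid E-Mail Address");
    }
    // gender and country come from fixed form controls (radio buttons and a
    // <select>), but the browser is not the only possible client: accept only
    // the values the form actually offers.
    // NOTE(review): users.gender is int(1) in the schema while the form posts
    // "homme"/"femme" -- confirm the intended mapping before relying on it.
    if (!in_array($gender, ['homme', 'femme'], true)) {
        die("Invalid gender value.");
    }
    if (!in_array($country, ['fr', 'en', 'sp', 'ge'], true)) {
        die("Invalid country value.");
    }

    // Run a parameterised query and return the executed statement. On failure
    // the driver message (which can reveal table/column names) goes to the
    // server log and the client only sees a generic error.
    $run = function ($sql, array $params) use ($db) {
        try {
            $stmt = $db->prepare($sql);
            $stmt->execute($params);
            return $stmt;
        } catch (PDOException $ex) {
            error_log('register.php query failed: ' . $ex->getMessage());
            die("Failed to run query.");
        }
    };

    // Username must be unique. fetch() returns the row or false.
    // NOTE(review): a check-then-insert is racy under concurrent requests; the
    // schema shows no key on pseudo or email, and a UNIQUE index is the real
    // guarantee -- these checks only give a friendlier message.
    if ($run("SELECT 1 FROM users WHERE pseudo = :pseudo", [':pseudo' => $pseudo])->fetch()) {
        die("This username is already in use");
    }
    // So must the email address.
    if ($run("SELECT 1 FROM users WHERE email = :email", [':email' => $email])->fetch()) {
        die("This email address is already registered");
    }

    // Only the hash is stored. password_hash() embeds its own random salt and
    // algorithm id in the result, so nothing else needs saving. The value is
    // passed directly: "$_POST['password']" inside double quotes is a parse error.
    $password_hash = password_hash($password, PASSWORD_DEFAULT);

    // A trailing comma after the last column or the last placeholder is a
    // MySQL syntax error, so both lists end without one.
    $query = "
    INSERT INTO users (
        pseudo,
        password,
        email,
        country,
        gender,
        birthday
    ) VALUES (
        :pseudo,
        :password,
        :email,
        :country,
        :gender,
        :birthday
    )
    ";
    // Every value is bound as a parameter, never interpolated into the SQL.
    $run($query, [
        ':pseudo' => $pseudo,
        ':password' => $password_hash,
        ':email' => $email,
        ':country' => $country,
        ':gender' => $gender,
        ':birthday' => $birthday,
    ]);
    // NOTE(review): creation_date is never populated here, so it stays NULL.

    // Send the new user to the login page. die() is essential: without it the
    // HTML below would still be emitted after the redirect header.
    header("Location: login.php");
    die("Redirecting to login.php");
}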
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Inscription</title>
<link rel="stylesheet" href="css/styles.css" type="text/css">
</head>
<body>
<?php include('../header.php') ?>
<main>
<form action="register.php" method="post">
<input type="text" name="pseudo" placeholder="Pseudo"><br>
<input type="text" name="email" placeholder="Email"><br>
<input type="password" name="password" placeholder="Mot de passe"><br>
<input type="date" name="birthday" placeholder="Date de naissance"><br><br>
<input type="radio" name="gender" value="homme" checked> Homme
<input type="radio" name="gender" value="femme"> Femme<br><br>
<select name="country">
<option value="fr" selected>France</option>
<option value="en">England</option>
<option value="sp">Spain</option>
<option value="ge">Germany</option>
</select><br>
<input type="submit" value="Inscription">
</form>
</main>
<?php include('../footer.php') ?>
</body>
</html>