PHP file to GET url variables, process them, write to a mysql database, help!

ClevelandSlim

Hello,

This is my first time posting here. I need a php file that when called to via GET url with variables, the php file will have to encrypt a password, whichj will be one of the variables. Then I need the resulting info written to a specific MySQL database table.

So far this is what I have.

php GET variables and write to database code...

<?php 
$db=mysql_connect("localhost", "usrnm", "pswd") or die("Could not connect to localhost."); mysql_select_db("visitors", $db) or die("Could not find visitors."); 

// The above lines establishes a connection with the // database. Keep localhost as is unless something different // is mentioned by your sql host. usrnm is user name and pswd is // password. What I want to say is, copy these lines as they are // and just replace the required fields and it should connect. 

$querySQL = "insert into visinfo (d_name, d_email, 
d_city) values ($name, $email, $city)"; 
if(!$querySQL) error_message(sql_error()); 

// The above statement generates an error if you have setup the table in such a way that there should not be a duplicate entry. 
?>

I can see how that will work. But what I don't see in the above code is how to clarify which table the data will be written to. I NEED TO SPECIFY TABLE.

Here is a bit of the code from the help file that encrypts the password with the correct encryption...

    /**
     * Formats a password using the current encryption.
     *
     * @access    public
     * @param    string    $plaintext    The plaintext password to encrypt.
     * @param    string    $salt        The salt to use to encrypt the password. []
     *                                 If not present, a new salt will be
     *                                 generated.
     * @param    string    $encryption    The kind of pasword encryption to use.
     *                                 Defaults to md5-hex.
     * @param    boolean    $show_encrypt  Some password systems prepend the kind of
     *                                 encryption to the crypted password ({SHA},
     *                                 etc). Defaults to false.
     *
     * @return string  The encrypted password.
     */
    function getCryptedPassword($plaintext, $salt = '', $encryption = 'md5-hex', $show_encrypt = false)
    {
        // Get the salt to use.
        $salt = JUserHelper::getSalt($encryption, $salt, $plaintext);

    // Encrypt the password.
    switch ($encryption)
    {
        case 'plain' :
            return $plaintext;

        case 'sha' :
            $encrypted = base64_encode(mhash(MHASH_SHA1, $plaintext));
            return ($show_encrypt) ? '{SHA}'.$encrypted : $encrypted;

        case 'crypt' :
        case 'crypt-des' :
        case 'crypt-md5' :
        case 'crypt-blowfish' :
            return ($show_encrypt ? '{crypt}' : '').crypt($plaintext, $salt);

        case 'md5-base64' :
            $encrypted = base64_encode(mhash(MHASH_MD5, $plaintext));
            return ($show_encrypt) ? '{MD5}'.$encrypted : $encrypted;

        case 'ssha' :
            $encrypted = base64_encode(mhash(MHASH_SHA1, $plaintext.$salt).$salt);
            return ($show_encrypt) ? '{SSHA}'.$encrypted : $encrypted;

        case 'smd5' :
            $encrypted = base64_encode(mhash(MHASH_MD5, $plaintext.$salt).$salt);
            return ($show_encrypt) ? '{SMD5}'.$encrypted : $encrypted;

        case 'aprmd5' :
            $length = strlen($plaintext);
            $context = $plaintext.'$apr1$'.$salt;
            $binary = JUserHelper::_bin(md5($plaintext.$salt.$plaintext));

            for ($i = $length; $i > 0; $i -= 16) {
                $context .= substr($binary, 0, ($i > 16 ? 16 : $i));
            }
            for ($i = $length; $i > 0; $i >>= 1) {
                $context .= ($i & 1) ? chr(0) : $plaintext[0];
            }

            $binary = JUserHelper::_bin(md5($context));

            for ($i = 0; $i < 1000; $i ++) {
                $new = ($i & 1) ? $plaintext : substr($binary, 0, 16);
                if ($i % 3) {
                    $new .= $salt;
                }
                if ($i % 7) {
                    $new .= $plaintext;
                }
                $new .= ($i & 1) ? substr($binary, 0, 16) : $plaintext;
                $binary = JUserHelper::_bin(md5($new));
            }

            $p = array ();
            for ($i = 0; $i < 5; $i ++) {
                $k = $i +6;
                $j = $i +12;
                if ($j == 16) {
                    $j = 5;
                }
                $p[] = JUserHelper::_toAPRMD5((ord($binary[$i]) << 16) | (ord($binary[$k]) << 8) | (ord($binary[$j])), 5);
            }

            return '$apr1$'.$salt.'$'.implode('', $p).JUserHelper::_toAPRMD5(ord($binary[11]), 3);

        case 'md5-hex' :
        default :
            $encrypted = ($salt) ? md5($plaintext.$salt) : md5($plaintext);
            return ($show_encrypt) ? '{MD5}'.$encrypted : $encrypted;
    }
}

So that's that. I am at a point where I could use the first piece of code posted above, except I can't figure how to specify the table. And as far as the encrypting of the password... I am totally lost.

Please help.

All the best,
~Slim~

Oh... attached is the text file with all the code need for this file, I guess

bradgrafelman

The first code you posted has two problems:
a.) It appears to rely on register_globals being set. For example, where is the $name variable ever defined? If it's coming via the URL (e.g. the GET method), then you should be using the $_GET superglobal array (more info: [man]variables.superglobals[/man])
b.) User-supplied data should never be placed directly inside a SQL query. Instead, it should first be sanitized with a function such as [man]mysql_real_escape_string/man.
ClevelandSlim wrote:
But what I don't see in the above code is how to clarify which table the data will be written to.
"INSERT INTO visinfo ..." Where's the data going? visinfo. Learn more about how to INSERT at the MySQL manual page INSERT Syntax

Cleveland Slim wrote:
And as far as the encrypting of the password... I am totally lost.

Well, to be semantically correct, it looks like you're trying to use a hashed password, not an encrypted password (e.g. one can't be reversed, one is meant to be reversed/"decrypted").

As far as the average login system goes, using [man]sha1/man (plus a salt, perhaps) is sufficient enough. Example:

// a "salt" is a secret value you add to the password to reduce hash collision/rainbow tables/etc. attacks
// e.g. if a malicious user gets a DB dump and sees the password hashes,
// and a user used a simple password e.g. "god", that hash is probably in
// a "rainbow table" that the malicious user has and all he/she has to do is
// look up the hash.
$salt = '$1#@*..6mn__=';
// now the hash isn't of "god", it's of "$1#@*..6mn__=god"



// user registration details POST'ed, create account:
$username = isset($_POST['username'] ? $_POST['username'] : '');
$password = isset($_POST['password'] ? sha1($salt . $_POST['password']) : sha1($salt));

$query = sprintf('INSERT INTO users (username, password) VALUES (\'%s\', \'%s\')',
    mysql_real_escape_string($username),
    $password
);

// same thing - take posted password and get the hash
// $hash could be a global variable you house in a central "config" script
// that all other scripts in this application load and initialize
$password = isset($_POST['password'] ? sha1($salt . $_POST['password']) : sha1($salt));

EDIT: In reply to your "test post", yes, you can post; at PHPBuilder we employ a spam filter that will flag new user accounts when it detects one of numerous phrases/words/URLs/etc. in a post. A moderator has to approve that post before it will be displayed (which I did just before replying).

ClevelandSlim

Brad, thanks for the quick and very informative reply.

The password will be coming to my php file directly from a third party cc processor. I'm sure the password will already be encrypted using .htacess - .htpasswd method.

So I guess for me, the plot thickens. LOL. Your post was beyond my scope, my brain is like a fried egg right now, LOL.

~Slim~
:queasy:

ClevelandSlim

Ok, so I am going to give it a shot. Thanks to Brad's reply... this is what I have now.

<?php 
$db=mysql_connect("localhost", "usrnm", "pswd") or die("Could not connect to localhost."); mysql_select_db("sha0818911585312", $db) or die("Could not find visitors."); 

$querySQL = "insert into jos_users (id,name,email,username,password,usertype,registerDate) values (--,--,$email,$username,$password,--,$start_date)"; 
if(!$querySQL) error_message(sql_error()); 

?>

I am understanding that the VALUES (values (--,--,$email,$username,$password,--,$start_date) came from the GET url that's going to call the PHP file.

Here is another spin on things...

The id variable won't be coming from the GET url string, so I will have to set that variable via the PHP file AND I will need it set at auto_incrememnts and it can't be a duplicate on the database. Maybe I could go in and add that to the database before hand, say at like 300 - 500 ready id's?
I left the value for name blank as well, because coming from the GET url I will have two varibles for name (customer_fname "first name" and customer_lname "last name") so I will need to know how to combine the two and make them into the one value.
I left the usertype value blank. All entries to the database thru this file will all be one type of user. the default for this value is going to be registered
Finally, the password will be coming in the GET url string already encrypted in .htpasswd. I will need to decrypt it first, then encrypt it with the proper method.

If I can figure out these last 4 steps, I can go ahead and start testing this!

All the best,
~Slim~

ClevelandSlim

Okay... this is what I am going to test with.

<?php 
$db=mysql_connect("localhost", "usrnm", "pswd") or die("Could not connect to localhost."); mysql_select_db("sha0818911585312", $db) or die("Could not find visitors."); 

$encrypted_pass = md5($password);
$usertype = Registered;
$username = $customer_fname.' '.$customer_lname;

$querySQL = "insert into jos_users (name,email,username,password,registerDate) values ($name,$email,$username,$encrypted_pass,$start_date)"; 
if(!$querySQL) error_message(sql_error()); 

?>

Come to find out, the password will be pased as plain text. So that means I don't have to worry about decrypting it, just adding the md5 spin on it. As is .htpasswd encryption can't be decrypted. It's a one way algorithm.

If you see ANYTHING that may keep my test from being succesful, please let me know.

Thanks for your replies.

All the best,
~Slim~