I am new to PDO and I am a bit lost in the functions and how to make them work correctly!
I already created the functions to insert new users and now, I am trying to do the login function.
I crypted my password with this :
function create_salt($username,$timestamp)
{
$hashed = sha1($username.$timestamp) ;
$randomized = '';
for ($i = 0 ; $i <= 40 ; $i++)
{
$randomChar = $hashed[rand(0, strlen($hashed)-1)];
$randomized.=$randomChar;
}
return $randomized;
}
and for the user insert :
function userRegister($password,$email,$role,$title,$first_name,$last_name,$phone,$mobile_phone,$address,
$postal_code,$postal_case,$city,$country,$agent_number)
{
// generate username
$username = createUsername($first_name,$last_name,$email);
// create salt
$password_salt = create_salt($username,time());
// encrypt password
$cryptedPassword = sha1($password);
// create new pdo object
$pdo = dbConnect();
try
{
$pdo->beginTransaction();
// create the account, allowing the user to log in
$req = $pdo->prepare("INSERT INTO t_accounts (a_creation,a_last_change,a_username,a_password,a_password_salt,a_email)
VALUES (NOW(),NOW(),:username,:cryptedPassword,:password_salt,:email)");
$req->execute(array(
'username' => $username,
'cryptedPassword' => $cryptedPassword,
'password_salt' => $password_salt,
'email' => $email
));
echo 'Account added';
$lastAccountID = $pdo->lastInsertId();
// create the user
$req2 = $pdo->prepare("INSERT INTO t_users (t_roles_role_id,t_accounts_account_id,u_creation,u_last_change,
u_title,u_first_name,u_last_name,u_phone,u_mobile_phone,u_address,u_postal_code,
u_postal_case,u_city,u_country,u_agent_number)
VALUES (:role,LAST_INSERT_ID(),NOW(),NOW(),:title,:first_name,:last_name,:phone,
:mobile_phone,:address,:postal_code,:postal_case,:city,:country,:agent_number)");
$req2->execute(array(
'role' => $role,
'title' => $title,
'first_name' => $first_name,
'last_name' => $last_name,
'phone' => $phone,
'mobile_phone' => $mobile_phone,
'address' => $address,
'postal_code' => $postal_code,
'postal_case' => $postal_case,
'city' => $city,
'country' => $country,
'agent_number' => $agent_number
));
echo 'User added';
$lastUserID = $pdo->lastInsertId();
// open the logs for this account
$req3 = $pdo->prepare("INSERT INTO t_accounts_logs (al_date,al_ipv4,al_ipv6,al_description,al_username)
VALUES (NOW(),:al_ipv4,:al_ipv6,:al_description,:al_username)");
$req3->execute(array(
'al_ipv4' => $_SERVER['REMOTE_ADDR'],
'al_ipv6' => '',
'al_description' => 'Création du user '.$lastUserID.'/'.$first_name.' '.$last_name.' avec le compte '.$lastAccountID.'/'.$username,
'al_username' => $username
));
echo 'Log added';
$pdo->commit();
echo 'tout s\'est bien passé.';
}
catch(Exception $e)
{
// rollback the transaction
$pdo->rollback();
// display error message and datas
echo 'Tout ne s\'est pas bien passé, voir les erreurs ci-dessous<br />';
echo 'Erreur : '.$e->getMessage().'<br />';
echo 'N° : '.$e->getCode();
// exit the catch to avoid the next errors
exit();
}
}
and everything is working just fine.
Now, I am trying to do the login function and I need to check if the username, the email and the password are good.
Where I am :
function loginUser($fusername,$fpassword,$femail)
{
$pdo = dbConnect();
$encryptedPassword = sha1($fpassword);
// create the account, allowing the user to log in
try
{
$req = $pdo->prepare("SELECT a_username, a_password, a_password_salt,a_email
FROM t_accounts WHERE t_accounts.a_username = :username
AND t_accounts.a_email = :email
AND t_accounts.a_password = :password;");
$req->execute(array(
":username" => $fusername,
":email" => $femail,
":password" => $encryptedPassword
));
if ($req->rowCount() == 1)
{
while ($get = $req->fetch(PDO::FETCH_OBJ))
{
echo 'logged in';
}
}
else
{
echo 'user does not exist';
}
}
catch (Exception $e)
{
echo "could not retrieve data from database" ;
}
}
I was looking for some tutorial like this one : https://x10hosting.com/community/threads/question-log-in-pages-with-pdo.192294/#post-923672 but he is not testing the password with the salt.
What should I change in the test if I need to check the salt too and is the function good?
My final script, working fine, if someone needs it in the future
function userRegister($password,$email,$role,$title,$first_name,$last_name,$phone,$mobile_phone,$address,
$postal_code,$postal_case,$city,$country,$agent_number)
{
// generate username
$username = createUsername($first_name,$last_name,$email);
// encrypt password
$cryptedPassword = password_hash($password, PASSWORD_BCRYPT, array("cost" => 11));
// create new pdo object
$pdo = dbConnect();
try
{
$pdo->beginTransaction();
// create the account, allowing the user to log in
$req = $pdo->prepare("INSERT INTO t_accounts (a_creation,a_last_change,a_username,a_password,a_email)
VALUES (NOW(),NOW(),:username,:cryptedPassword,:email)");
$req->execute(array(
'username' => $username,
'cryptedPassword' => $cryptedPassword,
'email' => $email
));
echo 'Account added';
$lastAccountID = $pdo->lastInsertId();
// create the user
$req2 = $pdo->prepare("INSERT INTO t_users (t_roles_role_id,t_accounts_account_id,u_creation,u_last_change,
u_title,u_first_name,u_last_name,u_phone,u_mobile_phone,u_address,u_postal_code,
u_postal_case,u_city,u_country,u_agent_number)
VALUES (:role,LAST_INSERT_ID(),NOW(),NOW(),:title,:first_name,:last_name,:phone,
:mobile_phone,:address,:postal_code,:postal_case,:city,:country,:agent_number)");
$req2->execute(array(
'role' => $role,
'title' => $title,
'first_name' => $first_name,
'last_name' => $last_name,
'phone' => $phone,
'mobile_phone' => $mobile_phone,
'address' => $address,
'postal_code' => $postal_code,
'postal_case' => $postal_case,
'city' => $city,
'country' => $country,
'agent_number' => $agent_number
));
echo 'User added';
$lastUserID = $pdo->lastInsertId();
// open the logs for this account
$req3 = $pdo->prepare("INSERT INTO t_accounts_logs (al_date,al_ipv4,al_ipv6,al_description,al_username)
VALUES (NOW(),:al_ipv4,:al_ipv6,:al_description,:al_username)");
$req3->execute(array(
'al_ipv4' => $_SERVER['REMOTE_ADDR'],
'al_ipv6' => '',
'al_description' => 'Création du user '.$lastUserID.'/'.$first_name.' '.$last_name.' avec le compte '.$lastAccountID.'/'.$username,
'al_username' => $username
));
echo 'Log added';
$pdo->commit();
echo 'tout s\'est bien passé.';
}
catch(Exception $e)
{
// rollback the transaction
$pdo->rollback();
// display error message and datas
echo 'Tout ne s\'est pas bien passé, voir les erreurs ci-dessous<br />';
echo 'Erreur : '.$e->getMessage().'<br />';
echo 'N° : '.$e->getCode();
// exit the catch to avoid the next errors
exit();
}
}
And the second
function loginUser($fusername,$fpassword,$femail)
{
$pdo = dbConnect();
// create the account, allowing the user to log in
try
{
$req = $pdo->prepare("SELECT *
FROM t_accounts WHERE t_accounts.a_username = :username
AND t_accounts.a_email = :email;");
$req->execute(array(
":username" => $fusername,
":email" => $femail
));
if ($req->rowCount() == 1)
{
while ($get = $req->fetch(PDO::FETCH_OBJ))
{
//$hash = password_hash($get->a_password,PASSWORD_BCRYPT,array("cost" => 11));
if (password_verify($fpassword,$get->a_password))
{
echo 'Identifiants corrects';
}
else
{
echo 'Identifiants incorrects';
echo "\r\n";
echo '<a href="'.$_SERVER["HTTP_REFERER"].'" />Retourner au formulaire</a>';
}
}
}
else
{
echo 'user does not exist';
}
}
catch (Exception $e)
{
echo "could not retrieve data from database" ;
}
}