php mysql help

malin
Posts: 11
Joined: Fri Jan 09, 2015 10:44 pm

php mysql help

Post by malin » Wed Jan 28, 2015 8:39 pm

Hi all,

I have been playing around with a php webservice for livecode, but need some help/explanation as I am stuck.
I want to try the login but I guess it's something wrong with my code.

php code*****
<?php
// make connection to database
mysql_connect($hostName, $userName, $password) or die("Unable to connect to host $hostName");
mysql_select_db($dbName) or die( "Unable to select database $dbName");
// echo "Connected to MySQL";

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
//header("location:login_success.php");
echo "Connection sucess";
}
else {
echo "Wrong Username or Password";
}
?>

livecode***
on mouseUp
put field "uname" into tNam
put field "pword" into tWord
--put tWord && tNam into field "lf"
put tNam into myusername
put tWord into mypassword
put myusername && mypassword into myparameter
put "myparameter="&urlencode(myParameter) into leMessage
post leMessage to url "http://jaasnetworks.se/dbconnect.php"
put it into myResults
answer myResults
end mouseUp

Please, am I coding wrongly?

Your kind help will be appreciated

Happy coding to all :)

/Malin

AxWald
Posts: 578
Joined: Thu Mar 06, 2014 2:57 pm

Re: php mysql help

Post by AxWald » Mon Feb 02, 2015 2:49 pm

Hi,

I may be wrong, but I read in your PhP:
> mysql_connect($hostName, $userName, $password) or die("Unable to connect to host $hostName");
> mysql_select_db($dbName) or die( "Unable to select database $dbName");

and in your LC:
> put myusername && mypassword into myparameter

Possible that you need to provide $hostName and/or $dbName, too?
Additionally, you're delimiting with double-spaces. Is this correct?

I'm no PhP coder, so this is just a guess.

Good luck!
All code published by me here was created with Community Editions of LC (thus is GPLv3).
If you use it in closed source projects, or for the Apple AppStore, or with XCode
you'll violate some license terms - read your relevant EULAs & Licenses!

malin
Posts: 11
Joined: Fri Jan 09, 2015 10:44 pm

Re: php mysql help

Post by malin » Tue Feb 03, 2015 12:34 am

hello,

Thank you for your reply, I have provided the host name and other info for connection.
I tried without the double space but still the same.
Can you kindly give an example of how you would have scripted it on livecode (for my educational purpose)?

thanks

AxWald
Posts: 578
Joined: Thu Mar 06, 2014 2:57 pm

Re: php mysql help

Post by AxWald » Tue Feb 03, 2015 1:00 pm

Hi,
malin wrote:
> [...]
> i tried without the double space but still the same.

:(
I had another look in your code and tried to rewrite it, maybe this helps:

Code:

on mouseUp
   put field "uname" into tNam  -- this be the string "sNam"
   put field "pword" into tWord  -- this be the string "sWord"
   -- no need to juggle the variables from one to the other
   put "myparameter="&urlencode(tNam && tWord) into leMessage
   -- leMessage: "myparameter=sNam++sWord"

Ah, here I see a mistake!
Shouldn't this be: "myparameter%3DsNam++sWord"?
I guess the whole leMessage should be URLEncoded for a post, right?

So let's try again:

Code:

on mouseUp
   put field "uname" into tNam  -- this be the string "sNam"
   put field "pword" into tWord  -- this be the string "sWord"
   put urlencode("myparameter="& tNam && tWord) into leMessage
   -- leMessage: "myparameter%3DsNam++sWord"
   post leMessage to url "http://jaasnetworks.se/dbconnect.php"
   -- should work now. But we need to check for errors:
   put it && "/" && the result into myResults
   -- the result contains possible error messages!
   answer myResults
end mouseUp

That's what I guess would be correct. But I'm no PhP coder, can only judge the LC part :/
And I rarely use "post", when I have to talk to PhP I usually use sockets.

Another thing:
It's widely regarded as not clever to store passwords on a server, and to send them over the internet, as long as they are in plain text.
You'll want to store/send the passwords in a more secure form. Example:

Code:

-- we replace this:
-- put urlencode("myparameter="& tNam && tWord) into leMessage
-- with those 2 lines:
put SHAencode(tNam & tWord) into tHash
-- tHash: "296011f0c6048f6df1a04e6f576a83b95e8d2e1d"
-- tNam is used as a "salt" here, to make it more difficult to break the password
-- Let's go on:
put urlencode("myparameter="& tNam && tHash) into leMessage
-- leMessage is now:
--"myparameter%3DsNam++296011f0c6048f6df1a04e6f576a83b95e8d2e1d"

If your PhP works alike, you're rather safe - all that is stored and transmitted is a username and a salted hash.

For sure there's something still lacking - the SHA1 hash generation:

Code:

------- SHA1 Hash function---------------
function SHAencode tString
   get sha1digest(tString)
   put empty into tVar
   get binarydecode("H*",it,tVar)  -- so that it becomes readable ...
   return tVar
end SHAencode

In PhP it should look like this:
$hash = sha1($myusername . $mypassword);

I don't know if this helps, at least you should have some food for thought now ;-)

Have a good time!

PS: The code above is not tested, it may contain typos!

malin
Posts: 11
Joined: Fri Jan 09, 2015 10:44 pm

Re: php mysql help

Post by malin » Tue Feb 03, 2015 9:23 pm

Thanks Axwald,

Been fighting with it since. But would reply to this thread if I have any luck.

Thanks for helping out :)

malin
Posts: 11
Joined: Fri Jan 09, 2015 10:44 pm

Re: php mysql help

Post by malin » Fri Feb 06, 2015 7:46 pm

Hi,
got it figured out.. it was quite straightforward though.

here is the code that worked

on mouseUp
put urlEncode(fld "uname") into tName
put urlencode(fld "pword") into tWord

put ("myusername=" & tName & "&mypassword=" & tWord) into leMessage
post leMessage to URL "http://jaasnetworks.se/checklogin.php"

put it into tFormResults
answer tFormResults
end mouseUp

thank you Axwald
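
An added example, not code from the thread or its authors: one way the server side of this login could be written on a current PHP version, using a PDO prepared statement and `password_hash()`/`password_verify()` in place of the removed `mysql_*` functions and the plaintext password comparison in the SQL. The `members` table, its columns, the sample account and the in-memory SQLite database (standing in for MySQL so the script runs offline) are assumptions.

```php
<?php
// Added example, not code from the thread. Table and column names and the
// sample account are constructed; SQLite in memory stands in for MySQL.
declare(strict_types=1);

function check_login(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();   // false when no such user

    // For an unknown user, verify against a dummy hash so that both
    // paths do roughly the same amount of work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $stored === false ? $dummy : $stored);
    return $ok && $stored !== false;
}

$db = new PDO('sqlite::memory:');     // deployment: a mysql: DSN instead
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Registration stores a salted, slow hash, never the password itself.
$ins = $db->prepare('INSERT INTO members VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed requests using the field names the LiveCode client posts.
$requests = [
    ['myusername' => 'alice', 'mypassword' => 'correct horse'],
    ['myusername' => 'alice', 'mypassword' => 'wrong'],
    ['myusername' => "' OR '1'='1", 'mypassword' => "' OR '1'='1"],
];
foreach ($requests as $post) {
    $ok = check_login($db, $post['myusername'], $post['mypassword']);
    echo $ok ? "Connection success\n" : "Wrong Username or Password\n";
}
```

In a web deployment the same function would receive `$_POST['myusername']` and `$_POST['mypassword']` over HTTPS, and `$_SESSION` (after `session_regenerate_id(true)`) takes the place of `session_register()`, which was removed in PHP 5.4.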
