Registration form

With regards to base64, it’s all about how much you care about your customers’ data security. If you’re using http:// and not https:// and you don’t encode the data somehow, your usernames and passwords are in the clear and it’s easy for any hacker in a coffee shop to grab it, and since users tend to use the same passwords, there is a good chance they now have their bank info.

It’s up to you.

Also the script above isn’t sending password2 to the server either.

I’m not sure you want to go to the login scene before your registration completes. In your login scene do you destroy the previous scene?

Scott, a better choice would be to just:

     print( json.prettify( event ) )

It formats it much better.

Rob

Oh yeah, forget about that API, I am just used to using the encode method.

     -- some code from login scene
     function scene:show(event)
         composer.removeScene( "register" )
     end

I don’t know how to use base64 in my php

http://php.net/manual/en/function.base64-decode.php

or

http://php.net/manual/en/function.base64-encode.php

But I don’t want to secure the username only the password and email

Since you’re removing the scene there is a good chance you’re removing it before the network.request() finishes. I would move that composer.gotoScene("login") to inside the network.request() listener function after you get a successful registration.

Rob

Then only encode/decode those values.

     $str = 'password';
     echo base64_encode($str);

Is this way good to decode the password values?

That should work

That would be how you encode the value (turn it into a Base64 character string). If you receive a base64 encoded string you need to decode it like:

     $password = base64_decode( $_GET['password']);

     $username = $_GET['username'];
     $password = base64_decode( $_GET['password']);
     $email= base64_decode( $_GET['email']);

Still nothing goes into my database

Are you getting any errors in your website logs?

Did you fix everything else like passing password2? Your PHP script tests to see if password == password2 and if it doesn’t nothing goes into your database.

Rob

No, none. Why can’t I use

     $password = password_hash($password, PASSWORD_BCRYPT, array('cost' => 12));

It does the same job that base64 does 

I don’t think you can decrypt it in corona but I don’t see why not.

Can we slow down just a bit? We need to focus on one problem at a time.

This line: $password = password_hash($password, PASSWORD_BCRYPT, array('cost' => 12));

takes the unencrypted password once it’s in PHP and makes a one-way non-reversible hash string that you store in the database. That way if a hacker compromises your database, they in theory cannot reverse the passwords. That’s the purpose of that line. But this is only important AFTER the PHP script gets it.

Between your app and your script, you’re transmitting data over the Internet. I don’t know if your URL starts with http:// or https:// since you’re not sharing your real URL. But if it’s http:// and you use:  http://mysite.com/myscript.php?username=fred&password=bedrock&password2=bedrock&email=fred@flintstone.com and you use network.request() with that URL

That entire string is visible to anyone with a packet sniffer running on their computer connected to the same network.

If you’re using https:// then you’re all set. The network traffic is encrypted before it’s sent and the server decrypts it and you don’t have to worry about it. But if you’re using http:// you really should hide that data behind some obfuscation: i.e. changing the keys to something other than "username" and "password" and base64 encoding the values.

If you do this, you must change your PHP script to match.

Hopefully that explains it to you.

Now are you including "password2" on your URL? Did you change your PHP script from $_POST['password2'] to $_GET['password2']?

     if (isset($_GET['register'])) {
         if ($_GET['password'] == $_GET['password2']) {
             $username = $_GET['username'];
             $password = base64_decode( $_GET['password']);
             $password2 = ( $_GET['password2']);
             $email= base64_decode( $_GET['email']);
             // validate and sanitize all of these inputs
             // and see that they are not blank at the same time
             // Do your MySqli here to find the $username and
             // bring out result of find in $username_result
             $result = mysqli_query($con ,"SELECT * FROM users WHERE username='$username' AND email='$email'");
             if(mysqli_num_rows($result ) > 0) {
                 echo "User exist";
             } else {
                 // it is not in use so put it in
                 $password = password_hash($password, PASSWORD_BCRYPT, array('cost' => 12));
                 $sql = "INSERT into users VALUES(null, '$username', '$password', '$email')";
                 if(mysqli_query($con, $result)){
                 }else{
                     echo "Sorry something went wrong.";
                 }
             }
         }else{
             echo "Passwords don't match.";
         }
     }

This is my PHP code currently. I’m not saving the password2 (confirm password) in my database. I’m just checking it to see if it matches with the password.
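A hardened form of the handler posted above, as an added example that is not part of the thread or any poster's code: it decodes before comparing, binds the values as statement parameters instead of interpolating them into the SQL string, and executes the INSERT statement rather than the earlier `$result`. It assumes the app base64-encodes password, password2 and email; the function name `register_user`, the extra messages and the connection credentials are placeholders.

```php
<?php
// Added example, not the poster's code. Assumes the app base64-encodes
// password, password2 and email; DB credentials below are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw

function register_user(mysqli $con, array $in): string
{
    $username  = trim($in['username'] ?? '');
    // Strict mode returns false for input outside the base64 alphabet.
    $password  = base64_decode($in['password']  ?? '', true);
    $password2 = base64_decode($in['password2'] ?? '', true);
    $email     = base64_decode($in['email']     ?? '', true);

    if ($username === '' || !is_string($password) || $password === ''
        || !is_string($password2) || !is_string($email)) {
        return 'Missing or malformed field.';
    }
    if (!hash_equals($password, $password2)) { // compare the decoded values
        return "Passwords don't match.";
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid email.';
    }

    // Bound parameters keep user input out of the SQL text.
    $stmt = $con->prepare('SELECT 1 FROM users WHERE username = ? AND email = ?');
    $stmt->bind_param('ss', $username, $email);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows > 0) {
        return 'User exist';
    }

    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $con->prepare('INSERT INTO users VALUES (NULL, ?, ?, ?)');
    $stmt->bind_param('sss', $username, $hash, $email);
    $stmt->execute(); // runs the INSERT; the posted code passed $result here
    return 'Registered';
}

if (isset($_GET['register'])) {
    try {
        $con = new mysqli('localhost', 'db_user', 'db_pass', 'db_name');
        echo register_user($con, $_GET);
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage()); // details go to the server log only
        echo 'Sorry something went wrong.';
    }
}
```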

I don’t see password2 in your previous Lua code. Has it been added?