Friday, 16 May 2014

Login, Session, Cookies and Logout

The login process took a very long time as when I user tested this section the echo error message kept appearing even though the information was correct. I run the error report function but no errors appeared it seemed that the underlying issue was with the password hash as I would the system would echo out valid email however without any specific error messages within the document I struggled to solve this issue quickly. 



I looked over the login code but I couldn't find any errors or misspelt variables.





Due the amount of time left to solve this problem and the fact that I needed to finish other sections within the project I decided to attempt another login structure.


When it came down to testing this code there were several issues, basically since I used a different approach it also meant changing the register document. I decided not to do this as time was running short therefore I went back to the original document and tried to sort out the problem. This process again took various days and overlapped with other tasks however I did managed to solve the issue basically the database was set to only store 6 character whereas the encryption consisted of 60. Due to this factor when it came down to logging in the system wasn't able to match the passwords. 

Sources

Aass, O. (2013). Two step password hashing with hmac and bcrypt. [online] Worldofwebcraft.com. Available at: http://www.worldofwebcraft.com/blog.php?id=255 [Accessed 18 May. 2014].

Free source code, tutorials and articles, (2013). How to Create Login Page in PHP/MySQL using PDO Query. [online] Available at: http://www.sourcecodester.com/tutorials/php/6102/how-create-login-page-phpmysql-using-pdo-query.html [Accessed 18 May. 2014].

Mackay, C. (2005). SQL Injection Attacks and Some Tips on How to Prevent Them - CodeProject. [online] Codeproject.com. Available at: http://www.codeproject.com/Articles/9378/SQL-Injection-Attacks-and-Some-Tips-on-How-to-Prev [Accessed 18 May. 2014].

Price·, I. (2013). PHP Tutorial: Secure Password Hashing using crypt(). [video] Available at: https://www.youtube.com/watch?v=wIRtl8CwgIc [Accessed 18 May. 2014].

YouTube, (2012). How To Create A Secure Login System In Php. [online] Available at: https://www.youtube.com/watch?v=dy5sYbbWYvE [Accessed 18 May. 2014].

Thursday, 15 May 2014

Upload Process Extended

Okay, so now that I have a functional register process the next step was to add extra features such as:
  • Size limit
  • Check if file exists


Ideally I would have used the code below to display the users folder however due to issues with the login the file security and file sharing hasn't been completed so i'm displaying all files together.




The links are useful to access the documents so I went ahead and created a download document that accesses the path were all the files are stored and enables users to download the document to their device.




Sources
Css-tricks.com, (2012). [online] Available at: http://css-tricks.com/snippets/php/display-styled-directory-contents/ [Accessed 18 May. 2014].

Juul Hansen, N. (2013). Listing files with PHP. [video] Available at: https://www.youtube.com/watch?v=HA9dQLUxa38 [Accessed 18 May. 2014].

php, D. (2013). Download files from server php - Stack Overflow. [online] Stackoverflow.com. Available at: http://stackoverflow.com/questions/12094080/download-files-from-server-php [Accessed 18 May. 2014].

Worldofwebcraft.com, (2012). How to list all files in a dir as links to the file (download). [online] Available at: http://www.worldofwebcraft.com/topic.php?id=6336 [Accessed 18 May. 2014].

Thursday, 1 May 2014

Register Process Continued

The last process within the register form is to develop the activation email:
  • Here I used an auto responder to mail the activation link to the users
  • The subject and link are displayed within the email
  • This is followed by a confirmation email on the success of the registration and a notice for them to activate their accounts




Wednesday, 30 April 2014

Register Process

I started of the register process by 


I then went ahead and started validating the fields, here I checked various factors:
  • All fields have been filled in, if they are not (==  "") then the echo message will notify them
  • Email fields 1 and 2 (email and confirm email) need to match if they don't (!=) another echo will notify them about this error. Here I carried out the same process for password 1 and 2 (password and confirm password)


  • I also verified the emails to see if they were valid address, important for the process of activating accounts
  • I used a hmac for the password encryption
  • sha512 was used although it is not the best method combining it with bcrypt and salt would enforce it
  • The unique key created for the website was linked to this section as it is the unique character set for the password security
  • I then create a prepare statement that checks to see if the email and chosen username exist within the database if they do they will need to change the details 

  • After all the validations are made a try catch block is created where a prepared statement executes the query that inserts all the information inserted within the form onto the database
  • The last usersid from the login table is gathered so that the system allocated the next usersid to the new registered individual
  • This id is stored within the activation table along with the users unique token, this id and token are set within the email activation link therefore only valid once and for that user


Monday, 28 April 2014

Register Page: Key

The register page was too simple in terms of the ability to add security therefore other fields were added to the form:
  • confirm email address
  • confirm password
Both of these extra fields would enable the ability to create queries that check various elements and enforces them:
  • checks passwords match
  • checks emails match
  • checks all fields are filled in
  • checks to see of the email exists within the database

This process undertook a large portion of this terms time as I had to read up a lot on PDO luckily there were several YouTube tutorials that went through the stages of developing prepare statements, bind values and executing them. These video not only speeded up production time as they gave me an insight of what needed to be done it also helped me learn through a piratical process.

Key
I started of by creating the key, this is part of the password securing method that will work alongside the hmac and bcrypt.


I run this code on the browser to produce the unique key for this website, this key was then saved onto a text file in the textfiles folder. 


I then developed a .htaccess that secures the file with the sensitive information from being accessed by unauthorised personnel.




Sources
Price, I. (2013). PHP Lesson: PDO: Error Handling, Try/Catch, Querying Database Results. [video] Available at: https://www.youtube.com/watch?v=ncrjieoiTrg&index=2&list=PL0BBakFmJ-JlELdmy9LX7c_l7V4XMad84 [Accessed 28 Apr. 2014].

Price, I. (2013). PHP Lesson: PDO: Getting Organized. [video] Available at: https://www.youtube.com/watch?v=iZlasj41KSY&list=PL0BBakFmJ-JlELdmy9LX7c_l7V4XMad84&index=4 [Accessed 28 Apr. 2014].

Price, I. (2013). PHP Lesson: PDO: Introduction To Prepared Statements. [video] Available at: https://www.youtube.com/watch?v=bvxid3DoLjE&list=PL0BBakFmJ-JlELdmy9LX7c_l7V4XMad84&index=5 [Accessed 28 Apr. 2014].

Price, I. (2013). PHP Lesson: PDO: More Error Handling. [video] Available at: https://www.youtube.com/watch?v=ybVwU9rg32Q&index=3&list=PL0BBakFmJ-JlELdmy9LX7c_l7V4XMad84 [Accessed 28 Apr. 2014].

Price, I. (2013). PHP Lesson: PDO: More On Prepared Statements. [video] Available at: https://www.youtube.com/watch?v=dJ7NAD4IZMg&list=PL0BBakFmJ-JlELdmy9LX7c_l7V4XMad84&index=6 [Accessed 28 Apr. 2014].

Price, I. (2013). PHP Lesson: PDO: OOP Explained, How To Create A Simple Class. [video] Available at: https://www.youtube.com/watch?v=TUtblDPw9UI&index=7&list=PL0BBakFmJ-JlELdmy9LX7c_l7V4XMad84 [Accessed 28 Apr. 2014].

Price, I. (2013). PHP Lesson: PDO: Transactions. [video] Available at: https://www.youtube.com/watch?v=6jWzMnmGsvk&index=8&list=PL0BBakFmJ-JlELdmy9LX7c_l7V4XMad84 [Accessed 28 Apr. 2014].

Saturday, 26 April 2014

Converting conninfo.php to PDO

Since I am adapting the project to PDO one of the important adaptations was to the conninfo.php file that connects and access the database. Within PDO is the procedure is slightly differently however it is not a drastic change therefore by following a quick tutorial I was able to adapt this document fairly quickly.



Sources
Price, I. (2014). PHP Lesson: PDO: Connecting To A Database. [video] Available at: https://www.youtube.com/watch?v=cbiLi0CBHNM&list=PL0BBakFmJ-JlELdmy9LX7c_l7V4XMad84 [Accessed 26 Apr. 2014].

Friday, 18 April 2014

jQuery Password Strength Checker

Apart from echoing out messages about functions and processes that the user has requested it is also important to add such feedback within other sections. I decided to implement a password strength checker within the register form using a jQuery function. The purpose of this is as the user enters their chosen password the system with provide them with feedback as to how safe and effective it is, not only does it show the user but also encourages them to adapt it if it is a weak combination. The process was quite quick as the register form had already been developed, I only needed to add an id name to the password field and referenced it on the jQuery function at the top of the page. I then download the jQuery script, saving it to my js folder with the rest of the jQuery functions, this document was linked to the web pages through the script tag. I used a tutorial as a guideline as it was just an addition to the rest of the functionality