Duke, posted September 14, 2014
Chapter 13, page 421, creating a receipt page.... Wondering if anyone else had this issue or if anyone can recommend a workaround... For the query to grab the order info, this is not working: "SHA1(email)=?". I have echoed out $email_hash and I have echoed out sha1(email address in the order)... they are the same... I am wondering if there is a mysqli issue when using sha1?
Duke (author), posted September 14, 2014
For some reason sha1() is not working in my query on page 423. Here is what I did... In chapter 10 I used http://www.larryullman.com/forums/index.php?/topic/3373-chapter-10-checkoutphp/; in chapter 13 I am not verifying the correct email address in the query on page 423... I am verifying the customer_id that is set in checkout.php. I am setting a session y using the customer_id value, then on final.php I am using this session in the URL, not sha1(email). On receipt.php I changed the IF statement that validates the required parameter (page 422, step 3). I then changed the query (page 423) to check y, which is now customer_id..... changed sha1(email)=? to c.customer_id=?..... Seems to be working... not sure how secure this is... I hope this is not total confusion.....
Larry, posted September 22, 2014
Where do things stand with this? Do you still need help?
Duke (author), posted September 24, 2014
Larry, thank you for checking. So far it is working fine. If I find this not working I will post here. I am not sure how secure this is.
Larry, posted September 25, 2014
If I understand correctly, you're using the customer ID in the URL? If so, that's not great. Database primary keys should be kept hidden as much as possible. To test it security-wise, what happens when you change the customer ID in the URL manually?
Duke (author), posted September 25, 2014
Yes Larry, you understand correctly... Yes, I was thinking using a primary key or any information from the database in the URL is not too cool.... If I change either the x or y in the URL the page will display:
--------------------------------------------------
OOpps! Error!This page has been accessed in error.
-----------------------------------------------------
Maybe I should add a header redirection and exit(); Thank you for your interest in this thread.....
Larry, posted September 26, 2014
I think we should go back to the original approach and SHA1(). You've done some debugging work there, but I would pursue it further. Let me know if you need help with that.
Duke (author), posted September 30, 2014
I believe my issue has to do with my hosting. I found this. I am not that tech savvy so not sure. I also tried using MD5... same issue. I hard coded the hash from the URL into the query, i.e. WHERE o.id=? AND 'url hash'=?'....... this works. I also hard coded the email address for the order.... and changed the query to ...AND c.email=?... this works...... and of course using customer_id works.... Everything seems to work until I use sha1 or md5.... My only fix is to go back and add a column to orders called email_hash and create the hash in the PHP when the order is added to the customers table.... then use in the query WHERE o.id=? AND c.email_hash=?
Larry, posted October 2, 2014
I think your solution is close, although you could just retrieve the email address (i.e., run the query without using it in the WHERE clause), then hash it in PHP and compare it to the received hash. It's a bit laborious, but doesn't require a change to the database.
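The approach Larry describes above, as an added example that is not the book's, Duke's or Larry's code: the receipt query fetches the order and the customer's e-mail address by order id only, and the SHA1 comparison against the hash carried in the URL happens in PHP rather than in MySQL. The table and column names (orders o, customers c, o.id, o.total, o.order_date, c.email, c.customer_id, o.customer_id), the URL parameter names x and y, the existing mysqli connection $dbc and the redirect target are all assumptions.

```php
<?php
// Added example (not from the book or the thread). Assumptions: $dbc is an open
// mysqli connection; orders o joins customers c on customer_id; the receipt URL
// carries x (order id) and y (hex SHA1 of the customer's e-mail address).

/**
 * Shape check for the two URL parameters: x must be a positive integer,
 * y a 40-character hex string. Anything else is rejected before a query runs.
 */
function valid_receipt_params(string $x, string $y): bool
{
    if (!ctype_digit($x) || (int) $x < 1) {
        return false;
    }
    return strlen($y) === 40 && ctype_xdigit($y);
}

/**
 * Fetch the order by id, then verify the e-mail hash in PHP.
 * Returns the order row on success, or null when the order does not exist
 * or the hash in the URL does not match sha1() of the stored e-mail address.
 */
function fetch_receipt(mysqli $dbc, string $x, string $y): ?array
{
    if (!valid_receipt_params($x, $y)) {
        return null;
    }

    // No SHA1() in SQL: the WHERE clause uses only the order id.
    $q = 'SELECT o.id, o.total, o.order_date, c.email
          FROM orders AS o
          INNER JOIN customers AS c ON c.customer_id = o.customer_id
          WHERE o.id = ?';
    $stmt = mysqli_prepare($dbc, $q);
    if ($stmt === false) {
        return null;
    }
    $order_id = (int) $x;
    mysqli_stmt_bind_param($stmt, 'i', $order_id);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $row = $result ? mysqli_fetch_assoc($result) : null;
    mysqli_stmt_close($stmt);

    if (!is_array($row)) {
        return null;
    }

    // Hash the stored e-mail address in PHP, exactly as final.php produced the
    // URL value, and compare in constant time. The URL value is lowercased so
    // a differently cased but otherwise correct hex digest still matches.
    $expected = sha1($row['email']);
    if (!hash_equals($expected, strtolower($y))) {
        return null;
    }

    unset($row['email']); // the receipt page does not need the address itself
    return $row;
}

// Usage on receipt.php: reject bad or missing parameters with a redirect and
// exit() instead of rendering the "accessed in error" page.
$x = (isset($_GET['x']) && is_string($_GET['x'])) ? $_GET['x'] : '';
$y = (isset($_GET['y']) && is_string($_GET['y'])) ? $_GET['y'] : '';
$order = fetch_receipt($dbc, $x, $y);
if ($order === null) {
    header('Location: http://www.example.com/index.php'); // assumed target
    exit();
}
// $order['id'], $order['total'] and $order['order_date'] are now safe to display.
```

Two points worth keeping in mind with this design. hash_equals() (PHP 5.6 and later) is used rather than == so that the comparison does not leak how many leading characters of the hash were correct. And the hash is only as secret as the e-mail address it is derived from, so the check proves knowledge of the customer's address, not possession of anything order-specific; the example keeps the book's SHA1(email) scheme, but a random per-order token stored when the order is created would be a stronger secret to put in the URL.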
Duke (author), posted October 2, 2014
AAhhh.. Many thanks Larry... I am going to try your solution...
Duke (author), posted October 9, 2014
Larry, hi... I used your solution... working great... Many thanks....
Larry, posted October 14, 2014
Awesome. Thanks for letting me know!