not functioning in while($row->$statement->fetch()) using php PDO - php

if(isset($_POST['btnLogin']))
{
$username = $_POST['txtusername'];
$pass_word = $_POST['txtpassword'];
$hashed_password = crypt(sha1($pass_word));
$sqlQuery = "SELECT * from users WHERE username = :username AND password = :password" ;
$statement = $conn->prepare($sqlQuery);
$statement->execute(array(':username' =>$user , ':password'=>$hashed_password));
while($row->$statement->fetch())
{
$id = $row['id'];
$username = $row['username'];
$password = $row['password'];
if(strcmp('$password', '$hashed_password') == 0)
{
echo "<script type='text/javascript'>console.log("Sucess");</script>";
}
else
{
echo "<script type='text/javascript'>console.log("Failed");</script>";
}
}
}
In here I am implementing the Sign in a page using PHP PDO codes.
I have no previous experience in using PHP PDO.I do the Sign up page without any errors but unfortunately program is not execute after
while($row->$statement->fetch())
here are the HTML codes
<section>
<div class="container">
<div class="login-form">
<h1>Sign In</h1>
<form id="login-form" method="post" action="">
<div class="form-group">
<input type="text" name="txtusername" placeholder="Username" data-validation="required">
</div>
<div>
<input type="password" name="txtpassword" placeholder="Password" data-validation="required">
</div>
<input type="submit" name="btnLogin" value="Login">
</form>
</div>
</div>
</section>
PHP VERSION : 5.3.8
Please give any suggestion to me for solve it


Try the below. If it doesn't work, wrap your query in this and turn error reporting on.
if(isset($_POST['btnLogin']))
{
$username = $_POST['txtusername'];
$pass_word = $_POST['txtpassword'];
$hashed_password = crypt(sha1($pass_word));
$sqlQuery = "SELECT * from users WHERE username = :username AND password = :password" ;
$statement = $conn->prepare($sqlQuery);
$statement->execute(array(':username' =>$user , ':password'=>$hashed_password));
while($row = $statement->fetch_object())
{
$id = $row->id;
$username = $row->username;
$password = $row->password;
if(strcmp('$password', '$hashed_password') == 0)
{
echo '<script type="text/javascript">console.log("Success");</script>';
}
else
{
echo '<script type="text/javascript">console.log("Failed");</script>';
}
}
}

Related

How can i display the User's name after loggin in using PHP?

I want to show the name of the user after logging in (e.g. Hey User!) using PHP, i tried the $username = $_SESSION['username']; but it keeps giving me nothing (Hey !).
Here's my PHP code:
<?php
session_start();
$connection = mysqli_connect('localhost','root','admin');
mysqli_select_db($connection, 'user_registration');
$email = $_POST['email'];
$password = $_POST['password'];
$verify_emailpass = " select * from user_table where email = '$email' && password = '$password'";
$result = mysqli_query($connection, $verify_emailpass);
$num = mysqli_num_rows($result);
if($num == 1){
$_SESSION['loggedin'] = true;
$username = $_SESSION['username'];
echo "Hey $username !";
}else{
echo "<b>Incorrect Email or Password.</b>";
}
?>
Here's the Html log in From:
<form action="validation.php" method="post">
<div class="row content">
<div class="col-12">
<b><p class="text-align">Se connecter:</p></b>
</div>
<div class="col-12">
<input name="email" type="text" class="input-box shadow-sm" placeholder="Adresse E-mail" required/>
</div>
<div class="col-12">
<input name="password" type="password" class="input-box shadow-sm" placeholder="Mot de passe" required/>
</div>
</div>
<div class="button-2">
<button id="loginButton" type="submit" class="next-button shadow-sm"><img src="res/icons/button-arrow.svg" width="45px" height="45px" /></button>
</div>
</form>
And I was wondering how can i get any information i want from the user after he logs in in order to place it in other pages like Profile page or so?

If this page is login than session is empty
I think it's check mysql email and password
Than this code
$data['username'] username is mysql name column name
<?php
session_start();
$connection = mysqli_connect('localhost','root','admin');
mysqli_select_db($connection, 'user_registration');
$email = $_POST['email'];
$password = $_POST['password'];
$verify_emailpass = " select * from user_table where email = '$email' && password = '$password'";
$result = mysqli_query($connection, $verify_emailpass);
$num = mysqli_num_rows($result);
if($num == 1){
$data = $result->fetch_assoc()
$_SESSION['username'] = $data['username'];
$_SESSION['loggedin'] = true;
$username = $_SESSION['username'];
echo "Hey $username !";
}else{
echo "<b>Incorrect Email or Password.</b>";
}
?>```

Update this line with
$username = $_SESSION['username'];
With this
$username = $result[‘username’]; $_SESSION['username'] =
$username;

Login form doesn't verify the password

I am working on a login form and the password doesn't get verified from some reason. The user supposed to log in into system with email and password. I am matching user based on the email with the data in database. Could you please look at it?
Customer table
HTML form in file index.php
<div id="test-popup" class="white-popup mfp-hide col-sm-4 col-sm-offset-4 col-xs-10 col-xs-offset-1 align-center">
<img src="images/logo-white.png" alt="" height="120px" width="120px" />
<h5 class="font-alt">Login to Your Account</h5>
<br/>
<form method="post" action="login.php" class="form">
<div class="mb-20 mb-md-10">
<input type="text" name="email" id="email" class="input-md form-control" placeholder="Email" required />
</div>
<div class="mb-20 mb-md-10">
<input type="password" name="password" id="password" class="input-md form-control" placeholder="Password" required />
</div>
<div class="mb-20 mb-md-10">
<input type="submit" name="login" class="login btn btn-mod btn-medium" id="btnLogIn" value="Login" />
</div>
</form>
</div>
File login.php
<?php
require_once 'connection_db.php';
$response = new stdClass;
if (empty($_POST['email']) || empty($_POST['password'])) {
$response->success = false;
$response->message = 'Email and password cannot be empty.';
} else {
$sql = 'SELECT * FROM `customer` WHERE `email` = ? ';
$email = $_POST['email'];
$password = $_POST['password'];
$password = password_hash($password, PASSWORD_DEFAULT);
// print_r($password, true);
try {
$stmt = $db->prepare($sql);
$stmt->bind_param('s', $email);
$stmt->execute();
$result = $stmt->get_result();
$array = $result->fetch_array(MYSQLI_ASSOC);
// print_r($array, true);
if (count($array)) {
$response->success = true;
$response->message = 'Login successful.';
session_start();
$_SESSION['email'] = $email;
$_SESSION['id'] = $id;
$_SESSION['current_page'] = $_SERVER['HTTP_REFERER'];
header("Location: ". $_SESSION['current_page']);
} else {
$response->success = false;
$response->message = 'Wrong username or password.';
header("Location: index.php#test-popup");
}
}
catch (Exception $e) {
$response->success = false;
$response->message = "Error.";
}
}
// unset($db);
?>

Here's a generic setup of how your login script should look:
if (isset($_POST['submit']))
{
$email = $_POST['email'];
$password = $_POST['password'];
if (!empty($email) && !empty($password))
{
$res = $dbh->prepare("SELECT * FROM `customer` WHERE `email` = ?");
$res->execute([$email]);
$row = $res->fetch(MYSQLI_ASSOC);
if ($res->rowCount() > 0)
{
if (password_verify($password, $row['password']))
{
$_SESSION['user_session'] = $row['uid'];
header('Location: loggedIn.php');
} else {
// echo incorrect pass
}
} else {
// echo no such user...
}
} else {
// echo something...
}
}
You should be using password_verify for your login script. You only use password_hash for registering to hash the password that has been submitted.

Why can't this be SQL injected?

I have to make an application that can be SQL injected, but I can't make it possible to SQL inject. I tried everything to SQL inject it, but I didn't succeed. It's possible to write the username like admin'# because that comments out the line.
I hope you can help me. You see my code just underneath.
<?php
include('include/config.php');
include('parts/header.php');
$submit = $_POST['submit'];
$username = $_POST['username'];
$password = $_POST['password'];
if ($submit) {
if(!empty($username OR !empty($password))) {
$sqlQuery = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'");
if(mysql_num_rows($sqlQuery) == 1) {
// Success - admin'#
echo "LOGGEDIN";
$_SESSION['loggedin'] = 1;
}
else {
echo "Wrong password or username";
}
}
else {
echo "You didn't fill every field.";
}
}
?>
<div id="container">
<form action="login.php" method="POST">
<input type="text" name="username" placeholder="Type user name...">
<input type="password" name="password" placeholder="Type password...">
<input type="submit" name="submit" value="Log in">
</form>
</div>

<?php
include('include/config.php');
include('parts/header.php');
$submit = $_POST['submit'];
$username = (int)$_POST['username'];
$password =(int)$_POST['password'];
if ($submit) {
if(!empty($username OR !empty($password))) {
$sqlQuery="SELECT * FROM users WHERE user_login = '$username' AND password = '$password'";
//SELECT * FROM `wp_users` WHERE `user_login`='1' OR '1' = '1' AND `user_pass`='1' OR '1' = '1'
//$sqlQuery = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$password'");
echo $sqlQuery;
exit;
if(mysql_num_rows($sqlQuery) == 1) {
// Success - admin'#
echo "LOGGEDIN";
$_SESSION['loggedin'] = 1;
} else {
echo "Wrong password or username";
}
} else {
echo "You didn't fill every field.";
}
}
?>
<div id="container">
<form method="POST">
<input type="text" name="username" placeholder="Indtast brugernavn..">
<input type="password" name="password" placeholder="Indtast kodeord..">
<input type="submit" name="submit" value="Log ind">
</form>
</div>
You Query output will be this and always true,
SELECT * FROM wp_users WHERE user_login = '7' AND user_pass = '7'

You can use the mysql_real_escape_string function to make a variable secure:
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

When button is submit, PHP doesn't know

<html>
<div class="panel-body">
<form method="post" action="index.php">
<div class="form-group">
<input class="form-control" placeholder="username" name="username" type="text" autofocus>
</div>
<div class="form-group">
<input class="form-control" placeholder="password" name="password" type="password" value="">
</div>
<input type='submit' name="submit" value='Login'>
</form>
<?php
if(isset($_POST['submit']))
{
$username = sanitize($_POST['username']);
$password = sanitize($_POST['password']);
if($username && $password)
{
$query = mysql_query("SELECT Name, Password FROM users WHERE Name = '$username' LIMIT 1");
if(mysql_num_rows($query) == 1)
{
while($row = mysql_fetch_assoc($query))
{
$dbusername = $row['Name'];
$dbpassword = $row['Password'];
}
$somename = hash( 'whirlpool', $password);
$somename = strtoupper($somename);
if($username == $dbusername && $somename == $dbpassword)
{
$_SESSION['username'] = $dbusername;
header('location: /pcp/home.php');
}
else $error = "Wrong password!";
}
else $error = "Username doesn't exist!";
}
else $error = "Type name and password!";
}
?>
</div>
</html>
When I submit the button with correct password and user, it doesn't go to home.php but when I reload, it goes.
It's using bootstrap, is this the reason why? If so or not, could you help me fix it.

If you want to add your php code together with form elements, you need to write
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>" >
or not. Simply separate form page & php page.
It means that
index.php
<html>
<div class="panel-body">
<form method="post" action="check.php">
<div class="form-group">
<input class="form-control" placeholder="username" name="username" type="text" autofocus>
</div>
<div class="form-group">
<input class="form-control" placeholder="password" name="password" type="password" value="">
</div>
<input type='submit' name="submit" value='Login'>
</form>
</div>
</html>
ckeck.php
<?php
if(isset($_POST['submit']))
{
$username = sanitize($_POST['username']);
$password = sanitize($_POST['password']);
if($username && $password)
{
$query = mysql_query("SELECT Name, Password FROM users WHERE Name = '$username' LIMIT 1");
if(mysql_num_rows($query) == 1)
{
while($row = mysql_fetch_assoc($query))
{
$dbusername = $row['Name'];
$dbpassword = $row['Password'];
}
$somename = hash( 'whirlpool', $password);
$somename = strtoupper($somename);
if($username == $dbusername && $somename == $dbpassword)
{
$_SESSION['username'] = $dbusername;
header('location: /pcp/home.php');
}
else $error = "Wrong password!";
}
else $error = "Username doesn't exist!";
}
else $error = "Type name and password!";
}
?>

PHP update rows in table

Hello I am having some issue here i created a script to update users account details but when the form is filled in and submit button clicked no errors come up but at the same time no changes are made in the table
THIS IS ONLY A DUMMY APPLICATION SO EVERYTHING IS KEEP BASIC
<?php
session_start();
include('connect_mysql.php');
if(isset($_POST['update']))
{
$usernameNew = stripslashes(mysql_real_escape_string($_POST["username"]));
$passwordNew = stripslashes(mysql_real_escape_string($_POST["password"]));
$first_nameNew = stripslashes(mysql_real_escape_string($_POST["first_name"]));
$last_nameNew = stripslashes(mysql_real_escape_string($_POST["last_name"]));
$emailNew = stripslashes(mysql_real_escape_string($_POST["email"]));
$user_id = $_SESSION['user_id'];
$editQuery = mysql_query("UPDATE users SET username='$usernameNew', password='$passwordNew', first_name='$first_nameNew', last_name='$last_nameNew' , email='$emailNew' WHERE user_id='$user_id'");
if(!$editQuery)
{
echo mysql_error($editQuery);
die($editQuery);
}
}
?>
<html>
<head>
<title>Edit Account</title>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<link href="style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="wrapper">
<header><h1>E-Shop</h1></header>
<article>
<h1>Welcome</h1>
<h1>Edit Account</h1>
<div id="login">
<ul id="login">
<form method="post" name="editAccount" action="userEditAccount.php" >
<fieldset>
<legend>Fill in the form</legend>
<label>Select Username : <input type="text" name="username" /></label>
<label>Password : <input type="password" name="password" /></label>
<label>Enter First Name : <input type="text" name="first_name" /></label>
<label>Enter Last Name : <input type="text" name="last_name" /></label>
<label>Enter E-mail Address: <input type="text" name="email" /></label>
</fieldset>
<br />
<input type="submit" value="Edit Account" class="button">
<input type="hidden" name="update" value="update">
</form>
</div>
<form action="userhome.php" method="post">
<div id="login">
<ul id="login">
<li>
<input type="submit" value="back" onclick="index.php" class="button">
</li>
</ul>
</div>
</article>
<aside>
</aside>
<div id="footer">Text</div>
</div>
</body>
</html>
SOrry for some reason the I forgotten to copy this part faceslap
login.php:
<?php
session_start();
require('connect_mysql.php');
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
$username = $_POST["username"];
$password = $_POST["password"];
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$query = mysql_query("SELECT * FROM users WHERE Username='$username' AND Password='$password'");
$numrow = mysql_num_rows($query);
if($username && $password){
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrow = mysql_num_rows($query);
if($numrow !=0){
while($row = mysql_fetch_assoc($query)){
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if($username == $dbusername && $password == $dbpassword ){
$_SESSION['user_id'] = $user_id;
header("Location: userhome.php");
}
else{
echo "Incorect password";
}
}
else{
die("This user dosent exists");
}
}
else{
$reg = die("Please enter username and password");
}
}
?>

You haven't called session_start() at the beginning of the file, so $username will be an empty string, and the update command will only update rows where the username is an empty string.
Edit: In fact, that code won't even be run, because you haven't called session_start(), isset($_SESSION['update']) will evaluate to false.
Did you mean to write $_SESSION['update']? Shouldn't that be $_POST['update']?
Last but not least, personally I would replace this:
<input name="update" type="submit" submit="submit" value="Edit Account" class="button">
with this:
<input type="submit" value="Edit Account" class="button">
<input type="hidden" name="update" value="update">
At least for clarity. I don't know if it's still the case, but in time gone by not all browsers submitted the name/value of the submit button.

Sir from the code given above i think you have error in your login.php
$_SESSION['user_id'] = $user_id;
You are not assigning value to $user_id that why it is setting blank value to $_SESSION['user_id'].
<?php
session_start();
require('connect_mysql.php');
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
$username = $_POST["username"];
$password = $_POST["password"];
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$query = mysql_query("SELECT * FROM users WHERE Username='$username' AND Password='$password'");
$numrow = mysql_num_rows($query);
if($username && $password){
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrow = mysql_num_rows($query);
if($numrow !=0){
$user_id = 0;
while($row = mysql_fetch_assoc($query)){
$dbusername = $row['username'];
$dbpassword = $row['password'];
$user_id = $row['user_id'];
}
if($username == $dbusername && $password == $dbpassword ){
$_SESSION['user_id'] = $user_id;
header("Location: userhome.php");
}
else{
echo "Incorect password";
}
}
else{
die("This user dosent exists");
}
}
else{
$reg = die("Please enter username and password");
}
}
?>

Categories