This is the code for my log in forum. The problem with it is that it only accepts as correct credentials the first username and password (basically only the first row). Any ideas as to how I could change it?!
<?php
session_start();
include_once("connect.php");
$token = "";
if($con->connect_error){
die("Connection failed: ".$con->connect_error);
}
$sql = "SELECT * FROM authme";
$result = mysqli_query($con, $sql) or die(mysqli_error($con));
while(mysqli_num_rows($result)>0){
while($row = $result->fetch_assoc()){
if(isset($_POST['realname']))
$username = $_POST['realname'];
if($result->num_rows>1){
if(mysqli_num_rows($result)>1){
$_SESSION['uid'] = $row['id'];
$_SESSION['realname'] = $row['realname'];
}
$password = '$SHA$'.substr($row['password'],5,16).'$'.hash('sha256', hash('sha256',$_POST['password']).substr($row['password'],5,16));
if($password == $row['password'] ){
header("Location: index.php");
exit();
}
else {
echo "INVALID INFORMATION, PLEASE RETURN!";
// header("location: index.php");
session_destroy();
exit();
}
}
}
}
?>
I decided to try to make a log in forum that uses a database which encrypts the passwords it receives through a register form. This code only takes as correct the first username and password I give in and it's not enough, as you could imagine.
Welcome to programming with PHP. I'm going to try to share a few principles that may help you solve your problem.
1.) One of the best features in PHP is the print_r() function. Using this function you can output almost anything to text in the browser. So in this case you may want to insert a print_r($result) immediately following this line "$result = mysqli_query($con, $sql) or die(mysqli_error($con));". This will output the results of the query that PHP is receiving. This can be used to help you troubleshoot and determine why your code isn't working. Once you're done troubleshooting delete that line.
2.) You seem to have multiple checks for the number of rows inside the while loop. I'm not sure why you have those there, but you may want to check if those are causing your trouble by using echo or print to display the values in the browser for troubleshooting. Once you're done troubleshooting delete that line.
3.) Another overall concept for the data you are querying. It is inefficient to send a query that gets the entire table and returns it to the program, that then loops through every row looking for the data. Instead you should write an SQL query to return only the row of data that you want. Make sure you do use prepared statements.
4.) Your coding standards could use some improvement, if you clearly tabbed your statements it would be easier to read. Consider reading PSR-2. For example this code seems to be missing {}'s.
if(isset($_POST['realname']))
$username = $_POST['realname'];
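A sketch of point 3 as an added example (not code from the question or the answer): one prepared query fetches only the submitted user's row, then the `$SHA$salt$hash` value is recomputed the way the question does and compared in constant time. PDO with in-memory SQLite stands in for the MySQL connection so it runs without a server; the function names and the two sample users are constructed for illustration.

```php
<?php
// Added example: not the asker's code. SQLite in memory stands in for MySQL.

// Verify the question's format: $SHA$<16-char salt>$<sha256(sha256(pw) . salt)>
function verify_sha_hash(string $password, string $stored): bool
{
    $parts = explode('$', $stored);            // ['', 'SHA', salt, digest]
    if (count($parts) !== 4 || $parts[1] !== 'SHA') {
        return false;                          // unknown format: reject
    }
    [, , $salt, $digest] = $parts;
    $candidate = hash('sha256', hash('sha256', $password) . $salt);
    return hash_equals($digest, $candidate);   // constant-time comparison
}

// Fetch only the row for the submitted name, then check the password.
function login(PDO $db, string $realname, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password FROM authme WHERE realname = ?');
    $stmt->execute([$realname]);               // value is bound, not concatenated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !verify_sha_hash($password, $row['password'])) {
        return null;                           // same result for bad name or bad password
    }
    return (int) $row['id'];
}

// Constructed sample data (two users), so a row other than the first is exercised.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authme (id INTEGER PRIMARY KEY, realname TEXT UNIQUE, password TEXT)');
$insert = $db->prepare('INSERT INTO authme (realname, password) VALUES (?, ?)');
foreach (['alice' => 'first-pass', 'bob' => 'second-pass'] as $name => $pw) {
    $salt = bin2hex(random_bytes(8));          // 16 hex characters
    $hash = '$SHA$' . $salt . '$' . hash('sha256', hash('sha256', $pw) . $salt);
    $insert->execute([$name, $hash]);
}

var_dump(login($db, 'bob', 'second-pass'));    // second row, correct password
var_dump(login($db, 'bob', 'first-pass'));     // wrong password
var_dump(login($db, "x' OR '1'='1", 'any'));   // quote characters stay inside the bound value
```

The same prepare/execute calls work with a MySQL DSN. For new accounts, PHP's password_hash() and password_verify() are the standard replacement for this fast salted SHA-256 scheme.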
I'm trying to use a delete function for my sql table, but the php backend code throws lots of errors. I've tried it several ways and none seem to work.
session_start(); //starts the session
if($_SESSION['user']){ //checks if user is logged in
}
else
{
header("location:index.php"); // redirects if user is not logged in
}
if($_SERVER['REQUEST_METHOD'] == "GET")
{
mysql_connect("localhost", "root","") or die(mysql_error()); //Connect to server
mysql_select_db("first_db") or die("Cannot connect to database"); //Connect to database
$StaffID=$_GET['StaffID'];
$sql = "DELETE FROM volunteer WHERE StaffID = '$StaffID'" ;
if(mysql_query($sql))
{
echo"Record deleted successfully.";
}
else
{
echo "ERROR: Could not execute $sql.";
mysql_error ($link);
}
mysql_close();
}
This seemed to work, how would I then get this function to return me to the original table with the record deleted?
You should consider recycling your PHP knowledge. There are a lot of things in it that are not used anymore, for example the mysql library. Try to use PDO in your next projects.
There are a few problems with your code.
1- In mysql_query function you are passing a variable $link that apparently is not defined before. So, you should check it.
2 - The order of the variables in mysql_query function is not correct. See the link below:
http://php.net/manual/pt_BR/function.mysql-query.php
3 - You are using a constant or a string in your where clause. You should use the variable defined one line before.
I saw these problems. Fix them, try again and post the results.
Regards,
I'm about to use mysqli instead of mysql for the first time in my procedural PHP application.
index.php
include(db_conn.php);
<html>
<body>
<?php include(content.php);?>
</body>
</html>
db_conn.php
<?php
$con=mysqli_connect("localhost","my_user","my_password","my_db");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
content.php
mysqli_query($con,"SELECT * FROM Persons");
mysqli_query($con,"INSERT INTO Persons (FirstName,LastName,Age)
# more code...
mysqli_query necessarily requires the connection variable and my connection is stored in variable $con in the included db_conn.php file which is unavailable in another included content.php file.
Within your content.php use require(db_conn.php); And if you have a function defined in there, you're going to have to put require(db_conn.php); INSIDE that function.
The database connection doesn't seem to have exactly the same scoping as a standard variable.
I know when coding it, you feel like "I should only have to include this once!" but shrug get everything else working first, and if someone wants to pay you to go back and try to "fix" this... work on it then. ;)
I have researched my question but there just isn't much help out there for MySQLI functions. I'm also new here so, please bear with me.
I have a test database named "website" and it contains a table called "users" which has data for all of the members of my website. In a separate file I have the php code that connects to my localhost and selects the database "website." I'm using the newest functions of MySQL so instead of the connection string containing mysql_connect it contains mysqli_connect. The registration process works great and I can find no error in any of the other code that uses the mysqli functions.
My include file (connect.php)
<?php
$link = mysqli_connect("localhost", "useracc", "useracc1", "website");
?>
I set up a test script for the login section.
<?php
include('connect.php');
$user = $_POST['user'];
$query = "SELECT birthday FROM users";
$result = mysqli_query($link, $query) or die ("RESULT ERROR");
echo "$user";
echo "$result";
?>
There is a password box on the previous page but for the test script I left that out and so far, only the $user is shown on the page. I get no error even when I replace "RESULT ERROR" with mysqli_error($link). I've tried interchanging ' for " in every part of the code that uses quotes but that didn't work. I've tried rewording the $query line but that also had no effect. I'm really new to MySQL and php so if you guys could tell me where I'm going wrong I'd really appreciate it.
Thanks for reading my question. Have a great day.
Add the following lines to connect.php after your connect line:
if (mysqli_connect_errno()) {
printf("Can't connect Errorcode: %s\n", mysqli_connect_error());
exit;
}
This will ensure the connection is made without any errors and return them if there are ...
I am developing a web application that allows a user to add entries to a MySQL database through a web form. The web form posts to the same page, some PHP code captures that data and sends it to MySQL. For whatever reason, nothing ever makes it to MySQL. This is the code I have so far that isn't working:
<?php
include("config.inc.php");
$Name=$_POST['AddName'];
$Group=$_POST['AddGroup'];
$Grade=$_POST['AddGrade'];
$Position=$_POST['AddPosition'];
$Email=$_POST['AddEmail'];
$HomeAddress=$_POST['AddHomeAddress'];
$City=$_POST['AddCity'];
$State="SC";
$Zip=$_POST['AddZIP'];
$CellPhone=$_POST['AddCellNumber'];
$HomePhone=$_POST['AddHomeNumber'];
$FirstPeriod=$_POST['AddFirstPeriod'];
$SecondPeriod=$_POST['AddSecondPeriod'];
$ThirdPeriod=$_POST['AddThirdPeriod'];
$FourthPeriod=$_POST['AddFourthPeriod'];
$FifthPeriod=$_POST['AddFifthPeriod'];
$SixthPeriod=$_POST['AddSixthPeriod'];
$SeventhPeriod=$_POST['AddSeventhPeriod'];
$Homeroom=$_POST['AddHomeroom'];
$dbpassword=$_POST['AddPassword'];
$con = mysql_connect("127.0.0.1","$username","******");
if (!$con)
{
die();
}
mysql_select_db("$database", $con);
$sql="INSERT INTO names (Name,Grp,Grade,Position,Email,HomeAddress,City,State,Zip,CellPhone,HomePhone,FirstPeriod,SecondPeriod,ThirdPeriod,FourthPeriod,FifthPeriod,SixthPeriod,SeventhPeriod,Homeroom)
VALUES('$Name','$Group','$Grade','$Position','$Email','$HomeAddress,'$City','$State','$Zip','$CellPhone','$HomePhone','$FirstPeriod','$SecondPeriod','$ThirdPeriod','$FourthPeriod','$FifthPeriod','$SixthPeriod','$SeventhPeriod','$Homeroom')";
if (!mysql_query($sql,$con))
{
die();
}
echo "1 record added";
mysql_close($con)
?>
</body>
</html>
Try this and see what it says:
if (!mysql_query($sql,$con))
{
die(mysql_error());
}
Try inserting echo mysql_error();. This should give you at least a starting place to where your query is incorrect.
mysql_close($con) should have a semi-colon at the end.
check your log for errors.
use mysql_real_escape_string
PHP hides errors. To debug, start by placing these two lines as the first lines within the <?php tag
error_reporting(E_ALL);
ini_set('display_errors', '1');
Also in case the error was in mysql you can do:
print_r(mysql_fetch_array(mysql_query("SHOW WARNINGS", $con)));
or
print_r(mysql_fetch_array(mysql_query("SHOW ERRORS", $con)));
Directly after the mysql query you think may have failed.
die(mysql_error());
will fix it.
Also have a look at escaping. It would be very easy to inject into the current code.
If you are not going to escape (I don't know when you would do that) you might as well use the $_POST rather than assigning to a variable and using the variable.
change your database selection to
mysql_select_db("database name")
or
mysql_select_db($database);
You are trying to select a database named "$database" with a dollar sign as a string, not the name in that variable.
Also, use
mysql_real_escape_string($sql) to escape those variables (avoiding SQL injection). You can find links about it in other comments.
change
$sql="INSERT INTO names (Name,Grp,Grade,Position,Email,HomeAddress,City,State,Zip,CellPhone,HomePhone,FirstPeriod,SecondPeriod,ThirdPeriod,FourthPeriod,FifthPeriod,SixthPeriod,SeventhPeriod,Homeroom)
VALUES('$Name','$Group','$Grade','$Position','$Email','$HomeAddress,'$City','$State','$Zip','$CellPhone','$HomePhone','$FirstPeriod','$SecondPeriod','$ThirdPeriod','$FourthPeriod','$FifthPeriod','$SixthPeriod','$SeventhPeriod','$Homeroom')";
to
$sql="INSERT INTO names (Name,Grp,Grade,Position,Email,HomeAddress,City,State,Zip,CellPhone,HomePhone,FirstPeriod,SecondPeriod,ThirdPeriod,FourthPeriod,FifthPeriod,SixthPeriod,SeventhPeriod,Homeroom)
VALUES('$Name','$Group','$Grade','$Position','$Email','$HomeAddress','$City','$State','$Zip','$CellPhone','$HomePhone','$FirstPeriod','$SecondPeriod','$ThirdPeriod','$FourthPeriod','$FifthPeriod','$SixthPeriod','$SeventhPeriod','$Homeroom')";
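An added example (not code from the question or any answer) of the same INSERT written with bound parameters, which removes both the injection risk and the missing-quote class of bug fixed above. It uses PDO with in-memory SQLite in place of MySQL and only a subset of the question's columns; the remaining period columns follow the same pattern. `FIELD_MAP`, `insert_name` and the sample submission are constructed for illustration.

```php
<?php
// Added example, not the asker's code. Column names come from the question;
// in-memory SQLite stands in for MySQL and the sample POST data is constructed.

// Column => form field map. Only these column names can ever appear in the SQL text.
const FIELD_MAP = [
    'Name' => 'AddName', 'Grp' => 'AddGroup', 'Grade' => 'AddGrade',
    'Position' => 'AddPosition', 'Email' => 'AddEmail',
    'HomeAddress' => 'AddHomeAddress', 'City' => 'AddCity', 'Zip' => 'AddZIP',
];

function insert_name(PDO $db, array $post): int
{
    $values = ['State' => 'SC'];               // fixed value, as in the question
    foreach (FIELD_MAP as $column => $field) {
        $values[$column] = trim((string) ($post[$field] ?? ''));
    }
    $columns = array_keys($values);
    $marks = implode(',', array_fill(0, count($columns), '?'));
    $sql = 'INSERT INTO names (' . implode(',', $columns) . ") VALUES ($marks)";
    $stmt = $db->prepare($sql);
    $stmt->execute(array_values($values));     // values are bound, never spliced into $sql
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw
$db->exec('CREATE TABLE names (id INTEGER PRIMARY KEY, Name TEXT, Grp TEXT, Grade TEXT,
    Position TEXT, Email TEXT, HomeAddress TEXT, City TEXT, State TEXT, Zip TEXT)');

$post = [   // constructed form submission containing quote characters
    'AddName' => "Conan O'Brien", 'AddGroup' => 'A', 'AddGrade' => '11',
    'AddPosition' => 'Member', 'AddEmail' => 'conan@example.com',
    'AddHomeAddress' => "12 King's Row", 'AddCity' => 'Columbia', 'AddZIP' => '29201',
];
$id = insert_name($db, $post);

// Read the row back to confirm the apostrophes were stored as data.
$check = $db->prepare('SELECT Name, HomeAddress, State FROM names WHERE id = ?');
$check->execute([$id]);
print_r($check->fetch(PDO::FETCH_ASSOC));
```

With `PDO::ERRMODE_EXCEPTION` set, a failed statement raises an exception instead of failing silently, which covers the debugging advice in the answers without a bare `die()`.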