I have this code.
$stmt4 = $conn->prepare("SELECT likedFour FROM UserData WHERE username = 'jim'");
Right now, this should find the value of the row LikeFour when username = jim.
I have this if statement.
if ($stmt4 == '') {
}
Shouldn't this check if that value is empty?
It's not working.
This is the full code.
$stmt = $conn->prepare("SELECT * FROM UserData WHERE username = ?");
$stmt->bind_param('s',$username);
//$username = $_POST["username"];
$username ="jim";
$stmt->execute();
$stmt->store_result();
$stmt1 = $conn->prepare("SELECT likedOne FROM UserData WHERE username = ?");
$stmt1->bind_param('s',$username);
//$username = $_POST["username"];
$username ="jim";
echo "debug 2";
if ($stmt->num_rows == 0){ // username not taken
echo "debug 2.5";
die;
}else{
$result = mysqli_num_rows($stmt1);
echo "debug 2.7";
echo var_dump($stmt1);
if ($stmt1 == 00000){
echo "debug 3";
$sql = $conn->prepare("UPDATE UserData SET likedOne=? WHERE username=?");
$sql->bind_param('ss',$TUsername,$Username);
// $TUsername = $_POST["TUsername"];
// $Username = $_POST["username"];
$TUsername = "test";
$Username = "jim";
}
}
I would do this:
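$stmt4 = $conn->prepare("SELECT * FROM UserData WHERE username = 'jim'");
//This should grab the entire row where username == jim
$stmt4->execute();
$row = $stmt4->get_result()->fetch_assoc(); // row as an array, or NULL if no row matched (get_result() needs the mysqlnd driver)
Then
if(!$row || !$row['likedFour']){
echo "Nothing has been found";
}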
If everything else is all good that should work perfectly.
Try placing two equals signs instead of one. The first equals sign indicates that you are setting the condition while the second equals indicates you are checking to see if something is equal to the first variable.
This code should check if the row col intersection of LikedOne and the row where username is jim equals text "empty".
$stmt1 = $conn->prepare("SELECT likedOne FROM UserData WHERE username = ?");
$stmt1->bind_param('s',$username);
//$username = $_POST["username"];
$username ="jim";
$stmt1->execute();
$stmt1->store_result();
$res = $stmt1->fetch();
if ( $res == "empty"){
echo "debug 3";
$sql = $conn->prepare("UPDATE UserData SET likedOne=? WHERE username=?");
$sql->bind_param('ss',$TUsername,$Username);
// $TUsername = $_POST["TUsername"];
// $Username = $_POST["username"];
$TUsername = "test";
$Username = "jim";
$sql->execute();
}
The first time it does change it to test, but then it still prints debug 3, meaning it is still registering the $res as "empty" even though it should be "test".
Edit that is not working!
$stmt1 = $conn->prepare("SELECT likedOne FROM UserData WHERE username = ?");
$stmt1->bind_param('s',$username);
//$username = $_POST["username"];
$username ="jim";
$stmt1->execute();
$stmt1->bind_result($res);
$found_row = $stmt1->store_result();
if ( $found_row && $res == "empty"){
echo "debug 3";
$sql = $conn->prepare("UPDATE UserData SET likedOne=? WHERE username=?");
$sql->bind_param('ss',$TUsername,$Username);
// $TUsername = $_POST["TUsername"];
// $Username = $_POST["username"];
$TUsername = "test";
$Username = "jim";
$sql->execute();
}
$stmt1->fetch() doesn't return the contents of the likedOne column. It returns TRUE if a row was returned, NULL if there are no more rows in the result set, or FALSE if an error occurred.
To retrieve the data returned by a prepared statement, you need to use $stmt1->bind_result().
$stmt1 = $conn->prepare("SELECT likedOne FROM UserData WHERE username = ?");
$stmt1->bind_param('s',$username);
//$username = $_POST["username"];
$username ="jim";
$stmt1->execute();
$stmt1->bind_result($res);
$stmt1->store_result();
$found_row = $stmt1->fetch(); // fetch() copies the row into $res and returns TRUE if a row was returned
if ($found_row && $res == "empty") {
...
}
I'm not sure why your code that does this isn't working, but it's not necessary to do two queries, you can do it in one.
$sql = $conn->prepare("UPDATE UserData SET likedOne=? WHERE username=? AND likedOne = 'empty'");
$sql->bind_param('ss',$TUsername,$Username);
//$TUsername = $_POST["TUsername"];
//$Username = $_POST["username"];
$TUsername = "test";
$Username = "jim";
$sql->execute();
How to get the value of the column 'ProfilePicture' for the current user (which is stored in a session) from a database and save it into a variable?
Here is an example of a possible structure for the query:
if($email="iahmedwael#gmail.com" show 'ProfilePicture' value for that username) //declare a variable to save the value of ProfilePicture
<?php
$posted = true;
if (isset($_REQUEST['attempt'])) {
$link = mysqli_connect("localhost", "root", "", 'new1') or die('cant connect to database');
$email = mysqli_escape_string($link, $_POST['email']);
$password = mysqli_escape_string($link, $_POST['Password']);
$query = mysqli_query($link, " SELECT *
FROM 360tery
WHERE Email='$email'
OR Username= '$email'
AND Password='$password' "
) or die(mysql_error());
$total = mysqli_num_rows($query);
if ($total > 0) {
session_start();
$_SESSION['email'] = $email;
header('location: /html/updatedtimeline.html');
} else {
echo "<script type='text/javascript'>alert('Wrong username or Password!'); window.location.href='../html/mainpage.html';</script>";
}
}
For security purposes, it's my recommendation that you use PDO for all your database connections and queries to prevent SQL Injection.
I have changed your code into PDO. It should also get the value from the column ProfilePicture for the current user and save it to the variable $picture
Note: you will need to enter your database, name and password for the database connection.
Login Page
<?php
session_start();
$posted = true;
if(isset($_POST['attempt'])) {
$con = new PDO('mysql:host=localhost;dbname=dbname', 'user', 'pass');
$email = $_POST['email'];
$password = $_POST['Password'];
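$stmt = $con->prepare("SELECT * FROM 360tery WHERE Email=:email OR Username=:username");
// A named placeholder can be used only once unless emulated prepares are on, so bind the value under two names
$stmt->bindParam(':email', $email);
$stmt->bindParam(':username', $email);
$stmt->execute();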
if($stmt->rowCount() > 0) {
$row = $stmt->fetch();
if(password_verify($password, $row['Password'])) {
$_SESSION['email'] = $email;
header('location: /html/updatedtimeline.html');
exit; // stop the script once the redirect header has been sent
}else{
echo "<script type='text/javascript'>alert('Wrong username or Password!'); window.location.href='../html/mainpage.html';</script>";
}
}
}
?>
User Page
<?php
session_start();
$con = new PDO('mysql:host=localhost;dbname=dbname', 'user', 'pass');
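$stmt = $con->prepare("SELECT ProfilePicture FROM 360tery WHERE username=:username OR Email=:email");
// A named placeholder can be used only once unless emulated prepares are on, so bind the value under two names
$stmt->bindParam(':username', $_SESSION['email']);
$stmt->bindParam(':email', $_SESSION['email']);
$stmt->execute();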
if($stmt->rowCount() > 0) {
$row = $stmt->fetch();
$picture = $row['ProfilePicture'];
}
?>
Please let me know if you find any errors in the code or it doesn't work as planned.
Can someone please take a look at this block of code? I am very new to the PDO method, for some reason this keeps causing a 500 error whenever I submit.
I have narrowed it down to this:
Could it be this part? $hash = $stmt['hash'];
if(empty($response['error'])){
$stmt = $db->prepare("SELECT * FROM Login WHERE username= :username"); // Prepare the query
// Bind the parameters to the query
$stmt->bindParam(':username', $username);
//Carry out the query
$stmt->execute();
$hash = $stmt['hash'];
$affectedRows = $stmt->rowCount(); // Getting affected rows count
if($affectedRows != 1){
$response['error'][] = "No User is related to the Username";
}
if(password_verify($password, $hash))
{
$_SESSION['username'] = $_POST['username'];
$_SESSION['userid'] = $stmt['ID'];
}
else
{
$response['error'][] = "Your password is invalid.";
}
}
If you need more info please ask I will be happy to supply anything I can.
You need to fetch the result of the query to have it accessible. I'm not sure this is your issue, I'd think $hash would just be set to Resource Id#x, not what you want but not a 500. Here's how to fetch (http://php.net/manual/en/pdostatement.fetch.php) though
$stmt = $db->prepare("SELECT * FROM Login WHERE username= :username"); // Prepare the query
// Bind the parameters to the query
$stmt->bindParam(':username', $username);
//Carry out the query
$stmt->execute();
//if you will only be getting back one result you don't need the while or hashes as an array
while($result = $stmt->fetch(PDO::FETCH_ASSOC)){
$hashes[] = $result['hash'];
}
Here's a thread on enabling error reporting: "PHP production server - turn on error messages".
Also you don't have to bind to pass values with the PDO. You also could do
$stmt = $db->prepare("SELECT * FROM Login WHERE username= ?"); // Prepare the query
$stmt->execute(array($username));
Your code is really messy. Just to help you with a starting point:
if (empty($response['error'])) {
if (isset($_POST['username'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$stmt = $db->prepare("SELECT * FROM Login WHERE username= :username");
$stmt->bindParam(':username', $username);
$stmt->execute();
if ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
$hash = $row['hash'];
if(password_verify($password, $hash)) {
$_SESSION['username'] = $username;
$_SESSION['userid'] = $row['ID']; // read the column from the fetched row, not from the statement object
} else {
$response['error'][] = "Your password is invalid.";
}
} else {
$response['error'][] = "No User is related to the Username";
}
} else {
$response['error'][] = "Username is not set!";
}
}
When the user enters their details they click on login, but it's not working. My connection to the database is fine; it's this file that is not working. Any help would be appreciated, thanks.
include '../connection.php'; //used to include connection file that is 1 level higher in the directory
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
$fquery = 'SELECT Username FROM login LIMIT 0, 30 ';
$squery = 'SELECT Password FROM login LIMIT 0, 30 ';
$username_query = mysqli_query($dbc, $fquery);
$password_query = mysqli_query($dbc, $squery);
$username_row = mysqli_fetch_array($username_query);
$password_row = mysqli_fetch_array($password_query);
if($username == $username_row && $password == $password_row) {
echo 'username and password correct';
}
?>
<?php
include '../connection.php'; //used to include connection file that is 1 level higher in the directory
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
$query = 'SELECT Username FROM login WHERE Username = ? AND Password = ?';
/* set a default value to check against */
$valid_user = '';
/* use prepared statement */
$stmt = mysqli_stmt_init($dbc);
if (mysqli_stmt_prepare($stmt, $query)) {
/* set question marks equal to values */
mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
mysqli_stmt_execute($stmt);
/* get the valid username only if query is successful */
mysqli_stmt_bind_result($stmt, $valid_user);
mysqli_stmt_fetch($stmt);
/* close the statement */
mysqli_stmt_close($stmt);
}
/* check if default was overwritten */
if($valid_user != '') {
echo 'username and password correct';
}
?>
Try this out, should accomplish what you are trying to do.
$username_query = mysqli_query($dbc, $fquery);
$password_query = mysqli_query($dbc, $squery);
$username_row = $username_query->fetch_array(MYSQLI_ASSOC);
$password_row = $password_query->fetch_array(MYSQLI_ASSOC);
if($username == $username_row['Username'] && $password == $password_row['Password']) { // keys match the selected column names exactly
echo 'username and password correct';
}
$username = mysqli_real_escape_string($dbc, $_REQUEST['username']);
$password = mysqli_real_escape_string($dbc, $_REQUEST['password']);
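$query = "SELECT * FROM login WHERE Username = '$username' AND Password = '$password' LIMIT 1";
$result = mysqli_query($dbc, $query); // run the query; mysqli_num_rows() needs the result object, not the SQL string
if($result && mysqli_num_rows($result) > 0)
echo 'username and password correct';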
I have a PHP login script which is accessed with a simple form:
<?php
session_start();
try{
$user = 'root';
$pass = null;
$pdo = new PDO('mysql:host=localhost; dbname=divebay;', $user, $pass);
if(isset($_SESSION['loggedin'])){
echo "1"; //already logged in
}
else{
$username = $_POST['username'];
$password = sha1($_POST['password']);
$ucheck = $pdo->prepare('SELECT * FROM user WHERE username = ?');
$ucheck->bindValue(1, $username);
$ucheck->execute();
if($ucheck->fetch(PDO::FETCH_OBJ)){
$stmt = $pdo->prepare('SELECT * FROM user WHERE username = ? AND password = ?');
$stmt->bindValue(1, $username);
$stmt->bindValue(2, $password);
if($stmt->fetch(PDO::FETCH_OBJ)){
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$_SESSION['username'] = $row['username'];
$_SESSION['loggedin'] = 'YES';
$_SESSION['location'] = $row['location'];
echo "2"; //logged in
}
else{
echo "3"; //password incorrect
}
}
else{
echo "4"; //user does not exist
}
}
}catch(PDOException $e){
echo $e->getMessage();
}
?>
But when I attempt to run it using an account that I just created and have confirmed to exist within the database, I get no response from this script. I would expect it to echo 2 given that the login information is correct, but I get nothing.
Can anyone suggest what I've done wrong here?
It looks like you forgot to execute() the statement:
if($ucheck->fetch(PDO::FETCH_OBJ)){
$stmt = $pdo->prepare('SELECT * FROM user WHERE username = ? AND password = ?');
$stmt->bindValue(1, $username);
$stmt->bindValue(2, $password);
// Execute it!!!
if ($stmt->execute()) {
$row = $stmt->fetch(PDO::FETCH_ASSOC); // fetch as an array, since the lines below read $row['username']
if ($row) {
// And don't call fetch() again, since you would already have advanced
// the record pointer in the first fetch() above. If one record was returned,
// this one would always be FALSE.
//$row = $stmt->fetch(PDO::FETCH_ASSOC);
$_SESSION['username'] = $row['username'];
$_SESSION['loggedin'] = 'YES';
$_SESSION['location'] = $row['location'];
echo "2"; //logged in
}
// else execute failed...
}
Are you sure session.use_cookies = 1 in php.ini?
Please make sure you have a cookie named PHPSESSION.
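An added example, not code from any of the posts above, that pulls together the points made across the login threads: execute before fetching, call fetch() once and read columns from the returned row, verify against a stored password_hash() value, and return one message for both failure cases. It assumes the pdo_sqlite extension and uses a constructed in-memory SQLite table in place of the page's MySQL Login table; openDemoDb, verifyLogin and login are hypothetical names.

```php
<?php
declare(strict_types=1);

// Constructed demo data: an in-memory SQLite table standing in for the page's Login table.
function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw instead of passing silently
    $db->exec('CREATE TABLE Login (ID INTEGER PRIMARY KEY, username TEXT UNIQUE, hash TEXT)');
    $ins = $db->prepare('INSERT INTO Login (username, hash) VALUES (?, ?)');
    $ins->execute(['jim', password_hash('correct horse', PASSWORD_DEFAULT)]); // only the hash is stored
    return $db;
}

// Returns the user's ID when the credentials match, null on any failure.
function verifyLogin(PDO $db, string $username, string $password): ?int {
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $stmt = $db->prepare('SELECT ID, hash FROM Login WHERE username = ?');
    $stmt->execute([$username]);
    // fetch() exactly once: it returns the row as an array, or false when nothing matched.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($password, $dummy); // do comparable work for unknown users
        return null;
    }
    return password_verify($password, $row['hash']) ? (int) $row['ID'] : null;
}

function login(PDO $db, string $username, string $password): string {
    $id = verifyLogin($db, $username, $password);
    if ($id === null) {
        // Same message whether the user is unknown or the password is wrong.
        return 'Invalid username or password.';
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // new session ID once authenticated
        $_SESSION['userid'] = $id;
        $_SESSION['username'] = $username;
    }
    return 'ok';
}

$db = openDemoDb();
var_dump(login($db, 'jim', 'correct horse'));    // valid credentials
var_dump(login($db, 'jim', "' OR '1'='1"));      // quotes are bound as data, not parsed as SQL
var_dump(login($db, 'nobody', 'correct horse')); // unknown user
```

In a web request, call session_start() before login() so the session branch runs; from the command line the script only exercises the database and password checks.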