So I have an SQL database that has a table for accounts and info, and another one for storing comments on articles. I Have a form for submitting comments and it works just fine, but I wanted to implement a feature to prevent spam and non registered accounts. I was trying to find a way to make the following code work so that it would call upon my account table and check to see if the username section matches what was entered in the form.
I want it to check through my username column on the table to see if what was entered in the box is actually in the database as well, that way if it hasn't been registered it won't submit.
My problem I keep running into is that I try this
<?
if ($_POST['Uname']==`username`){
$strSQL="INSERT INTO `comments`
(`name`,`comment`,`date`,`#`) VALUES
('".$_POST['Uname']."','".$_POST['Comment']."',
'".$_POST['Date']."','".$_POST['#']."')";
}
else{
echo "Username invalid";
}
}
?>
But when I do this it thinks that "username" is what the username needs to be in order to submit properly.
I do not want every username to need to be "username" in order for them to submit, I just want it to check through my username column to see if what was entered is one of the registered usernames in the SQL column.
Im not sure if this is possible, or if I am making any sense, but this is my first post on this site and I would appreciate any help I could get.
Full code is below
<?
if ($_POST['Enter']=='Enter'){
$con = mysql_connect
("sql***.*******.com","*****","*******");
$db_selected = mysql_select_db("*********",$con); //My login
$test2=$_GET['ID']; //Ignore
$_POST['#']=$test2; //Ignore
$sql="Select * from `Articles` and `Accounts`"; //For pulling data
mysql_query($strSQL,$con);
if ( ? == ? ){ //What should go here?
$strSQL="INSERT INTO `comments`
(`name`,`comment`,`date`,`#`) VALUES
('".$_POST['Uname']."','".$_POST['Comment']."',
'".$_POST['Date']."','".$_POST['#']."')";
}
else{
echo "Username invalid";
}
}
?>
Edit
So after making the changes needed, should my previous code end up like this?
<?
if ($_POST['Enter']=='Enter'){
$con = mysql_connect
("*******","********","*****");
$db_selected = mysql_select_db("*****",$con);
$test2=$_GET['ID'];
$_POST['#']=$test2;
$username = $_POST['Uname'];
$sql = "Select `id` from `Accounts` where `username` = $username";
mysqli_num_rows($sql,$result);
$row_cnt = mysqli_num_rows($result);
printf("Result set has %d rows.\n", $row_cnt);
echo $result;
if ($row_cnt!=''){
$strSQL="INSERT INTO `comments`
(`name`,`comment`,`date`,`#`) VALUES ('".$_POST['Uname']."',
'".$_POST['Comment']."',
'".$_POST['Date']."',
'".$_POST['#']."')";
}
else{
echo "Username invalid";
}
}
?>
Obviously what you doing is not correct, as of now you are putting condition as :
if ($_POST['Uname']==`username`)
which means you saying any user who's name is 'username' should be able to comment, but what you want to achieve is, any user who is valid user and is exist in db should be able to comment. So for that you should write a select sql to check the user, :
$username = $_POST['Uname'];
$sql = "select id from yourusertable where username = $username";
then,
perform
mysqli_num_rows
to check if you get anything greater than zero. If yes, then allow to submit comments.
Simply apply the check that only loggedIn user can comment. So if the user will not exist in users table it will not be loggedIn nor can comment.
Related
I am very new to PHP and I'm trying to make a Log-In system with MySQL. I have a form where the user registers and it saves in a database table called registers. I already have the Log-In verify and all those things. When only one user is registered, it works perfectly. But when another user registers, the SELECT thing only selects the first ro (first user's pw), so the second user can't log-in because the SELECT doesn't include all the table's rows. Here is my code:
include 'cn.php';
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$user = htmlspecialchars($_REQUEST["user"]);
$u_password = htmlspecialchars($_REQUEST["password"]);
$qry = "SELECT user, password FROM registers";
$result = mysqli_query($conexion, $qry);
$row = mysqli_fetch_array($result);
$db_user = $row["user"];
$db_password = password_verify($u_password, $row["password"]);
if($u_password == $db_password) {
echo "<script>alert('You are in')</script>";
} else {
echo "<script>alert('Error')</script>";
}
}
My question is: How can I select ALL the rows inside registers, since select only detects the first row, that in this case is the first user registered?
In your MYSQL query, you need to specify which username's row you want to extract from MySQL. As you are not specifying a username, it just extracts the first row as you suspect.
Instead of:
$qry = "SELECT user, password FROM registers";
Use this:
$username_requested = mysqli_real_escape_string($conexion, $_REQUEST["user"]);
$qry = "SELECT user, password FROM registers where `user`='username_requested'";
Alright, so I have setup a very simple login in and sign up database, it is working perfectly.
However, one of the page I have created where users can check their acccount information (Username and Email) is not working fully.
I have a database that has four columns ID, username, email and password.
All I am doing is taking the user information from the database (Who is logged in) and displaying their username and email on the page.
The problem is that the code is logging every user within the database, I only want it to select one user (The user that is logged in.)
Code:
<?php
// SQL query
$strSQL = "SELECT * FROM users";
// Execute the query (the recordset $rs contains the result)
$rs = mysql_query($strSQL);
// Loop the recordset $rs
// Each row will be made into an array ($row) using mysql_fetch_array
while($row = mysql_fetch_array($rs)) {
// Write the value of the column FirstName (which is now in the array $row)
echo $row['email'] . "<br />";
echo $_SESSION['username'];
}
// Close the database connection
mysql_close();
?>
I'm thankful for the help !
You probably need to store the username value in a $_SESSION in your login session.
if (!isset($_SESSION)) {
session_start();
$_SESSION['id'] = the_id_of_your_logged_username;
}
Then using the value that is stored in the $_SESSION to retrieve the logged user.
session_start();
$id = $_SESSION['id'];
$query = "SELECT * FROM users WHERE id='$id'";
In these way, you can retrieve the logged user, just commonly on how users login and gets their profile directly.
Your SQL query should look something like this...
"SELECT * FROM users WHERE ID = '$user_id'"
Remember to fix any SQL vulnerabilities
$user_id = mysql_real_escape_string($user_id);
Can someone point me out how can I save the default password if it is blank?
Its an update issue. Im making an update page when the user update their profile.
Its a long profile info. I did not post it all here coz my only problem is the password field.
Even if it is leave as blank it still updating the field on the database.I use md5 for encryption. Below is the code. Please just add the code, your code. Thank you.
The id is=1 because im just testing it. Ill only have one data in the userstest table.
$desire= $_POST['desired'];//username field
$password = md5(trim(mysql_prep($_POST['password'])));//password field
$passconfirm = md5(trim(mysql_prep($_POST['confirmpassword']))); //confirmpasswor field
$sql = mysql_query("UPDATE userstest SET username = '$desire',password='$password',confirmpassword='$passconfirm' WHERE id=1");
if(mysql_affected_rows()==1){
echo "Update Successfull";
}else{
echo "Update Failed" . mysql_error();
}
Add a if condition while building query
$sql = "UPDATE userstest SET username = '$desire'";
if($password) {$sql += ",password='$password',confirmpassword='$passconfirm'";}
$sql += " WHERE id=1";
then run the query mysql_query($sql);
Don't update the password or confirmpassword columns if those fields are blank. Just don't add them to the SQL query in that case.
By the way, why are you even saving the confirmpassword? Shouldn't this always be the same as password? It's usually only used in an if statement in the PHP script to see that the user didn't do a typo.
This question already has answers here:
How to check username and password matches the database values
(3 answers)
Closed 11 months ago.
I have a form which has a textbox with the name attribute username and another one with the name attribute password.
I also have a database with columns called user and pass. When my users signed up it added the username to the user column and password to the pass column.
How would I make a MySQL query to check if the form submitted the right username and password and then if it did have a branch to let me input the code for if it succeeded?
I really need some code, this bit isn't going well I know it should be something like SELECT * FROM table WHERE username == $username AND... but then I'm stuck because I have an MD5 password in the database and that first bit is probably wrong. Please help. :)
Thanks
//set vars
$user = $_POST['user'];
$pass = md5($_POST['pass']);
if ($user&&$pass)
{
//connect to db
$connect = mysql_connect("$server","$username","$password") or die("not connecting");
mysql_select_db("users") or die("no db :'(");
$query = mysql_query("SELECT * FROM $tablename WHERE username='$user'");
$numrows = mysql_num_rows($query);
if ($numrows!=0)
{
//while loop
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
else
die("incorrect username/password!");
}
else
echo "user does not exist!";
}
else
die("please enter a username and password!");
Instead of selecting all the columns in count count(*) you can limit count for one column count(UserName).
You can limit the whole search to one row by using Limit 0,1
SELECT COUNT(UserName)
FROM TableName
WHERE UserName = 'User' AND
Password = 'Pass'
LIMIT 0, 1
1.) Storage of database passwords
Use some kind of hash with a salt and then alter the hash, obfuscate it, for example add a distinct value for each byte. That way your passwords a super secured against dictionary attacks and rainbow tables.
2.) To check if the password matches, create your hash for the password the user put in. Then perform a query against the database for the username and just check if the two password hashes are identical. If they are, give the user an authentication token.
The query should then look like this:
select hashedPassword from users where username=?
Then compare the password to the input.
Further questions?
I've got a signup/login system on my site, and I've made it so that if someone tries to sign up with a username that is already in use, it posts an error underneath the form. However, instead of posting the error message that I created, it returns a MySQL error "Error: Query was empty". Here is the code that I am trying to use to do this:
// checks if the username is in use
if (!get_magic_quotes_gpc()) {
$_POST['username'] = addslashes($_POST['username']);
}
$usercheck = $_POST['username'];
$check = mysql_query("SELECT username FROM userpass WHERE username = '$usercheck'")
or die(mysql_error());
$check2 = mysql_num_rows($check);
//if the name exists it gives an error
if ($check2 != 0) {
$error = "Sorry, the username ".$_POST['username']." is already in use.";
}
What am I doing wrong?
Thanks
Your query is nonsense (SELECT username ... WHERE username =...)
What you must do is adding UNIQUE constraint on username and trying directly to insert the user in your database. If username does already exist the query will return an error.
ALTER TABLE user ADD UNIQUE (username)
and just try to insert an user with existing id.