I created a mysql table and the data is inserted in the table by input tag using php. When I insert a password value in table's password column by using <input type="password">. It automatically adds amp; in the end of the string. How to remove it?
<?php
$username = $_POST['username'];
$password = $_POST['password'];
echo $username;
echo $password;
$connection = mysqli_connect("localhost", "root", "", "register");
if (!$connection) {
die("can not connect to database");
}
$sql = "SELECT * FROM signupinfo WHERE username= '" . $username . "' AND password ='" . $password . "' ";
$result = mysqli_query($connection, $sql);
if (!$result) {
die(mysqli_error($connection));
}
if (mysqli_num_rows($result) == 1) {
echo "login successfull";
} else {
echo "sorry incorrect password or username";
}
There could 3 possibilities:
1) Check the character set of your password field, it should be utf8_general_ci
OR
2) Remove unwanted spaces like:
SELECT * FROM signupinfo WHERE username='".$username."' AND password='".$password."'
OR
3) Decode your password variable like:
SELECT * FROM signupinfo WHERE username='".$username."' AND password='".html_entity_decode($password)."'
Can you please share your PHP code for submitting it on DB.
I think you are sending it via GET method.
And it is similar like -
submitdemo.php?username=test & password=test &
Or may be something like this in POST method.
Please check that you are not sending extra & on the last of the parameter string.
Related
I want to select the password data of a user so they can log in on my website (for a member only website). I have a hash of the password and the username written to a table called "users" upon account creation. I do not know how to select a row on the table, so I get the error when the code looks for, something?
I found this on w3, but I don't understand what each part of the code means.
I tried to edit the code so it would match my user case, but I don't know how to.
$servername ="127.0.0.1";
$dbusername = "root";
$dbpassword = "";
$dbname = "users";
//create connection to db
$conn = new mysqli($servername, $dbusername, $dbpassword, $dbname);
$sql = "SELECT id, username, password FROM users";
$result == $conn->query($sql);
if ($result->num_rows > 0) {
// output data of each row
while($row == $result->fetch_assoc()) {
echo $userid = $row["id"] && $serverpassword = $row["password"] && $serverusername = $row["username"];
}
} else {
echo "User Lookup Failed";
}
$conn->close();
You don't need to select all records from database and then iterate all of them to check correct user. Besides, you should only select user by username and password as below:
$sql = "SELECT id, username, password FROM users WHERE username = '".$serverusername."' AND `password` = '".serverpassword."' ";
Apart, you should use data binding instead of variable to avoid SQL injection.
While giving the correct login ID and Password which is there in the databse "tutorial" in table "users", it is giving me an error on the login.php which is being redirected.
Error is:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near ''users' WHERE 'user' = 'XYZ'' at line 1
where XYZ is the username given from the user.
<?php
$inputuser = $_POST["user"];
$inputpass = $_POST["pass"];
$user = "root";
$password = "";
$database = "tutorial";
$connect = mysql_connect("localhost", $user, $password);
#mysql_select_db($database) or die("Database not found");
$query = "SELECT * FROM 'users' WHERE 'user' = '$inputuser'";
$querypass = "SELECT * FROM 'users' WHERE 'password' = '$inputpass'";
$result = mysql_query($query) or die(mysql_error());
$resultpass = mysql_query($querypass) or die( mysql_error());
$row = mysql_fetch_array($result);
$rowpass = mysql_fetch_array($resultpass);
$serveruser = $row["user"];
$serverpass = $row["password"];
if ($serveruser && $serverpass){
if(!$result){
die("Username Name or Password is invalid");
}
echo "<br><center>Database Output</b> </center><br><br> ";
mysql_close();
echo $inputpass;
echo $serverpass;
if($inputpass == $serverpass){
header('Location: home.php');
} else {
echo "Sorry, bad Login";
}
}
?>
Abhik Chakraborty is correct.
If you want to enclose field/column or table names you have to use backticks (so ` instead of '). The backtick is the diagonal quote on the button next to the "1", above "Tab".
To enclose field values you should use quotes the way you did.
Your corrected query: SELECT * FROM `users` WHERE `user` = '$inputuser';
HOWEVER, you should never, ever insert input gotten from a user directly into a query. If they type in something like a';DROP TABLE your_table_name; they can cause your database to start deleting tables, requesting records, etc.
Use correct escaping of user input: see this StackOverflow article on how to safely escape user input.
Instead of single quotes you should use back ticks (`)
<?php
//CONNECT TO DATABASE
$db_host="localhost";
$db_username="root";
$db_pass="";
$db_name="admin";
#mysql_connect("$db_host","$db_username","$db_pass","$db_name")
or die ("not connect");
#mysql_select_db("$db_name") or die ("no database");
echo "succesful connection";
//THEN I CHECK THE VALUES FROM MY FORM
if($_SERVER ['REQUEST_METHOD']=='POST'){
$username=$_POST['username'];
$password=$_POST['password'];
$username=htmlspecialchars($username);
$password=htmlspecialchars($password);
//SEARCH INTO MY DATABASE TABLE
$SQL="SELECT * FROM members WHERE`` username=$username AND password=$password ";
$result=mysql_query($SQL);
//BASED ON MY RESULTS I GIVE TO SESSION VARIABLE A VALUE 1 OR "" AND REDIRECT TO INDEX.PHP
if($result){
$num_rows=mysql_num_rows($result);
if($num_rows>0){
session_start();
$_SESSION['check']="1";
header ("Location:index.php");
}
else{
session_start();
$_SESSION['check']="";
header ("Location:index.php");
}
}
}
?>
#mysql_connect and #mysql_select_db: Please don't do that,
Use mysqli instead of the deprecated mysql extension, see Why shouldn't I use mysql_* functions in PHP?
There is a reason why functions maybe throws errors, you should handle it, instead of using # so they don't show up.
To your problem:
Look at your sql statement:
$SQL="SELECT * FROM members WHERE`` username=$username AND password=$password ";
That doesn't work, you pass $password as plain text for the password, not the value of this var, try:
$SQL='SELECT * FROM members WHERE username="' . $username . '" AND password="' . $password . '";
I think you have issue in your sql query. So try this
$SQL="SELECT * FROM members WHERE `username`='".$username."' AND `password`='".$password."' ";
Issue :
1) You are using direct $username without single quote so if username is string it will not work
2) check that special character you are using after WHERE
My script is supposed to log the user into my database.
it does this by checking whether or not the username and password matches a row on the staff table.
if it is discovered that the username and password does exist it stores the username and password on the cookie.
The problem that I'm getting is that users are not being logged in.
It has been identified via the echo method that the following variables have the following values upon clicking the button
$row = 0
$username = whatever is in the username field on the form
this seems to indicate that there is something wrong with the query
<?php
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = '';
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
$dbname = 'the_shop';
mysql_select_db($dbname);
if(isset($_GET['submit']))
{
$username = $_GET['username'];
$password = md5($_GET['password']);
echo "$username + $password <br />";
// insert user into db
// $sql = "INSERT INTO `logindb`.`users` (`id`, `username`, `password`) VALUES (NULL, '".$username."', '".$password."');";
// echo $sql;
// $result = mysql_query($sql);
// getting user from db
$query = "SELECT Username, Password FROM staff WHERE `Username`='.$username.'";
$result = mysql_query($query)
or die(mysql_error());
$num=mysql_numrows($result);
echo $num;
if($num <= 0) {
echo "login not successful";
echo "$username";
}
else
{
$_SESSION['username'] = '$username';
$_SESSION['password'] = '$password';
//header("Location:Admin_Control_panel.php");
}
}
?>
For starters your $query has unwanted characters (.) in there.
"SELECT Username, Password FROM staff WHERE `Username`='.$username.'"
^ ^
Should be.
"SELECT Username, Password FROM staff WHERE `Username`= '$username'"
Without the dots.
This line:
$query = "SELECT Username, Password FROM staff WHERE `Username`='.$username.'";
Needs to be:
$query = "SELECT Username, Password FROM staff WHERE `Username`='$username'";
There is no need to concatenate the string since you're using double-quotes and PHP is parsing the $ values inside a double quoted string.
Your query should be:
$query = 'SELECT Username, Password FROM staff WHERE Username = ' . $username;
I suggest looking into PDO (PHP Data Objects) as an alternative to the method you are using and parameterising your variables.
http://php.net/manual/en/book.pdo.php
$query = "SELECT Username, Password FROM staff WHERE `Username`='$username'";
I've spent quite a long time trying to figure out why this block of code is not working. After logging in (on an html page that uses post to send the data to this php document) it says: "cannot select the database!!" (without quotes). Please help! Thank you!
<?php
$host="localhost";
$username="root";
$password="";
$db_name="firstTestLogins";
$tbl_name="members";
mysql_connect("$host", "$username, $password") or die("cannot connect to the database!!");
mysql_select_db("firstTestLogins") or die("cannot select the database!!");
$username=$_POST['username'];
$password=$_POST['password'];
$username=stripslashes($username);
$password=stripslashes($password);
$username=mysql_real_escape_string($username);
$password=mysql_real_escape_string($password);
$password = md5($password);
echo "This is a debug statement. User = $username and password = $password <br><br><br>";
if(!($sql="SELECT * FROM $tbl_name WHERE username = '$username' and password = '$password")) {die(mysql_error());}
$result = mysql_query($sql);
$test3 = mysql_num_rows(/*$result*/mysql_query($sql));
echo "$test3";
if(mysql_num_rows(/*$result*/mysql_query($sql))) { //should be true because only one row should match the user and pass
$_SESSION['username'] =1;
$_SESSION['password'] =1;
header("location:login_success.php");
}
else {
echo "The incorrect username or password was inserted";
}
?>
This is wrong:
mysql_connect("$host", "$username, $password");
it needs to be
mysql_connect($host, $username, $password);
you will see the exact problem by outputting mysql_error().
mysql_select_db("firstTestLogins")
or die("cannot select the database! ".mysql_error());
please change the code from:
mysql_select_db("firstTestLogins") or die("cannot select the database!!");
to:
mysql_select_db("firstTestLogins") or die(mysql_error());
This will help you to figure out why MYSQL cannot select the DB
In addition to the comments about selecting the database:
if(!($sql="SELECT * FROM $tbl_name WHERE username = '$username' and password = '$password")) {die(mysql_error());}
Silly doing a test with a mysql_error if the $sql string isn't being set... this won't generate a mysql error
You're also missing a closing ' in your $sql
$sql="SELECT * FROM $tbl_name WHERE username = '$username' and password = '$password'";
$result = mysql_query($sql);
if(!$result)
die(mysql_error());
Only thing I can think of is that the firstTestLogins database either doesn't exist on the database or is not accessible by the username/password combination you're using.