<?php
$output = NULL;
$ip = $_SERVER['REMOTE_ADDR'];
if (isset($POST['submit'])) {
$username = $mysqli->real_escape_string($_post['username']);
$password = $mysqli->real_escape_string($_post['password']);
$rpassword = $mysqli->real_escape_string($_post['rpassword']);
$email = $mysqli->real_escape_string($_post['email']);
$query = $mysqli->query("SELECT * FROM users WHERE username = '$username'");
if (empty($username) OR empty($password) OR empty($email) or empty($rpassword)) {
$output = "Please fill in all fields!";
} elseif ($query->num_rows != 0) {
$output = "That username is already taken!";
} elseif ($rpassword != $password) {
$output = "Password does not match!";
}
}
?>
Later on in the script, I use this:
<?php
echo $output;
?>
It does not echo, and yes, I have added the mysqli query, but I removed it for the safety of the database. You can also see that it does not echo at the website:
vobern.com
PHP is a case-sensitive Language. There is a difference between $_POST AND $_post. You may also want to take that into consideration. Now why don't you try doing it like below?
<?php
$output = NULL;
$ip = $_SERVER['REMOTE_ADDR'];
if(isset($_POST['submit'])){
// FOR THE VARIABLES BELOW, THERE IS A DIFFERENCE BETWEEN
// $_POST AND $_post (AS YOU WROTE)....
$username = htmlspecialchars(trim($_POST['username']));
$password = htmlspecialchars(trim($_POST['password']));
$rpassword = htmlspecialchars(trim($_POST['rpassword']));
$email = htmlspecialchars(trim($_POST['email']));
$query = $mysqli->query("SELECT * FROM users WHERE username = '$username'");
if (empty($username) || empty($password) || empty($email) || empty($rpassword)){
$output = "Please fill in all fields!";
}elseif($query->num_rows != 0){
$output = "That username is already taken!";
}elseif ($rpassword != $password){
$output = "Password does not match!";
}
}else{
// IF THIS POINT IS REACHED, THEN EVERYTHING SHOULD BE OK
$output = "Login Data is Correct";
}
var_dump($output);
?>
as pointed by DarkBee in comment you have many errors
if(isset($POST['submit'])) replace this with if(isset($_POST['submit']))
All $_post in your code should be $_POST in upper case.
You add one more else to the last
elseif ($rpassword != $password){
$output = "Password does not match!";
}else{
$output = "Valid input!";
}
Related
I cannot make the register to work with recaptcha but it work normally without it
<?php
require_once("database.php");
$conn= pdo_con();
ini_set('SMTP','smtp.intnet.mu');
ini_set('smtp_port',25);
ini_set('sendmail_from','admin#example.co.uk');
if(!empty($_POST) || isset($_POST['regis_submit'])){
// Should the code be place here cause I already try it. //
$errors = array();
if (empty($_POST['firstname']) || empty($_POST['regis_username']) || empty($_POST['lastname']) || empty($_POST['inputEmail'])
|| empty($_POST['phone_num']) || empty($_POST["gender"]) || empty($_POST['regis_pass']) || empty($_POST["postal_address"])
|| empty($_POST["DateField"]) ){
$errors[] = 'Value(s) in the form missing, please fill them all out!';
exit();
} else if(!preg_match ('%^[A-Za-zÀàÂâÇçÉéÈèÊêËëÔôÙùÎîÏïÛûÜü\.\' \-]{2,15}$%', $_POST['firstname'])){
$errors['firstname'] = '<p><font color="red">Please enter your first name!</font></p>';
exit();
} else if ( etc...
}
else if (count($errors) > 0) {
foreach($errors as $error) {
echo $error;
}
} else {
$firstname = escape_data($_POST['firstname']);
$username = escape_data($_POST['regis_username']);
$lastname = escape_data($_POST['lastname']);
$email = escape_data($_POST['inputEmail']);
$telephone = escape_data($_POST['phone_num']);
$password = escape_data($_POST['regis_pass']);
$address = escape_data($_POST['postal_address']);
$gender = escape_data($_POST['gender']);
$date = escape_data($_POST['DateField']);
//check if user already exist
$exist = "";
$query = $heidisql->prepare("SELECT user_id as 'exist' FROM users WHERE user_username='$username' OR email_address='$email' ");
$query->execute();
while($userRow = $query->fetch(PDO::FETCH_ASSOC)) {
$exist = $userRow['exist'];
}
if(strlen($exist) > 0){
echo 'Account already exist!';
exit();
} else {
$sql = "";
$stmt = $heidisql->prepare($sql);
$token = bin2hex(random_bytes(20));
$hash = password_hash($password, PASSWORD_BCRYPT);
$stmt->execute(array ( ... ));
my email here
if (mail($to, $subject, $message, $headers)) { // Sending email // email_to, subject, body,email_from
echo 'Thank you for your registration. Check your email, and click on the link to activate your account ';
exit();
} else {
echo'Server failed to sent message, please try again later.';
exit();
}
}
} // END of else statement
exit();
}
debug($errors);
}
WHere exactly should I put the captcha code below into my code... I already try to put it on top but I get an error. Undefined $responseKey or something like that.
$secretKey = "xxxx";
$responseKey = $_POST['g-recaptcha-response'];
$userIP = $_SERVER['REMOTE_ADDR'];
$url = "https://www.google.com/recaptcha/api/siteverify";
$response = file_get_contents($url."?secret=".$secretKey."&response=".$responseKey."&remoteIP=".$userIP);
$data_response = json_decode($response);
if(isset($data_response->success) AND $data_response==true){
} else {
}
The and div are properly place into my form. I just cant pinpoint where the code should be placed exactly.
I'm working on a log in form that users a text file (users.txt) to validate username/password against. I cannot use MYSQL for this.
The text file records are in this format:
user one:user1#email.com:user1:password1
user two:user2#email.com:user2:password2
If it validate just the USERNAME only, then it successfully checks the user: if ($currUser == $userUsername) {$valid = true; break;}BUT if I then try to validate both username and password I get the wrong result.($currUser == $userUsername && $currPass == $userPass) {$valid = true; break;} Results in "Invalid username or password"
I can't figure out what I'm doing wrong? When I echo the username and passwords they are a match!!!
SCRIPT:
if(isset($_POST['submit'])){
$form_is_submitted = true;
//FORM PROCESSING
if(isset($_POST['userName']) && isset($_POST['password'])) {
$currUser = $_POST['userName'];
$currPass = $_POST['password'];
$valid = false;//flag
while (!feof($fileHandle)) {
$userRow = fgets($fileHandle);
$userDetails = explode(':', $userRow);
if (!isset($userDetails[2])) {
$userDetails[2] = null;
}
if (!isset($userDetails[3])) {
$userDetails[3] = null;
}
$userUsername = $userDetails[2];
$userPass = $userDetails[3];
if ($currUser == $userUsername /*&& $currPass == $userPass*/) {
$valid = true;
//break;
}
}
if ($valid) {
echo "<br> $userUsername logged in sucessfully<br>";
} else {
echo "<br>Invalid user name or password<br>";
//FOR DEGUGGING ONLY!
echo $currUser . $userUsername;
echo $currPass . $userPass;
echo $_POST['password'];
echo $_POST['userName'];
}
} else {
$errors_detected = true;
$errors['not set'] = "Please enter username and password";
}
}
the fgets() function returns a line INCLUDING the linefeed \n (and the carriage return \r if its there). that means you have to remove those.
just change this:
$userPass = $userDetails[3];
to this:
$userPass = trim($userDetails[3]);
and it should work
I am trying to create an account registration page and when I add a system to check the database and make sure that there are not multiple rows with the same username, I get a 500 error.
Here's the code that works:
<?php
if(isset ($_POST['submit']))
{
include( 'connection.php' );
$username = $_POST['username'];
$password = $_POST['password'];
$email = $_POST['email'];
if(empty($username) || empty($email) || empty($password))
{
echo 'Please check the required fields.';
}
elseif(!filter_var($email,FILTER_VALIDATE_EMAIL))
{
echo 'Please enter a correct email address.';
}
else
{
$password = md5($password);
$sql = mysql_query("INSERT INTO users (email,username,password) VALUES ('$email','$username','$password')") or die(mysql_error());
if($sql)
{
echo 'Successfully submitted.';
}
}
}
?>
Here's the code that gives me a 500 error:
<?php
error_reporting(E_ALL)
if(isset ($_POST['submit'])) {
include( 'connection.php' );
$username = $_POST['username'];
$password = $_POST['password'];
$email = $_POST['email'];
$fetch = mysql_query("SELECT * FROM users WHERE username = '$email'") or die(mysql_error();
$num_rows = mysql_num_rows($fetch);
if(empty($username) || empty($email) || empty($password)) {
echo 'Please check the required fields.';
}
elseif(!filter_var($email,FILTER_VALIDATE_EMAIL)) {
echo 'Please enter a correct email address.';
}
elseif($num_rows >= 1);
{
echo 'This username is taken.';
else
}
$password = md5($password);
$sql = mysql_query("INSERT INTO users (email,username,password) VALUES ('$email','$username','$password')") or die(mysql_error());
if($sql)
{
echo 'Successfully submitted.';
}
}
}
?>
Maybe add a semi colon:
error_reporting(E_ALL);
EDIT:
You are also missing a ) on die(mysql_error();
Remove the ; from elseif($num_rows >= 1);
And then fix your else block to be } else {
You missed a semi-colon off your first statement
you have
else }
in your code. That's a syntax error. You're looking for
}
else {
instead.
What is the wrong in my code. it's say... (1) Username required (2) Password is not correct if i click Log in button without username and password, but it' should be show All filed required.
<?php
if(isset($_POST['action']) && isset($_POST['action']) == "Sign in")
{
include("../secure/content/database/db.php");
$uname = mysql_real_escape_string(trim($_POST['uname']));
$pass = md5(mysql_real_escape_string(trim($_POST['pass'])));
/// check user name
$sql = mysql_query("SELECT uname FROM members WHERE uname = '$uname'");
$num_u = mysql_num_rows($sql);
// check user password
$sql2 = mysql_query("SELECT pass FROM members WHERE pass = '$pass'");
$num_p = mysql_num_rows($sql2);
$err = array();
if(isset($uname) && isset($pass))
{
if( empty($uname) && empty($pass))
{
$err[] = "All field required";
}
else
{
if(empty($uname))
{
$err[] = "Username required";
}
else
{
if($num_u == 0) $err[] = "Username is not correct";
}
if(empty($pass))
{
$err[] = "Password required";
}
else
{
if($num_p == 0)
$err[] = "Password is not correct";
}
}
if(!empty($err))
{
foreach($err as $er)
{
echo "<font color=red>$er</font><br>";
}
}
else
{
include("content/include/newsession.php");
$tm = date("Y-m-d H:i:s");
$ip = $_SERVER['REMOTE_ADDR'];
$rt = mysql_query("insert into plus_user_login(id,uname,ip,tm, status, tm_out) values ('$_SESSION[id]','$_SESSION[uname]','$ip','$tm', 'ON', '')");
echo mysql_error();
print "<script>";
print " self.location='content/index.php';";
print "</script>";
}
}
}
Any idea or Solution..
On this line:
$pass = md5(mysql_real_escape_string(trim($_POST['pass'])));
You are calling md5() which will always return a value, even if $_POST['pass'] was empty. So empty($pass) will never be true.
The md5() sum of an empty string or NULL does not result in an empty value, so you always have a value in $pass, even if $_POST['pass'] was empty.
// Never empty
$pass = md5(mysql_real_escape_string(trim($_POST['pass'])));
// Because:
var_dump(md5(""));
string(32) "d41d8cd98f00b204e9800998ecf8427e"
When you check for the presence of $uname & $pass, use the $_POST values instead:
// instead of
if( empty($uname) && empty($pass))
// do
if(empty($uname) && empty($_POST['pass']))
please remove this md5 from following line, md5 create a string if pass is empty.
md5(mysql_real_escape_string(trim($_POST['pass'])));
use this.
mysql_real_escape_string(trim($_POST['pass']));
use md5 in another.
Your are running into this problem because empty strings are hashable see this.
Change
if(isset($uname) && isset($pass))
to
if(isset($uname) && isset($_POST['pass']))
In my php login script i used md5() function to select the password from db(database), but it's doesn't work. iT'S SHOW " Password is not correct!!!!!! " Although I'm insert the password to the db WITH md5() function. what is the problem in my script? And is it 100% secure script?
<?php
include("include/session.php");
include("header.php");
include("db.php");
?><head>
<link href="content/admincss/styleadmin.css" rel="stylesheet" type="text/css" />
</head>
<div id="container">
<br />
<?php
if ($_POST['admin'] = "Submit") {
$uname = mysql_real_escape_string(trim($_POST['uname_ad']));
$pass = md5(mysql_real_escape_string(trim($_POST['pass'])));
$u_ch = mysql_query("SELECT uname_ad FROM admin WHERE uname_ad = '$uname'") or die(mysql_error());
$u_ch_rel = mysql_num_rows($u_ch);
$p_ch = mysql_query("SELECT pass FROM admin WHERE pass = '$pass'") or die(mysql_error());
$p_ch_rel = mysql_num_rows($p_ch);
if (isset($uname, $pass)) {
$err = array();
if (empty($uname) && empty($pass))
$err[] = 'All field required.';
else {
if (empty($uname))
$err[] = 'Please write your username';
else {
if ($u_ch_rel !== 1)
$err[] = 'Username is not correct';
}
if (empty($pass))
$err[] = 'Please write your password';
else {
if ($p_ch_rel !== 1)
$err[] = 'Password is not correct';
}
}
if (!empty($err)) {
foreach ($err as $er) {
echo "<font color=red>$er</font><br>";
}
}
else {
if ($u_ch_rel = 1 && $p_ch_rel = 1) {
include "include/newsession.php"; //user session
$tm = date("Y-m-d H:i:s");
$ip = $_SERVER['REMOTE_ADDR'];
echo $ip;
$rt = mysql_query("insert into plus_login(id,uname,ip,tm)
values('$_SESSION[id]','$_SESSION[uname_ad]','$ip','$tm')");
echo mysql_error();
print "<script>";
print " self.location='content/index.php';";
print "</script>";
}
}
}
}
?>
</div>
The line below will always evaluate to TRUE because = is an assignment operatordocs, not a comparison operatordocs:
if($_POST['admin'] = "Submit")
It should be:
if($_POST['admin'] == "Submit") or if($_POST['admin'] === "Submit")
Also, there's probably no such thing as "100% secure" ... just varying degrees of difficulty for malicious persons. You could improve the security by adding a "salt" to your MD5 call like this:
$pass = md5('secret_sauce' . mysql_real_escape_string(trim($_POST['pass'])));
Though sha1()docs is emerging as a better way to store passwords.