I have this script. Everything works fine except that the first "if" condition does not evaluate as expected because it does not echo out the code that proves that it evaluated properly.I have a page(index.php) containing a form with post action from where the $_POST['pincode'] is coming from. So when if($pincode !== $_POST['pincode']) evaluates to true, instead of header location to echo the error message and come back to index.php page, what happens is that it routes to my checkpin.php (this script) and stays there.
NB: $_POST['pincode'] is a number input type in HTML.
$_SESSION['pincode']= $_POST['pincode'];
$conn = new mysqli("localhost","user","pass",'db');
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = $conn->query("SELECT pincodex, pinmatch FROM voters_reg WHERE pincodex = '{$_SESSION['pincode']}'");
$row_count = $sql->num_rows;
if ($row_count == 1)
{
while($row = $sql->fetch_assoc()){
$pinmatch = $row['pinmatch'];
$pincode = $row['pincodex'];
if($pincode !== $_POST['pincode']){
$_SESSION['error'] = "first error message";
header('Location: index.php');
exit();
} elseif ($pinmatch == $_POST['pincode']){
$_SESSION['error'] = "second error message";
header('Location: index.php');
exit();
} else {
$_SESSION['success'] = "success message";
header('Location: pinsuccess.php');
exit();
}
}
}
$conn->close();
Logically, $pincode should never be able to be not equal to $_POST['pincode']. Consider the following steps:
$_SESSION['pincode'] is set to $_POST['pincode'];
Rows are selected from your database WHERE pincodex = '{$_SESSION['pincode']}'
At this point, because of the WHERE clause, every row returned by your query will have pincodex == $_POST['pincode'].
You set $pincode = $row['pincodex'];
If there is a row, $row['pincodex'] will always equal $_POST['pincode'].
So, regardless of type checking, the condition if($pincode !== $_POST['pincode']){ can never evaluate to true, and your code will never enter that if block.
If a pincode is entered that is not found in your database, $sql->num_rows will return 0 and the code will not enter the if ($row_count == 1) block at all. I think this is most likely why your script is not redirecting as expected.
Try changing the if statement to if($pincode !== (int)$_POST['pincode']){
Related
<?php
session_start();
$link = mysqli_connect(database connection info);
if (mysqli_connect_error()) {
echo "Could not connect to database";
die;
}
if (isset($_POST['submit'])) {
$query = "SELECT * FROM users WHERE email = '".$_POST['email']."'";
$result = mysqli_query($link, $query);
if ($row = mysqli_fetch_array($result)) {
if ($_POST['email'] == $row['email'] && password_verify($_POST['password'], $row['password']))
{
$success .= "We're in baby";
} else {
$error .= "didn't work boi";
}
}
}
?>
Basically for some reason the else statement in this code
if ($_POST['email'] == $row['email'] && password_verify($_POST['password'], $row['password']))
{
$success .= "We're in baby";
} else {
$error .= "send help";
}
is not working at all. The problem isn't within the error variable as echo does not work either. I can't get the else statement to output any response whatsoever if the original if statement returns false. The if statement executes perfectly fine if it returns true!
Please help.
As per my comment, to get the else statement executed, enter a valid email address from your database and a wrong password. That should get to the else statement.
To echo $error, define $error = ''; at the top of the script and then add
echo $error; //Below the closing `}` of the `if($row....) ` statement
Also your query is not safe at all. You're directly injecting a variable that can be easily manipulated by anyone. You should never trust such. Hence why we have prepared statements. They help prevent SQL injection attacks as well as those pesky quoting issues. Visit the link below for a tutorial on how to use them with the mysqli_ API.
https://phpdelusions.net/mysqli
Add an else part for the if ($row = mysqli_fetch_array($result)) - perhaps your query fails or the specified email doesn't exist in the db.
The condition $_POST['email'] == $row['email'] is useless as it's already part of the SQL statement.
Also, important(!): your code is vulnerable to SQL injection. Do not put unescaped values from POST to an SQL query.
Every time i am trying to run the following PHP code on 000Webhost, i keep getting this error
-- mysqli_num_rows() expects parameter 1 to be mysqli_result.
The same code had been run successfully without errors on my localhost, XAMPP, i have looked through many examples and only found out that this error is caused by an error in the query, but as mentioned, the query works perfectly on my localhost.
The error is indicated in the code.
Any help would be appreciated.
<?php
session_start();
//decalre variables
$DeviceID ="";
$productID ="";
//connect to database
$db = mysqli_connect('localhost','id5655845_grocerywatch1234','123456','id5655845_grocerywatch1234');
//validate product id and device id are avaliable
if(isset($_POST['validate_user'])){
$DeviceID = mysqli_real_escape_string($db,$_POST['DeviceID']);
$productID = mysqli_real_escape_string($db,$_POST['productID']);
$query = "SELECT * FROM configuration WHERE DeviceID='$DeviceID' AND productID='$productID'";
$result1 = mysqli_query($db,$query);
echo $query;
//error indicated on the following line.
if(mysqli_num_rows($result1) == 1){
$_SESSION['DeviceID'] = $DeviceID;
$_SESSION['success'] = "You are now logged in";
header('location: register.php');
}
else{
echo "Device Not registered";
echo "Product Doesnt Exist";
}
}
I think your query is likely failing. The return value for mysqli_query is False on failure, otherwise it is mysqli_result. See docs here
Fix by properly formatting string:
...
$query = "SELECT * FROM configuration WHERE DeviceID='".$DeviceID."' AND productID='".$productID."'";
$result1 = mysqli_query($db,$query);
echo $query;
if ($result1 == false){
echo "Error has occurred!";
}
elseif (mysqli_num_rows($result1) == 1){
$_SESSION['DeviceID'] = $DeviceID;
$_SESSION['success'] = "You are now logged in";
header('Location: register.php');
}
else{
echo "Device Not registered";
echo "Product Doesnt Exist";
}
The query either returned no rows or is erroneus, thus FALSE is returned. Change it to
if (!$dbc || mysqli_num_rows($dbc) == 0)
Return Values
Returns TRUE on success or FALSE on failure. For SELECT, SHOW,
DESCRIBE or EXPLAIN mysqli_query() will return a result object.
I am new in PHP and need help with my below code. When I am entering wrong userid instead of giving the message "userid does not exist" it is showing "password/id mismatch. Please guide me where I am wrong.
<?php
session_start();
$id = $_POST['userid'];
$pwd = $_POST['paswd'];
$con = mysqli_connect("localhost", "????", "????", "??????");
if ($con) {
$result = mysqli_query($con, "SELECT * FROM users WHERE userid=$id");
if ($result) {
$row = mysql_fetch_array($result);
if ($row["userid"] == $id && $row["paswd"] == $pwd) {
echo "Welcome! You are a authenticate user";
if ($id == $pwd)
//my default login id and password are same
{
header("Location: changepwd.html");
} else {
header("Location: dataentry.html");
}
} else {
echo "ID/Password Mismatch";
}
} else {
echo "User does not Exist !!!";
}
} else {
echo "Connection failed - ".mysqli_error()." -- ".mysqli_errno();
}
?>
The main problem you have is that you're mixing up between the mysqli and mysql functions. These two libraries are not compatible with each other; you must only use one or the other.
In other words, the following line is wrong:
$row=mysql_fetch_array($result);
It needs to be changed to use mysqli_.
While I'm here, going off-topic for a moment I would also point out a few other mistakes you're making:
You aren't escaping your SQL input. It would be extremely easy to hack your code simply by posting a malicious value to $_POST['userid']. You must use proper escaping or parameter binding. (since you're using mysqli, I recommend the latter; it's a better technique).
Your password checking is poor -- you don't appear to be doing any kind of hashing, so I guess your passwords are stored as plain text in the database. If this is the case, then your database is extremely vulnerable. You should always hash your passwords, and never store the actual password value in the database.
I've gone off topic, so I won't go any further into explaining those points; if you need help with either of these points I suggest asking separate questions (or searching here; I'm sure there's plenty of existing advice available too).
else
{
echo "ID/Password Mismatch";
}
is connected with the
if($row["userid"]==$id && $row["paswd"]==$pwd)
{
So since you are giving a wrong id. It echo's: ID/Password Mismatch
Also the else at if ($result) { wont ever show since
$result = mysqli_query($con, "SELECT * FROM users WHERE userid=$id");
You need some additionnal checks:
select * return 1 row (not 0, and not more)
you need to protect the datas entered by the html form (for example someone could enter 1 or 1 to return all rows
<?php
session_start();
$con = mysqli_connect("localhost", "????", "????", "??????");
$id = mysqli_real_escape_string($_POST['userid']);
$pwd = mysqli_real_escape_string($_POST['paswd']);
if ($con) {
// don't even do the query if data are incomplete
if (empty($id) || empty($pwd)
$result = false;
else
{
// optionnal : if userid is supposed to be a number
// $id = (int)$id;
$result = mysqli_query($con, "SELECT * FROM users WHERE userid='$id'");
}
if (mysqli_num_rows($result) != 1)
$result = false;
if ($result) {
$row = mysqli_fetch_assoc($result);
if ($row["userid"] == $id && $row["paswd"] == $pwd) {
echo "Welcome! You are a authenticate user";
if ($id == $pwd)
//my default login id and password are same
{
header("Location: changepwd.html");
} else {
header("Location: dataentry.html");
}
} else {
echo "ID/Password Mismatch";
}
} else {
echo "User does not Exist, or incomplete input";
}
} else {
echo "Connection failed - " . mysqli_error() . " -- " . mysqli_errno();
}
?>
Try with isset() method while you are checking if $result empty or not.
that is in line
if ($result) {.......}
use
if (isset($result)) { .......}
$result is always true, because mysqli_query() only returns false if query failed.
You could check if $result has actual content with empty() for example.
You can use this sql compare password as well with userid
$sql= "SELECT * FROM users WHERE userid='".$id.", and password='".$pwd."'";
I am using the header function to locate to another page based on certain conditions. I am monitoring a mailbox and the code redirects to another page based on the sender address. All headers are working except one. If the sender does not belongs to any existing group, I wanted to redirect it to new.php. But it is not redirecting. I am unable to figure out why. Please help me.
<?php
session_start();
$server = '{server}INBOX';
$username = 'aaa#bbb.com';
$password = 'password';
require_once '../swift/lib/swift_required.php';
include('connection.php');
$connection = imap_open($server,$username,$password) or die('Cannot connect to Gmail: ' . imap_last_error());
$_SESSION['connection']=$connection;
$result = imap_search($connection,'UNSEEN');
if($result) {
rsort($result);
foreach($result as $email_number)
{
$header = imap_headerinfo($connection, $email_number);
$fromaddr = $header->from[0]->mailbox . "#" . $header->from[0]->host;
$query = "select * from usergroup where email='$fromaddr'";
$_SESSION['fromaddr']=$fromaddr;
$result1 = mysql_query($query) or die($query."<br/><br/>".mysql_error());
while($line=mysql_fetch_array($result1,MYSQL_ASSOC))
{
$email=$line['email'];
$group=$line['group'];
if(mysql_num_rows($result1) == 1){
if($group == 1){
header("Location: facilitator.php");
}
elseif($group == 2){
header("Location: learner.php");
}
}
elseif (mysql_num_rows($result1) == 0) {
header("Location: new.php");
}
}
}
}
elseif (!$result)
{
echo "No unread messages found";
}
?>
It appears as though you are nesting that redirection inside the while loop. Since there are no rows, the while condition mysql_fetch_array() will immediately return FALSE and skip the whole block, including the redirection you intended it to follow.
Move the test for mysql_num_rows() outside the while loop.
// Test for rows and redirect BEFORE entering the while loop.
if (mysql_num_rows($result1) === 0) {
header("Location: new.php");
// Always explicitly call exit() after a redirection header!
exit();
}
// Otherwise, there are rows so loop them.
while($line=mysql_fetch_array($result1,MYSQL_ASSOC))
{
$email=$line['email'];
$group=$line['group'];
if($group == 1){
header("Location: facilitator.php");
}
}
You actually may not need a while loop at all, depending on how many rows you are expecting to fetch. If you only expect one group per email, then forego the loop and just call $line = mysql_fetch_array() once. However, if you are expecting multiple rows but want to redirect on the first one encountered where $group == 1, then your logic works. In that case however, since you are only doing the redirection and no other action, you might as well just put that condition in your query:
// Test the group in your query in the first place.
$query = "select * from usergroup where email='$fromaddr' AND group = 1";
$result1 = mysql_query($query) or die($query."<br/><br/>".mysql_error());
if (mysql_num_rows($result1) === 0) {
// you didn't match a row, redirect to new.php
}
else {
// you had a match, redirect to facilitator.php
}
Easy one:
change:
elseif (mysql_num_rows($result1) == 0){
to:
else {
The condition in the else if is probably false - so you don't get in there and thus the redirection doesn't occur.
This code only redirects to notenrolled.php even if the input value is correct. I want it to continue the process if the value entered is correct. Is there something wrong with my code?
<?php
//Setup connection to the database
$connect = mysql_pconnect("localhost", "root", "")
or die(mysql_error());
//Connect to the database
mysql_select_db("dbgis", $connect) or die(mysql_error());
$query = "SELECT * from tbl_student WHERE stud_id= '$stud_id' ";
$result = mysql_query($query);
$totalrows = mysql_num_rows($result);
while($row = mysql_fetch_array($result))
{
header("Location: yesno.php");
}
if($totalrows != 0)
{
header("Location: notenrolled.php");
}
?>
I tried the die(); and it seems to be working because it just says a redirection looping error with yesno.php. So I think I might have put the code in the wrong .php page.
The flow is like this: I have a guard.php page where I could search a query(stud_id) using my search form in the page. I then want to check whether the query exists and if it doesn't, I want it to redirect to notenrolled.php else if the query is found, I want it to proceed to yesno.php.
When you set a Location header, you ALWAYS immediately follow it with exit or die().
(Only if you truly understand what you are doing, might you not immediately use it, but at your own risk.)
if ($totalrows > 0)
{ // has results
header("Location: yesno.php");
exit(0);
}
else
{ // no result
header("Location: notenrolled.php");
exit(0);
}
You should not use while just to evaluate if there is a record.
while($row = mysql_fetch_array($result))
{
header("Location: yesno.php");
}
Your code always redirects to notenrolled.php because of the codition:
if($totalrows != 0)
{
header("Location: notenrolled.php");
}
//this block will always be true if your $totalrows is greater than 0
The solution: check $totalrows if is greater than 0
if ($totalrows > 0){
header("Location: yesno.php");
} else {
header("Location: notenrolled.php");
}
u can use php function mysql_affected_rows to see number off affected rows in SELECT,
if (mysql_affected_rows() == 0){
header("Location: notenrolled.php");
} else {
header("Location: yesno.php");
}
The correct way to do it is this:
if($totalrows>0)
header("Location: yesno.php");
else
header("Location: notenrolled.php");
try this
if($totalrows == 0)
{
header("Location: notenrolled.php");
die();
}