I have a login form that works like if user email password and 2 pic is correct then echo logged in but problem is my email is match password is match but how can i match images with single [select html tag]. here is my html form....
<select name="image" multiple="multiple">
<?php
for($i=0;$i<5;$i++)
echo"<option data-img-src=\"$pic[$i]\" value=\"$pic[$i]\" ></option>";
?>
</select>
And mysql query is here .......
$mysql=mysql_query("SELECT * FROM `table` WHERE `email`='$email' AND `password`='$pass' AND `image1`='$image' AND `image2`='$image'") or die(mysql_error());
if(mysql_num_rows($mysql) ==1){
$_SESSION['user']= $email;
header("location: home.php");
} else {
echo "error";
session_destroy();
}
If both images are match then he is successfully logged in otherwise not
The idea would be that each 'image' is tied to an ID in your code and/or database.
When a person selects an image they're actually selecting the ID which that image represents.
Users, setting up their profile, go through a similar process, selecting an image (which saves the image's ID in their user row).
When it comes to logging in, it's just a simple case of comparing the ID of the image selected to the ID stored in the user's row.
This is the BASIC premise, and doesn't cover the security aspect of this feature.
I also see that your HTML supports the user being able to select multiple images (though you only use/reference up to two in your SQL query). The implementation for that doesn't change much compared to selecting a single image, so this answer still applies.
(Please excuse my terminology)
As Sean's answer suggests, every image should be tied with an id.
During registration, before inserting the values into database, you can generate a random number and rename the image to that generated number and add that number into the database.
File structure would be something like this
users/images/random_id.jpeg
How i would go about doing the login process is,
On change of input, i would perform an ajax request to fetch the unique id associated with the user's email or username, and image associated with the that id and four other random images.
Then the rest is simple, the user would select an image. We'd of course be matching its unique identifier to the identifier that exists in the database.
If its a match, log in.
This is just the logical approach.
Unless this is a learning exercise, switch to prepared statements.
Related
I am trying to finish this website I am currently creating, but I am kind of stuck.
I want to create a table called "orders" in my DB. I want this table to be related to my users table so that when the user goes to his "orders.php" page (once logged in already) he sees all his current and previous orders.
These would be my table fields/cols:
id
username
ordernumber
description
quantity
total
This is my approach:
Whenever a new order is created, insert all the table fields/cols depending on the user's choice (selected stuff for the order), but the username would be the only value gathered from a $_SESSION or $_COOKIE variable, which holds the username. Then, once the user goes to orders.php, I will execute a query to show all the orders that only that username has ordered. Please note that I do sanitize all my input/output and I do not store sensitive data in my cookies. My system is designed so it only uses the session as the method of authentication, therefore you need to login every time you close the browser but that is fine.
1) Is this a safe approach? Do you have any suggestions/comments?
2) Could you help me construct the query?
I haven't really worked with relational databases, so I am kind of lost. How can I call all the orders from table "orders" where username = "username from the session"?
So far I have this:
"SELECT * FROM orders WHERE username = ? " //(Using PDO)
I know that this will work but my concern is in case of getting a session hijacked or something like that, then a user would be able to retrieve any users' orders, or not?
Thank you for explaining this a little bit further and helping me out!
Cheers!
Be careful! Please don't create a plain text cookie containing a human-readable user id (like user2345995 or OllieJones). It's far too easy for a badguy to fake a cookie like that just by guessing, and then your users' information leaks out.
You're working in php. Therefore you can use php's session mechanism to store your userid and other values. php uses hard-to-guess session ids (SIDs) and stores them in either a cookie or as a sid=1234abcd9875 parameter in URLs.
For the sake of your system's integrity, please read up on this. It's actually a pretty well-designed feature and it's been in the wild for fifteen years or so: it's debugged.
http://php.net/manual/en/session.idpassing.php
If you're using the session system, you basically do this in your first page, your login page.
session_start();
...
$_SESSION['username'] = $username; /* which you get by logging in */
...
On your order lookup page you do something similar to retrieve the username and use it in a query.
session_start();
...
$orderstmt = $pdoconn->prepare("SELECT * FROM orders WHERE username = :username");
$orderstmt->execute( array(':username' => $_SESSION['username']) );
...
while ($row = $orderstmt->fetch()) {
/* use the row's data */
}
$orderstmt->closeCursor();
I am looking for the best way to write out a php/mysql query to create unique user id's rather than using the autoincrement method in mysql.
Ex: Facebook gives users a long string of numbers as a user id when singing up before you can assign a username. This string of numbers can be used to view your profile OR you can use username. I want users to be able to change username in the future, so don't want to design my system based on username.
I don't know how big the site will get, so please take that into consideration with the solution. I don't want something that is going to be server intensive if there are alot of users signing up.
There isn't really a best route for something like this. Essentially you need to ask yourself what your system requires. You may be able to use an email address as the ID, an auto-incremented number, MD5 hash, or even a heavy-entropy GUID.
Keep in mind that email addresses may change, auto-incremented numbers can be leveraged in automated exploits, and there's technically some chance of hashes colliding.
If you decided to go the route of generating a high-entropy GUID using PHP, you could do so using a function like uniqid.
echo uniqid(); // 513ac40699d85
echo uniqid("_", true); // _513ac3e00bfe46.78760239
The second line shows the two arguments you can provide; a prefix, and a request for more entropy, which will result in a more unique result.
You should follow some algorithm like this:
Enter your new user into the database.
Get the record ID
Generate the userID
Insert the userID next to the name into the sql database.
Enter your new user into the database.
//get username from previous form
$user=$_POST['user'];
// login into mysql server and prepare data for writing
$connect=mysql_connect('localhost', $user, $pass);
$selectdb = mysql_select_db('mydb');
$query = "insert into users_table set
username='$user';";
$run_query=mysql_query($query);
Get the record ID
$id=mysql_insert_id();
Generate the userID
$first_chars=substr($user, 2);
$year=date('y');
$new_user_id= $first_chars.$year.$id;
Insert the UserID next to the name into the sql database
$query="update users_table set userid='$new_user_id' where id='$id';";
$run_query=mysql_query($query);
if (!$run_query) {
echo mysql_error();
}
else {
echo 'your user name is '.$user.' and user id is '.$new_user_id ; }
You can use mysql as a database. Wampserver combines everything and makes it easy. However, i'm not sure if I can help you very much because your question is very vague. Add some more detail please.
Use a hexdigest like sha or md5 to generate an id something like sha1($uname+$timestamp+$salt)
By doing this your will be storing a lot of data for each entry as sha1 takes up 40 bytes.You have already mentioned that the site is may go big,making it a huge amount of data.Decide whether its worth that lot of space.
PS:you can always slice the string,but the collision chance is more that way.
My friends and I are creating a petition board and i'm adding a like/dislike function to it. I intend to make it such that only users can like/dislike it. Problem is, I do not know how to ensure that the users do not spam the button multiple times and how to register which user has liked/disliked which topic. Below is my code so far.
EDIT: Thanks I am creating the likes/dislikes table right now. But now I have to compare the users with the database to see if they have previously liked a comment. I know I have to use WHERE (to check both likes and dislikes table) but i am not sure how to combine it with IF.
<?php
include connect.php
if (isset($_POST['like']) || isset($_POST['dislike']))
{
if($_SESSION['signed_in']){
if (isset($_POST['like'])) {
$sql="UPDATE
topics
SET
likes=likes+1,
WHERE
id=topic_id";
echo "You liked it";
}
elseif (isset($_POST['dislike'])) {
$sql="UPDATE
topics
SET
dislikes=dislikes+1,
WHERE
id=topic_id";
echo "You disliked it";
}
}
else{
echo 'Please log in.'
}
?>
You should have a table of "likes" with the following columns.
"article_id", "user_id", the primary key should contain both columns
Every time a user likes an article, INSERT INTO likes VALUES($article_id, $user_id);
It will fail if someones Likes twice, thanks to the primary key.
Every time a user dislikes, DELETE FROM likes WHERE article_id = $article_id AND user_id = $user_id. That will allow the user to like again if he wants.
To get the number of Likes for an article, run a SELECT COUNT(*) as nb_of_likes FROM likes WHERE article_id = $article_id instead of storing the number in the article table.
Makes sense ?
The following solutions are possible, which can be used together:
If you use a registration/login mechanism, then you could internally setup some counting mechanism so each user can like once per petition (like Bgi suggested).
You could store a cookie, preventing him for further liking, even if he creates a new user.
Of course people can delete cookies or use other browsers, so you could hash their IP with e.g. md5 and compare the hash if that hash was already using the petition.
Of course multiple people can share the same IP, so IP hashing might not always be a good solution. Alternatively, you could use facebook API, and require that people have some amount of friends or something in order to verify their authenticy.
You will never fully be able to get rid of spammers, depends on how specific is your petition. Hence the more you want to prevent exploiting from using the petition, the less anonymous it will be.
I have a page that retrieves records from 1 table in a database when a certain condition is met.
What I want to achieve is to provide the use to with an opportunity to update each record displayed using text boxes.
I am having trouble interpreting what logic to proceed with after the user hits the 'submit' button.
Normally, if I'm updating one record (or a static number of records), I will use the apporpriate amount of SQL statements.
Since the amount of records are dynamically generated, what is the best way to update all at once? How would I know which records were retrieved in the first place to update?
FOR EXAMPLE:
OK, We have a table with student ids (ID), names (SNAME), subjects (SUBJ), grade for each subject (GRADE) and general remarks (COMMENTS).
I want to retrieve information about all students that got an 'A', and write UNIQUE congratulatory remarks for each student (such as 'good job', or 'congratulations', or etc.)
I'd retrieve the records and lay them out on the page, with a text box next to each student record for the comments to be entered. Because I don't know how many text boxes to make, I give the text boxes dynamically generated names using the student ID. The user now enters unique comments for each student, and clicks on submit.
Now, how am I supposed to update these records with the values entered in each text box?
I wouldn't know which students were retrieved in the first place - how would I know what names to use? I'm trying to avoid having to execute the query again after submitting - but is there any other way?
Hope this question was not too confusing.
thanks
Further expanding earlier answers:
You need a loop (e.g. foreach) to display and save the textareas. If the names of the textareas include the students ID, you don't need to know the name, because the text is inserted to the database by the primary key (the students ID). You may name your form-elements as array, to iterate over them, for example (where the numbers are the IDs):
<textarea name="comment[2345234]"></textarea>
<textarea name="comment[8957485]"></textarea>
Read it out as described by #evan:
foreach((array)$_POST['comment'] as $studentId => $studentComment)
{
var_dump($studentId, $studentComment);
}
And if you implement this whole thing as self-requesting form (Affenformular in german), you may also use just one single loop to save and output the textareas.
"I don't think you're understanding what I'm trying to ask." Maybe you don't understand the answers, even you stated it. You don't need a students name to save a database record. But if you really want to submit it, you may also use hidden inputs.
Use foreach() to find the values you care about, put them in an array, and process the array.
Expanding on #Ignacio's answer to make it more easily understandable:
foreach($_POST as $name_of_input => $value_of_input)
{
// do stuff - here is something so you can see the results after the submit
echo "$name_of_input :: $value_of_input <br>";
}
Can someone advise me if I am performing the below steps correctly:
When a user wants to register on the website, register.php handles his/her request. Below is some of the code from register.php:
$sql="INSERT INTO Members (fldFullName, fldEmail, Password, Gender, DOB)
VALUES
('$fname','$email','$pass', '$gender', '$date')";
Particularly when I wrote the above code, I was somewhat new to PHP/MySQL and still am. Therefore, I made all of the fields above manually in the table via phpmyadmin. Furthermore, I also added the ID field manually via phpmyadmin, as the first field with auto increment and primary key of course. Why I did it manually, I can't remember the reason of. But I'm pretty sure that this may be the reason why I'm having problems.
What I'm trying to do is, when a user registers on the website, I want a profile URL to be created for him/her. For example, the field in the table could be named ProfileURL, whereas the actual value could be http://www.domain.com/profile.php?id=1, where the id is inherited from the actual ID in the table. How can I do this with my above code? Did I do something wrong when I decided to save all the fields manually via phpmyadmin? Note: I've also been creating tables, databases, fields manually via phpmyadmin. However, its values are INSERTed automatically of course. Am I even on the right track?
Thank you.
As stated above, you don't need to save a profile URL to the database. I'm guessing all profile URLs are going to follow some standard form (i.e. www.example.com/profile.php?id=1)?
Well, if you saved all of those in your database and then you decided you were going to change the format to something like www.example.com/profile/1 you're going to have a lot of out-of-date data in your database. You're going to have to go through each record and update it, and that could be dangerous on a database table with say, millions of rows.
Therefore, the solution is to have a script that takes a parameter. Say profile.php. As above, you would check for the profile using the data in the $_GET array:
<?php
if (isset($_GET['id'])) {
$id = mysql_real_escape_string($_GET['id']);
$sql = "SELECT * FROM members WHERE id = '$id' LIMIT 1";
$res = mysql_query($sql);
if (mysql_num_rows() > 0) {
$member = mysql_fetch_object($res);
// handle displaying of member's profile here
}
else {
// member does not exist with ID
}
}
?>
That way, if you decide to change the script name or use search engine-friendly URLs, you don't need to change your database structure.
In profile.php, check for $_GET['id'], then if it exists, use a SELECT query for the same ID in the database. It would look something like this.
<?php
if (isset($_GET['id']))
{
$id = (int) $_GET['id'];
$sql = 'SELECT * FROM Members WHERE ID = ' . $id;
// Then the rest of the code to check the results goes here
}
?>
A user with an ID of 1 would be profile.php?id=1
You are doing right. Now write SQL like this:
$sql = sprintf("SELECT * FROM Members WHERE ID=%d", mysql_real_escape_string($_GET['id']));
And you'll be able to get userdata by $_GET['id']. Remember to use mysql_real_escape_string to protect your queries against SQL injection. sprintf is also a good thing to substitute right data types like numbers or strings.
You don't heed to save profile url.
You have to build it dynamically.
Because most of the url remains the samy, only id is changing.
So, get id from the database and add it to the url.