I have a sign up page that has input boxes where you would enter your name, email address and password. After submitting that form there is a sign in page where it checks to see if you are in the database by SELECT * FROM users WHERE name = '$_POST[name]' AND email = '[email]'. This all works fine, but when you actually get into the site on your account i want to have a message at the top that says 'Welcome back (name from database). To do this i used $name = mysql_query("SELECT first_name FROM users WHERE email = $email"); and had <?php echo $name ?> at the top. This won't work though. Why?
"mysql_query" has been deprecated, you want to use "mysqli_query" now. See here: http://php.net/manual/en/function.mysql-query.php
To answer your question, performing the query creates an array, you need to followup on that by fetching from the array.
If you are doing this in a procedural style then the final code should look something like this:
$link = mysqli_connect("localhost", "my_user", "my_password"); // connect to the database
$query="SELECT first_name FROM users WHERE email = '".$email."'"; // create the query. Note the quotes arounds the email variable.
$result=mysqli_query($link, $query); // run the query
$row=mysqli_fetch_array($result); // fetch the array that is returned from the query
$name=$row['first_name']; // assign the first_name field to the $name variable
echo "Hello ".$name.","; // output the variable
Related
I have created a booking system which uses a clients username from their log in to auto populate a user name field when making a booking. I am not sure of how to get other information like their full name and ID from the database into these fields. Below is the code I have used to verify log in and store their username:
<?php
// Start up your PHP Session
session_start();
// If the user is not logged in send him/her to the login form
if ($_SESSION["Login"] != "YES_client") {
header("Location: login.php");
}
$username = $_SESSION["username"];
?>
I have also implemented the user name in the field using the following code:
echo "<input type='text' name='name' class='form-control' id='FullInputName' value=" . $username . ">"
Is there something simple I am missing? I have tried various methods to display the full data like using $row["Client_ID"] etc but could not get this to work for only the client who is logged into the system. My SQL statement is as follows:
"SELECT * FROM client WHERE Client_username= $username"
I would like to use the Client_ID in the select statement also to make it Unique. I have tried but got various errors.
Any help would be much appreciated!
EDIT
This is the code I have now tried to implement:
$query = "SELECT * FROM client WHERE Client_username='$username'";
echo $query;
$result = mysql_query($query);
while($row = mysql_fetch_array($result))
{
echo $row['Client_username'];
}
But it is not working correctly - I am receiving this error:
mysql_fetch_array() expects parameter 1 to be resource, boolean given
Starting with your query i think is not correct.
If you are selecting a row and the type is a VARCHAR you need to add single quotes like this:
"SELECT * FROM client WHERE Client_username= '$username'"
Later you can read the results like
(pseudocode) while($row = mysqli_fetch_array) $row['Client_username']
something like that.
Tell me if this works for you
I am making a script for a guy and he uses Advanced Outgoing API (not familiar). He gives me this URL where the POST variable will be stored in http://example.com/your_script.php?email_address={u_email}&firstname={u_firstname}. So here is my php code. The problem is it cannot read the post values. When I echo it, it's empty.
NOTE: This is the instruction from the API Manual.
Advanced Outgoing API
You can have up to 5 URLs for each Product/Podcast/RSS Feed/Membership be notified whenever a subscriber event happens. You can enter these URLs by clicking on "Edit Notifications/Custom Fields" for a particular item. The system will then POST the following variables to the URLs you've entered. You can also include any of the variables below as a "tags" in your URL and the system will replace the tag with the actual value. This way you can post the values to an existing script that expects a variable name to be different than the ones listed below. For example, your notification URL could be: http://example.com/your_script.php?email_address={u_email}&firstname={u_firstname} . The system would then post all the variables below to: http://example.com/your_script.php?email_address=joe#example.com&firstname=Joe
$con = mysql_connect("localhost","xyz","xyz","xyz"); // Establish connection to insert in the first table.
$username = $_POST['paypal_email']; // username of the user.
$rawpass = $_POST['access_code']; // Raw password.
$pass = md5($rawpass); // Password of the user encrypted with md5.
$email = $_POST['email_address']; // E-mail of the user.
$time = date("Y-m-d H:i:s");
echo $username;
echo $pass;
echo $email;
echo $time;
mysql_query("INSERT INTO wpinrootusers ('user_login', 'user_pass', 'user_email', user_registered, 'user_status') VALUES ('$username', '$pass', '$email', '$time', 0), $con"); // Insertion into wpinrootusers table.
mysql_close($con); // Close connection.
$con = mysql_connect("localhost","xyz","xyz","xyz"); // Establish connection to insert in the second table.
mysql_query("INSERT INTO customers ('receipt', 'prod_num', 'email') VALUES ('$rawpass', '6', '$email')", $con); // Insertion into customers table.
mysql_close($con); // Close second connection.
With mysql you have to do:
$con = mysql_connect("localhost","xyz","xyz");
and then select the database:
$db = mysql_select_db("xyz");
The code you used to connect to database works with mysqli (i stands for improved) and you should consider switching from mysql to mysqli
When you send the variable as GET parameters you have to use $_GET of course.
I'm trying to implement a hashtag system into my website. I have it set so user input that has a hashtag gets converted into a link to hashtag.php?q=%23$1 that echo's "Results for '.$_GET["q"].':"; which works fine, but it doesn't actually display any posts.
For example, I have a post saying "This #website sucks" which is echoed out as
This #website sucks
But the following page only displays
Results for #website:
and the rest is blank. Here's my code for hashtag.php:
echo 'Results for '.$_GET["q"].':';
$connect = mysql_connect("localhost","root","");
mysql_select_db("database",$connect);
$mysql = "SELECT * FROM table WHERE input LIKE '".$_GET['q']."' ";
$myData = mysql_query($mysql, $connect);
while ($record = mysql_fetch_array($myData)){
echo $record['input'];
}
I'm working on using mysqli before I make the site public by the way.
Try putting % percentage signs on either side of the $_GET["p"] in your query. Don't forget to escape the $_GET["q"] as well. That'd be more important than using mysqli ;)
$mysql = "SELECT * FROM table WHERE input LIKE '%".mysql_real_escape_string($_GET['q'])."%' ";
The code below is supposed to check if there is a person in the database with a row in the database with the username it gets from the cookie login.And if there is it is supposed to include a page and if there isn't a person in the database with this user_id it is supposed to echo.Here is my code so far please tell me how I would do this.I also already know before someone tells me that mySQL statements like I have it are becoming depreciated.Here is My code:
<?php
include("dbconnect.php");
mysql_select_db("maxgee_close2");
$username = $_COOKIE['maxgee_me_user'];
$result = mysql_query("select user_id from users where username = '$username'");
$row = mysql_fetch_array($result);
mysql_free_result($result);
$check = mysql_query("SELECT * FROM events_main WHERE user_id ='$row['user_id']'") or die(mysql_error());
if(1==1){
if (mysql_num_rows($check)>0)
{
include("example.php");
}
else
{
echo "example";
}
}
?>
In the double-quoted string, your array variable $row['user_id'] is being incorrectly parsed due to the fact that you have quoted the array key without surrounding the whole thing in {}. It is permissible to omit the {} in a double-quoted string if you don't quote the array key, but the {} adds readability.
check = mysql_query("SELECT * FROM events_main WHERE user_id ='{$row['user_id']}'") or die(mysql_error());
//-------------------------------------------------------------^^^^^^^^^^^^^^^^^^
// Also acceptable, but not as tidy, and troublesome with multidimensional
// or variable keys - unquoted array key
check = mysql_query("SELECT * FROM events_main WHERE user_id ='$row[user_id]'") or die(mysql_error());
//-------------------------------------------------------------^^^^^^^^^^^^^^^^^^
As mentioned above, $_COOKIE is never considered a safe value. You must escape its values against SQL injection if you continue to use the old mysql_*() API:
$username = mysql_real_escape_string($_COOKIE['maxgee_me_user']);
2 Things right off the bat, like Waleed said you're open to SQL injection, not very nice thing to have happen to you. I would look into reading tutorials about MySQLi and PDOs, from there try and dive into a better way or running queries.
Also you are choosing to use cookies instead of sessions to store the username? Cookies can be modified client-side to say anything a smart user with firebug would want them to be. Sessions are stored server-side and the client (end-user) is only given an id of the session. They cannot modify the username if you send it as a session. (They could try and change the session id to another random bunch of numbers but thats like pissing into the wind, pardon my french.
Heres some pseduo code that will get you on your way I think
<?php
include("dbconnect.php");
$database = "maxgee_close2"; //Set the database you want to connect to
mysql_select_db($database); //Select database
$username = $_SESSION['maxgee_me_user']; //Grab the username from a server-side stored session, not a cookie!
$query = "SELECT user_id FROM `users` WHERE `username` = '" . mysql_real_escape_string($username) . "' LIMIT 1"; //Note the user of mysql_real_escape_string on the $username, we want to clean the variable of anything that could harm the database.
$result = mysql_query($query);
if ($row = mysql_fetch_array($result)) {
//Query was ran and returned a result, grab the ID
$userId = $row["user_id"];
mysql_free_result($result); //We can free the result now after we have grabbed everything we need
$query_check = "SELECT * FROM `events_main` WHERE `user_id` = '" . mysql_real_escape_string($userId) . "'";
$check = mysql_query($query_check);
if (mysql_num_rows($check)>0) {
include("example.php");
}
else {
echo "example";
}
}
?>
That code may/may not work but the real key change is that fact that you were running
mysql_free_result($result);
before your script had a chance to grab the user id from the database.
All in all, I would really go back and read some more tutorials.
I'm trying to create a forgotten password form that emails users their password. I'm having a problem, though, with the actual password part. You see, I have the email and comparing the email correct, except whenever I send the email I always get either "Your password is ." or "Your password is Array". I'm using:
$check_email = mysql_num_rows(mysql_query("SELECT email FROM userRecovery WHERE email = '$to'"));
if($check_email == 1){
$qtip = mysql_query("SELECT password FROM userRecovery WHERE email = '$to'");
$theirPassword = mysql_fetch_array($qtip);
Rest of the Code...
}
I used to be able to do this correctly, but I haven't done PHP or MySQL in too long so it's slightly annoying (that, and I'm at a beginner-intermediate kind of level). I remember having this exact problem, but I don't have the code with me to find out what I did. If you think I left out a detail, please say so.
Any help if appreciated.
$theirPassword, as you're using it, is an array (as what's being fetched via your mysql_fetch_array command). Try either $theirPassword['password'] or use just `mysql_result($qtip,'password')``
mysql_fetch_array returns an array, so if you're using your $theirPassword it will contain an array. Since you're selecting password from your query, you likely need:
$qtip = mysql_query("SELECT password FROM userRecovery WHERE email = '$to'");
$row = mysql_fetch_array($qtip);
$theirPassword = $row['password'];
What about fetching the email address and the password in one query? SELECT email,password FROM userRecovery WHERE email = '$to'. Then you can get the password just like in the previous 2 answers ($theirPassword['password']).
On top of that you may find this blog post about storing passwords in a db useful - http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database
$sql = "SELECT password FROM userRecovery WHERE email = '$to'";
$password = mysql_result(mysql_query($sql), 0);