PHP MySQL Form Not Working - php

I know how noobish this question is, but I'm really new to PHP and MySQL and I've got this code that isn't working...
I'd appreciate it if anyone could tell me what the problem is:
<?php
$hostname = "localhost";
$username = "root";
$password = "";
$database = "lab";
$con = mysqli_connect($hostname, $username, $password, $database);
$error = "";
$success = "";
$pass = false;
if (isset($_POST["submit"])) {
$query = mysqli_query($con, "SELECT * FROM accounts WHERE username='" . $_POST["username"] . "' password=''");
if (!$query || mysqli_num_rows($query) <= 0) {
$error = "Wrong username or password!";
$success = "";
} else {
while ($row = mysqli_fetch_assoc($query)) {
$pass = password_verify($_POST["password"], $row["password"]);
}
if ($pass) {
$error = "";
$success = "Welcome, " . $_POST['username'] . "!";
}
}
}
?>
<html>
<head>
<title>Lab</title>
<style>
#error {
color: red;
}
#success {
color: green;
}
</style>
</head>
<body>
<fieldset>
<legend>Log into your account</legend>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
<span id="error"><?php echo $error; ?></span>
<br/>
<span id="error"><?php echo $success; ?></span>
<br/>
Username:
<input type="text" name="username" placeholder="Username"/>
<br/>
<br/>
Password:
<input type="password" name="password" placeholder="Password"/>
<br/>
<br/>
<input type="submit" name="submit" value="Login"/>
</form>
</fieldset>
</body>
</html>
But when I write a right username and a right password, it always shows me the error.

"SELECT * FROM accounts WHERE username='" . $_POST["username"] . "' password=''"
This is an invalid query. You shouldn't add password='' and even if you had to, you forgot an and in your query, so it wouldn't work.
Change the query to this:
"SELECT * FROM accounts WHERE username='" . $_POST["username"] . "'"
Please notice that your code is vulnerable to SQL injection. You should not use this code on a public website until you've fixed your security hole.
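Added example, not part of the original question or answers: one way to close the injection hole this answer points out, using a bound parameter instead of string concatenation, `password_verify` on the stored hash, and escaped output for the welcome message. PDO with an in-memory SQLite table is an assumption so the script runs without a MySQL server; `check_login`, `render_message`, `DUMMY_HASH` and the sample account are hypothetical names and constructed data.

```php
<?php
declare(strict_types=1);

// Added example. Assumption: PDO with in-memory SQLite stands in for MySQL;
// the prepare/execute calls are the same with the pdo_mysql driver.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample account; only the password_hash() output is stored.
$insert = $pdo->prepare('INSERT INTO accounts (username, password) VALUES (?, ?)');
$insert->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hash that is verified for unknown users so both paths do comparable work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function check_login(PDO $pdo, string $username, string $password): bool
{
    // The username travels as a bound value and never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT password FROM accounts WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    if (!is_string($hash)) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    return password_verify($password, $hash);
}

function render_message(string $username, bool $ok): string
{
    // Escape user input before it is echoed back into the HTML page.
    $safe = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    return $ok ? "Welcome, {$safe}!" : 'Wrong username or password!';
}

// Constructed inputs: a valid login, a wrong password, and a name full of
// quote characters that must be treated as plain data and match no row.
$cases = [
    ["o'brien", 'correct horse'],
    ["o'brien", 'wrong'],
    ["nobody' OR '1'='1", 'x'],
];
foreach ($cases as [$user, $pass]) {
    echo render_message($user, check_login($pdo, $user, $pass)), PHP_EOL;
}
```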

First of all, I noticed this. Is this really your intention? I think this means it will query only those without a password set.
SELECT * FROM accounts WHERE username='" . $_POST["username"] . "' password=''
Second, what do you mean by this? (I'm not sure what you are doing at this point.)
!$query
Third, you don't have a password on your database?
$password = "";
I got this from w3schools and I modified it a bit to suit your needs:
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "lab";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
// Build the query string first, then run it on the $conn connection
$sql = "SELECT * FROM accounts WHERE username='" .
$_POST["username"] . "' and password=''";
$result = $conn->query($sql);
if ($result && $result->num_rows > 0) {
echo "Welcome";
} else {
echo "Failed to login";
}
$conn->close();
?>

Related

Problems in updating from PHP

I have a form that I want to have record changes update my SQL database-table.
In my index.php file I have, for example, this:
<?php
$servername = "localhost";
$username = "root";
$password = "password";
$dbname = "myDB";
$tbname = "myVis";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
$sql = "SELECT * FROM " . $tbname . " WHERE id = '$_POST[id]'";
$result = mysqli_query($conn, $sql);
if (mysqli_num_rows($result) > 0) {
while($row = mysqli_fetch_assoc($result)) {
$id = $row['id'];
$firstname = $row['firstname'];
$lastname = $row['lastname'];
$image = $row['image'];
$course = $row['course'];
$frdate = $row['frdate'];
$todate = $row['todate'];
$email = $row['email'];
$checkout = $row['checkout'];
}
}
mysqli_close($conn);
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
...
</head>
<body>
<form action='' method='post'>
<table>
...
<tr>
<td>Efternamn:</td>
<td>
<input id="lastname2" type="text" value='<?php echo $lastname; ?>' /></td>
</tr>
...
</table>
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (isset($_POST['submit2'])) {
...
if (isset($_POST['lastname2'])) {
$lastname = $_POST['lastname2'];
}
...
$servername = "localhost";
$username = "root";
$password = "password";
$dbname = "myDB";
$tbname = "myVis";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
$sql2 = "UPDATE " . $tbname . " SET firstname='$firstname', lastname='$lastname', image='$image', course='$course', frdate='$frdate', todate='$todate', email='$email', checkout='$checkout' WHERE id ='".$_POST['id']."'";
$result = mysqli_query($conn, $sql2);
if ($result) {
echo "Record updated successfully";
} else {
echo "Error updating record: " . mysqli_error($conn);
}
mysqli_close($conn);
}
}
?>
<input type="submit" name="submit2" id="submit2" value="Spara" />
<input type="button" name="back" id="back" value="Tillbaka" onclick="history.back()" />
</form>
</body>
</html>
When I try to change a value (say lastname) nothing changes and all values are back to the selected record from the db-table.
How can I get PHP to understand and have a changed value update the table?
Don't quite understand the sequence in my index-file.
Please help.
Regards,
/Fredrik.
Put your submit code at the top of the page after your database connection. Then when you submit the form first match the table column with submitted post values. If any column has different post value then update that column.

Making first login system. Selecting SQL Column not working?

I am attempting to make my first login system. For some reason when I try to get the password from my database it doesn't give a value? I'm not sure what I'm doing wrong. The error is somewhere between $sql and $db_password.
@LFlare I'm not sure what the DESC users thing is. Here is a picture of the table, I wasn't sure how you wanted it. http://i.imgur.com/WkZV7IZ.png
Thanks!
<?php
session_start();
if (isset($_POST['login'])) {
include_once("db.php");
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysqli_real_escape_string($db, $username);
$password = mysqli_real_escape_string($db, $password);
$password = md5($password);
$sql = "SELECT * FROM users WHERE username = '$username' LIMIT 1";
$query = mysqli_query($db, $sql);
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['password'];
//echo "Password: $password";
//echo "DB Password: $db_password";
if ($password == $db_password) {
$_SESSION['username'] = $username;
$_SESSION['id'] = $id;
header("Location: index.php");
} else {
echo "You didn't enter the correct details!";
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
</head>
<body>
<h1>Login</h1>
<form action="login.php" method="post" enctype="multipart/form-data">
<input placeholder="Username" name="username" type="text" autofocus>
<input placeholder="Password" name="password" type="password">
<input name="login" type="submit" value="Login">
</form>
</body>
</html>
Your PHP
<?php
session_start();
if (isset($_POST['username']) && isset($_POST['password'])) {
include_once("db.php");
$username = mysqli_real_escape_string($sqlcon, $_POST['username']);
$password = mysqli_real_escape_string($sqlcon, $_POST['password']);
// If you want to make sure username is alphanumeric, you can do
// $username = preg_replace('/[^a-zA-Z0-9]/', '', mysqli_real_escape_string($sqlcon, $_POST['username']));
// Do not use these, mysqli_real_escape_string is enough to prevent injection attacks. Furthermore, you may be compromising user security by removing special characters in passwords.
// $username = strip_tags($_POST['username']);
// $password = strip_tags($_POST['password']);
// $username = stripslashes($username);
// $password = stripslashes($password);
// $password = md5($password); This is very susceptible to rainbow table attacks, do something like a loop
for ($i = 0; $i < 1000; $i ++) {
$password = md5($password . $username); // Looping the md5 a thousand times and salting it with the username is good practice too.
}
$userQuery = "SELECT * FROM users WHERE username = '" . $username . "' LIMIT 1";
$user = mysqli_query($sqlcon, $userQuery);
if (mysqli_num_rows($user) > 0) { // If user exists,
$user = mysqli_fetch_assoc($user); // mysqli_fetch_arrays put values into $user[0], $user[1], etc.
$id = $user['id'];
$databasepass = $user['password'];
if ($password === $databasepass) {
$_SESSION['username'] = $username;
$_SESSION['id'] = $id;
header("Location: index.php");
} else {
echo "Password is incorrect";
}
} else {
echo "Username does not exist";
}
} else {
echo "Username or Password not filled in";
}
echo $password;
?>
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
</head>
<body>
<h1>Login</h1>
<form action="login.php" method="post" enctype="multipart/form-data">
<input placeholder="Username" name="username" type="text" autofocus>
<input placeholder="Password" name="password" type="password">
<input name="login" type="submit" value="Login">
</form>
</body>
</html>
Your db.php
<?php
$host = "localhost";
$user = "root";
$pass = "";
$database = "users";
$sqlcon = mysqli_connect($host, $user, $pass, $database);
if (mysqli_connect_errno()) {
die ("MySQL Database Connection Error");
}
?>
You have your $db, and $sql backwards in mysqli_query.
$query = mysqli_query($sql, $db);
http://php.net/manual/en/function.mysql-query.php
Also, try to avoid using md5, and use PHP's password_hash, http://php.net/manual/en/function.password-hash.php.
Currently, if the DB gets exploited, it's vulnerable to rainbow table attacks.
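Added example, not part of the original answers: a sketch of moving accounts from unsalted MD5 to `password_hash`, as this answer recommends, by upgrading each stored value the first time its owner logs in successfully. The array standing in for the `users` table and the function names `is_legacy_md5` and `login_and_upgrade` are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample store: username => value of the password column.
// An unsalted MD5 is identical for every account that picks the same
// password, which is what makes precomputed lookup tables effective.
$users = [
    'legacy' => md5('a'),
    'modern' => password_hash('a', PASSWORD_DEFAULT),
];

function is_legacy_md5(string $stored): bool
{
    // A bare MD5 is exactly 32 lowercase hex characters.
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

function login_and_upgrade(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username];
    if (is_legacy_md5($stored)) {
        // Constant-time comparison against the legacy value.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // The plaintext is only available now, so replace the MD5 here.
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash when the default algorithm or cost has changed since storage.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

$before = $users['legacy'];
$ok = login_and_upgrade($users, 'legacy', 'a');
echo 'login: ', $ok ? 'ok' : 'failed', PHP_EOL;
echo 'stored as MD5 before: ', is_legacy_md5($before) ? 'yes' : 'no', PHP_EOL;
echo 'stored as MD5 after: ', is_legacy_md5($users['legacy']) ? 'yes' : 'no', PHP_EOL;
echo 'new hash verifies: ', password_verify('a', $users['legacy']) ? 'yes' : 'no', PHP_EOL;
// Two salted hashes of the same password differ, unlike two MD5 values.
$same = $users['legacy'] === $users['modern'];
echo 'same password, same stored value: ', $same ? 'yes' : 'no', PHP_EOL;
```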

PHP Login System with sessions cannot login

I am working on a login system, but I cannot log in. I have set up my database table.
login.php
<?php
session_start();
if(isset($_POST['login'])) {
include_once("db.php");
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysqli_real_escape_string($db, $username);
$password = mysqli_real_escape_string($db, $password);
$password = md5($password);
$sql = "SELECT * FROM users WHERE username='$username' LIMIT 1";
$query = mysqli_query($db, $sql);
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['password'];
if($password == $db_password) {
$_SESSION['username'] = $username;
$_SESSION['id'] = $id;
header("Location: av_pocetna.html");
} else {
echo "You didn't enter the correct details!";
}
}
?>
<html>
<head>
<title>Login</title>
</head>
<body>
<h1 style="font-family: Tahoma;">Login</h1>
<form action="login.php" method="post" enctype="multipart/form-data">
<input placeholder="Username" name="username" type="text" autofocus>
<input placeholder="Password" name="password" type="password">
<input name="login" type="submit" value="Login">
</form>
</body>
</html>
and this is db.php
<? php
$db=mysqli_connect('192.168.1.113:8080','root','hidden','av');
?>
Content of users table:
id | username | password
1 | a | 0cc175b9c0f1b6a831c399e269772661
Your form code looks right. Just change your login.php code as below:
<?php
session_start();
error_reporting(E_ALL);
ini_set('display_errors',1);
$conn = mysqli_connect('host-name','user-name','password','database-name');
if($conn){
if(isset($_POST['username']) && isset($_POST['password'])) {
$username = $_POST['username'];
$password = $_POST['password'];
// Use the $conn connection opened above for escaping and querying
$username = mysqli_real_escape_string($conn, $username);
$password = mysqli_real_escape_string($conn, $password);
$password = md5($password);
$sql = "SELECT * FROM users WHERE username='$username' LIMIT 1";
$query = mysqli_query($conn, $sql);
if($query){
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['password'];
if($password == $db_password) {
$_SESSION['username'] = $username;
$_SESSION['id'] = $id;
header("Location: av_pocetna.html");
} else {
echo "You didn't enter the correct details!";
}
}else{
echo "query not executed because".mysqli_error($conn);
}
}
}else{
echo "db connection error".mysqli_connect_error();
}
?>
Note: I have added the connection code here only, so change the credentials there, and use this same code to check whether it works.
Also, if you are working on your local machine, then change the IP address to localhost and check. If it works, then it will work with include("db.php") too. I mean to say, try with $conn = mysqli_connect('localhost','root','aleksandar','av');
Here is the working login.php
<?php
session_start();
error_reporting(E_ALL);
ini_set('display_errors',1);
$conn = mysqli_connect('localhost','root','aleksandar','av');
$db = new mysqli('localhost','root','aleksandar','av');
if($conn){
if(isset($_POST['username']) && isset($_POST['password'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$username = mysqli_real_escape_string($db, $username);
$password = mysqli_real_escape_string($db, $password);
$password = md5($password);
$sql = "SELECT * FROM users WHERE username='$username' LIMIT 1";
$query = mysqli_query($db, $sql);
if($query){
$row = mysqli_fetch_array($query);
$id = $row['id'];
$db_password = $row['password'];
if($password == $db_password) {
$_SESSION['username'] = $username;
$_SESSION['id'] = $id;
header("Location: av_pocetna.html");
} else {
echo "You didn't enter the correct details!";
}
}else{
echo "query not executed because".mysqli_error($conn);
}
}
}else{
echo "db connection error".mysqli_connect_error();
}
?>
<html>
<head>
<title>Login</title>
</head>
<body>
<h1 style="font-family: Tahoma;">Login</h1>
<form action="login.php" method="post" enctype="multipart/form-data">
<input placeholder="Username" name="username" type="text" autofocus>
<input placeholder="Password" name="password" type="password">
<input name="login" type="submit" value="Login">
</form>
</body>
</html>
Oh Okay.
Let's try debugging one step at a time then.
In your db.php file, use this:
// Connecting to mysql database
$db = new mysqli('192.168.1.113:8080','root','hidden','av');
// Check for database connection error
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
If you get any error, please dump it here for debugging.
Updated.
// Connecting to mysql database
$db = new mysqli('localhost','root','hidden','av');
// Check for database connection error
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

Call to undefined function mysql_rum_rows() - Error in Login Form PHP

I've got this error when I try to login in to my PHP form:
Call to undefined function mysql_rum_rows()
This is my code
<?php
mysql_connect("localhost", "root", "");
mysql_select_db("login");
if(isset($_POST['inloggen'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE username = '". $username . "' AND '" . $password . "'";
$result = mysql_query($query);
if(mysql_rum_rows($result) == 1) {
echo "Juiste gegevens!";
}
else {
echo "Onjuiste gegevens!";
}
echo "<br />";
}
?>
<form method="post" action="">
<label>Username</label>
<input type="text" name="username"/><br />
<label>Password</label>
<input type="password" name="password"/><br />
<input type="submit" name="inloggen" value="Inloggen"/>
</form>
Can anyone help me to fix this? I'm a noob to PHP and I've got this from a book called "PHP en MySQL", so I don't know why it isn't working.
You have a typo. You need to write mysqli_num_rows.
Also, there is no need to check mysqli_num_rows().
$result = mysql_query($query);
// $result will give you boolean TRUE or FALSE
if ($result) {
echo "Juiste gegevens!";
} else {
echo "Onjuiste gegevens!";
}
Suggestions:-
1) You need to encrypt your password before saving it to the database. One of the simple encryption techniques is md5, and you can check the password against the DB in the way below.
$password = md5($_POST['password']);
2) You can write your query as below:-
"SELECT * FROM users WHERE username = '$username' AND '$password'";
3) Always check for query errors. You should use mysql_error() to get query error.
Warning:-
mysql_* was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0.
Instead, the MySQLi or PDO_MySQL extension should be used.
You mistyped mysql_num_rows (mysql_rum_rows); I guess that's all there is to it.
Good luck.
http://php.net/manual/de/function.mysql-num-rows.php
<?php
$conn = mysqli_connect("localhost", "root", "", "login");
if (isset($_POST['inloggen'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE username = '" . $username . "' AND '" . $password . "'";
$result = mysqli_query($conn, $query);
if (mysqli_num_rows($result) == 1) {
echo "Juiste gegevens!";
} else {
echo "Onjuiste gegevens!";
}
echo "<br />";
}
?>
<form method="post" action="">
<label>Username</label>
<input type="text" name="username"/><br />
<label>Password</label>
<input type="password" name="password"/><br />
<input type="submit" name="inloggen" value="Inloggen"/>
</form>
You have a typo, use mysql_num_rows instead of mysql_rum_rows

Could not select database

Hi guys, I'm trying to write some code for a login. I've got it all, but whenever I try to log in it says Could not select database. I can't figure it out. I've got hosting with One.com, and when I go into the PHP & MySQL settings it says the database name is "c343_co_uk", which is what I've used in the code below:
UPDATE: It's detecting the database but whenever I try and log in with the exact same username and password that's on MySQL it says invalid login
Here is my Connection.php
<?php
$username = "c343_co_uk";
$password = "abc";
$hostname = "c343.co.uk.mysql";
//connection to the database
$connection = mysql_connect($hostname, $username, $password)
or die("Unable to connect to MySQL");
$selected = mysql_select_db("c343_co_uk",$dbhandle)
or die("Could not select Database");
?>
Loginform.php
<!DOCTYPE html>
<html>
Home
</font>
<head>
<style>
body {
font-size: 14px;
}
</style>
<link rel="stylesheet" type="text/css" href="website.css" />
</head>
<body>
<div id="loginform" style="font-family: 'ClearSans-Thin'; color: Black">
Please enter your login details<br /><br />
Username:<br />
<form method="post" action="loginsubmit.php">
<input type="text" name="username" />
<br />
Password:<br />
<input type="password" name="password" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>
</center>
</div>
</body>
</html>
Loginsubmit.php
<?php
session_start();
?>
<font face="ClearSans-Thin">
<font color="lightgray">
<?php
include 'connection.php';
include 'loginform.php';
?>
<center>
<?php
if (isset($_POST['submit']))
{
$user = $_POST['username'];
$pass = $_POST['password'];
//Counts up how many matches there are in the database
$query = "SELECT COUNT(*) AS cnt FROM users WHERE Username='" . mysqli_real_escape_string($connection, $user) . "' && Password='" . mysqli_real_escape_string($connection, $pass). "'";
$result = mysqli_query($connection, $query);
$row = mysqli_fetch_assoc($result);
$queryadmin = "SELECT COUNT(*) AS cnt FROM admin WHERE Username='" . mysqli_real_escape_string($connection, $user) . "' && Password='" . mysqli_real_escape_string($connection, $pass). "'";
$resultadmin = mysqli_query($connection, $queryadmin);
$rowadmin = mysqli_fetch_assoc($resultadmin);
//If count is more than 0, log user in.
if ($row["cnt"] > 0)
{
$_SESSION["userlogged"] = $user;
echo "Logged in - Press the home button to return to the homepage";
}
//count for user table is 0, if there are more than 0 matches in the admin database, start admin session
else if ($rowadmin["cnt"] > 0 )
{
$_SESSION["adminlogged"] = $user;
echo "Logged in - Press the home button to return to the homepage";
}
else
{
echo 'Not a valid login';
}
}
?>
</center>
Try these:
$dbname = "c343_co_uk";
$username = "c343_co_uk";
$password = "abc";
$hostname = "c343.co.uk.mysql";
and replace
$selected = mysql_select_db("c343_co_uk",$connection)
or die("Could not select Database");
with this:
$selected = mysql_select_db($dbname,$connection)
or die("Could not select Database");
I hope that works! Have a nice day!
Try to replace
$selected = mysql_select_db("c343_co_uk",$dbhandle)
or die("Could not select Database");
with
$selected = mysql_select_db("c343_co_uk",$connection)
or die("Could not select Database");
You can try it this way:
<?php
define("DB_HOST", "c343.co.uk.mysql");
define("DB_USER", "c343_co_uk");
define("DB_PASSWORD", "abc");
define("DB_DATABASE", "c343_co_uk");
$conn = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD,DB_DATABASE );
?>
Use this for the connection:
$username = "c343_co_uk";
$password = "abc";
$hostname = "c343.co.uk.mysql";
$connection = mysql_connect($hostname, $username, $password);
#mysql_select_db("c343_co_uk",$connection);
You don't have to write the host with mysql, just use c343.co.uk:
<?php
$username = "c343_co_uk";
$password = "abc";
$hostname = "c343.co.uk";
//connection to the database
$connection = mysql_connect($hostname, $username, $password)
or die("Unable to connect to MySQL");
$selected = mysql_select_db("c343_co_uk",$dbhandle)
or die("Could not select Database");
?>
I hope this works! Otherwise I'll take a look again.
