I am trying to fill a varialble $login with the users user_id so I can use sessions, however the query does not return the user_id to fill the $login with.
users.php
<?php
function user_exists($username, $con) {
$data = $username;
$username = sanitize($data, $con);
$username = $data;
mysqli_query($con, "SELECT `user_id` FROM `users` WHERE `username` = '$username'");
return(mysqli_affected_rows($con) == 1) ? true : false;
}
function user_active($username, $con) {
$data = $username;
$username = sanitize($data, $con);
$username = $data;
mysqli_query($con, "SELECT `user_id` FROM `users` WHERE `username` = '$username' AND `active` = 1");
return(mysqli_affected_rows($con) == 1) ? true : false;
}
function user_id_from_username ($username, $con) {
$data = $username;
$username = sanitize($data, $con);
$username = $data;
mysqli_query($con, "SELECT `user_id` FROM `users` WHERE `username` = '$username'");
return mysqli_affected_rows($con) ? 0 : 'user_id';
}
function login($username, $password, $con) {
$user_id = user_id_from_username($username, $con);
$data = $username;
$username = sanitize($data, $con);
$username = $data;
$password = md5($password);
mysqli_query($con, "SELECT `user_id` FROM `users` WHERE `username` = '$username' AND `password` = '$password'");
return (mysqli_affected_rows($con) == 1) ? $user_id : false;
}
?>
login.php
<?php
include 'core/init.php';
if (empty($_POST) === false) {
$username = $_POST['username'];
$password = $_POST['password'];
if (empty($username) === true || empty($password) === true) {
$errors[] = 'You need to enter a username and password';
} else if (user_exists($username, $con) === false) {
$errors[] = 'We can\'t find that username. Have you registered?';
} else if (user_active($username, $con) === false) {
$errors[] = 'You have not activated your account. Please see the instructions.';
} else {
$login = login($username, $password, $con);
if ($login === false) {
$errors [] = 'That username and password combination is incorrect;';
} else {
echo 'hi';
die($login);
$_SESSION['user_id'] = $login;
}
}
print_r($errors);
}
?>
Init.php
<?php
session_start();
//error_reporting(0);
require 'database/connect.php';
require 'functions/users.php';
require 'functions/general.php';
$errors = array();
?>
When you get your userid you are returning the wrong value:
function user_id_from_username ($username, $con) {
$data = $username;
$username = sanitize($data, $con);
$username = $data;
mysqli_query($con, "SELECT `user_id` FROM `users` WHERE `username` = '$username'");
return mysqli_affected_rows($con) ? 0 : 'user_id';
}
This function will return a 0 (if affected_rows is not 0) or the string 'user_id' (if affected rows is 0). First off I think the logic is probably reversed (0 vs non-zero) and secondly I think you really want to return an actual user_id instead of just the string 'user_id'.
Then in your login function:
function login($username, $password, $con) {
$user_id = user_id_from_username($username, $con);
$data = $username;
$username = sanitize($data, $con);
$username = $data;
$password = md5($password);
mysqli_query($con, "SELECT `user_id` FROM `users` WHERE `username` = '$username' AND `password` = '$password'");
return (mysqli_affected_rows($con) == 1) ? $user_id : false;
}
You get this 0 or 'user_id' (string) into $user_id and then ignore it until the very end when you return either that value or a false. Since the logic was reversed on the return value of the previous function, then on a successful login your $user_id contains the 0 (which is boolean false in PHP) and so this function is returning either a 0 or a false from login - both of them are false so login() is returning false. But specifically in the case of a good login you are returning a 0 which then isn't going to look like a valid ID to put into your session and, if you get it there, isn't going to compare well because of the whole situation of zero being evaluated to boolean false.
Related
my login function does not work, always says username or password does not work. i need echo ok if username and password are correct so i can continue with my project. my db password is set to md5. here are y codes:
user.php file
<?php
<?php
function sanitize($username)//sanitizes user inputs
{ $connect = mysqli_connect('localhost','root','','lr');
return mysqli_real_escape_string
($connect,$username); }
?>
//checks if user exist
function user_exists($username)
{ $username = sanitize($username);
$conn = #mysqli_connect('localhost', 'root', '', 'lr') OR die("cant connect");
$query = mysqli_query($conn, "SELECT user_id FROM users WHERE username = '$username'");
return(mysqli_num_rows($query) ==1) ? true : false;
}
//checks if user active, if set in database to 1, its active, if set to 0, not active
function user_active($username)
{ $username = sanitize($username);
$conn = #mysqli_connect('localhost', 'root', '', 'lr') OR die("cant connect");
$query = mysqli_query($conn, "SELECT user_id FROM users WHERE username = '$username' AND active =1");
return(mysqli_num_rows($query) ==1) ? true : false;
}
//Gets user id from username
function user_id_from_username ($username) {
$username = sanitize ($username);
return mysql_result(mysqli_query("SELECT `user_id` FROM `users` WHERE `username` = '$username'"), 0, 'user_id');
}
function login($username, $password){
$user_id = user_id_from_username($username);
$username = sanitize($username);
$password = MD5($password);
return (mysql_result(mysqli_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username`='$username' AND `password`='$password'"), 0)==1) ? $user_id : false;
}
?>
login.php file
<?php
function sanitize($username)
{ $connect = mysqli_connect('localhost','root','','lr');
return mysqli_real_escape_string
($connect,$username); }
?>
I have this error "Warning: mysql_result(): user_id not found in MySQL result index 13 in C:\xampp\htdocs\core\functions\users.php on line 14"
I think i don't know how to read from my Database, it looks like
Here is my users code
<?php
function user_exists($username){
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT COUNT(`uID`) FROM `user` WHERE `uUserName` = '$username'"), 0) == 1) ? true : false;
}
function user_active($username){
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT COUNT(`uID`) FROM `user` WHERE `uUserName` = '$username' AND `uActive` = 1"), 0) == 1) ? true : false;
}
function user_id_from_username($username){
$username = sanitize($username);
return mysql_result(mysql_query("SELECT `uID` FROM `user` WHERE `uUserName` = '$username'"), 0, 'user_id');
}
function login($username,$password){
$user_id = user_id_from_username($username);
$username = sanitize($username);
$password = md5($password);
return (mysql_result(mysql_query("SELECT COUNT(`uID`) FROM `user` WHERE `uUserName` = '$username' AND `uPassword` = '$password'"), 0) == 1) ? $user_id : false;
}
?>
This is my login system code
if(empty($_POST) === false){
$username = $_POST['username'];
$password = $_POST['password'];
if(empty($username) === true || empty($password) === true){
$errors[] = 'You need to enter a Username and Password';
} else if(user_exists($username) == false){
$errors[] = 'We cannot find that Username, have you registered?';
} else if(user_active($username) === false){
$errors[] = 'You have not activated your account.';
}
else {
$login = login($username,$password);
if($login === false){
$errors[] = 'The username or password is incorrect';
} else {
echo 'ok';
}
}
print_r($errors);
}
You have an error at line 13 where you specify 'user_id' as an offset.
You can simply get the uID column and store the value if that row exists.
$result = mysql_query("SELECT `uID` FROM `user` WHERE `uUserName` = '$username'");
$user_id = 0; // default value, meaning user not found
if ($result && mysql_num_rows($result) > 0){
$row = mysql_fetch_assoc($result);
$user_id = $row[0];
}
return $user_id;
Then you can modify your login function to check whether user_id > 0 or not. If it's larger than 0, then you got that user's id.
Currently the only problem that I see is your user_id_from_username function.
You're trying to set an offset to a field that doesn't exist and mysql doesn't find it. So it's throwing an error:
function user_id_from_username($username){
$username = sanitize($username);
return mysql_result(mysql_query("SELECT `uID` FROM `user` WHERE `uUserName` = '$username'"), 0, 'uID');
}
Try the above or leave off the uID since it's not a mandatory but rather an optional parameter.
Insert obligatory, you should be using mysqli instead of mysql at this point if your PHP version supports it.
when I log in, even the password and username are correct, it keep error.
Array ( [0] => That user/password combination is incorrect )
the username and password is active and existed.
login.php
<?php
include 'init.php';
if(empty($_POST) === false){
$username = $_POST['username'];
$password = $_POST['pwd1'];
if(empty($username)|| empty($password)) {
echo 'You need to enter username and password';
}
else if(user_exists($username) === true){
if(user_active($username) === true){
$login = login($username, $password);
if($login === false){
$errors[] = 'That user/password combination is incorrect' ;
} else{
$_SESSION['user_id'] = $login;
ob_end_clean();
header('Location:forum.php');
exit();
}
}
else{$errors[] = 'You haven\'t activated your account!';}
}
else{$errors[] = 'We can\'t find that username. Have you registered?';}
print_r($errors);
}
?>
users.php
<?php
function logged_in(){
return (isset($_SESSION['user_id'])) ? true :false;
}
function user_exists($username){
$username = sanitize($username);
$sql = "SELECT COUNT(user_id) FROM `user` WHERE username = '$username'";
$result = mysql_query( $sql);
return (mysql_result($result,0) ==1) ? true : false;
}
function user_active($username){
$username = sanitize($username);
$sql ="SELECT COUNT(user_id) FROM `user` WHERE username = '$username' AND `active` = 1";
$result = mysql_query( $sql);
if ($result === false){
return false;
}
return (mysql_result($result,0) ==1) ? true : false;
}
function user_id_from_username($username){
$username = sanitize($username);
$sql = "SELECT user_id FROM `user` WHERE username = '$username'";
$result = mysql_query( $sql);
if ($result === false){
return false;
}
return mysql_result($result,0, 'user_id');
}
function login($username, $password){
$username = sanitize($username);
$password = md5($password);
$query = mysql_query("SELECT COUNT(user_id)
FROM `user`
WHERE username ='$username' AND pwd1 ='$password'");
$row = mysql_fetch_row($query);
if($row[0]>0){
return user_id;
}else{
return false;
}
}
?>
general.php
<?php
function sanitize($data){
return mysql_real_escape_string($data);}
?>
init.php
<?php
ob_start();
session_start();
require 'connect.php';
require 'general.php';
require 'users.php';
$errors = array();
?>
You don't assign $login to $_SESSION['user_id'], because you call die($login); before that, which is same as exit, nothing is parsed after that. Change the order.
And pray that your sanitize function works. Anyway, you had better switch to PDO, because mysql_ functions are deprecated and not safe. Even if you sanitize your $_POST and $_GET, you can still have malicious values selected from your database or from XML you parse or from other source.
The database information is correct and working, I've tested this several times. The database exists along with the table i am trying to pull data out of. I have dummy information in the database, here is my code to check if the user in the database 'network', table 'users':
<?php
require 'core/init.php';
if (empty($_POST) === false){
$username = $_POST['username'];
$password = $_POST['password'];
if (empty($username) === true || empty($password) === true) {
$errors[] = 'You need to enter a username and password.';
} else if (user_exists($username) === false) {
$errors[] = 'Username does not exists. Have you registered?';
} else if (user_active($username) === false) {
$errors[] = 'Your account is not activated. Please check your email!';
} else {
}
print_r($errors);
}
?>
Here is the code for the functions 'user_exists($username)'
<?php
function user_exists($username) {
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT COUNT('user_id') FROM 'users' WHERE 'username' = '".$username."'"), 0) === 1) ? true : false;
}
function user_active($username) {
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT COUNT('user_id') FROM 'users' WHERE 'username' = '".$username."' AND 'active' = 1"), 0) === 1) ? true : false;
}
?>
sanitize function:
<?php
function sanitize($data) {
return mysqli_real_escape_string($data);
}
?>
Here is my issue:
When I login with the dummy information - Username; Password (md5 hashed via phpmyadmin) if displays the error:
'Username does not exists. Have you registered?'
I have tried using a different database, a different user.. nothing works.. Help!
Use back ticks for column and table names,not quotes.
"SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '".$username."'")
return (mysql_result(mysql_query("SELECT COUNT('user_id')
FROM 'users' WHERE 'username' = '".$username."'"), 0) === 1) ? true : false;
}
mysql_results returns either a cell or false,so above the condition ===1 is never reached.
Docs
Returns the contents of one cell from a MySQL result set on success,
or FALSE on failure.
return (mysql_result(mysql_query("SELECT COUNT('user_id')
FROM 'users' WHERE 'username' = '".$username."'"), 0) == false) ? false: true;
}
Also you are connecting with mysql and using mysqli_real_escape_string in the sanitize function. Dont mix them.
function user_exists($username) {
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '".$username."'"), 0) == 1) ? true : false;
}
function user_active($username) {
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '".$username."' AND `active` = 1"), 0) == 1) ? true : false;
}
What was done:
Replaced '' for column names with `
Used == instead of ===
PDO:
function user_exists($username) {
$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password', array(PDO::ATTR_EMULATE_PREPARES => falsse, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$stmt = $db->query("SELECT `user_id` FROM `users` WHERE `username` = '".$username."'"));
$row_count = $stmt->rowCount();
if($row_count==="1"){return true;}else{return false;}
}
I have the following functions in a file called user.php:
function user_id_from_username($username) {
$username = sanitize($username);
return mysql_result(mysql_query("SELECT `MemberID` FROM `member` WHERE `Email` = '$username'"),0, 'MemberID');
}
function login ($username, $password) {
$MemberID = user_id_from_username ($username);
$username = sanitize($username);
$password = md5($password);
return (mysql_result(mysql_query("SELECT COUNT(`MemberID`) FROM `member` WHERE `Email` = '$username' AND `Password` ='$password'"), 0) == 1) ? $MemberID : false; }
And in my login.php I have:
Session_start ();
include 'core/functions/users.php'
if (empty($_POST) === false){
$username = $_POST['Email'];
$password = $_POST['Password'];
$login = login($username, $password);
if($login === 1){
$_SESSION['MemberID'] = $login; //logged in and returned user ID and store in session
header('location: member.php?username='.$username);
}else{
// try admin login
$query2 = mysql_query("SELECT * FROM admin WHERE Email ='$username' AND Password ='$password'");
if(mysql_num_rows($query2) == 1){
$_SESSION['Email'] = $username;
header("location: admin.php");
}
else{
echo "Failed Login Attempt";
}
}
}
When I try to log a user in I get this error:
Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 8 in oddjobexchange\core\functions\user.php on line 27
Failed Login Attempt
I can't get my head around this error because I can't see anything wrong with line 27 (below)
return mysql_result(mysql_query("SELECT `MemberID` FROM `member` WHERE `Email` = '$username'"),0, 'MemberID');
In my DB 'MemberID' is row 0, 'Email' is row 7 and 'Password' is row 8. Anybody know what I've got wrong?