I am having some trouble trying to delete a member from the database I'm using, I don't think it is getting the Username correctly. Here is the form I am using for HTML
deleteForm.php
<?php
//begin our session
session_start();
?>
<html>
<head>
<title>Welcome</title>
</head>
<form action="deleteUser.php">
<p>
<center><label for="Username">Enter username to delete</center></label>
<center><input type="text" id="Username" name="Username" value="" maxlength="20" /></center>
<center><input type="submit" value="Delete Member"></center>
</p>
</form>
</body>
</html>
And this is the code to handle the deletion itself:
deleteUser.php
<?php
//begin our session
session_start();
//Check if username, password have been sent
if((!filter_input(INPUT_POST, 'Username')))
{
echo 'Please enter a valid username';
}
else
{
//Enter the valid data into the database
$memberUsername = filter_input(INPUT_POST, 'Username', FILTER_SANITIZE_STRING);
echo $memberUsername;
$SQLhostname = "****";
$SQLusername = "****";
$SQLpassword = "****";
$databaseName = "****";
try
{
echo "in the try block";
// Create connection
$conn = mysqli_connect($SQLhostname, $SQLusername, $SQLpassword)
or die("Unable to connect MySQL");
$db_selected = mysqli_select_db($conn, $databaseName)
or die("Could not select database");
$deleteMember = "DELETE FROM customers
WHERE name =
'$memberUsername'";
$result = $conn->query($deleteMember);
if(! $result ){
die('Could not delete member: ' . $conn->error);}
else{
echo "Member deleted <br/>";
}
mysqli_close($conn);
}
catch (Exception $ex)
{
//To be added
}
}
?>
The problem is it always enters the if statement and asks for a valid username which I'm assuming is not being set.
Add method attribute to your form.
<form action="deleteUser.php" method="post">
<!--^^^^^^^^^^-->
<p>
<center><label for="Username">Enter username to delete</center></label>
<center><input type="text" id="Username" name="Username" value="" maxlength="20" /></center>
<center><input type="submit" value="Delete Member"></center>
</p>
Just as a quick FYI:
Whenever a method is omitted in a form, it defaults to GET and you're using INPUT_POST therefore you should either be using INPUT_GET or add a post method, i.e: method="post".
Consult the manual:
http://php.net/manual/en/function.filter-input.php
Plus, and for your added safety, your code is open SQL injection. Do use mysqli with prepared statements, or PDO with prepared statements, they're much safer.
in the form tag add "method" attribute:
<form ... method="POST">
In the PHP script you van find the value of inputs in the variable $_GET:
$_GET[Username'']
Kevin
Related
I tried many ways if I insert data to my data base without the
from method it works but with the form and it's method is not working and it doesn't show any error. I don't see any message seems like the code doesn't exist. the connection is good and the name of the table is fine. I am trying to save some data before to implement more code like validation password check and more but if it doesn't save the data how I am going to implement validations. I used the numbers of my serve because it could not be connect with localhost name.
<?php
session_start();
$_SESSION['message'] = "";
$host = "localhost:3308";
$user = "root";
$password = "";
$database = "accounts";
$connect = mysqli_connect($host, $user,
$password,$database); //open the connection.
if(!$connect){
die("cannot connect to database
field:".mysqli_connect_error());
}
else
{
`enter code here`echo "Database is connected". "
<br/>";
if(isset($_POST['create'])){
session_start();
$userName = $_POST['username'];
`enter code here`$email = $_POST['email'];
$pasword = $_POST['pasword'];
$avatar= $_POST['avatar'];
$sql = "INSERT INTO new_table (
username,email,password,avatar)
VALUES (
'$userName','$email','$pasword','$avatar')";
if(mysqli_query($connect, $sql)) {
$_SESSION['message']= "creted";
}
else{
$_SESSION['message']= "not created";
}
}
else {
$_SESSION['message']= "Enter valid data";
}
//my html form
<form action="conectingDB.php" method = "post">
<form action="conectingDB.php" method = "post">
<header>
<h3></h3>
</header>
<br /><br />
<div><?php $_SESSION['message'] ?></div>
<input type="text" name="username" placeholder=
"username" required /><br /><br />
<input type="email" name="email" placeholder = "email"
required /> <br /><br />
<input type="password" name="password"
placeholder="pasword" required /> <br /><br />
<div class = "avatar"><label>Select your avatar:
<input type= "text" name="avatar" ></label></div>
<input type="button" value="create account"
name="create" />
I suggest one more files in your directory with the name "conectingDB.php" and in this file insert the insert command with the connection to the database.
replace the
<input type = "button" value = "create account" name = "create" />
for this
<button type = "submit" value = "create account" name = "create"></button>
Alright so i have been looking around for a simple login system and i have looked at many videos and noticed they are all using MYSQL and according to my webhost i need to use MYSQLi so my code is posted below, can someone help me, everytime i press login it just refreshes the page and does nothing
<?php
$error=''; //Variable to Store error message;
if(isset($_POST['submit'])){
if(empty($_POST['user']) || empty($_POST['pass'])){
$error = "Username or Password is Invalid";
}
else
{
//Establishing Connection with server by passing server_name, user_id and pass as a patameter
$host = "198.91.81.8";
$user = "iishnoii_admin";
$pass = "password";
$db = "iishnoii_seclog";
$con = mysqli_connect($host, $user, $pass, $db);
//sql query to fetch information of registerd user and finds user match.
$query = mysqli_query($conn, "SELECT * FROM users WHERE password='$pass' AND username='$user'");
$rows = mysqli_num_rows($query);
if($rows == 1){
header("Location: welcome.php"); // Redirecting to other page
}
else
{
$error = "Username of Password is Invalid";
}
mysqli_close($conn); // Closing connection
}
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>IIShNoII</title>
</head>
<body>
<div id="login-form">
<form method="post" action="index.php">
Username: <input type="test" name="username" /> <br /> <br />
Password: <input type="password" name="password" /> <br /> <br />
<input type="submit" name="submit" value="Log In" />
</div>
</body>
</html>
In your form, the names of the fields are username and password, but when you try to retrieve them in PHP with $_POST, you call them userand pass.
When I press the submit button I get error.
object not found error.
And the page automatically adds empty entries with auto incremented primary key (without pressing the submit button).
I am still a beginner in PHP, I searched thoroughly but I can't find out what's wrong in code.
<html>
<head>
<title>Add New Record in MySQL Database</title>
</head>
<body>
<form action="insert.php" method="post">
<p>
<label for="Name">Full Name:</label>
<input type="text" name="Name" id="Name">
</p>
<p>
<label for="Code">Code:</label>
<input type="text" name="Code" id="Code">
</p>
<p>
<label for="GPA">GPA:</label>
<input type="text" name="GPA" id="GPA">
</p>
<input type="submit" value="Submit">
</form>
<?php
/* Attempt MySQL server connection. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
$link = mysqli_connect("localhost", "username", "password", "students");
// Check connection
if ($link === false) {
die("ERROR: Could not connect. " . mysqli_connect_error());
}
// Escape user inputs for security
$full_name = filter_input(INPUT_POST, 'full_name');
$code = filter_input(INPUT_POST, 'code');
$gpa = filter_input(INPUT_POST, 'gpa');
// attempt insert query execution
$sql = "INSERT INTO info VALUES ('$full_name', '$code', '$gpa')";
if (mysqli_query($link, $sql)) {
echo "Records added successfully. $full_name";
} else {
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
// close connection
mysqli_close($link);
?>
</body>
</html>
Try this:
$full_name = filter_input(INPUT_POST, 'Name');
$code = filter_input(INPUT_POST, 'Code');
$gpa = filter_input(INPUT_POST, 'GPA');
The reason why I wrote that is because your input names contain Name, Code and GPA so you need to write this exactly as your input names (case-sensitive).
Do with isset(). when the submit button clicks only the code runs.
Inside the php you should use the form input name field.
<?php
if(isset($_POST['submit'])){
$link = mysqli_connect("localhost", "username", "password", "students");
if ($link === false) {
die("ERROR: Could not connect. " . mysqli_connect_error());
}
// Escape user inputs for security
$full_name = filter_input(INPUT_POST, 'full_name');
$code = filter_input(INPUT_POST, 'code');
$gpa = filter_input(INPUT_POST, 'gpa');
//to prevent sql injection attack
$full_name = mysqli_real_escape_string($link, $full_name);
$code = mysqli_real_escape_string($link, $code);
$gpa = mysqli_real_escape_string($link, $gpa);
// attempt insert query execution
$sql = "INSERT INTO info (Name,Code,GPA) VALUES ('$full_name', '$code', '$gpa')";
if (mysqli_query($link, $sql)) {
echo "Records added successfully. $full_name";
} else {
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
// close connection
mysqli_close($link);
}
?>
<html>
<head>
<title>Add New Record in MySQL Database</title>
</head>
<body>
<form action="insert.php" method="post">
<p>
<label for="Name">Full Name:</label>
<input type="text" name="full_name" id="Name">
</p>
<p>
<label for="Code">Code:</label>
<input type="text" name="code" id="Code">
</p>
<p>
<label for="GPA">GPA:</label>
<input type="text" name="gpa" id="GPA">
</p>
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>
The problem is the input name. You named Full Name input with name="Name", but you declare $full_name = filter_input(INPUT_POST, 'full_name'); in php section. you must change full_name to Name. As well as the Code and GPA input.
Following is the Code for LOGIN page used with html & php.
The problem I am facing is that , even after submitting correct information Login is failed .
Is there any problem with the query I used?
<html>
<head>
<title>login</title>
<link rel="stylesheet" href="css/insert.css" />
</head>
<body>
<div class="maindiv">
<!--HTML form -->
<div class="form_div">
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> <!-- method can be set POST for hiding values in URL-->
<h2>Login Form</h2>
<label>Email:</label><br />
<input class="input" type="email" name="mail" />
<br />
<label>Password:</label><br />
<input class="input" type="text" name="pass" />
<br />
<input class="submit" type="submit" name="submit" value="Login" />
PHP
//Selecting Database from Server
$db = mysql_select_db("tanni", $connection);
if(isset($_POST['submit'])){
//Fetching variables of the form which travels in URL
$mail = $_POST['mail'];
$pass = $_POST['pass'];
if($mail!=''&&$pass!=''){
$query=mysql_query("SELECT* FROM user WHERE mail='".$mail."' and pass='".$pass."'") or die(mysql_error());
$res=mysql_fetch_row($query);
if($res){
$_SESSION['mail']=$mail;
}else {
echo'You entered username or password is incorrect';
}
}else{
echo'Enter both username and password';
}
}
//Closing Connection with Server
mysql_close($connection);
?>
</form>
</div>
<div class="formget"><a href=http://www.formget.com/app><img src="formget.jpg" alt="Online Form Builder"/></a>
</div>
</div>
</body>
</html>
What is the problem in the code?
Need space between select and * at SELECT* FROM
Your query would be
SELECT * FROM user WHERE...
Use mysql_num_rows() to check number of rows return from your query instead mysql_fetch_row
mysql is deprecated instead use mysqli or PDO
You need to start session at the top of your page
session_start();
Don't store plain password into database use password hashing technique
http://php.net/manual/en/function.password-hash.php
http://php.net/manual/en/faq.passwords.php
Your code is open for sql injection read
How can I prevent SQL injection in PHP?
Your whole code would be
<?php
session_start();
//Establishing Connection with Server
$connection = mysql_connect("localhost", "root", "");
//Selecting Database from Server
$db = mysql_select_db("tanni", $connection);
if (isset($_POST['submit'])) {
//Fetching variables of the form which travels in URL
$mail = $_POST['mail'];
$pass = $_POST['pass'];
if ($mail != '' && $pass != '') {
$query = mysql_query("SELECT * FROM user WHERE mail='" . $mail . "' and pass='" . $pass . "'") or die(mysql_error());
$res = mysql_num_rows_row($query);
if ($res == 1) {
$_SESSION['mail'] = $mail;
} else {
echo'You entered username or password is incorrect';
}
} else {
echo'Enter both username and password';
}
}
//Closing Connection with Server
mysql_close($connection);
?>
I am experimenting with PHP and Mysql. I have created a database and table at mu localhost using xampp. I have also created a file that suppose to populate my table by executing a query, but the strange thing is that i get no errors but at the same time no DATA has been inserted into my DataBase:
CODE:
register.php:
<?php
session_start();
if(isset($_POST['submitted'])){
include('connectDB.php');
$UserN = $_POST['username'];
$Upass = $_POST['password'];
$Ufn = $_POST['first_name'];
$Uln = $_POST['last_name'];
$Uemail = $_POST['email'];
$NewAccountQuery = "INSERT INTO users (user_id,username, password, first_name, last_name, emial) VALUES ('$UserN','$Upass', '$Ufn', '$Uln', '$Uemail')";
if(!mysql_query($NewAccountQuery)){
die(mysql_error());
}//end of nested if statment
$newrecord = "1 record added to the database";
}//end of if statment
?>
<html>
<head>
<title>Home Page</title>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<link href="style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="wrapper">
<header><h1>E-Shop</h1></header>
<article>
<h1>Welcome</h1>
<h1>Create Account</h1>
<div id="login">
<ul id="login">
<form method="post" action="register.php" >
<fieldset>
<legend>Fill in the form</legend>
<label>Select Username : <input type="text" name="username" /></label>
<label>Password : <input type="password" name="password" /></label>
<label>Enter First Name : <input type="text" name="first_name" /></label>
<label>Enter Last Name : <input type="text" name="last_name" /></label>
<label>Enter E-mail Address: <input type="text" name="email" /></label>
</fieldset>
<br />
<input type="submit" submit="submit" value="Create Account" class="button">
</form>
</div>
<form action="index.php" method="post">
<div id="login">
<ul id="login">
<li>
<input type="submit" value="Cancel" onclick="index.php" class="button">
</li>
</ul>
</div>
</article>
<aside>
</aside>
<div id="footer">This is my site i Made coppyrights 2013 Tomazi</div>
</div>
</body>
</html>
I have also one include file which is connectDB:
<?php
session_start();
$con = mysql_connect("127.0.0.1", "root", "");
if(!$con)
die('Could not connect: ' . mysql_error());
mysql_select_db("eshop", $con) or die("Cannot select DB");
?>
Database structure:
database Name: eshop;
only one table in DB : users;
users table consists of:
user_id: A_I , PK
username
password
first_name
last_name
email
I spend a substantial amount of time to work this out did research and looked at some tutorials but with no luck
Can anyone spot what is the root of my problem...?
It is because if(isset($_POST['submitted'])){
you dont have input field with name submitted give the submit button name to submitted
<input name="submitted" type="submit" submit="submit" value="Create Account" class="button">
Check your insert query you have more fields than your values
Change :
$NewAccountQuery = "INSERT INTO users (user_id,username, password, first_name, last_name, email) VALUES ('$UserN','$Upass', '$Ufn', '$Uln', '$Uemail')";
to :
$NewAccountQuery = "INSERT INTO users (user_id,username, password, first_name, last_name, email) VALUES ('','$UserN','$Upass', '$Ufn', '$Uln', '$Uemail')";
Considering user_id is auto increment field.
Your email in query is written wrongly as emial.
Is error reporting turned on?
Put this on the top of your screen:
error_reporting(E_ALL);
ini_set('display_errors', '1');
Some good answers above, but I would also suggest you make use of newer MySQLi / PDO instead of outdated 2002 MySQL API.
Some examples: (i will use mysqli since you wrote your original example in procedural code)
connectDB.php
<?php
$db = mysqli_connect('host', 'user', 'password', 'database');
if (mysqli_connect_errno())
die(mysqli_connect_error());
?>
register.php -- i'll just write out an example php part and let you do the rest
<?php
//i'll always check if session was already started, if it was then
//there is no need to start it again
if (!isset($_SESSION)) {
session_start();
}
//no need to include again if it was already included before
include_once('connectDB.php');
//get all posted values
$username = $_POST['username'];
$userpass = $_POST['password'];
$usermail = $_POST['usermail'];
//and some more
//run checks here for if fields are empty etc?
//example check if username was empty
if($username == NULL) {
echo 'No username entered, try again';
mysqli_close($db);
exit();
} else {
//if username field is filled we will insert values into $db
//build query
$sql_query_string = "INSERT INTO _tablename_(username,userpassword,useremail) VALUES('$username','$userpass','$usermail')";
if(mysqli_query($db,$sql_query_string)) {
echo 'Record was entered into DB successfully';
mysqli_close($db);
} else {
echo 'Ooops - something went wrong.';
mysqli_close($db);
}
}
?>
this should work quite nicely and all you need to add is your proper posted values and build the form to post it, that's all.
<?php
$db = mysqli_connect('host', 'user', 'password', 'database');
if (mysqli_connect_errno())
die(mysqli_connect_error());
?>
register.php -- i'll just write out an example php part and let you do the rest
<?php
//i'll always check if session was already started, if it was then
//there is no need to start it again
if (!isset($_SESSION)) {
session_start();
}
//no need to include again if it was already included before
include_once('connectDB.php');
//get all posted values
$username = $_POST['username'];
$userpass = $_POST['password'];
$usermail = $_POST['usermail'];
//and some more
//run checks here for if fields are empty etc?
//example check if username was empty
if($username == NULL) {
echo 'No username entered, try again';
mysqli_close($db);
exit();
} else {
//if username field is filled we will insert values into $db
//build query
$sql_query_string = "INSERT INTO _tablename_(username,userpassword,useremail) VALUES('$username','$userpass','$usermail')";
if(mysqli_query($db,$sql_query_string)) {
echo 'Record was entered into DB successfully';
mysqli_close($db);`enter code here`
} else {
echo 'Ooops - something went wrong.';
mysqli_close($db);
}
}
?>