php mysql_query always selecting first row - php

I'm trying to change the password of the signed-in user, but when I run the code it always changes the top row of the table, and the signed-in user is somewhere in the middle.
the code for the user
validation code
<?php
session_start();
include ('dbc.php');
if (!isset($_SESSION['user'])) {
header("Location: login.php");
}
$id = mysql_real_escape_string($_SESSION['id']);
$todo=$_POST['todo'];
$oldpwd=$_POST['oldpwd'];
$newpwd=$_POST['newpwd'];
if ($_POST['Submit']=='Change') {
$result = mysql_query("select * from users where id='$id'")
or die("asdasdsd".mysql_error());
while($row=mysql_fetch_array($result)) {
if ($_POST["oldpwd"] == $row["user_pwd"]) {
mysql_query("UPDATE users set user_pwd='$newpwd' WHERE id='$id'");
header("Location: userpanel.php?msg=Password updated...");
} else {
header("Location: userpanel.php?msg=ERROR: Password does not match...");
}
}
}
?>
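An added example, not part of the original post: the same password change with the row selected by a bound session id, passwords stored as hashes, and the update confirmed to touch exactly one row. It assumes PDO with an in-memory SQLite table standing in for `users`; the helper name `change_password` and the sample rows are constructed for illustration.

```php
<?php
// Added example. Constructed data: an in-memory SQLite table stands in for
// the post's MySQL `users` table (assumption), with hashed passwords.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_pwd TEXT)');
$ins = $pdo->prepare('INSERT INTO users (id, user_pwd) VALUES (?, ?)');
foreach ([1 => 'alice-old', 2 => 'bob-old', 3 => 'carol-old'] as $id => $pwd) {
    $ins->execute([$id, password_hash($pwd, PASSWORD_DEFAULT)]);
}

// Hypothetical helper: true only when exactly one row, the caller's, changed.
function change_password(PDO $pdo, $sessionId, string $oldPwd, string $newPwd): bool
{
    // Stop when the session carries no usable id instead of querying with ''.
    $id = filter_var($sessionId, FILTER_VALIDATE_INT);
    if ($id === false || $id <= 0 || $newPwd === '') {
        return false;
    }
    $sel = $pdo->prepare('SELECT user_pwd FROM users WHERE id = :id');
    $sel->execute([':id' => $id]);
    $hash = $sel->fetchColumn();
    if ($hash === false || !password_verify($oldPwd, $hash)) {
        return false;
    }
    // Bound parameters: quotes in $newPwd are data, never SQL.
    $upd = $pdo->prepare('UPDATE users SET user_pwd = :pwd WHERE id = :id');
    $upd->execute([':pwd' => password_hash($newPwd, PASSWORD_DEFAULT), ':id' => $id]);
    return $upd->rowCount() === 1;
}

// In the page handler the id argument is $_SESSION['id'], never request data.
$newPwd = "it's-new' OR '1'='1";
var_dump(change_password($pdo, 2, 'bob-old', $newPwd));    // correct old password
var_dump(change_password($pdo, 2, 'wrong', 'other'));      // wrong old password
var_dump(change_password($pdo, null, 'bob-old', 'other')); // no id in session

// Rows 1 and 3 must still verify against their original passwords.
$check = $pdo->prepare('SELECT user_pwd FROM users WHERE id = ?');
foreach ([1 => 'alice-old', 2 => $newPwd, 3 => 'carol-old'] as $id => $pwd) {
    $check->execute([$id]);
    var_dump(password_verify($pwd, $check->fetchColumn()));
}
```

In the page handler, follow each `header("Location: ...")` with `exit;` so nothing after the redirect keeps running.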

Related

php header not working online but working on my localhost.....why?

This works perfectly well on my localhost, but when I hosted it online, it does not log on, and it echoes logged on successfully and error-free. Please, what can be the cause of this?
<?php
session_start();
$_SESSION['user_logged']=$user;
$_SESSION['user_password']=$password;
$user = $_POST["username"];
$password = $_POST["password"];
include("include/connect.php");
$msg = array();
if(isset($_POST['submit'])){
foreach($_REQUEST as $key=>$val){
$$key=$val;
}
if(count($msg)==0){
$sql="SELECT username, password FROM admin WHERE username='$username' && password='$password'";
$res=mysql_query($sql) OR die(mysql_error());
if(mysql_fetch_array($res)>0){
$_SESSION['user_logged']= $user;
$_SESSION['user_password']=$password;
header("location:dashboard.php");
echo "You looged in Successfully";
} else{
$msg[]='Incorrect username/password';
}
}
}
?>
Below is dashboard.php, which it's supposed to redirect to.
<?php
include('include/connect.php');
include('include/function.php');
if(isset($_REQUEST['mode']) )
{
$mode=$_REQUEST['mode'];
if($mode == 1)
{
$id=$_REQUEST['id'];
$sql="DELETE FROM enquiry WHERE id='$id'";
$result=mysql_query($sql);
}
}
$msg=array();
if(isset($_POST['submit'])){
$title=$_POST['news'];
$news_item=$_POST['news'];
if(empty($news_item)){
$msg[]='You must enter news in the column!';
}
if(empty($title)){
$msg[]='News Title must not be empty!';
}
else {
$sql = "SELECT * FROM news_file WHERE title='$title' ";
$res = mysql_query($sql) or die(mysql_error());
$result = mysql_fetch_array($res);
if($result > 0){
$msg[] = 'News with the same title has been added already';
} else {
$sql = "INSERT INTO news_file (title,news,date) VALUES ('$title','$news_item',Now())";
$result = mysql_query($sql);
$msg[]='News was successfully added';
}
}
}
?>
Try this.
<?php
session_start();
/*
These should be the other way round, as you are setting
the session variables with variables which have not been
initialised yet
*/
$user = $_POST["username"];
$password = $_POST["password"];
$_SESSION['user_logged']=$user;
$_SESSION['user_password']=$password;
include("include/connect.php");
$msg = array();
if(isset($_POST['submit'])){
foreach($_REQUEST as $key=>$val){
$key=$val; // Removed Erroneous double $
}
if(count($msg)==0){
$sql="SELECT
username,
password
FROM
admin
WHERE
username='$username'
AND
password='$password'";
// MySql does not accept && as a comparison operator.
$res=mysql_query($sql);
if(!$res)
{
var_dump(mysql_error());
exit;
}
else
{
if(mysql_fetch_array($res)>0)
{
$_SESSION['post'] = $_POST;
while(mysql_fetch_array($res)>0)
{
$_SESSION['user_logged']= $user;
$_SESSION['user_password']=$password;
header("location:dashboard.php");
echo "You logged in Successfully";
}
}
else
{
$msg[]='Incorrect username/password'; // added the missing $
}
}
} // closes if(count($msg)==0)
} // closes if(isset($_POST['submit']))
?>
Looking at the code you have provided for dashboard.php, you are expecting there to be $_POST data, for a page which you have redirected to. Where you have redirected to the page, there will be no $_POST data for you to retrieve from the server.
I have amended my script above, to store the $_POST data in the session, so using that, you should be able to call your news items by calling $_SESSION['post']['news'], or if this is too long winded, simply re-assign the POST data once inside your dashboard.php script like so.
$post = $_SESSION['post'];
Then you can call it by using $post['news'].

PHP echo display name not user

I can log in successfully and the user can be displayed... But I'm doing something wrong here; I can't display the name of the user. Here is the form I tried:
<?php
include("dbconfig.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST")
{
// username and password received from loginform
$name=mysqli_real_escape_string($dbconfig,$_POST['name']);
$username=mysqli_real_escape_string($dbconfig,$_POST['username']);
$password=mysqli_real_escape_string($dbconfig,$_POST['password']);
$sql_query="SELECT id FROM user WHERE username='$username' and password='$password'";
$result=mysqli_query($dbconfig,$sql_query);
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
$count=mysqli_num_rows($result);
// If result matched $username and $password, table row must be 1 row
if($count==1)
{
$_SESSION['login_user']=$username;
header("location: home.php");
}
else
{
$error="Useri ose passwordi gabim!";
}
}
?>
and here is the display code:
<?php
if(!isset($_SESSION['login_user']))
{
header("Location: login.php");
}
else
{
$name=$_SESSION['login_user'];
?>
Welcome <?php echo $name;?>
<?php
}
?>
What am I missing? Can anyone help me out? Thanks!
From what I understand, you're trying to display the user's name and not the username in the welcome message.
First of all, please see that you are not even retrieving the user's name. So, you need to fetch that along with the id.
Considering the field is "name" in your database.
You can modify your query:
$sql_query="SELECT id, name FROM user WHERE username='$username' and password='$password'"; // Add name along with id
$result = mysqli_query($dbconfig,$sql_query);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$count = mysqli_num_rows($result);
if($count==1) {
$_SESSION['User']['username'] = $username; // Change this
$_SESSION['User']['name'] = $row['name']; // Add this
header("location: home.php");
} else {
/* Other code */
}
Now, your display code:
<?php
session_start();
if(!isset($_SESSION['User'])) {
header("Location: login.php");
} else {
$name = $_SESSION['User']['name'];
?>
Welcome <?php echo $name;?>
<?php } ?>
Hope this helps.

how to get unique session numbers in php

I am trying to create two separate sessions: one for if the user is admin and another if the user is author. $type stores the type as an enum (can be either author or admin). But I am not getting unique session IDs for my sessions. I am new to PHP and MySQL. Can somebody tell me where the error is in my code?
Please help
<?php
session_start();
?>
<?php
include("dbconnect.php");
$con= new dbconnect();
$con->connect();
//create and issue the query
$sql = "SELECT type FROM users WHERE username = '".$_POST["username"]."' AND password = PASSWORD('".$_POST["password"]."')";
$result = mysql_query($sql);
//get the number of rows in the result set; should be 1 if a match
if (mysql_num_rows($result) == 1) {
$type_num=0;
//if authorized, get the values
while ($info = mysql_fetch_array($result)) {
$type =$info['type'];
}
if($type == "admin")
{
$_SESSION['type']=1;
$u = 'welcome.php';
header('Location: '.$u);
}
else
{
$_SESSION['type']=$type_num;
$u = 'welcome.php';
header('Location: '.$u);
}
}
else {
//redirect back to loginfailed.html form if not in the table
header("Location: loginfailed.html");
exit;
}
?>
welcome.php is as follows:
<?php
session_start();
?>
<html>
<body>
<h2>Welcome to SOD73.</h2>
<?
if($_SESSION['type']==1){
echo "You are of the usertype Admin and your session id is ";
echo session_id();
session_destroy();
}
else {
echo "You are of the usertype Author and your session id is ";
echo session_id();
session_destroy();
}
?>
</body>
</html>
You have to use session_regenerate_id() before calling session_destroy() in the file welcome.php.

how to legitimate an user of his profile?

I have a problem with $_GET to authenticate an owner of his site.
I'm using this code to check if the user's id is registered or not:
<?php
session_start();
include('scripts/db_connect.php');
if(isset($_SESSION['id'])){
$url_auth = $_GET['id'];
}else{
echo "no user found";
exit();
}
$sql = "SELECT * FROM table WHERE id='".$url_auth."'";
$query = $db->query($sql);
if($query->num_rows !=1){
header("Location: index.php");
exit();
}
?>
I'm having problems reading out that $_GET id. It seems that something is going wrong and I don't know why. Is there maybe another way to check for a user's registration when someone is calling any id in the browser? Thanks.
Try this way.
<?php
session_start();
include('scripts/db_connect.php');
$id=$db->real_escape_string($_GET['id']); //Sanitized the variable to avoid SQL Injection attacks (escaped through the $db mysqli connection used for the query)
$sql = "SELECT * FROM table WHERE id='".$id."'";
$query = $db->query($sql);
if($query->num_rows !=1){
header("Location: index.php");
exit();
}
else
{
$_SESSION["loggedIn"]="Success";
header("Location: authenticationSuccess.php"); // a redirect needs the Location: prefix
exit();
}
?>
Now check this $_SESSION["loggedIn"]="Success" on all your other pages to check whether the user is genuine.
Changes for Comment:
If you really think $_GET is the problem , try this.
<?php
session_start();
#extract($_GET);
include('scripts/db_connect.php');
$sql = "SELECT * FROM table WHERE id='".$db->real_escape_string($id)."'"; // escaped through the $db mysqli connection
$query = $db->query($sql);
if($query->num_rows !=1){
header("Location: index.php");
exit();
}
else
{
$_SESSION["loggedIn"]="Success";
header("Location: authenticationSuccess.php"); // a redirect needs the Location: prefix
exit();
}
?>
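An added example, not from the question or the answers: deciding ownership of a profile from the server-side session instead of from the id in the URL alone. It assumes PDO with an in-memory SQLite table; the table `profiles`, the helper `profile_access` and all sample values are constructed for illustration.

```php
<?php
// Added example. Constructed data: in-memory SQLite stands in for the
// post's MySQL table (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE profiles (id INTEGER PRIMARY KEY, display_name TEXT)');
$pdo->exec("INSERT INTO profiles (id, display_name) VALUES (7, 'anna'), (8, 'ben')");

// Hypothetical helper. $session and $get stand in for $_SESSION and $_GET.
// Returns 'anonymous', 'not_found', 'visitor' or 'owner'.
function profile_access(PDO $pdo, array $session, array $get): string
{
    if (!isset($session['id'])) {
        return 'anonymous';   // not logged in: nothing in the URL changes that
    }
    $requested = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    if ($requested === false) {
        return 'not_found';   // missing or non-numeric id
    }
    $stmt = $pdo->prepare('SELECT 1 FROM profiles WHERE id = :id');
    $stmt->execute([':id' => $requested]);
    if ($stmt->fetchColumn() === false) {
        return 'not_found';
    }
    // Ownership is the session id matching the requested id; a row merely
    // existing for the URL's id proves nothing about the visitor.
    return ((int) $session['id'] === $requested) ? 'owner' : 'visitor';
}

// Constructed requests: [session contents, query-string contents].
$cases = [
    'own profile'    => [['id' => 7], ['id' => '7']],
    'someone else'   => [['id' => 7], ['id' => '8']],
    'unknown id'     => [['id' => 7], ['id' => '99']],
    'not logged in'  => [[], ['id' => '7']],
    'non-numeric id' => [['id' => 7], ['id' => "7' OR '1'='1"]],
];
foreach ($cases as $label => [$session, $get]) {
    printf("%-15s %s\n", $label, profile_access($pdo, $session, $get));
}
```

Only the `owner` result should unlock edit actions; `$_SESSION['id']` is expected to be set once, at login, after the password check.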

Logout code not executing at all. php

Here is the code
I don't know what's wrong with it.
<?php
//Logout code
//Starting Session
session_start();
//Include
include ("includes/mass.php");
//Check if the user is logged in
$username = $_SESSION['username'];
$logged_in_query = "SELECT * FROM user WHERE loggedin='1' AND username='$username'";
$check_if_logged_in = mysql_query($logged_in_query);
if (isset($username))
{ while ($row = mysql_fetch_array($check_if_logged_in))
{
$logged_in = $row['loggedin'];
if ($logged_in == 1)
{
//User becomes logged out on database records
$sql_logout = "UPDATE user SET loggedin='0' WHERE loggedin='1' AND username='$username'";
$logout_query = mysql_query($logout_query);
//Logout page
session_destroy();
echo "You have been logged out.","<br>"."<a href='index.php'>Click Here To Go Back</a>";
}
}
} else
{
echo"You are not logged in"."<br><a href='register.php'>Click To Sign Up</a>";
}
?>
Do you have a mysql link object (from mysql_connect() / mysql_select_db() ?) From your comments below, it doesn't sound that way.
This SQL is wrong:
$sql_logout = "UPDATE user WHERE loggedin='1' AND username='$username'";
Should be:
$sql_logout = "UPDATE user SET loggedin=0 WHERE loggedin='1' AND username='$username'";
?
You probably also mean to be using mysql_fetch_assoc() instead of mysql_fetch_array().
This line:
$logout_query = mysql_query($logout_query);
Should be
$logout_query = mysql_query($sql_logout);
Put in your correct mysql connection and db information and try to run this. Please post the output.
<?php
//Logout code
//Starting Session
session_start();
echo "hello<br />";
//Include
include ("includes/mass.php");
echo "no problem in mass.php!<br />";
// FILL ME IN
$my_link = mysql_connect($server, $username, $password, TRUE);
mysql_select_db('your_db', $my_link); // use the link opened on the line above
//Check if the user is logged in
$username = $_SESSION['username'];
$logged_in_query = "SELECT loggedin FROM user WHERE loggedin='1' AND username='$username'";
echo $logged_in_query . "<br />";
$check_if_logged_in = mysql_query($logged_in_query, $my_link);
var_dump(mysql_num_rows($check_if_logged_in));
if (isset($username))
{
while ($row = mysql_fetch_assoc($check_if_logged_in))
{
var_dump($row);
$logged_in = $row['loggedin'];
if ($logged_in == 1)
{
//User become logged out on database records
$sql_logout = "UPDATE user SET loggedin=0 WHERE loggedin='1' AND username='$username'";
$logout_query = mysql_query($sql_logout, $my_link);
//Logout page
session_destroy();
echo "You have been logged out.","<br>"."<a href='index.php'>Click Here To Go Back</a>";
}
else
{
echo"You are not logged in"."<br><a href='register.php'>Click To Sign Up</a>";
}
}
}
?>
What you have written is very bad code. I would suggest you do it like this:
1. Create a session in the login page once their username and password match the entry in the db.
2. Destroy that session when they log out.
Your implementation of checking the user using the db is not scalable. It gets executed every time, and it's not the right way of doing it.
I would use something like this:
<?php
//Logout code
//Starting Session
session_start();
//Include
include ("includes/mass.php");
//Check if the user is logged in
$username = $_SESSION['username'];
if (isset($username))
{
$logged_in_query = "SELECT * FROM user WHERE loggedin='1' AND username='".$username."' LIMIT 1";
$check_if_logged_in = mysql_query($logged_in_query);
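$row = mysql_fetch_assoc($check_if_logged_in); // fetch the row; mysql_fetch_field() returns column metadata, not the value
$logged_in = $row ? $row['loggedin'] : 0;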
if ($logged_in == 1)
{
//User becomes logged out on database records
$sql_logout = "UPDATE user SET loggedin='0' WHERE loggedin='1' AND username='".$username."' LIMIT 1";
$logout_query = mysql_query($sql_logout); // run the UPDATE built on the line above
if ($logout_query)
{
//Logout page
session_destroy();
echo "You have been logged out.","<br>"."<a href='index.php'>Click Here To Go Back</a>";
}
else
{
//Couldn't update the user table to set your login status.
echo "MYSQL Error, please contact admin LO-2";
exit();
}
}
else
{
echo "You are not logged in"."<br><a href='register.php'>Click To Sign Up</a>";
}
}
else
{
echo "You are not logged in"."<br><a href='register.php'>Click To Sign Up</a>";
}
?>
Not tested
Max
