This is a school project and this particular page is to register a new user it does not display errors but it does not fill the MYSQL data base the connection for the database is in another page and I used the require function functions.php is where I am writing the connection function please help :(
<?php
include_once("menu.php");
?>
<form action="login.php" method="POST">
<?php
if ((isset($_POST['username']))&& (isset($_POST['password'])) && (isset($_POST['password2'])) && (isset($_POST['email'])))
{
$username = $_POST['username'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
$email = $_POST['email'];
if ($password == $password2)
{
require_once("functions.php");
$connection = connectToMySQL();
$Query = "SELECT count(*) FROM tbl_users WHERE username='$username'";
$Result = mysqli_query($connection,$Query)
or die("Error in the query :". mysqli_error($connection));
$row = mysqli_fetch_row($Result);
$counter = $row[0];
if ($counter > 0)
{
echo "Username alredy exsist with the movie assosiation website<br/>";
echo "<input type=\"submit\" class=\"button\" value=\"Back\"/>";
}
else
{
$insertQuery = "INSERT INTO 'tbl_users'(username,password,email,role) VALUES ('$username',sha1('$password'),'$email','registered')";
$insertResult = mysqli_query($connection,$insertQuery)
or die("Error in the query :". mysqli_error($connection));
echo "account created !! <br />";
echo "<input type=\"button\" class=\"button\" value=\"Log In\" onclick=\"location.href='login.php'\"> ";
}
}
}
else
{
?>
<label>
<span>Username:</span>
<input id="username" type="text" name="username" placeholder="enter your Username" required />
</label></br>
<label>
<span>Password</span>
<input id="password" type="password" name="password" placeholder="enter your Password" required />
</label></br>
<label>
<span>Re-Enter Password</span>
<input id="password2" type="password" name="password2" placeholder="re-enter your Password" required />
</label></br>
<label>
<span>Email</span>
<input id="email" type="email" name="email" placeholder="enter email" required />
</label></br>
<label>
<span> </span>
<input id="submit" class="button" type="submit" name="submit" value="Submit"/>
</label>
</form>
<?php
}
?>
<?php
require_once("footer.php")
?>
remove single quote from your table name
try this
$insertQuery = "INSERT INTO `tbl_users`(username,password,email,role) VALUES ('$username',sha1('$password'),'$email','registered')";
instead of
$insertQuery = "INSERT INTO 'tbl_users'(username,password,email,role) VALUES ('$username',sha1('$password'),'$email','registered')";
Error in your sql statement.
Try this.
$insertQuery = "INSERT INTO tbl_users (username,password,email,role) VALUES ('{$username}',sha1('{$password}'),'{$email}','registered')";
or this
$insertQuery = "INSERT INTO tbl_users (username,password,email,role) VALUES ('".$username."',sha1('".$password."'),'".$email."','registered')";
Related
I'm trying to make a simple register and login form.
I want to use SHA1 to save the encrypted password in database.
But when I try to login with the password, it seems it does not work.
There are three files - index.php, register.php ,login.php
Please help me to solve this problem.
//index.php
<form action="register.php" method="post" enctype="multipart/form-data">
<label for="email">Email:</label>
<input type="text" name="email">
<br />
<label for="password">Password:</label>
<input type="password" name="password">
<button>Register</button>
</form>
<form action="login.php" method="post">
<label for="email">Email:</label>
<input type="text" name="email">
<br />
<label for="password">Password:</label>
<input type="password" name="password">
<button>Login</button>
</form>
//register.php
<?php
$email = $_POST['email'];
$password = $_POST['password'];
$regist_day=date('d-m-Y (H:i)');
if (!empty($email) && !empty($password)) {
require_once('lib/db_connect.php');
$dbc = mysqli_connect(DB_HOST,DB_USER,DB_PASSWORD,DB_NAME)
or die('Error connecting database');
$sql = "INSERT INTO member(email,password,regist_day)";
$sql .= "VALUES ('$email',SHA1('$password'),'$regist_day')";
mysqli_query($dbc,$sql);
echo("
<script>
location.href='try.php'
</script>
") ;
}
else{
echo "You need to enter Email and Password";
}
?>
//login.php
<?php
$user_email = $_POST['email'];
$user_password = SHA1($_POST['password']);
if (!empty($user_email) && !empty($user_password)) {
require_once('lib/db_connect.php');
$dbc = mysqli_connect(DB_HOST,DB_USER,DB_PASSWORD,DB_NAME)
or die('Error connecting database');
$sql = "SELECT * FROM member WHERE email = '$user_email'";
$result = mysqli_query($dbc,$sql);
$num_match = mysqli_num_rows($result);
if (!$num_match) {
echo "No result";
}
else{
$sql = "SELECT * FROM member WHERE password = '$user_password' ";
$result = mysqli_query($dbc,$sql);
$password_match = mysqli_num_rows($result);
if (!$password_match) {
echo "SHA1 does not work";
exit;
}
else{
echo"success";
}
}
}
else{
echo "You need to enter both Email and Password";
}
?>
I am building a three part signup system using sessions. The first part is on the homepage, there is a login here called form1 and a signup called form2. This question is about signup form2. In form2 the user inserts email and password into the DB table, and the iduser is created auto automatically. A sessions is created, this part works fine. In signup_part2.php using sessions I echo out the iduser and email to prove that the info was inserted into the database. Then in signup_part2.php there is a second form, however when I hit submit nothing is inserted into the database table into those user's fields. How can I insert data into the DB table during a user's session?
home.php
<?php
session_start();
require('connect.php');
require('header.php');
$form1 = <<<EOT
<div id="homebox1">
<div id="logohome">
<h2>Welcome</h2></br>
</div>
<div id="homecolumn1">
<p>Login</p></br>
<form id="login" action="home.php" method="POST">
<input name="emaillogin" placeholder="email" type="email" rows="20"> </input></br>
<input name="passwordlogin" placeholder="password" type="password" rows="20"> </input></br>
<input type="submit" name="submita" value="Log In"> </input>
</form>
</div>
EOT;
$form2 = <<<EOT
<div id="homecolumn2">
<p>Sign Up</p></br>
<form id="signuppart1" action="home.php" method="post">
<input name="signupemail" placeholder="email" type="email" rows="20" required> </input></br>
<input pattern="(?=^.{8,50}$)((?=.*\d)|(?=.*\W+))(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*$" name="signuppassword" placeholder="password" type="password" rows="20" required> </input></br>
<input name="submitb" type="submit" value="Sign Up"> </input>
</form>
</div>
EOT;
$footer = <<<EOT
<div id="footerhome1">
</div>
</div>
EOT;
/*-------------------------------------form1----------------------------------------*/
if(isset($_POST['submita'])){
$email = mysql_escape_string($_POST['emaillogin']);
$pass = mysql_escape_string($_POST['passwordlogin']);
$salt = '458mn$8n#bty67mg%563!&78fj^543*41s';
$pass = md5($pass . $salt);
$sql = mysql_query ("SELECT * FROM `profile` WHERE `email` = '$email' AND `password`= '$pass' ");
if(mysql_num_rows($sql) > 0){
// ADDITIONAL CODE //pull userdata from db
while($row = mysql_fetch_array($sql)){
$_SESSION['logged_in']['fnlname'] = $row['fnlname'];
$_SESSION['logged_in']['username'] = $row['username'];
$_SESSION['logged_in']['gender'] = $row['gender'];
}
// END ADDITIONAL CODE
header('location: profile.php');
}else{
echo <<<EOT
<div id="homebox1">
<div id="logohome">
<h2>Welcome</h2></br>
</div>
<div id="homecolumn1">
<p>Login</p></br>
<form id="login" action="home.php" method="POST">
<input name="emaillogin" placeholder="email" type="email" rows="20"> </input></br>
<input name="passwordlogin" placeholder="password" type="password" rows="20"> </input></br>
<input type="submit" name="submita" value="Log In"> </input>
<p style="color:red;">"Wrong password or username"</p>
</form>
</div>
EOT;
}
}else{
echo $form1;
}
/*-------------------------------------form2----------------------------------------*/
if(isset($_POST['submitb'])){
//perform verification
$email1 = $_POST['signupemail'];
$pass1 = $_POST['signuppassword'];
if ($pass1 == NULL){
echo <<<EOT
<p style="color:red;">"Enter a password"</p>
EOT;
exit();
}
$email1 = mysql_escape_string($email1);
$password = mysql_escape_string($pass1);
$salt = 'justasalt';
$password = md5($password . $salt);
$sql2 = mysql_query("SELECT * FROM `profile` WHERE `email` = '$email1' ");
if(mysql_num_rows($sql2) > 0){
echo $form2;
echo <<<EOT
<p style="color:red;">"Sorry, that email already exists!"</p>
EOT;
exit();
}
else{
mysql_query("INSERT INTO `profile` (`iduser`, `password`, `email`)VALUES(NULL, '$password', '$email1')");
$sql = mysql_query ("SELECT * FROM `profile` WHERE `email` = '$email1' AND `password`= '$password' ");
if(mysql_num_rows($sql) > 0){
// ADDITIONAL CODE //pull userdata from db
while($row = mysql_fetch_array($sql)){
$_SESSION['logged_in']['iduser'] = $row['iduser'];
$_SESSION['logged_in']['fnlname'] = $row['fnlname'];
$_SESSION['logged_in']['username'] = $row['username'];
$_SESSION['logged_in']['gender'] = $row['gender'];
$_SESSION['logged_in']['location'] = $row['location'];
$_SESSION['logged_in']['website'] = $row['website'];
$_SESSION['logged_in']['age'] = $row['age'];
$_SESSION['logged_in']['joined'] = $row['joined'];
$_SESSION['logged_in']['email'] = $row['email'];
}
header("location: signup_part2.php");
}
}
}
else{
echo $form2;
}
?>
signup_part2.php
<?php
session_start();
include "connect.php";
include "header.php";
$iduser=$_SESSION['logged_in']['iduser'];
$sql = mysql_query("SELECT * FROM `profile` WHERE `iduser` = '$iduser' ");
while($row = mysql_fetch_array($sql)){
$iduser = $row['iduser'];
$password = $row['password'];
$email = $row['email'];
$fnlname = $row['fnlname'];
$username = $row['username'];
$joineddate = $row['joineddate'];
$gender = $row['gender'];
$age = $row['age'];
$location = $row['location'];
$website = $row['website'];
}
echo "$iduser $password $email";
$form1 = <<<EOT
<div id="homebox1">
<div id="logohome">
<h2>Welcome</h2></br>
</div>
<div id="signupcolumn1">
<p>Please fillout your info</p>
<form id="signup2" action="signup_part2.php" method="POST">
<p><input name="fnlname" placeholder="First and Last Name" type="text" size="50" required>*</br>
<input name="username" placeholder="Username" type="text" size="50" required>*</br>
<input name="age" placeholder="Your Age" type="" size="50" required>*</br></p>
<p><input style="text-align:left;" type="radio" name="gender" value="male"/>Male</br>
<input style="text-align:left;" type="radio" name="gender" value="female"/>Female</br>
<input style="text-align:left;" type="radio" name="gender" value="blank"/>Leave Blank</br></p>
<p><input name="location" placeholder="Location" type="" size="50" >Opt.</br>
<input name="website" placeholder="Website" type="" size="50">Opt. </br></p>
<input name="joineddate" placeholder="joineddate" type="hidden" size="50">
<input type="submit" name="submita" value="Next">
</div>
</form>
EOT;
if(isset($_POST['submita'])){
//perform verification
$fnlname = $_POST['fnlname'];
$username = $_POST['username'];
$age = $_POST['age'];
$gender = $_POST['gender'];
$location = $_POST['location'];
$website = $_POST['website'];
$joineddate = $_POST['joineddate'];
$iduser=$_SESSION['logged_in']['iduser'];
/*$fnlname = mysql_escape_string($fnlname);
$username = mysql_escape_string($username);
$age = mysql_escape_string($age);
$gender = mysql_escape_string($gender);
$location = mysql_escape_string($location);
$website = mysql_escape_string($website); */
$sql1 = mysql_query("SELECT * FROM `profile` WHERE `username` = '$username' ");
if(mysql_num_rows($sql1) > 0){
echo "Sorry, that username already exists!";
}else{
mysql_query("UPDATE profile SET fnlname='$fnlname' joineddate='$joineddate' gender='$gender' age='$age' location='$location' website='$website' WHERE iduser=$iduser ");
}
}else{
echo $form1;
}
?>
Found my mistake
if(isset($_POST['submit']))
should be
if(isset($_POST['submita']))
Hi i am new to PHP and i am trying to submit a registration form and it works fine but the problem is that when it gives some error like username already exists or password too short in an alert box and then it reloads the form page again and the user has to fill the whole form again i want the fields that are correct to remain unchanged
here is the form page code
<!DOCTYPE HTML>
<html>
<head>
<title>Details</title>
<link rel="stylesheet" type="text/css" href="reg.css">
</head>
<body id="body">
<div id="mmw"> <span> MAP MY WAY </span></div>
<form name="reg" id="reg" method="post" action="insert.php">
<h2>Kindly fill up your Information</h2>
<p>
<input name="username" required class="name" placeholder="Type Your User name" />
<input name="password" placeholder="Type Your Password" class="name" type="password" required />
<input name="first_name" required class="name" placeholder="Type Your First name" />
<input name="last_name" required class="name" placeholder="Type Your Last name" />
<input name="email" required class="email" placeholder="Type a valid E-Mail address" />
<input name="m_no" class="name" placeholder="Type Your Mobile #"/>
<input name="v_name" required class="name" placeholder="Type Your Vahical model and name"/>
<input name="capacity" required class="name" placeholder="Seating capacity"/>
<input name="fuel_type" required class="name" placeholder="Runs on what fuel type"/>
</p>
<p>
<input name="submit" class="btn" type="submit" value="Register" />
</p>
</form>
</div>
</body>
</html>
and here is the page that is processing the data
<?php
$con = mysqli_connect("localhost", "root", "", "map_my_way");
// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// escape variables for security
$username = mysqli_real_escape_string($con, $_POST['username']);
$password = mysqli_real_escape_string($con, $_POST['password']);
$first_name = mysqli_real_escape_string($con, $_POST['first_name']);
$last_name = mysqli_real_escape_string($con, $_POST['last_name']);
$email = mysqli_real_escape_string($con, $_POST['email']);
$m_no = mysqli_real_escape_string($con, $_POST['m_no']);
$v_name = mysqli_real_escape_string($con, $_POST['v_name']);
$fuel_type = mysqli_real_escape_string($con, $_POST['fuel_type']);
$capacity = mysqli_real_escape_string($con, $_POST['capacity']);
$exists = mysqli_num_rows(mysqli_query($con,"SELECT * FROM members WHERE username='" . $username . "'"));
if ($exists > 0) {
echo "<script language=\"JavaScript\">\n";
echo "alert('username already exists!');\n";
echo "window.location='reg.php'";
echo "</script>";
}
if (strlen ($password) < 6){
echo "<script language=\"JavaScript\">\n";
echo "alert('password must be 6 characters');\n";
echo "window.location='reg.php'";
echo "</script>";
}
else{
// if ($password < 6) {
// echo "<script language=\"JavaScript\">\n";
// echo "alert('username already exists!');\n";
// echo "window.location='reg.php'";
// echo "</script>";
// } else{
//insert query
$sql = "INSERT INTO members (username, password, first_name, last_name, email, m_no, v_name, fuel_type, capacity)
VALUES ('$username', '$password', '$first_name', '$last_name', '$email', '$m_no', '$v_name', '$fuel_type', '$capacity')";
}
//}
if (!mysqli_query($con, $sql)) {
die('Error: ' . mysqli_error($con));
}
else{
header("location:pic.php");
}
// Register $username
session_start();
$_SESSION['login'] = true;
$_SESSION['username'] = $username;
mysqli_close($con);
?>
Thanks in advance
header('Location: http://example.com/some/url'); relplace it with the javascript
also try to make a function to the escape string less typing:
function security($danger) {
mysqli_real_escape_string($con, $danger)}
simply call it with the username like $username = security($_POST['username'])
I m having a login page where user enters id and password.To reset the password i have to check whether the entered password is present or not whether it matches with the id i have entered.How to validate it.I m unable to validate it. If user enters any password it displays the record is updated. How to validate it. Here is the code
login.php
<label type="text" name="id" maxlength="50" size="20">ID</label><br />
<input type="text" name="id" placeholder="ID" class="input" size="20"/><br /></div>
<div class="formItem">
<label type="text" name="uid" maxlength="50" size="20">Password</label><br />
<input type="password" name="uid" placeholder="ID" class="input" size="20"/><br /></div>
<span class="field">(* Required field)</span><br /><br />
<input type="submit" name="login1" value="LOGIN" class="button"><br /><br /><br /><br />
</form>
</div>
</body>
</html>
<?php
$username = "root";
$password = "";
$hostname = "localhost";
$db = "abc";
//connection to the database
$dbhandle = mysql_connect($hostname, $username, $password) or die("Unable to connect to MySQL");
mysql_select_db($db,$dbhandle) or die('cannot select db');
if(isset($_POST['login1']))
{
$id= $_POST['id'];
$uid= $_POST['uid'];
$query= "select * from resume where id='$id'
AND uid='$uid'";
$run= mysql_query($query);
if(mysql_num_rows($run)>0){
echo "<script>window.open('resetp.php','_self')</script>";
}
else {
echo "<script>alert('Login details are incorrect!')</script>";
}
}
?>
resetp.php
<label type="text" name="uid" maxlength="50" size="20">Old Password</label><br />
<input type="text" name="uid" placeholder="id" class="input" size="20"/><br /></div>
<div class="formItem">
<label type="text" name="uid" maxlength="50" size="20">New Password</label><br />
<input type="password" name="pass" placeholder="pass" class="input" size="20"/><br /></div>
<div class="formItem">
<label type="text" name="cpas" maxlength="50" size="20">Confirm Password</label><br />
<input type="password" name="cpas" placeholder="" class="input" size="20"/><br /></div>
<div class="formItem">
<input type="submit" name="login1" value="RESET" class="formButton"><br /><br /><br /><br /></div>
</form>
<?php
$username = "root";
$password = "";
$hostname = "localhost";
$db = "resume1";
//connection to the database
$dbhandle = mysql_connect($hostname, $username, $password) or die("Unable to connect to MySQL");
mysql_select_db($db,$dbhandle) or die('cannot select db');
if(isset($_POST['login1']))
{
$pass= $_POST['pass'];
$uid= $_POST['uid'];
$cpas=$_POST['cpas'];
$query = "Update `resume` SET uid='".$_POST['pass']."' where uid='".$_POST['uid']."'";
$run = mysql_query($query);
if($query)
{
echo "<script>alert('Record updated')</script>";
}
else
{
echo "<script>alert('no')</script>";
}
}
?>
How can i validated it
Try this:
This line
<label type="text" name="uid" maxlength="50" size="20">New Password</label><br />
should be
<label type="text" name="pass" maxlength="50" size="20">New Password</label><br />
I guess couldn't understand your requirement.
Why don't you validate like you are doing in login.php
$query= "select * from resume where id='$id'
AND uid='$uid'";
$run= mysql_query($query);.................
the PHP script should be at the beginning, not at the end of the code. Begin with the <?php .... ?> and then follow the <HTML> ... </HTML> otherwise the result is returned even before the script is processed.
There are a lot of security issues with your code. You can try this.
<?php
require 'db.php';
$username = isset($_POST['username']) ? htmlspecialchars(trim($_POST['username']), ENT_QUOTES, 'UTF-8') : '';
$password = isset($_POST['password']) ? htmlspecialchars($_POST['password'], ENT_QUOTES, 'UTF-8') : '';
$error = array();
$error_found = 0;
if(isset($_POST['submit']) && ($_POST['submit'] == 'Reset'))
{
//check for errors.
//check if username field is empty.
if(empty($username))
{
$error[] = 'Please provide your user-name.';
}
//check if password field is empty.
if(empty($password))
{
$error[] = 'Please provide a password.';
}
//if errors exist, put errors found as true.
if(!empty($error))
{
$error_found = 1;
}
//else no errors are found.
else
{
//proceed to reset.
//connecting to database.
$db = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD) or die('Unable to connect, check your connection parameters. ');
mysql_select_db(MYSQL_DB, $db) or die('Could not select database, check availability. ' . mysql_error($db));
//querying the database. Checking if user-name password combination exists.
$query = 'SELECT username FROM resume WHERE username = "' . mysql_real_escape_string($username, $db) .
'" AND password = PASSWORD("' . mysql_real_escape_string($password, $db) . '")';
$result = mysql_query($query, $db) or die(mysql_error($db));
//checking if result is true.
if(mysql_num_rows($result) > 0)
{
//the result is true and so you can now reset your password.
}
else
{
$error[] = 'The username password combination you provided does not exist.';
$error_found = 1;
}
}
}
//HTML
?>
<!DOCTYPE HTML>
<html>
<head><title> ... </title></head>
<body>
<!--Your html code here -->
<?php
//if errors are found, then errors are shown here.
if($error_found == 1)
{
echo '<fieldset><center>';
echo '<ul>';
foreach($error as $e)
{
echo '<li>' . $e . '</li>';
}
echo '</ul>';
echo '</center></fieldset>';
}
?>
<form action="nameOfThisScript.php" method="POST">
Username:<input id="username" type="text" name="username" required />
Password:<input id="password" type="password" name="password" required />
<button id="Reset" type="submit" name="submit" value="Reset">Reset</button>
</form>
</body>
</html>
create a script named db.php in the same folder as this script and put the code
<?php
define('MYSQL_HOST', 'localhost');
define('MYSQL_USER', 'root');
define('MYSQL_PASSWORD', '');
define('MYSQL_DB', 'resume1');
?>
Hope this helps.
I'd like to know if there are any errors/exploits in this piece of coding, and also can someone help me because I register but it doesn't insert data into the database. If there are any mistakes can you correct them please. I want it so if the username exists, redirect them to error?=1, and so on with passwords not matching. Any help is appreciated.
Register.php
<form action="register_acc.php" method="post">
<input type="text" name="username" class="input" value="" autocomplete="off" placeholder="Username" maxlength="25" /><br />
<br />
<input type="password" name="password" class="input" value="" autocomplete="off" placeholder="Password" maxlength="20" /><br />
<br />
<input type="password" name="password2" class="input" value="" autocomplete="off" placeholder="Password again" maxlength="20" /><br />
<br />
<input type="text" name="email" class="input" value="" autocomplete="off" placeholder="Email" maxlength="255" /><br />
<br />
<input type="submit" name="submit "class="submit" value="Sign up">
</form>
register_acc.php
<?php
error_reporting(1);
include 'site/inc/config.php';
if (isset($_POST['submit'])) {
session_start();
$username = $_POST['username'];
$password = md5($_POST['password']);
$pass_conf = md5($_POST['password2']);
$email = $_POST['email'];
$ip = $_SERVER['REMOTE_ADDR'];
$date= date("d-m-Y");
$q = "SELECT * FROM `users` WHERE username = '$username'";
$r = mysql_query($q);
if (empty($username)) {
header("Location: register.php?error=1");
exit;
}
if ($password != $pass_conf) {
header("Location: /site/register.php?error=2");
exit;
}
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
header("Location: /site/register.php?error=3");
exit;
}
if (mysql_num_rows($r) == 0) {
// Continue w/ registration, username is available!
$query = "INSERT INTO `users` (id, username, password, email, ip, rank, reg_date)
VALUES (0, '$username', '$password', '$email', '$ip', 1, '$date'())";
$run = mysql_query($query);
header("Location: /site/register.php?succsess=1");
}
}
else {
header("Location: register.php?error=4");
}
?>
You don't concatenate the $username variable into the query.
Try this:
"SELECT * FROM `users` WHERE username = '".$username."'"
Also your INSERT query looks a bit weird with the date() function. Try this:
$date = date("Y-m-d");
"INSERT INTO `users` (id, username, password, email, ip, rank, reg_date)
VALUES (0, '$username', '$password', '$email', '$ip', 1, '".$date."')"
EDIT: SCRIPT EXAMPLE
<?php
if(!isset($_POST['username'])||!isset($_POST['email'])||!isset($_POST['password']))//enter more values if necessary
{
header("Location: error_page.php?error=1");
}
else
{
//do whatever, eg execute query
}
?>