Okay I have been using mysql for use with my website however it has not been going well with some of the syntax. I've read up on it but I fell like I'm still doing it wrong... In the picture below, I have defined database variables and then tried to log into my database containing the columns of "ID" "Username" and "Password". I then define the username and password input, from my form, in the php and asked the database to compare... am I missing something? I feel like it's not comparing the data from the form with the data in the database. It works even if I type the password wrong..
//Name of File: LoginCheck.php <--Called with the Login.php (which has a form on it)
//posts information to LoginCheck.php
<?php
define('DB_HOST', 'localhost');
define('DB_USER', 'blah');
define('DB_PASS', 'blah');
define('DB_NAME', 'Profiles');
$con = mysql_connect(DB_HOST, DB_USER, DB_PASS);
if(!$con){
die('Could not connect. ' . '<br/>' . 'Error: ' . mysql_error());
}
$db_selected = mysql_select_db(DB_NAME, $con);
if(!$db_selected){
die('Could not select database: ' . DB_NAME . '<br/>' . 'Error: ' . mysql_error());
}
//defines login variables from the form.
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$login = mysql_query("SELECT * FROM Users WHERE Username = '$username' AND Password = '$password'", $con);
if(!$login){
echo 'Error: ' . mysql_error();
echo "Didn't log in. Not matching database intel.";
}else{
echo "Logged in matching database intel.";
}
mysql_close($con);
?>
mysql_query() just returns a resource. You can then use that resource to get that data or more information about the query.
You can use mysql_num_rows() to see if your query was successful:
if(!mysql_num_rows($login)){
FYI, you should not be storing passwords in plain text. That is a huge security no-no.
Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.
It should be:
$login = mysql_query("SELECT * FROM Users WHERE Username = '$username' AND Password = '$password'", $con);
if(!$login){
echo 'Error: ' . mysql_error();
} elseif (mysql_num_rows($login) == 0) {
echo "Didn't log in. Not matching database intel.";
}else{
echo "Logged in matching database intel.";
}
Not finding a match is not the same as an error.
Related
I made a php script which'll echo an image if the correct password is entered; so that, nobody can access the images stored on my server directly, thus, making my server more secure. Now, for the php script I used GET method to generate a mysql_query to my database in order to check if the email and password entered by the user are associated with a relevant account and then echo the image from a folder on my server. Now, in order to pass the parameters while runtime, I'm adding them in the URL like this:
http://<mywebserver>/get_image.php/?email=<email>&password=<password>&file_name=<image-file-name>
But, something's wrong with this whole setup, and I'm getting the following error:
Warning: mysql_query() [function.mysql-query]: Access denied for user
'uXXXXXXXXX'#'XX.XX.XX.XX' (using password: NO) in
/home/uXXXXXXXXX/public_html/get_image.php on line 11
Warning: mysql_query() [function.mysql-query]: A link to the server
could not be established in /home/uXXXXXXXXX/public_html/get_image.php
on line 11 Error getting data: Access denied for user
'uXXXXXXXXX'#'XX.XX.XX.XX' (using password: NO)
Here is my php script, get_image.php:
<?php
$file_path = "/ProfilePics/";
if(isset($_GET['email']) && isset($_GET['password']) && isset($_GET['file_name'])) {
$id = "\"" . $_GET['email'] . "\"";
$typed_password = "\"" . $_GET['password'] . "\"";
$file = $_GET['file_name'];
$result = mysql_query("SELECT * FROM students WHERE email = $id AND password = $typed_password") or die ("Error getting data: " . mysql_error()); //line 11
if(!empty($result)) {
if (mysql_num_rows($result) > 0) {
$result = mysql_fetch_array($result);
$user = array();
$user["email"] = $result["email"];
$user["password"] = $result["password"];
$pass = "\"" . $user["password"] . "\"";
if($pass == $typed_password) {
$img_path = $file_path . $file;
echo '<img src="' . $img_path . '" name = "cover" />';
} else {
echo "Incorrect password";
}
} else {
echo "Unable to find user";
}
} else {
echo "Unable to find user";
}
} else {
echo "Required field(s) is missing";
}
?>
I agree, that there are lots of other questions already on stackoverflow stating similar problems. But, I didn't find the solution(s) to those questions applicable for my code. So, any help on this will be highly appreciated. Thank you for your time!
This is because you have not connected your file get_image.php to your MySQL database. Do so as follows:
$host="localhost"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="database"; // Database name
$tbl_name="students"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
Simply replace the information above with the correct information.
You don't seem to be connecting to the database before you try to send queries to it.
It should like something like this:
$conn = new mysqli($servername, $username, $password, $dbname);
Taken from the example here:
http://www.w3schools.com/php/php_mysql_select.asp
Furthermore, if you care, you should consider using PDO or some other method of preventing SQL injection attacks.
SQL Injection:
https://en.wikipedia.org/wiki/SQL_injection
Information on PDO:
http://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059
setup a database connection first:
$con = mysql_connect('server','username','password');
$rst = mysql_query('select...', $con);
remember that kind of library to access mysql is outdated.
imagine someone logging in with this password:
password = '"; DROP TABLE students;'
or something crafted better.
There are different libraries like PDO or MYSQLI that take cares of this for you.
in newer releases of php standard mysql libis deprecated and removed
I have 3 files to login
Can someone look through my code in checklogin... does it look OK. And hwo do I update it so it's not deprecated. mysql_select_db and sql select etc, how can I change the code to update version...
<?php
$host="localhost";
$username="root";
$password="";
$db_name="members";
$tbl_name="user";
$username=$_POST['username'];
$password=$_POST['password'];
$con= mysql_connect("localhost","root","","members");
if(!$con)
die("failed to connect");
mysql_select_db("members",$con);
$sql= "SELECT * FROM user WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1)
{
session_start();
$_SESSION['username']=$username;
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>
Try this code and see if it does what you need. Also, when you post your form are you encrypting your password in anyway? You may need to decrypt the users password so that it matches what is in the DB?
<?php
define('DB_HOSTNAME','localhost');
define('DB_USERNAME','root');
define('DB_PASSWORD','');
define('DB_DATABASE','members');
$username = $_POST['username'];
$password = $_POST['password'];
//CONNECT TO DATABASE
$db = new mysqli(DB_HOSTNAME, DB_USERNAME, DB_PASSWORD, DB_DATABASE);
if($db->connect_errno > 0){
die('Unable to connect to database [' . $db->connect_error . ']');
}
$userExists = $db->query("SELECT * FROM user WHERE username='{$username}' and password='{$password}'");
$count = count($userExists);
$db->close();
if($count == 1){
session_start();
$_SESSION['username'] = $username;
header("location:login_success.php");
}else{
echo "Wrong Username or Password";
}
?>
You need to use PHP PDO.
PHP's mysql_* functions are deprecated and should not be used anymore!
All you need is to update your code to get rid of using deprecated functions.
What the posters failed to inform you of is that the functions for 'mysql..()' are deprecated by PHP. Meaning they will be taken out soon or will no longer be updated in the newer versions of PHP. Better description here Deprecated meaning?.
'mysqli' is the new standard for connecting with mysql through PHP. There are several ways you can connect to mysql through PHP as well. 'new mysqli', 'mysqli_connect', and even going the PDO route. http://php.net/manual/en/mysqli.quickstart.connections.php
php.net has a great set of documentation that will give you better insite into all of these methods.
Hope this helps you be not confused any longer.
This question already has answers here:
Why shouldn't I use mysql_* functions in PHP?
(14 answers)
Closed 8 years ago.
I'm writing a simple program in php that requires users to login. I have a working code but whenever a wrong username or password is entered, I got an exception that says the following:
Deprecated: mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in C:\wamp\www\Directory\login.php on line 67
The script I have is working well, but I just need to get rid of this warning message.
Below is my php code.
<?php
$username = $_POST['username'];
$password = $_POST['password'];
// Connect to the database
$con = mysql_connect('localhost', 'root', '');
// Make sure we connected succesfully
if (!$con) {
die('Connection Failed' . mysql_error());
}
// Select the database to use
mysql_select_db("Garden", $con);
$q = mysql_query("select * from register where username='" . $username . "' and password='" . $password . "' ") or die(mysql_error());
$res = mysql_fetch_row($q);
if ($res) {
header('location:home.php');
} else {
echo 'Error. The Username or Password that you entered is invalid.';
}
?>
I dont know if im using something. This is my first time of using php. Please I need your help. Thank you.
Here's the same code using MySQLi:
<?php
$mysqli = new mysqli('localhost', 'user', 'password', 'db_name');
if(mysqli_connect_errno()){
printf("DB Connect failed: %s\n", mysqli_connect_error());
exit();
}
// Add the UTF8 Support
$mysqli->query("SET NAMES 'utf8'");
$mysqli->query("SET CHARACTER SET utf8");
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$username = $mysqli->real_escape_string($username);
$password = $mysqli->real_escape_string($password);
$query = "SELECT * FROM `register` WHERE username='" . $username . "' and password='" . $password . "' LIMIT 1";
$result = $mysqli->query($query);
if(!empty($result)){
if($result->num_rows == 1) {
header("Location: home.php");
} else {
echo "Error. The Username or Password that you entered is invalid.";
}
}
mysqli_close($mysqli);
$mysqli = null;
?>
You shouldn't be avoiding the PHP Errors. You should always fix the code accordingly.
You can use PDO or MySQLi.
Rewrite your code (small effort) using mysqli even if it's working properly and check if the message still appears.
I am new to programming. I have a website on iPage. Now, I am learning PHP and one of the things I am learning is to connect PHP to mySql database. I am using the following:
mysql_connect(host name, username, password)
My question is, why I am not getting an error?
no matter what username and password and even host name i enter, it just accepts it!
This is the code I am trying (the username and password are just as example)
<?php
mysql_connect('ipage','admin','password');
echo 'Connected!';
?>
when I run it, it just says connected even though my username and password are not admin, password.
Use mysqli_*, beacuse mysql_* is deprecated and will be removed in the future:
$conn = mysqli_connect('localhost', 'username', 'password');
if(mysqli_connect_errno($conn))
{
die('Error in connection to MySQL: ' . mysqli_connect_error());
}
else
{
echo 'Connected successfully';
}
You are not checking if you are connected.
You need to use something like this:
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_close($link);
My suggestion is to start reading some docs, they have some great examples and you can really learn a lot. DOCUMENTATION
I have a site that I am storing the username and hashed password in a table. I am trying to compair this information (username and hashed password) to the login information passed from my login site. Unfortunately this keeps crashing. If someone could point me in the right direction as to what I am doing wrong I would appreciate it. Below is the code I am using to check the login. It may be something very simple as I am still pretty new to php.
<?php
$myServer = "server.domain.com";
$myUser = "readaccess";
$myPass = "password";
$myDB = "database";
$dbhandle = mssql_connect($myServer, $myUser, $myPass)
or die("Couldn't connect to SQL Server on $myServer");
$selected = mssql_select_db($myDB, $dbhandle)
or die("Couldn't open database $myDB");
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
//declare the SQL statement that will query the database
$query = "SELECT password, salt ";
$query. = "FROM dbo.members ";
$query. = "WHERE username = '$myusername' ";
$result = mssql_query($query)
or die('A error occured: ' . mssql_get_last_message());
// SQL_num_row is counting table row
$count=mssql_num_rows($result);
if($count) < 1) //no such user exists
{
header('Location: main_login.php');
}
$userData = mssql_fetch_array($result, MSSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $mypassword) );
if($hash != $userData['password']) //incorrect password
{
header('Location: main_login.php');
}
else {
header('Location: index.php');
}
?>
I think the problem is this line
$result = mssql_query($query)
or die('A error occured: ' . mssql_get_last_message());
The proper way to check failure is
$result = mssql_query($query, $dbhandle);
if(!$result)
die('A error occured: ' . mssql_get_last_message());
Note that this goes for the mssql_connect and mssql_select_db statements as well.
Note that you need to provide the database resource to the mssql_query function.
Also, most people find it more readable if you use .= without a space between them. I don't think it produces a parse error, but it make a lot of sense to keep the whitespace out of the operand. (You wouldn't do $counter+ +; even if it were legal.)
Note for asking future questions, always include whatever error message you're seeing and, if it is referencing a line number, point out that line in your code sample. In this case, I don't think your problem has anything to do with hashing or sql, as it's entirely a parse/syntax error.