<?php $r = mysql_query("select * from tbl_student_master where email='#$_SESSION[email]'") or die(mysql_error());
There seems to be a problem with that. How do I properly enter the session variable within apostrophes?
First off, make sure that your $_SESSION variable is safe - I have no reason to assume that it isn't, but if you are initially getting it from $_GET or $_POST or $_REQUEST, you need to do this differently.
<?php $r = mysql_query("select * from tbl_student_master where email='" . $_SESSION["email"] . "'") or die(mysql_error());
That being said, mysql_query is deprecated, you should really look into either mysqli or PDO. I strongly recommend PDO.
If you are using the # because it is sometimes not set, you should wrap it in
if (isset($_SESSION["email"])) {
$r = mysql_query("select * from tbl_student_master where email='" . $_SESSION["email"] . "'") or die(mysql_error());
}
else {
//what to do if there is no session email
}
Related
Wampserver. in phpmyadmin i have added users db and user_data table. but my code doesn't work
<?php
include_once("sql_connect.php");
session_start();
$_SESSION['currentuser']=$_POST['usernameinput'];
$uname = $_POST['usernameinput'];
$pass = $_POST['passwordinput'];
$sql = "SELECT * FROM 'user_data' WHERE(
username='".$uname."' and password='".$pass."')";
$query = mysql_query($sql);
$result = mysql_fetch_array($query);
if($result[0]>0)
{
header ("location: Ghome.php");
}
else
{
header ("Location: loginform_er_incorrectlogpass.php");
}
?>
When i wrote correct username and password it doesn't work. maybe something wrong with my code?
<?php
session_start(); # Starts the session
session_unset(); #removes all the variables in the session
session_destroy(); #destroys the session
include ("LoginForm.php");
echo "<p align='center'><font color='red'>Неправильно указан Логин или Пароль.</font></p>";
?>
To fix your current problem, remove the quotes around the table name and get used to using back ticks instead.
SELECT * FROM `user_data` ...
Not this:
SELECT * FROM 'user_data' ...
(Technically, you don't even need the back ticks here, but using them is a good practice and will help catch a variety of typos down the road.)
Some additional pointers:
Never store passwords as plain text; this is extremely bad security practice. Use hashing and salting. Specifically, use bcrypt.
Please don't use mysql_*; the mysql_* functions are outdated, deprecated, and insecure. Use MySQLi or PDO instead.
You are wide open to SQL injection.
You were incorrectly using single quotes around the table name in your sql - you should use backticks instead. Also, there was no check for POSTed variables. Ideally though, to avoid heartache in the future, look at migrating to use either mysqli or PDO. At the very least try some basic filtering of provided POST data
<?php
session_start();
include_once("sql_connect.php");
if( isset( $_POST['usernameinput'] ) && isset( $_POST['passwordinput'] ) ){
$uname = mysql_real_escape_string( $_POST['usernameinput'] );
$pass = mysql_real_escape_string( $_POST['passwordinput'] );
$_SESSION['currentuser']=$uname;
$sql = "SELECT * FROM `user_data` WHERE `username`='".$uname."' and `password`='".$pass."';";
$query = mysql_query( $sql );
$result = mysql_fetch_array( $query );
header('location: ' .( $result[0]>0 ) ? 'Ghome.php' : 'loginform_er_incorrectlogpass.php' );
}
?>
replace this
$query = mysql_query($sql)
with the following
$query = mysql_query($sql) or die(mysql_error());
and see what error you are getting
I really got a problem now. I tried for decades and I can't find why it is not working. I want to get the user that is logged in to see their email on a specific page. I tried a new code now and i get this error: Notice: Undefined variable: row in
The code I use is:
<?
$username = $_SESSION['username'];
$sql = "select * from users where username=" . $username . "";
echo $sql;
$query = mysql_query($sql);
while ($row = mysql_fetch_array($query)) {
}
?>
AND
<?php echo $row['email']; ?>
<?php
$username = $_SESSION['username'];
$query = mysql_query("select * from users where username='".$username."'");
while ($row = mysql_fetch_array($query)) {
$email=$row["email"];
}
echo $email;
?>
try this.
don't use mysql_* functions
I think... Problem is in SQL query. I propose your column "username" is something like VARCHAR(50). So you have to add quote.
$sql = "select * from users where username='" . $username . "'";
I see a bug, and a design problem.
You've designed your script so that you're printing whatever was last assigned to $row in the condition of your while loop.
You're getting the error because the query is not returning anything and the loop is not running. Therefore, $row is never assigned. That being said, you probably don't want to use a while-loop if all you're trying to do is display the value of the "email" column in the first record returned. If you did want to, then stop it.
Call mysql_fetch_assoc() on your $result (doesn't return as much data), and check that it doesn't return FALSE (one or more records weren't found).
if((row = mysql_fetch_assoc($result)) === false)
die("Error.");
?>
Email:
The code below is supposed to check if there is a person in the database with a row in the database with the username it gets from the cookie login.And if there is it is supposed to include a page and if there isn't a person in the database with this user_id it is supposed to echo.Here is my code so far please tell me how I would do this.I also already know before someone tells me that mySQL statements like I have it are becoming depreciated.Here is My code:
<?php
include("dbconnect.php");
mysql_select_db("maxgee_close2");
$username = $_COOKIE['maxgee_me_user'];
$result = mysql_query("select user_id from users where username = '$username'");
$row = mysql_fetch_array($result);
mysql_free_result($result);
$check = mysql_query("SELECT * FROM events_main WHERE user_id ='$row['user_id']'") or die(mysql_error());
if(1==1){
if (mysql_num_rows($check)>0)
{
include("example.php");
}
else
{
echo "example";
}
}
?>
In the double-quoted string, your array variable $row['user_id'] is being incorrectly parsed due to the fact that you have quoted the array key without surrounding the whole thing in {}. It is permissible to omit the {} in a double-quoted string if you don't quote the array key, but the {} adds readability.
check = mysql_query("SELECT * FROM events_main WHERE user_id ='{$row['user_id']}'") or die(mysql_error());
//-------------------------------------------------------------^^^^^^^^^^^^^^^^^^
// Also acceptable, but not as tidy, and troublesome with multidimensional
// or variable keys - unquoted array key
check = mysql_query("SELECT * FROM events_main WHERE user_id ='$row[user_id]'") or die(mysql_error());
//-------------------------------------------------------------^^^^^^^^^^^^^^^^^^
As mentioned above, $_COOKIE is never considered a safe value. You must escape its values against SQL injection if you continue to use the old mysql_*() API:
$username = mysql_real_escape_string($_COOKIE['maxgee_me_user']);
2 Things right off the bat, like Waleed said you're open to SQL injection, not very nice thing to have happen to you. I would look into reading tutorials about MySQLi and PDOs, from there try and dive into a better way or running queries.
Also you are choosing to use cookies instead of sessions to store the username? Cookies can be modified client-side to say anything a smart user with firebug would want them to be. Sessions are stored server-side and the client (end-user) is only given an id of the session. They cannot modify the username if you send it as a session. (They could try and change the session id to another random bunch of numbers but thats like pissing into the wind, pardon my french.
Heres some pseduo code that will get you on your way I think
<?php
include("dbconnect.php");
$database = "maxgee_close2"; //Set the database you want to connect to
mysql_select_db($database); //Select database
$username = $_SESSION['maxgee_me_user']; //Grab the username from a server-side stored session, not a cookie!
$query = "SELECT user_id FROM `users` WHERE `username` = '" . mysql_real_escape_string($username) . "' LIMIT 1"; //Note the user of mysql_real_escape_string on the $username, we want to clean the variable of anything that could harm the database.
$result = mysql_query($query);
if ($row = mysql_fetch_array($result)) {
//Query was ran and returned a result, grab the ID
$userId = $row["user_id"];
mysql_free_result($result); //We can free the result now after we have grabbed everything we need
$query_check = "SELECT * FROM `events_main` WHERE `user_id` = '" . mysql_real_escape_string($userId) . "'";
$check = mysql_query($query_check);
if (mysql_num_rows($check)>0) {
include("example.php");
}
else {
echo "example";
}
}
?>
That code may/may not work but the real key change is that fact that you were running
mysql_free_result($result);
before your script had a chance to grab the user id from the database.
All in all, I would really go back and read some more tutorials.
I'm trying to use $_SESSION['valid_user'] in a .php script that accesses the table "mail" under "users." $_SESSION['valid_user'] has been defined in a script which I included. Whenever I use "WHERE to=$_SESSION['valid_user']" in my SELECT statement, I get a blank page. However, if I take it out, the script runs and displays all messages in the database, not just the message that was defined to show to that particular username. Despite this, I can echo $_SESSION['valid_user'] outside of the while loop or SELECT statement. Here's my code:
<?php
include("mainmenu.php");
include("checklogin.php");
//$_SESSION['valid_user'] defined in checklogin.php
$con = mysql_connect("localhost", "root", "g00dfor#boy");
if(!$con){
die(mysql_error());
}
mysql_select_db("users", $con);
$result = mysql_query("SELECT * FROM mail WHERE to=$_SESSION['valid_user']");
//when executed with WHERE to=$_SESSION['valid_user'] it displays blank page.
while($row = mysql_fetch_array($result))
{
echo "To: " . $row['to'] . "| From: " . $row['from'] . "<br/>";
echo "Subject: " . $row['subject'] . "<br/><br/>" . "Message: " . $row['message'];
echo "<br/>";
}
mysql_close($con);
?>
Don't say, "Put $_SESSION['valid_user'] in double quotes." I've already tried that.
Change to $result = mysql_query("SELECT * FROM mail WHERE to='".$_SESSION['valid_user']."'");
You need to put brackets around the SESSION variable in your query.
change
$result = mysql_query("SELECT * FROM mail WHERE to=$_SESSION['valid_user']")
to
$result = mysql_query("SELECT * FROM mail WHERE to='{$_SESSION['valid_user']}'")
EDIT
You need to change
while($row = mysql_fetch_array($result))
to
while($row = mysql_fetch_assoc($result))
because you are referencing the columns by their names rather than by their index value.
Try
$result = mysql_query("SELECT * FROM mail WHERE to='".$_SESSION['valid_user']."'");
or
$result = mysql_query("SELECT * FROM mail WHERE to='$_SESSION[valid_user]'");
Both should not be valid queries;
Try capturing your query in a variable and printing it out to see what you get.
$query = "SELECT * FROM mail WHERE to=$_SESSION['valid_user']";
If the $_SESSION['valid_user'] contains any spaces you will need to wrap it in some form of single or double quotes other wise MySQL won't know what you really want.
Presumably user_name is a variable, originally provided by a user of your site? In that case you absolutely must escape it when embedding it in an SQL query, or you will be prone to injection attacks:
$result = mysql_query("SELECT * FROM mail WHERE to='".mysql_escape_string($_SESSION['valid_user'])."'");
I have a PHP page and I want to share some data between pages like UserID, password.
I'm learning about sessions and I'm not sure if Im using it correctly.
<?php
require_once('database.inc');
$kUserID = $_POST['kUserID'];
$kPassword = $_POST['kPassword'];
if (!isset($kUserID) || !isset($kPassword)) {
header( "Location: http://domain/index.html" );
}
elseif (empty($kUserID) || empty($kPassword)) {
header( "Location: http://domain/index.html" );
}
else {
$user = addslashes($_POST['kUserID']);
$pass = md5($_POST['kPassword']);
$db = mysql_connect("$sHostname:$sPort", $sUsername, $sPassword) or die(mysql_error());
mysql_select_db($sDatabase) or die ("Couldn't select the database.");
$sqlQuery = "select * from allowedUsers where UserID='" . $kUserID . "' AND passwordID='" . $kPassword . "'";
$result=mysql_query($sqlQuery, $db);
$rowCheck = mysql_num_rows($result);
if($rowCheck > 0){
while($row = mysql_fetch_array($result)){
session_start();
session_register('kUserID');
header( "Location: link.php" );
}
}
else {
echo 'Incorrect login name or password. Please try again.';
}
}
?>
For the love of all that is holy, don't use addslashes to prevent SQL injection.
I just owned your site:
Image of your ownt site http://localhostr.com/files/8f996b/Screen+shot+2010-02-23+at+7.49.00+PM.png
Edit: Even worse.
I just noticed that you're attempt at preventing injection via addslashes, isn't even being used!
<?php
$kUserID = $_POST['kUserID'];
$user = addslashes($_POST['kUserID']); // this isn't used
$sqlQuery = "select * from allowedUsers where UserID='"
. $kUserID . "' AND passwordID='" . $kPassword . "'";
Be aware that session_register() is deprecated in favor of assigning values to the $_SESSION superglobal, e.g.
<?php
$_SESSION['hashedValue']= '437b930db84b8079c2dd804a71936b5f';
?>
Also be aware that anything stored in a session, especially in a shared-server environment, is fair game. Never store a password, regardless of whether it's hashed or encrypted. I would avoid storing a username as well. If you must use some authentication mechanism between pages using a session variable, I'd recommend using a second lookup table, e.g. logins, and store the username, login time, etc in that table. A hashed value from that table is stored in the session, and each page request checks the time in the table and the hashed value against the database. If the request is either too old or the hash doesn't match, force re-login.
All this and more is available to you in the PHP manual section on sessions.
You might also wanna rename "database.inc" to "database.inc.php", or properly setup your host to treat ".inc" as PHP:
http://www.namemybabyboy.com/database.inc
<?php
$sDatabase = 'shayaanpsp';
$sHostname = 'mysql5.brinkster.com';
$sPort = 3306;
$sUsername = 'shayaanpsp';
$sPassword = 'XXXX';
$sTable = 'allowedUsers';
?>
First, you need to put session_start() at the very beginning of your script. It also needs to go at the start of every script that uses session data. So it would also go at the top of babyRegistration.php.
Second, I would strongly recommend against using session_register() as it relies on register_globals which is off by default for security reasons. You can read more here: http://php.net/manual/en/security.globals.php. You can add/access session variables by using the $_SESSION superglobal:
$_SESSION['kUserID'] = $kUserID;
Last, not really session related, just an observation, your isset check at the top is redundant; empty will return true for an unset/NULL variable, just as you might expect.
At the top of a page
session_start();
$_SESSION['yourvarname']='some value';
then on some other page to retrieve
echo $_SESSION['yourvarname'];
// some value
Oh and about injection,use this on everything going into your db
http://us3.php.net/manual/en/function.mysql-real-escape-string.php
Just because almost everything turned into avoiding SQL injections. Escaping string is not going to save you from SQL injections. The correct way is using prepared statements.
https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php