I've to check whether the end user is admin or not, I've done right (I hope) but it fails to check. Here is what I'm using;
function checked_already($pid,$input)
{
global $db;
if ($mybb->user['usergroup'] != "4")
{
error_no_permission();
}
$query = $db->simple_select("users", "username", "uid='{$input}' OR username='{$input}'");
$user = $db->fetch_array($query);
if (!$user['username'])
{
echo "Nothing found!!";
exit;
}
}
But it fails to check if the end user is admin. :/ No error at all. What is missing here?
You've not used $mybb in global. Try this;
function checked_already($pid,$input)
{
global $db, $mybb;
if ($mybb->user['usergroup'] != "4")
{
error_no_permission();
}
$query = $db->simple_select("users", "username", "uid='{$input}' OR username='{$input}'");
$user = $db->fetch_array($query);
if (!$user['username'])
{
echo "Nothing found!!";
exit;
}
}
Related
Hi i need help to make a login check thourght db working anyone can say to me where is the error?
This is the code
if (!empty($_POST['user']) && !empty($_POST['password']))
{
$user=stripslashes(trim($_POST['user']));
$password=stripslashes(trim($_POST['password']));
mysql_connect("localhost","root","");
mysql_select_db("project");
$check=mysql_query("SELECT * FROM utenti WHERE nome='$user' AND password='$password'");
if(mysql_num_rows($check)!0)
{
$details=mysql_fetch_array($check);
$_SESSION['display_name']=$details[0];
$_SESSION['username']=$details[1];
$_SESSION['password']=$details[2];
print "Login succesful. <p> Level access: " . $details["type"] ;
}
else
{
print "Error";
}
}
else
{
print "Not all fields are compiled" ;
}
if ($details["type"] == "admin" )
{
$admn = 1;
}
else
{
$admn = 0;
}
I've no clue why is not working. Thanks in advance.
Change this:
if(mysql_num_rows($check)!0)
To This:
if(mysql_num_rows($check) != 0)
I have written This PHP code to for a login and a register page but, I don't know how it doesn't seem logical but it's not accepting some email it's while its accepting others. I don't know how is this even possible. I don't think is the apache server that I'm using because It wouldn't have accepted the other mails it accepted, I also tried restarting the server, Trying a different browser, I tried all that is to try. Please help.
<?php
session_start();
require_once "connect.php"
$con=#new mysqli($hn,$un,$pw,$db);
if($con->connect_error) die("Failed to connect to the database");
if (isset($_POST['register']))
{
$nam=$_POST['name'];
$sur=$_POST['sur'];
$email=$_POST['email'];
$pass=$_POST['pass'];
$cpass=$_POST['cpass'];
if ($nam!="" && $sur!="" && $email!="" && $pass!="" && $cpass!="")
{
if ($pass==$cpass)
{
$userinfo=sanitise($nam,$sur,$email,$pass);
if (validate($userinfo[0],$userinfo[1],$userinfo[2],$userinfo[3]))
{
if(dataentry($userinfo[0],$userinfo[1],$userinfo[2],$userinfo[3]))
{
echo "Account Create Successfully";
}
else
{
echo "Failed to Create the account, Please try again After Some Time";
}
}
}
else
{
echo "The Entered Password do not Match";
}
}
else
{
echo "Please fill all the fields";
}
}
if (isset($_POST['login']))
{
$id=$_POST['email'];
$pin=$_POST['lpass'];
$id=ucfirst(strtolower(stripslashes(strip_tags(htmlentities($id)))));
$pin=stripcslashes(strip_tags(htmlentities($pin)));
$pin=hash('ripemd128', $pin);
if (isuser($id))
{
if (verify($id,$pin))
{
$_SESSION['email']=$id;
header("Location:homepage.php");
}
else
{
echo "The Password And Email Do not Match";
}
}
else
{
echo "The Email Id is Not Registered";
}
}
function verify($email,$pass)
{
global $con;
$query="SELECT * FROM users WHERE email='$email' AND password='$pass'";
$result=$con->query($query);
$rows=$result->num_rows;
if ($rows==1)
{
return 1;
}
else
{
return 0;
}
}
function isuser($email)
{
global $con;
$query="SELECT * FROM users WHERE Email='$email'";
$result=$con->query($query);
$rows=$result->num_rows;
if ($rows==1)
{
return 1;
}
else
{
return 0;
}
}
function sanitise($name,$surname,$email,$password)
{
$name=ucfirst(strtolower(stripslashes(strip_tags(htmlentities($name)))));
$surname=ucfirst(strtolower(stripslashes(strip_tags(htmlentities($surname)))));
$email=ucfirst(strtolower(stripslashes(strip_tags(htmlentities($email)))));
$password=stripcslashes(strip_tags(htmlentities($password)));
$password=hash('ripemd128',$password);
return array($name,$surname,$email,$password);
}
function validate($name,$surname,$email,$password)
{
global $con;
$query="SELECT * FROM users WHERE email='$email'";
$result=$con->query($query);
$rows=$result->num_rows;
if ($rows==0)
{
return 1;
}
else
{
echo "Email Address is already in use";
}
}
function dataentry($name,$surname,$email,$password)
{
global $con;
$query="INSERT INTO users (Name,Surname,Email,Password) VALUES ('$name','$surname','$email','$password')";
$result=$con->query($query);
if ($result)
{
return 1;
}
else
{
return 0;
}
}
?>
Hey there is no Reason for some email Ids to get accepted and some not, try restarting your apache server that might help.
Also read more about SQL Injection, I know you must be working locally and not deploying this, but still its good to know about it.Peace
I use CI 2.2 to build a simple login system. But I get problem when I try to generate session. Of course I have properly set up libraries (database, session) and User_M. When I retrieve data from database (without session), that's work fine. This is my Controller code:
public function verify()
{
// Define variable
$user = $this->input->post('username');
$pass = $this->input->post('password');
// Check input data
if (!empty($user) AND !empty($pass))
{
// Check match data from db
$checks = $this->User_M->check_user($user, $pass);
if($checks->num_rows() == 1)
{
foreach ($checks->result() as $check)
{
$sess = array (
'username' => $check->username,
'logged_in' => TRUE
);
$rest = $this->session->set_userdata($sess);
if ($rest)
{
echo "working";
} else {
echo "not working";
}
}
} else {
echo "Not found";
}
} else {
echo "You've empty field";
}
}
Additional explain, I check the result with if ($rest)...bla..bla..bla, that's echoing Not Working. Please let me know where's my mistakes?
Thank in advance
I think the problem is with this statement
$rest = $this->session->set_userdata($sess);
the set_userdata() does not return anything, so according to your condition it will always execute the else part.
Try to change your condition like this
if (!empty($this->session->userdata("username"))){
echo "Working";
}else{
echo "Not Working";
}
I am assigning a loop to a function so it's working fine when not enrolled in a function but when it's enrolled in function so it's not showing the echo on success please as :
function questions_query() {
global $mysqli;
global $form_name;
$questions = $_POST['questions'];
for($i=0;$i<count($questions);$i++){
$i_query = $i+1;
$query_2 = mysqli_query($mysqli,"UPDATE forms SET question$i_query='$questions[$i]' WHERE form_name='$form_name'") or die(mysqli_connect_error());
}
}
if (questions_query()) {
echo "All Questions Are Done!";
}
So if you people can please take a look at my code that what is going wrong in there..so I will be thankful to you for that please..!
The function doesn't return anything. There's no return true; or return false; statement.
If it's not successful it never returns, it calls die(), which terminates the whole script. So there's no reason to use if() around the call, just do:
questions_query();
echo 'All Questions Are Done!';
Want to use return
function questions_query() {
global $mysqli;
global $form_name;
$questions = $_POST['questions'];
for($i=0;$i<count($questions);$i++)
{
$i_query = $i+1;
$query_2 = mysqli_query($mysqli,"UPDATE forms SET question$i_query='$questions[$i]' WHERE form_name='$form_name'") or die(mysqli_connect_error());
}
return true;
}
if (questions_query()) {
echo "All Questions Are Done!";
}
else {
//something happened
}
If you want to check MySQL query result, then you need to return error check.
function questions_query() {
global $mysqli;
global $form_name;
$questions = $_POST['questions'];
$has_errors = 0;
for($i=0;$i<count($questions);$i++)
{
$i_query = $i+1;
$query_2 = mysqli_query($mysqli,"...");
if (mysqli_errno($mysqli) > 0) {
$has_errors ++;
}
}
return $has_errors;
}
$errors = questions_query();
if ($errors == 0) {
echo "All Questions Are Done!";
} else {
echo "Errors in questions: $errors times!";
}
I'am investigating a site that was written long ago by some PHP developer, and I'd like to know if the login technique he used was safe or not.
Here is the way he did it:
$username='';
$username = escapeshellcmd($HTTP_POST_VARS['user']);
$pwd = escapeshellcmd($HTTP_POST_VARS['pw']);
$loginerror=false;
if ($logout=="1")
{
closesession($s_id);
$username='';
$logged=false;
}
$logged=checksession(session_id(), $ipaddr);
if ((!$logged) && ($username!=''))
{
//$username = escapeshellcmd($HTTP_POST_VARS['felhasznalo']);
//$pwd = escapeshellcmd($HTTP_POST_VARS['jelszo']);
if (checkuser($username, $pwd, DOM))
{
if (sessionstore(session_id(), $username, $pwd, $ipaddr, $datum, DOM))
{
$logged=true;
}
}
else
{
$loginerror=true;
;
}
}
if ($logged)
{
$username=getsessionuser(session_id());
$remember=getremember($username, DOM);
}
?>
function checkuser($u, $p, $d )
{
$sql_ell='SELECT PWD FROM USERS WHERE ACTIVE=1 AND USERNAME="'.$u.'" AND DOMAIN="'.$d.'"';
$eredm_ell= mysql_query($sql_ell);
if ($eredm_ell)
{
$domainnumrows=mysql_num_rows($eredm_ell);
if ($domainnumrows==1)
{
$egy_sor = mysql_fetch_row( $eredm_ell );
$pwd_in_table=$egy_sor[0];
if ($pwd_in_table==md5($u.$p))
{
return true;
}
} // rows
} // ered
return false;
} // func
Is this safe?
If I see correctly, the only check done on username is escapeshellcmd. That is NOT enough. Again, if I see correctly, it gets put into this query:
$sql_ell='SELECT PWD FROM USERS WHERE ACTIVE=1 AND USERNAME="'.$u.'" AND DOMAIN="'.$d.'"'
where you can do all sorts of nasties.
So no. it's not safe.