I am currently following a tutorial on Youtube called Register & Login/PHP tutorials by Alex from Phpacademy.. am in part 5 and here is login.php
<?php
include 'core/init.php';
if (empty($_POST) === false) {
$username = $_POST['username'];
$password = $_POST['password'];
if (empty($username) === true || empty($password) === true) {
$errors[] = 'You need to enter a username and password ';
} else if (user_exists($username) === false) {
$errors[] = 'We couldn\'t find that username. Have you registered?';
}
else if (user_active($username) === false){
$errors[] = 'You havn\'t activated your account!';
}
else {
$login = login($username, $password);
if ($login === false) {
$error[] = 'That username/password combination is incorrect';
} else {
$_SESSION['user_id'] = $login;
header('Location: index.php');
exit();
}
}
}
print_r($errors);
?>
Here is users.php
<?php
function user_exists($username) {
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '.$username'"), 0) == 1) ? true : false;
}
function user_active($username) {
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '.$username' AND `active` = 1 ") , 0 ) == 1 ) ? true : false;
}
function user_id_from_username($username){
$username = sanitize($username);
return mysql_result (mysql_query("SELECT `user_id` FROM `users` WHERE `username` = '$username' "), 0, 'user_id');
}
function login($username, $password){
$user_id = user_id_from_username($username);
$username = sanitize($username);
$password = md5($password);
return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '.$username' AND `password` = '.$password'"), 0) == 1) ? $user_id : false;
}
?>
and here is the output Array ( [0] => We couldn't find that username. Have you registered? )
Am new here, apologies in advance
WHERE `username` = '.$username' AND `password` = '.$password'"
Remove the dots
Your SQL queries are going to be returning bad results. Otherwise, you will be searching for .jond in your database if the username they entered is jond.
return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '.$username'"), 0) == 1) ? true : false;
Remove the . before $username and $password in the query.
"SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username'"
Your query needs a tad bit tweaking. Remove the period in front of the username since it's inside the double quotes
return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username'"), 0) == 1) ? true : false;
This goes the same for the other queries in that file. As mentioned in the comments, you really ought to switch from the deprecated mysql_* functions to PDO/mysqli so that your code will still work in future versions of PHP, and you won't be open to injection hacks.
Your code is pretty hideous overall. You should NOT be nesting your mysql calls like that. Nesting like that implies that you think a DB operation will NEVER fail. This is a VERY BAD assumption.
That being said, here's at least one source of your problems:
return (...snip ... WHERE `username` = '.$username'"), 0) == 1) ? true : false;
^--- here
You've embedded a . in that query, making all your usernames look like .foo instead of just foo. The problem exists in both user_exists(), user_active() AND login().
Related
I have this error "Warning: mysql_result(): user_id not found in MySQL result index 13 in C:\xampp\htdocs\core\functions\users.php on line 14"
I think i don't know how to read from my Database, it looks like
Here is my users code
<?php
function user_exists($username){
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT COUNT(`uID`) FROM `user` WHERE `uUserName` = '$username'"), 0) == 1) ? true : false;
}
function user_active($username){
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT COUNT(`uID`) FROM `user` WHERE `uUserName` = '$username' AND `uActive` = 1"), 0) == 1) ? true : false;
}
function user_id_from_username($username){
$username = sanitize($username);
return mysql_result(mysql_query("SELECT `uID` FROM `user` WHERE `uUserName` = '$username'"), 0, 'user_id');
}
function login($username,$password){
$user_id = user_id_from_username($username);
$username = sanitize($username);
$password = md5($password);
return (mysql_result(mysql_query("SELECT COUNT(`uID`) FROM `user` WHERE `uUserName` = '$username' AND `uPassword` = '$password'"), 0) == 1) ? $user_id : false;
}
?>
This is my login system code
if(empty($_POST) === false){
$username = $_POST['username'];
$password = $_POST['password'];
if(empty($username) === true || empty($password) === true){
$errors[] = 'You need to enter a Username and Password';
} else if(user_exists($username) == false){
$errors[] = 'We cannot find that Username, have you registered?';
} else if(user_active($username) === false){
$errors[] = 'You have not activated your account.';
}
else {
$login = login($username,$password);
if($login === false){
$errors[] = 'The username or password is incorrect';
} else {
echo 'ok';
}
}
print_r($errors);
}
You have an error at line 13 where you specify 'user_id' as an offset.
You can simply get the uID column and store the value if that row exists.
$result = mysql_query("SELECT `uID` FROM `user` WHERE `uUserName` = '$username'");
$user_id = 0; // default value, meaning user not found
if ($result && mysql_num_rows($result) > 0){
$row = mysql_fetch_assoc($result);
$user_id = $row[0];
}
return $user_id;
Then you can modify your login function to check whether user_id > 0 or not. If it's larger than 0, then you got that user's id.
Currently the only problem that I see is your user_id_from_username function.
You're trying to set an offset to a field that doesn't exist and mysql doesn't find it. So it's throwing an error:
function user_id_from_username($username){
$username = sanitize($username);
return mysql_result(mysql_query("SELECT `uID` FROM `user` WHERE `uUserName` = '$username'"), 0, 'uID');
}
Try the above or leave off the uID since it's not a mandatory but rather an optional parameter.
Insert obligatory, you should be using mysqli instead of mysql at this point if your PHP version supports it.
So I have created a function:
function user_data($user_id) {
$data = array();
$user_id = (int)$unser_id;
$func_num_args = func_num_args();
$func_get_args = func_get_args();
if ($func_num_args > 1){
unset($func_get_args[0]);
$fields = '`' . implode('`, `', $func_get_args) . '`';
$data = mysql_fetch_assoc(mysql_query("SELECT $fields FROM `users` WHERE 'user_id' = $user_id"));
return $data;
}
}
By mistake I crated a typo unser_id but didnt relise up until I had to troubleshoot further along the line in my code.
I am creating a login script but the point in which I am having to troubleshoot is showing profile data from my other users.
The reason I point out the typo part is because it for some reason is a strange error. If I change it to user_id it will not allow me to login anymore. If I leave it as under_id it works.
I am having to troubleshoot because I believe this is the cause of the problem I am having trying to view other users profiles and showing their information and not mine which is happening right now.
For example, in my url www.mywebsite.com/myprofile shows my username and my email address, if I type in www.mywebsite.com/otherprofile it still shows my information. But it does show a query if I type a user that does not exist in my database so that part works.
I believe the issue all stems form this typo but am really stuck as to appraoch a resolve?
So here is the other code:
profile page:
if (isset($_GET['username']) === true && empty ($_GET['username']) === false) {
$username = $_GET['username'];
if (user_exists($username) === true) {
$user_id = user_id_from_username($username);
$profile_data = user_data($user_id, 'first_name', 'last_name', 'email');
?>
<p><?php echo $profile_data['profile']; ?></p>
<h1><?php echo $profile_data['first_name']; ?> profile</h1>
<p><?php echo $profile_data['email'] ?></p>
<?php
} else {
echo 'Sorry, that user does not exist';
}
} else {
header('Location: index.php');
exit();
}
Here all the related functions:
function logged_in(){
return (isset($_SESSION['user_id'])) ? true : false;
}
function user_exists($username) {
$username = sanitize($username);
$query = mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username'");
return (mysql_result($query, 0) == 1) ? true : false;
}
function email_exists($email) {
$email = sanitize($email);
$query = mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `email` = '$email'");
return (mysql_result($query, 0) == 1) ? true : false;
}
function user_active($username) {
$username = sanitize($username);
$query = mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `active` = 1");
return (mysql_result($query, 0) == 1) ? true : false;
}
function user_id_from_username($username) {
$username = sanitize($username);
return mysql_result(mysql_query("SELECT `user_id` FROM `users` WHERE `username` = '$username'"), 0, 'user_id');
}
function login($username, $password) {
$user_id = user_id_from_username($username);
$username = sanitize($username);
$password = md5($password);
return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password` = '$password' "), 0) == 1) ? $user_id : false;
}
The problem in your first function is that you are quoting your column name with single quotes:
$data = mysql_fetch_assoc(mysql_query("SELECT $fields FROM `users` WHERE 'user_id' = $user_id"));
^ ^
That means that you are not actually using the column user_id but a string.
You should change that to:
$data = mysql_fetch_assoc(mysql_query("SELECT $fields FROM `users` WHERE `user_id` = $user_id"));
(or without the backticks...).
Apart from that you are using the deprecated mysql_* functions and you don't have any error handling. You should switch to PDO or mysqli using prepared statements and make sure it throws exceptions (both can) so that you know exactly what goes wrong.
You are replacing the argument $user_id passed to user_data by $unser_id:
$user_id = (int)$unser_id;
This way, the value of $user_id will always be whatever is stored in $unser_id, not what is passed to the function. You should try removing the line, so the code actually uses the user id you are passing it.
If you do not have any variable called $unser_id you should check the PHP error logs. I suspect there will be lines saying something like Undefined variable: unser_id.
I created a login form but when i try to login, it says email or password is incorrect but I'm going in the right email and password.
I create user in my database users table but again again i get this error. All error is ok when i try to emtpy email and password it says You need to entere a email and password.
and activated error also ok.I am entering the correct password and email address. Gives me the error.
This is users.php
<?php
function user_exists($email) {
$email = sanitize($email);
return (mysql_result(mysql_query("SELECT COUNT(`id`) FROM `users` WHERE `email` = '$email'"), 0) == 1) ? true : false;
}
function user_active($email) {
$email = sanitize($email);
return (mysql_result(mysql_query("SELECT COUNT(`id`) FROM `users` WHERE `email` = '$email' AND `active` = 1"), 0) == 1) ? true : false;
}
function user_id_from_email($email) {
$email = sanitize($email);
return mysql_result(mysql_query("SELECT `id` FROM `users` WHERE `email` = '$email'"), 0, 'id');
}
function login($email, $password) {
$id = user_id_from_email($email);
$email = sanitize($email);
$password = md5($password);
return (mysql_result(mysql_query("SELECT COUNT (`id`) FROM `users` WHERE `email` = '$email' AND `password` = '$password'"), 0 ) == 1) ? $id : false;
}
?>
And this is login.php
<?php
include("core/init.php");
if(empty($_POST) === false) {
$email = $_POST['email'];
$password = $_POST['password'];
if (empty($email) === true || empty($password) === true) {
$errors[] = 'You need to enter a email and password';
} else if (user_exists($email) === false) {
$errors[] = 'We can\'t find that email. Have you registered ?';
} else if (user_active($email) === false) {
$errors[] = 'You have\'t activated your account';
} else {
$login = login($email, $password);
if ($login === false) {
$errors[] = 'That email/passowrd cocmbination is incorrect';
}else {
$_SESSION['id'] = $login;
header('Location: main.php');
exit();
}
}
print_r ($errors);
}
?>
Sorry, but there's a whole load of stuff which is wrong - lots of it may be producing errors.
1) there is no 'sanitize' function in php and you haven't told us what it does.
2) your login.php does niclude users.php
3) generating an md5 hash of the password is far from secure (it should be a slated sha1 hash as a minimum)
4) you never check for errors being returned by the DBMS
5) ...actually - that's not true - you compare the return value from the functions in users.php to false - and you'll only get false if the query fails - not if it returns 0 rows
Consider....
function do_something_with_email($email, &$err) {
$email = mysql_real_escape_string($email);
if (!($res=mysql_query("SELECT `id` FROM `users` WHERE `email` = '$email'"))) {
$err=mysql_error();
return false;
}
if (!($data=mysql_fetch_array($res)) {
$err=mysql_error();
return false;
}
return $data[0];
}
switch (do_something_with_email($email, $err)) {
case false:
die ($err);
case 0:
print "No records matched";
break;
default:
print "OK";
break;
}
The database information is correct and working, I've tested this several times. The database exists along with the table i am trying to pull data out of. I have dummy information in the database, here is my code to check if the user in the database 'network', table 'users':
<?php
require 'core/init.php';
if (empty($_POST) === false){
$username = $_POST['username'];
$password = $_POST['password'];
if (empty($username) === true || empty($password) === true) {
$errors[] = 'You need to enter a username and password.';
} else if (user_exists($username) === false) {
$errors[] = 'Username does not exists. Have you registered?';
} else if (user_active($username) === false) {
$errors[] = 'Your account is not activated. Please check your email!';
} else {
}
print_r($errors);
}
?>
Here is the code for the functions 'user_exists($username)'
<?php
function user_exists($username) {
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT COUNT('user_id') FROM 'users' WHERE 'username' = '".$username."'"), 0) === 1) ? true : false;
}
function user_active($username) {
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT COUNT('user_id') FROM 'users' WHERE 'username' = '".$username."' AND 'active' = 1"), 0) === 1) ? true : false;
}
?>
sanitize function:
<?php
function sanitize($data) {
return mysqli_real_escape_string($data);
}
?>
Here is my issue:
When I login with the dummy information - Username; Password (md5 hashed via phpmyadmin) if displays the error:
'Username does not exists. Have you registered?'
I have tried using a different database, a different user.. nothing works.. Help!
Use back ticks for column and table names,not quotes.
"SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '".$username."'")
return (mysql_result(mysql_query("SELECT COUNT('user_id')
FROM 'users' WHERE 'username' = '".$username."'"), 0) === 1) ? true : false;
}
mysql_results returns either a cell or false,so above the condition ===1 is never reached.
Docs
Returns the contents of one cell from a MySQL result set on success,
or FALSE on failure.
return (mysql_result(mysql_query("SELECT COUNT('user_id')
FROM 'users' WHERE 'username' = '".$username."'"), 0) == false) ? false: true;
}
Also you are connecting with mysql and using mysqli_real_escape_string in the sanitize function. Dont mix them.
function user_exists($username) {
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '".$username."'"), 0) == 1) ? true : false;
}
function user_active($username) {
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '".$username."' AND `active` = 1"), 0) == 1) ? true : false;
}
What was done:
Replaced '' for column names with `
Used == instead of ===
PDO:
function user_exists($username) {
$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password', array(PDO::ATTR_EMULATE_PREPARES => falsse, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$stmt = $db->query("SELECT `user_id` FROM `users` WHERE `username` = '".$username."'"));
$row_count = $stmt->rowCount();
if($row_count==="1"){return true;}else{return false;}
}
Hello so I am doing this tutorial from php academy for a php and mysql login and registration form. It was going okay.. he was showing how to idk what the correct way to say it but to create functions to echo errors.. yeah that sounds right. So the first couple errors echoed correctly but the one to actually validate the user_id and whatknot, isn't working. Its showing the error I created when the username and password combination is incorrect even when i submit the correct information. I've created a few dummy users and none of them can get through.
this is my code..
include 'core/init.php';
include 'includes/overall/header.php';
if (empty($_POST) === false) {
$username = $_POST['username'];
$password = $_POST['password'];
if (empty($username) === true || empty($password) === true) {
$errors[] = 'Uh oh! You forgot to enter your username and password';
} else if (user_exists($username) === false) {
$errors[] = 'Who is that? Have you registered?';
} else if (user_active($username) === false) {
$errors[] = 'Account is not activated.';
} else {
$login = login($username, $password);
if ($login === false) {
$errors[] = 'That username and password combination is incorrect';
} else {
$_SESSION['user_id'] = $login;
header('Location:index.php');
exit();
}
}
print_r($errors);
}
include 'includes/overall/footer.php';
and
function logged_in() {
return (isset($_SESSION['user_id'])) ? true : false;
}
function user_exists($username) {
$username = sanitize($username);
$query = mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username'");
return (mysql_result($query, 0) == 1) ? true : false;
}
function user_active($username) {
$username = sanitize($username);
$query = mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `active` = 1");
return (mysql_result($query, 0) == 1) ? true : false;
}
function user_id_from_username($username) {
$username = sanitize($username);
return mysql_result(mysql_query("SELECT `user_id` FROM `users` WHERE `username` = '$username'"), 0, 'user_id');
}
function login($username, $password) {
$user_id = user_id_from_username($username);
$username = sanitize($username);
$password = md5($password);
$query = mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password` = '$password'");
return (mysql_result($query, 0) == 1) ? $user_id : false;
}
does anyone know what I am doing wrong? I've tried a few things and nothing works. For example in the video he does it a little different and puts his queries in line but that was giving me errors so i did it the way he originally had it and made the queries variables (i only have somewhat of an idea what I'm actually saying haha).. but that fixed the errors. I tried doing that to the other functions (not shown) but that caused a whole lot of errors :(
is it something really dumb? I had a similar problem before that I figured out was due to a missing semi colon but I've stared at this stupid code for so long and haven't found anything.. I re-watched the videos in the tutorial series that explain all this like 10 times each.. my eyes feel like they are going to bleed or explode. Some of the comments show that others are having similar issues.. help?
I'm new to all this php mysql stuff so.. I wont be offended if u speak to me like a child.. in fact its appreciated.
thanks.
Do I understand correctly that you are unable to login now?
I had similar problems in the past. I do not see your mistake but I will share a method that allowed me to find mistakes.
Store the MySQL query in a variable as a string and data inputted from a form
echo that variable
Test the outputted string in phpMyAdmin - if the query is wrong it will give you a hint what is wrong with it.
Also it might be worth testing the queries with "LIKE" instead of "="
eg.
.....FROM `users` WHERE `username` LIKE '$username'.....
This is my code:
function user_exists($username) {
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT * FROM `users` WHERE `username` = '$username' "),0) ==1) ? true : false;
}