I have a login page (local intranet so dont worry about the security issues).
This page consists of the following form code :
<form action="auth.php" method="get" class="blocklogin">
<tr>
<td class="blocklogin" ><div align="left">Username: <input class="blocklogin" type="text" name="username" id="username" /><br />
</div></td>
</tr>
<tr>
<td class="blocklogin" ><div align="left">Password: <input class="blocklogin" type="password" name="password" id="password" />
</div></td>
</tr>
<tr>
<td colspan="2" class="blockloginfoot" title="Login"><input name="Login" type="submit" value="Login" /></td>
</form>
Now im trying to pass the username and password via the http link by doing the following :
http://localhost/folder/user_login.php?username=user#test&password=test123
But this does not seem to work,its suppose to use the details in the link to login. Am I missing something?
Pls help
The form action auth.php
<?php
session_start();
require_once('database.php');
$username = $_GET['username'];
$password = $_GET['password'];
$sql = "SELECT * FROM access_getaccountswithinfo WHERE username='".$username."' AND password='".$password."'";
$run = mysql_query($sql);
$row = mysql_fetch_array($run);
if (mysql_num_rows($run) == 1) {
$_SESSION['logged_in'] = true;
$_SESSION['username'] = $row['username'];
$_SESSION['password'] = $row['password'];
$_SESSION['packagename'] = $row['packagename'];
$_SESSION['creation-date'] = $row['creation-date'];
$_SESSION['cap'] = $row['cap'];
$_SESSION['total'] = $row['total'];
$_SESSION['remainingtopup'] = $row['remainingtopup'];
header("location: usage.php");
} else {
header("location: user_login.php");
}
mysql_close($link);
?>
Database code - database.php :
<?php
$link = mysql_connect('localhost', 'dbase', 'pass123');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
// make dbase the current db
$db_selected = mysql_select_db('dbase', $link);
if (!$db_selected) {
die ('Can\'t use foo : ' . mysql_error());
}
?>
If you try via url:
http://yourserver.com/folder/user_login.php?username=user#test&password=test123
You should use $_GET['username'] and $_GET['password'] to retrieve the value.
Otherwise if you submitting it, use $_POST['username'] and $_POST['password']
May this help.
Your html form uses the method "post" to send the data to your php script. Post data is sent in the header and the setup you have now should work.
When doing it via url you can get the parameters using "$_GET", not "$_POST".
Also, remember to htmlspecialchars() what you send from the form.
instead of using URL passing values to user_login.php where the form is...you have to pass it to auth.php which is the php that actually captures the values as follow
http://localhost/folder/auth.php?username=user#test&password=test123
Related
<?php
session_start();
$db =mysqli_connect("localhost", "root", "","registration" );
if (isset($_POST['login_btn'])){
$username = mysql_real_escape_string($_POST ['username']);
$password = mysql_real_escape_string($_POST ['password']);
$password= md5($password);
$sql = "SELECT * FROM users WHERE username= '$username' AND password= '$password'";
$result = mysqli_query($db, $sql);
if(mysqli_num_rows($result) == 1 ){
$_SESSION['message']= "You are now logged in";
$_SESSION['username'] = $username;
header("Location: home.php");
}else{
$_SESSION['message'] = "Username and password combination is incorrect";
}
}
?>
<html>
<head>
</head>
<body>
<div class="header"> <h1>login</h1></div>
<?php
if (isset($_SESSION['message'])){
echo "<div id = 'error_msg>".$_SESSION['message']."</div>";
unset($_SESSION['message']);
}
?>
<form method="post" name="loginform" action="login.php">
<table>
<tr>
<td> Username:</td>
<td><input type = "text" name="username" placeholder="Username" class="textInput" required></td>
</tr>
<tr>
<td> Password:</td>
<td><input type = "password" placeholder="Password" name="password" class="textInput" required></td>
</tr>
<tr>
<td></td>
<td><input type = "submit" name="login_btn" value="Login"></td>
</tr>
</table>
</form>
</body>
</html>
Hi guys, this is my login page with PHP. Apart from logging in it allows passwords which are not the same. According to the code its set to check if the two passwords are matching and if they aren't, it displays an error.
This one doesn't display an error even if the two passwords don't match. Why does it allows a user to log in with wrong passwords??
I want it to display an error when passwords don't match and in return doesn't allow logging in because of wrong credentials.
You are not using mysql_real_escape_string properly. You should use either mysqli_real_escape_string or use mysql_connect to connect to MySQL.
mysql_real_escape_string's second parameter is assumed automatically if mysql_connect is used, but you are using mysqli_connect instead, that's why it's not finding any connection.
From pph website it states:
The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() had been called with no arguments. If no connection is found or established, an E_WARNING level error is generated.
Reference: http://php.net/manual/en/function.mysql-real-escape-string.php
Try changing
$username = mysql_real_escape_string($_POST ['username']);
$password = mysql_real_escape_string($_POST ['password']);
to
$username = mysqli_real_escape_string($db, $_POST ['username']);
$password = mysqli_real_escape_string($db, $_POST ['password']);
First sorry for my bad english
Second: the problem is all in my form, when sumbit he doesn't post on the same page or in another page the inserted datas.
I need it to post on the same page or on another pages when I fill the fields
And need to have the possibility to show the posted things on different pages without the possibity to let others fill the fields, but view / read only.
<?php
mysql_connect("sql.domain.com", "database", "password");
mysql_select_db("database");
$Username = $_POST['Username'];
$Password = $_POST['Password'];
$eMail = $_POST['eMail'];
$eMailPw = $_POST['eMailPw'];
$submit = $_POST['submit'];
$dbLink = mysql_connect("sql.domain.com", "database", "password");
mysql_query("SET character_set_client=utf8", $dbLink);
mysql_query("SET character_set_connection=utf8", $dbLink);
if($submit) {
if($Username && $Password && $eMail && $eMailPw) {
$insert = mysql_query("INSERT INTO commenttable (Username,Password,eMail,eMailPw) VALUES ('$Username','$Password','$eMail','$eMailPw') ");
echo "<meta HTTP-EQUIV='REFRESH' content='0; url=TEST2.php'>";
} else {
echo "please fill out all fields";
}
}
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>TEST 2</title>
</head>
<body>
<center>
<form action="TEST2.php" method="POST" >
<table border="0" cellspacing="8" cellpadding="0" >
<tr>
<td>Username</td>
<td><input type="text" name="Username" size="30" ></td>
</tr>
<tr>
<td>Password</td>
<td><input type="text" name="Password" ></td>
</tr>
<tr>
<td>eMail</td>
<td><input type="text" name="eMail" ></td>
</tr>
<tr>
<td>eMail Password</td>
<td><input type="text" name="eMailPw" ></td>
</tr>
</table>
<input type="submit" value="Submit">
</form>
<?php
$dbLink = mysql_connect("sql.domain.com", "database", "password");
mysql_query("SET character_set_results=utf8", $dbLink);
mb_language('uni');
mb_internal_encoding('UTF-8');
$getquery = mysql_query("SELECT * FROM commenttable ORDER BY id DESC");
while($rows = mysql_fetch_assoc($getquery)) {
$id = $rows['id'];
$Username = $rows['Username'];
$Password = $rows['Password'];
$eMail = $rows['eMail'];
$eMailPw = $rows['eMailPw'];
echo $Username . '<br/>' . '<br/>' . $Password . '<br/>' . '<br/>' . $eMail . '<br/>' . '<br/>' . $eMailPw . '<br/>' . '<br/>' . '<hr size="1"/>';
}
?>
</body>
</html>
First, your English is good. Second, there are a lot of things I would recommend working on before being concerned if it posts or not.
mysql vs mysqli
mysql extension depreciation warning
mysql extensions have been depreciated, so you will want to use mysqli. The benefit of working with PHP is that the documentation is very thorough. Check out this link to get familiar with the improved extensions.
mysql_connect
changes to
mysqli_connect
input type="password"
...provide a way for the user to
securely enter a password. The element is presented as a one-line
plain text editor control in which the text is obscured so that it
cannot be read, usually by replacing each character with a symbol such
as the asterisk ("*") or a dot ("•"). This character will vary
depending on the user agent and OS.
-https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/password
Here's a handy link to get familiar with different input types
if...submit
isset — Determine if a variable is set and is not NULL
-http://php.net/manual/en/function.isset.php
if($submit){
changes to
if(isset($_POST['submit'])){
<your code here>
}
redirect upon submit
It looks like you might want to redirect the user to a different page to view the data after submission. Below is an example of how to do that.
# after your query and insertion into table
$profile_url = 'http://' . $_SERVER['HTTP_HOST'] . '/profile.php';
$header('Location: ' . $profile_url);
Ok, I'm in the middle of making a multi function php file.
The file is named functions.php and has switch - case.
At first, I just have a simple register.php file which sends to functions.php.
Here's the error which I get :-
Notice: Undefined index: action in C:\Program Files (x86)\EasyPHP-DevServer-13.1VC9\data\localweb\transfer\functions.php on line 5
functions.php?username=223&password=223&action=register
This is pretty unsecure..I just want to show the action..like functions.php?action=register
What changes do I make to my script ?
Here's the code :-
register.php
<form action="functions.php" name="post">
<table>
<tr>
<td>Username : </td>
<td><input type="text" name="username"/></td>
</tr>
<tr>
<td>Password : </td>
<td><input type="password" name="password"/></td>
</tr>
<tr>
<td><input type="submit" name="action" value="register"></td>
</tr>
</table>
</form>
functions.php
<?php
session_start();
$db = mysql_connect('127.0.0.1', 'root', 'akshay!##') or die (mysql_error($db));
mysql_select_db('transfer', $db);
switch($_POST['action'])
{
case 'register':
$username = (isset($_POST['username'])) ? $_POST['username'] : '';
$password=(isset($_POST['password'])) ? $_POST['password'] : '';
$username=mysql_real_escape_string($username, $db);
$password = md5($password);
$password = mysql_real_escape_string($password);
$query = "select * from users where user_name = '" . $username . "'";
$result = mysql_query($query, $db) or die (mysql_error($db));
if(mysql_num_rows($result) > 0)
{
echo "Username already exists, redirecting";
header('Refresh: 3; URL=register.php');
die();
}
if(empty($username) || empty($password))
{
echo "Fields cannot be empty, redirecting";
header('Refresh: 3; URL=register.php');
}
else
{
$query2 = "insert into users(user_id, user_name, user_pass)
values
(NULL, '" . $username . "', '" . $password . "')";
$result2 = mysql_query($query2, $db) or die (mysql_error($db));
if($result2)
{
echo "Registration successful";
}
else
{
echo "Cannot register";
}
}
break;
}
?>
Based on the query string ("functions.php?username=223&password=223&action=register"), it looks like you're using GET to send the data, and not POST.
You should be looking for $_GET['action'] instead, and you should use
isset($_GET['action'])
to check if the action is set.
Edit
If you're set on using POST, which you really should be for this type of application, then you'll need to change your form:
<form action="functions.php" name="post" method="post">
Additionally, you'll want to use a hidden field for the action parameter instead of using the submit button:
<td>
<input type="hidden" name="action" value="register" />
<input type="submit" name="submit" value="Submit" />
</td>
The method="POST" attribute ensures that your data will be transmitted to functions.php using POST. This way the data won't show up in the URL.
Then, your functions.php can contain:
if (isset($_POST['action'])) {
switch($_POST['action']) {
case 'register':
$username = (isset($_POST['username'])) ? $_POST['username'] : '';
// And so on
}
}
else {
echo "No action specified.";
}
It means that $_POST['action'] isn't set.
In your example you pass it in the URL, so should be using $_GET['action'] instead.
I have some code for a login page i have except it doesn't seem to be working and by this i mean when i enter a correct username and password and click log in, the form just reloads and stays on the same login page. If anyone could suggest some possible solution that would be great, im quite new to PHP and haven't had any luck with fixing this so far. Here is my code :
<?php
require_once("nocache.php");
$id = $_POST["id"];
$pword = $_POST["pword"];
if(!empty($_POST)) {
if(!empty($id) || !empty($pword)) {
require_once("dbconn.php");
$sql = "select username, school_type from school_info where username = '$id' and password = '$pword'";
$rs = mysql_query($sql, $dbConn);
if(mysql_num_rows($rs) > 0) {
session_start();
$_SESSION["who"] = $id;
$_SESSION["school_type"] = mysql_result($rs, 0, "school_type");
header("location: EOI_home.php");
}
} else {
header("location: login.php");
}
}
?>
<form method="POST" action="<?php echo $_SERVER["PHP_SELF"];?>" id="login">
ID: <input type="text" name="id" /><br/>
pword: <input type="password" name="pword" /><br/>
<input type="submit" value="log in" />
<input type="reset" />
</form>
By the way the name of the file i took this code from is login.php
Here are the contents of the dbconn.php file :
<?php
$dbConn = mysql_connect("localhost", "twa312", "dam6av9a");
if (!$dbConn){
die('Could not connect: ' . mysql_error()); }
mysql_select_db("test", $dbConn)
or die ('Database not found ' . mysql_error() );
?>
and here is the nochache.php file :
<?php
header("Cache-Control: no-cache");
header("Expires: -1");
?>
Just added the contents of those extra files in case it makes any difference.
There's no exit; after header("location: EOI_home.php"); redirect. Also the following condition doesn't look right to me..
if (!empty($id) || !empty($pword))
if $id is not empty but $pword is it will still login, but won't redirect unless the user has an empty password. It should be..
if (!empty($id) && !empty($pword))
Move the session_start call to the top of the page. If you are outputting anything and prior to hitting that command it's not going to work and if you have warnings turned off then you wouldn't know about it.
I'm trying to build a login form so an admin I specify in the database can insert images into my database.
I'm having a few errors:
1) I'm using <?php echo $_SERVER['PHP_SELF']; ?> to call itself (call Login.php) so it will load the PHP code below it (which is in the same file). Whenever I press submit, it doesn't go to the specified header in the php code, but rather goes back to the homepage.php.
Login.php: Admin Login Form html
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<table>
<tr>
<td>Username: </td><td><input type="text" name="username"></td>
</tr>
<tr>
<td>Password: </td> <td><input type="text" name="pw"></td>
</tr>
</table>
<br />
<input type="submit" value="Log in">
</center>
2) The second issue is... looking at the php code, I'm trying to find a function that will let me grab a specific key of an associate array. For example, I run the database query and store it as an associate array in $result, and return that. Then I want to grab a key ("username" and "password") from users table and compare them to the input from the above html form.
I've tried using array_keys, but that needs an array, not an object. So I casted it, and it still won't work.
I'm using print_r(array_keys($userResult, "username")); to see if it would print the key I wanted.
Login.php Php code
<?php
$username = isset($_POST['username']) ? $_POST['username'] : "";
$password = isset($_POST['pw']) ? $_POST['pw'] : "";
$userResult = verify($username, $password);
$array = (array)$userResult; //cast to array
print_r(array_keys($userResult, "username"));
if(array_keys($userResult, "username") == "dan" && array_keys($userResult, "password") == "12345") {
header("Location: ?action=admin");
}
else {
echo "<center>Incorrect credentials</center>";
}
function verify($user, $pw) {
include './scripts/dbconnect.php';
$result = $mysqli->query("SELECT username, password FROM users WHERE username='" . $user . "' AND password='" . $pw . "'");
return $result;
}
include 'include/footer.php';
?>
Any thoughts would be appreciated!
You can leave action in blank like action="" and it will post in the same page.
I don't remember what $_SERVER['PHP_SELF'] returns inside/outside includes but that must be your problem.
Also, you are alreadly checking the username and password on your query, then you just need to know if it returns a result or dont. Check for the number of rows :)
For part one if you want to just refresh the page you can do this.
<form action='' method=''>
Otherwise it is probably easier to just hard-code the path from login.php to your processing file.
For part two I think you incorrectly created your array.
$array = array();
$array[$username] = $password; // $username is the key and $password is the value aka.. array ($username => $password )
I am not sure why but it seems like with
$array = (array)$userResult;
you are trying to set an array as a tuple run though a function and that method seems a lot less clear than just setting the keys and values.
Thanks nimlhug, got it to work as such... forgot my main reason for checking the database was to actually see if there was a matching result... don't know why I was checking again to see if there was a match when I could have just used num_rows == 1, lol.
<?php
include 'include/header.php';
?>
<center>
<h2>Admin Log in</h2>
<br/>
<form action="" method="post">
<table>
<tr>
<td>Username: </td><td><input type="text" name="username"></td>
</tr>
<tr>
<td>Password: </td> <td><input type="text" name="pw"></td>
</tr>
</table>
<br />
<input type="submit" value="Log in">
</center>
<?php
$username = isset($_POST['username']) ? $_POST['username'] : "";
$password = isset($_POST['pw']) ? $_POST['pw'] : "";
if(verify($username, $password) == 1) {
header("Location: ?action=admin");
}
else {
echo "<center>Incorrect credentials</center>";
}
function verify($user, $pw) {
include './scripts/dbconnect.php';
$result = $mysqli->query("SELECT username, password FROM users WHERE username='" . $user . "' AND password='" . $pw . "'");
return $result->num_rows;
}
include 'include/footer.php';
?>