I'm trying to write a code where all SQL statements are stored inside a separate PHP file so I can call them later as functions.
I've tried different things but I can't seem to make it work properly.
Here is my code (I'm trying to make a login page here)
login.php
<?php
include('sql.php');
$sql = new sql();
?>
<form class = "form-inline" method = "post" style="color: #FFF; position: absolute; margin-top:100px; margin-left:500px;">
<table width="100%" border="0">
<tr>
<td>Username</td>
<td><input type="text" id = "username" name = "username" class="large" placeholder=""></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password" id = "password" name = "password" class="large" placeholder=""></td>
</tr>
</table>
<br />
<center><button type="submit" id = "submit" name = "submit" class="btn btn-primary">Log in</button></center>
</form>
<?php
//echo $sql->admin();
?>
<?php
if(isset($_POST['submit'])) {
// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];
// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
//THIS IS THE PART WHERE I CALL THE SQL STATEMENT FROM A SEPARATE PHP FILE
echo $sql->admin($username,$password);
// Mysql_num_row is counting table row
$count=mysql_num_rows($sql);
// If result matched $username and $password, table row must be 1 row
if($count==1)
{
//unset($_SESSION);
$row = mysql_fetch_assoc($sql);
$_SESSION[logged] = $row[logged];
// Register $username, $password and redirect to file "index.php"
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
$_SESSION['submitted'] = $row[submitted];
$_SESSION['date_submitted'] = $row[date_submitted];
session_register($_SESSION['username']);
session_register($_SESSION['password']);
?>
<script>window.location="index.php";</script>
<?php
}
else
{ ?>
<center><span style="color:white;">Wrong Username or Password</span></center>
<?php
}
}
?>
sql.php
<?php
include('connect.php');
class sql{
function sql()
{
}
function admin($username,$password)
{
echo $sql=mysql_query("SELECT * FROM admin WHERE admin_username= '$username' and admin_password= '$password' ");
}
}
?>
The error that appears with this code is
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in login.php on line 40
my line 40 is
$count=mysql_num_rows($sql);
I've finally got it. As you said, I've added a line in my sql.php which is
return $result;
another reason why my code didn't work was because I didn't place my
$sql->admin($username,$password);
inside a variable. Now it looks like this
$a = $result->admin($username,$password);
and it's working now.
Like GBD told, you have to return the result set from the mysql query. Furthermore, you have to use the result in your script to handle the submission from the login page.
$result = admin($username,$password)
// Mysql_num_row is counting table row
$count = mysql_num_rows($result)
You should return result set in your function
function admin($username,$password)
{
$result=mysql_query("SELECT * FROM admin WHERE admin_username= '$username' and admin_password= '$password' ");
return $result; // return result set back
}
Your admin function should return a resultset of data:
function admin($username,$password)
{
$result = mysql_query("SELECT * FROM admin WHERE admin_username= '$username' and admin_password= '$password' ");
return $result;
}
By calling it like so:
$resultset = admin($username, $password);
You can then pass this resultset (not the sql) to mysql_num_rows:
$count = mysql_num_rows($resultset);
In login.php you used
//THIS IS THE PART WHERE I CALL THE SQL STATEMENT FROM A SEPARATE PHP FILE
echo $sql->admin($username,$password);
The parameters are send correctly, but the result of SQL should be returned from the function.
You used echo in sql.php as well as in login.php
Add return statement
function admin($username,$password)
{
$sql=mysql_query("SELECT * FROM admin WHERE admin_username= '$username' and admin_password= '$password' ");
return $sql;
}
in sql.php
$result=$sql->admin($username,$password);
and then use the variable $result as $sql is already used for CLASS
This should work.
As my predecessors said, you need to return the value from the admin function.
Besides, why do you call DB table 'admin' ? Do you plan on having multiple admins ? You shouldn't create separate tables for different types of users. You may create one table 'users' with column 'type' where you specify if he is an admin or regular user, and set his privileges based on this value.
Related
I am trying to implement my own class, functions and views to implement multi-user authentication and pages with php, mysql and pdo class.
Please let me know if I am doing it in proper way or I am on wrong path?
Mysql table will look like:
userID-----------int 1
userName---------varchar abc
userPassword-----varchar pass
userAccessCode---int 100
This is the html, and php which will pass the data via post to function called(aut) in class authen
note: session will be start in header login. and close on logout
//include authen class
if(isset(POST){
$authen->name= Check_Params($_POST['name ']);
$authen->pass= Check_Params($_POST['pass']);
$authen->accs= Check_Params($_POST['accs']);
$authen->aut()
}
<form method="post">
<input name="name" type="text">
<input name="pass" type="password">
<input name="access" type="password">
<input type="submit" value="login">
</form>
Now authen class will check if the user is in database:
public function auth() {
$name = Check_Param($this->name);
$pass = Check_Param($this->pass);
$accs = Check_Param($this->accs);
$passhashed = hash_pass(Check_Params($this->password));
$stm = "SELECT COUNT(*) FROM userTBL WHERE `userName`=:name AND `userPassword`=:pass AND `userAccessCode`=:accs LIMIT 1";
$stm = $this->conn->prepare($stmt9);
$stm->bindParam(':nameo', $name);
$stm->bindParam(':passs', $passhashed);
$stm->bindParam(':accs', $accs);
$stm->execute();
$checkstm = $stm->fetchColumn();
if ($checkstm == 1) {
$_SESSION['accs'] = Check_Params($accs);
$_SESSION['name'] = Check_Params($name);
header("location:../home");
exit;
} else {
header("location:logout.php");
exit;
}
}
Now in each page this will check if it's login request, here is the ifitislogin function
public function ifitislogin() {
if ($_SESSION['name'] == '' | $_SESSION['accs'] == '') {
header("location:logout.php");
} else {
$accs = Check_Params(preg_replace('#[^0-9]#i', '', $_SESSION["accs"]));
$name = Check_Params(preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["name"]));
$stm = "SELECT COUNT(*) FROM userTBL WHERE `userName`=:name AND `userAccessCode`=:accs";
stm = $this->conn->prepare($stmt9);
$stm->bindParam(':nameo', $name);
$stm->bindParam(':accs', $accs);
$stm->execute();
$checkstm = $stm->fetchColumn();
if ($checkstm != 1) {
header("location:logout.php");
exit();
}
}
}
Now for example this is the index page for all:
//include class authentic
$authen->ifitislogin(); // this will check if user is valid:
echo "<h1>" welcome to the document management system</h1> <br/>";
//this will befor admin and operator
if($_SESSION['accs'] = Check_Params('100')){
echo "<h1>welcome to admin page data....</h1>";
} elseif($_SESSION['accs']) == 101) {
echo "<h1>welcome to reporter page data....</h1>"
} else {
echo "welcome msg";
}
//this will be for clients or users, the function will get the result from database based on the user name and accs/
$accs = Check_Params($_SESSION['accs']);
$name = Check_Params($_SESSION['name']);
//get the result from database based on these tow variable which means $accs, $name it will select from database base where access = $accs and name = $name
In this code section querying the data from database based on the data i get from session variables is it ok? if not how can i know which data should display to which user? or which page is for which user?
regards in advances.
the registration form is connected to the database via db.php but I am having trouble in submitting the login details.
<html>
<head>
<?php
include('db.php');
$username = #$_POST['username'];
$password = #$_POST['password'];
$submit = #$_POST['submit'];
the main problem is after the submit button is clicked by an existing user it should give the message but there's problem in the if statement, because on the wamp server its showing only the else message i.e. Error.
if ($submit)
{
$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
if (mysql_num_rows($result)) {
$check_rows = mysql_fetch_array($result);
$_POST['username'] = $check_rows['username'];
$_POST['password'] = $check_rows['password'];
echo "<center>";
echo "You are now Logged In. ";
echo "</center>";
}
else {
echo "<center>";
echo "No User found. ";
echo "</center>";
}
}
else echo "Error";
?>
</head>
<body>
<form method="post">
Username : <input name="username" placeholder="Enter Username" type="text"><br></br>
Password : <input name="password" placeholder="Enter Password" type="password"><br>
<input type="submit" value="Submit">
</body>
</html>
You want get $_POST with name submit, but do not send it to the form
Try change
<input type="submit" value="Submit">
to
<input type="submit" name="submit" value="Submit">
Firstly this is old style of php/mysql. So look at PDO on php.net seeing as you are setting out on new project it really wont be hard to make the change now rather than later.
Now onto your issue. if you intend on carrying on with your old method try this.
$sql = "SELECT * FROM user WHERE username=' . $username . ' AND password=' . $password . '";
// check the query with the die & mysql_error functions
$query = mysql_query($sql) or die(mysql_error());
$result = mysql_num_rows($query);
// checking here equal to 1 In a live case, for testing you could use >= but not much point.
if ($result == 1) {
// Checking needs to be Assoc Now you can use the field names,
// otherwise $check_rows[0], $check_rows[1] etc etc
$check_rows = mysql_fetch_assoc($query); // oops we all make mistakes, query not result, sorry.
// This is bad but for example il let this by,
// please dont access user supplied data without
// validating/sanitising it.
$_POST['username'] = $check_rows['username'];
$_POST['password'] = $check_rows['password'];
} else {
// do not logged in here
}
The same in PDO
$sql=" Your query here ";
$pdo->query($sql);
$pdo->execute();
$result = $pdo->fetch();
if ($result = 1) {
// do login stuff
} else {
// no login
}
Remember though that you need to set up PDO and it may not be available on your server by default (older php/mysql versions) but your host should be happy enough to set them up.
I used this series and I'm up to this video and mysql_num_rows has been pissing me off ever since the start.
http://www.youtube.com/watch?v=HP75yyjHgTg
i have easily spent 5 hours simply trying to fix all these mysql_num_rows errors.
At the Moment I'm doing profile page and I'm getting an error.
The Error is:
Warning: mysql_num_rows() expects parameter 1 to be resource, null given in /home/ztechrel/public_html/TESTING/blarg/REMAKE/profile.php on line 8 (line one is the mysql_num_rows part)
The Code in profile.php is:
<?php include("inc/incfiles/header.php"); ?>
<?php
if(isset($_GET['u'])) {
$username = mysql_real_escape_string($_GET['u']);
if(ctype_alnum($username)) //check user exists
$check = mysql_query("SELECT username,first_name FROM users WHERE username='$username'");
if(mysql_num_rows($check)===1)
{
$get = mysql_fetch_assoc($check);
$username = $get['username'];
$firstname = $get['first_name'];
}
else
{
echo "<h2>User Does Not Exist</h2>";
exit();
}
}
?>
is there a way i can fix this?
Or does anyone know another way i can write this?
I wouldn't be surprised he uses mysql_num_rows again, is there something i can use instead which is easy to implement?
If you need any other info just ask.
use this for checking error in your query
$username = mysql_real_escape_string($_GET['u']);
if(ctype_alnum($username)) {
//check user exists
$check = mysql_query("SELECT username,first_name FROM users
WHERE username='$username'") or die(mysql_error());
if(mysql_num_rows($check)===1){
$get = mysql_fetch_assoc($check);
$username = $get['username'];
$firstname = $get['first_name'];
}
else
{
echo "<h2>User Does Not Exist</h2>";
exit();
}
}
Make sure you are capture errors from PHP.
It might be the previous statement mysql_query is not executed and hence result is not set.
Try with below if mysql_query is executing properly or note
$check = mysql_query("SELECT username,first_name FROM users WHERE username='$username'") or die(mysql_error()."<br>".$sql);
This means your query returns nothing. Put echo for your query and display it in browser. Then copy the query and run it in phpmyadmin or mysql query browser or some other mysql editor. Try to find whether $username has correct value or any field name is wrong in the query.
Make sure variable $username is not empty., ctype_alnum is returning false. So $query is empty.
<?php include("inc/incfiles/header.php"); ?>
<?php
if(isset($_GET['u'])) {
$username = mysql_real_escape_string($_GET['u']);
if ($username != "" && if(ctype_alnum($username))) {
$check = mysql_query("SELECT username,first_name FROM users WHERE username='$username'");
if(mysql_num_rows($check)===1)
{
$get = mysql_fetch_assoc($check);
$username = $get['username'];
$firstname = $get['first_name'];
}
else
{
echo "<h2>User Does Not Exist</h2>";
exit();
}
}
}
?>
Here it's I have a problem with my PHP Code + Oracle Login form.
In this PHP file, I make login function. But I have an error like this :
Warning: oci_num_rows() expects parameter 1 to be resource, string given in C:\xampp\htdocs\developers\it\session.php on line 12
Wrong
-
<?php
session_start();
include ("config.php");
$username = $_POST['username'];
$password = $_POST['password'];
$do = $_GET['do'];
if($do=="login")
{
$cek = "SELECT PASSWORD, USER_LEVEL FROM T_USERS WHERE USERNAME='$username' AND PASSWORD='$password'";
$result = oci_parse($conn, $cek);
oci_execute($result);
if(oci_num_rows($cek)==1)
{
$c = oci_fetch_array($result);
$_SESSION['username'] = $c['username']; ociresult($c,"USERNAME");
$_SESSION['USER_LEVEL'] = $c['USER_LEVEL']; ociresult($c,"USER_LEVEL");
if($c['USER_LEVEL']=="ADMINISTRATOR")
{
header("location:supervisor.php");
}
else if($c['user_level']=="User")
{
header("location:user.php");
}
else if($c['user_level']=="Root")
{
header("location:administrator.php");
}
else if($c['user_level']=="Manager")
{
header("location:manager.php");
}
else if($c['user_level']=="Admin")
{
header("location:admin.php");
}
else if($c['user_level']=="Director")
{
header("location:director.php");
}
}
else
{
echo "Wrong";
}
}
?>
I have tried to search in google, but still don't find anything.
Someone knows, what's the problem ?
Thanks for advance.
According to your script instead of
if(oci_num_rows($cek)==1)
you should call
if(oci_num_rows($result)==1)
You probably want to use $result and not $cek when you're asking for the number of rows returned from oci_num_rows(). However, you really want to avoid using $username and $password directly in the string like that. It'll make you wide open for SQL injection attacks, so look into using oci_parse together with oci_bind_by_name.
After that you should also always call exit() after the sequence of redirects, as the script will continue running if you don't (and that might be a security issue other places).
I also got the same case, so I tricked it with a script like this, but I don't know whether there was an impact or not. because the session and validation went smoothly.
$username =$_POST['username'];
$password = $_POST['password'];
$conn = oci_connect('xxx', 'xxx', 'localhost/MYDB');
$pass_encription = md5($password);
$query = "SELECT * from *table_name* WHERE *field1*='".$username."' and *field2*='".$password."'";
$result = oci_parse($conn, $query);
oci_execute($result);
$exe = oci_fetch($result);
if ($exe > 0)
{
oci_close($conn);
oci_execute($result);
$row =oci_fetch_array($result);
$sid = $row['field_1_parameter'];
$snama = $row['field_2_parameter'];
$sjab = $row['field_3_parameter'];
$session = array (
'field_1_array' =>$sid,
'field_2_array' =>$snama,
'field_3_array' =>$sjab
);
if($sjab == 'Administrator')
{
$this->session->set_userdata($session);
redirect('redirecting_page');
}
`
My aim is to have a simple, form based CMS so the client can log in and edit the MySQL table data via an html form. The login is working, but the edit page isn't returning the values from the MySQL table, nor am I getting any errors.
I'm still amateur, and I first started the following code for a class project, but now plan to implement it for a live site. From what I understand I shouldn't have to declare the next/previous/etc. variables at the top, which I tried unsuccessfully to do so anyway. Does anything stand out to any of you?:
<?php
echo "<h2>Edit Special Offer</h2><hr>";
if (isset($_COOKIE["username"]))
{
echo "Welcome " . $_COOKIE["username"] . "!<br />";
include "login.php";
}
else
echo "You need to log in to access this page.<br />";
if(isset($previous))
{
$query = "SELECT id, specialtitle, specialinfo
FROM special WHERE id < $id ORDER BY id DESC";
$result = mysql_query($query);
check_mysql();
$row = mysql_fetch_row($result);
check_mysql();
if ($row[0] > 0)
{
$id = $row[0];
$specialtitle = $row[1];
$specialinfo = $row[2];
}
}
elseif (isset($next))
{
$query = "SELECT id, specialtitle, specialinfo
FROM special WHERE id > $id ORDER BY id ASC";
$result = mysql_query($query);
check_mysql();
$row = mysql_fetch_row($result);
check_mysql();
if ($row[0] > 0)
{
$id = $row[0];
$specialtitle = $row[1];
$specialinfo = $row[2];
}
}
elseif (isset($add))
{
$query = "INSERT INTO special (specialtitle, specialinfo)
VALUES ('$specialtitle', '$specialinfo')";
$result = mysql_query($query);
check_mysql();
$id = mysql_insert_id();
$message = "Special Offer Added";
}
elseif (isset($update))
{
$query = "UPDATE special
SET specialtitle='$specialtitle', specialinfo='$specialinfo'
WHERE id = $id";
$result = mysql_query($query);
check_mysql();
$id = mysql_insert_id();
$message = "Monthly Special Updated";
}
elseif (isset($delete))
{
$query = "DELETE FROM special WHERE id = $id";
$result = mysql_query($query);
check_mysql();
$specialtitle = "";
$specialinfo = "";
$message = "Special Offer Deleted";
}
$specialtitle = trim($specialtitle);
$specialinfo = trim($specialinfo);
?>
<form method="post" action="editspecial.php">
<p><b>Special Offer</b>
<br><input type="text" name="specialtitle" <?php echo "VALUE=\"$specialtitle\"" ?>> </p>
<p><b>Special Info/Description</b>
<br><textarea name="specialinfo" rows="8" cols="70" >
<?php echo $specialinfo ?>
</textarea> </p>
<br>
<input type="submit" name="previous" value="previous">
<input type="submit" name="next" value="next">
<br><br>
<input type="submit" name="add" value="Add">
<input type="submit" name="update" value="Update">
<input type="submit" name="delete" value="Delete">
<input type="hidden" name="id" <?php echo "VALUE=\"$id\"" ?>>
</form>
<?php
if (isset($message))
{
echo "<br>$message";
}
?>
Login.php:
<?php
function check_mysql()
{
if(mysql_errno()>0)
{
die ("<br>" . mysql_errno().": ".mysql_error()."<br>");
}
}
$dbh=mysql_connect ("xxxxxxxxxxxxxxxxx","xxxxxxxx","xxxxxxxx");
if (!$dbh)
{
die ("Failed to open the Database");
}
mysql_select_db("xxxxxx");
check_mysql();
if(!isset($id))
{
$id=0;
}
?>
Please please please do a little bit more learning before attempting to build this thing.
You can do it the way you are doing it, but with just a small amount of extra knowledge about OO programming, and maybe about the Pear db classes you will have 3x cleaner code.
If you really choose not to, at the very least, pull each of your save, update, delete, etc procedures out into functions instead of just inlining them in your code. put them in a separate file, and include it in that page.
It may not be useful to you, but I am going to dump a generic table access class here in the page for you. It requires a simple db class API, but if you use this or something like it your life will be 5x easier.
If you don't understand this code when you look at it, that's ok, but please just come back and ask questions about the stuff you don't understand. That is what stackoverflow is for.
This is an older class that should just do basic stuff. Sorry it's not better I just wanted to dig something out of the archives for you that was simple.
<?php
// Subclass this class and implement the abstract functions to give access to your table
class ActiveRecordOrder
{
function ActiveRecordOrder()
{
}
//Abstract function should return the table column names excluding PK
function getDataFields()
{}
//Abstract function should return the primary key column (usually an int)
function getKeyField()
{}
//abstract function just return the table name from the DB table
function getTableName()
{}
/*
This function takes an array of fieldName indexed values, and loads only the
ones specified by the object as valid dataFields.
*/
function loadRecordWithDataFields($dataRecord)
{
$dataFields = $this->getDataFields();
$dataFields[] = $this->getKeyField();
foreach($dataFields as $fieldName)
{
$this->$fieldName = $dataRecord[$fieldName];
}
}
function getRecordsByKey($keyID, &$dbHandle)
{
$tableName = $this->getTableName();
$keyField = $this->getKeyField();
$dataFields = $this->getDataFields();
$dataFields[] = $this->getKeyField();
$results = $dbHandle->select($tableName, $dataFields, array($keyField => $keyID));
return $results;
}
function search($whereArray, &$dbHandle)
{
$tableName = $this->getTableName();
$dataFields = $this->getDataFields();
$dataFields[] = $this->getKeyField();
return $dbHandle->select($tableName, $dataFields, $whereArray);
}
/**
* Since it is *hard* to serialize classes and make sure a class def shows up
* on the other end. this function can just return the class data.
*/
function getDataFieldsInArray()
{
$dataFields = $this->getDataFields();
foreach($dataFields as $dataField)
{
$returnArray[$dataField] = $this->$dataField;
}
return $returnArray;
}
/**
* Added update support to allow to update the status
*
* #deprecated - use new function saveObject as of 8-10-2006 zak
*/
function updateObject(&$dbHandle)
{
$tableName = $this->getTableName();
$keyField = $this->getKeyField();
$dataArray = $this->getDataFieldsInArray();
$updatedRows = $dbHandle->updateRow(
$tableName,
$dataArray,
array( $keyField => $this->$keyField )
);
return $updatedRows;
}
/**
* Allows the object to be saved to the database, even if it didn't exist in the DB before.
*
* #param mixed $dbhandle
*/
function saveObject(&$dbhandle)
{
$tableName = $this->getTableName();
$keyField = $this->getKeyField();
$dataArray = $this->getDataFieldsInArray();
$updatedRows = $dbHandle->updateOrInsert(
$tableName,
$dataArray,
array( $keyField => $this->$keyField )
);
return $updatedRows;
}
}
"Welcome " . $_COOKIE["username"] . "!<br />"; [and many other places]
HTML-injection leading to cross-site security holes. You need to use htmlspecialchars every time you output a text value to HTML.
"INSERT INTO special (specialtitle, specialinfo) VALUES ('$specialtitle' [and many other places]
SQL-injection leading to database vandalism. You need to use mysql_real_escape_string every time you output a text value to an SQL string literal.
if (isset($_COOKIE["username"]))
Cookies are not secure, anyone can set a username cookie on the client-side. Don't use it for access control, only as a key to a stored or session user identifier.
You also appear to be using register_globals to access $_REQUEST values as direct variables. This is another extreme no-no.
Between all these security snafus you are a sitting duck for Russian hackers who will take over your site to push viruses and spam.
Be careful with your code there. Your not filtering your cookie value and you shouldn't be storing a username directly in there as it can be easily changed by the visitor. You should look into filter_input for filtering cookie data and eany form data that is being submitted - especially your $_POST['id']
this will save you a lot of heartache further down the line from attacks.
Your if else statements are checking if variables are set but you dont set next, previous, add etc
You are using submit buttons with those values so you would need to check for
if(isset($_POST['previous']))
instead of yours which is
if(isset($previous))
I can't see where you set your database details either unless you have an included file somewhere that you haven't posted. (don't post the real ones of course but i can't see anything)
I don´t know what's happening in login.php, but you're using $id before it is set. That´s just in the first part.
Edit: To clarify, you are using $id in every query statement and setting it afterwards, my guess would be that $id is null and that is why nothing gets returned.
Edit 2: What else is happening in login.php? If you never read your $_POST variables, nothing will ever happen.
Edit 3: Like I already partly said in a comment, your if(isset($previous)) section, elseif (isset($update)) section and elseif (isset($delete)) sections will never do anything as $id is always 0.
After authenticating your user you need to get and filter the posted variables, $_POST['id'], $_POST['previous'], etc.