Alright, so recently I watched a tutorial and coded along with it in Notepad++. I am attempting a simple MYSQL login/register form, but when I login- it gives me the "Wrong U/P" error echo I wrote. It saves everything in the database as the md5 and stuff. Here is my codes.
register.php
<?php
require('config.php');
if(isset($_POST['submit'])){
//Preform the verification of the nation
$email1 = $_POST['email1'];
$email2 = $_POST['email2'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
if($email1 == $email2) {
if($pass1 == $pass2) {
//All good. Carry on.
$name = mysql_escape_string($_POST['name']);
$lname = mysql_escape_string($_POST['lname']);
$uname = mysql_escape_string($_POST['uname']);
$email1 = mysql_escape_string($_POST['email1']);
$email2 = mysql_escape_string($_POST['email2']);
$pass1 = mysql_escape_string($_POST['pass1']);
$pass2 = mysql_escape_string($_POST['pass2']);
$pass1 = md5($pass1);
$sql = mysql_query("SELECT * FROM `users` WHERE `uname` = '$uname'");
if(mysql_num_rows($sql) > 0) {
echo "Sorry, that user already exists!";
exit();
}
mysql_query("INSERT INTO `users` (`id`, `name`, `lname`, `uname`, `email`, `pass`) VALUES (NULL, '$name', '$lname', '$uname', '$email1', '$pass1')");
}else{
echo "Sorry, your passwords do not match<br><br>";
exit();
}
}else{
echo "Sorry, your emails do not match.<br><br>";
}
}else{
$form = <<<EOT
<form action="register.php" method="POST">
First Name: <input type="text" name="name" /><br />
Last Name: <input type="text" name="lname" /><br />
Username: <input type="text" name="uname" /><br />
Email: <input type="text" name="email1" /><br />
Confirm Email: <input type="text" name="email2" /><br />
Password: <input type="password" name="pass1" /><br />
Confirm Password: <input type="password" name="pass2" /><br />
<input type="submit" value="Register" name="submit" />
</form>
EOT;
echo $form;
}
?>
login.php
<?php
require('config.php');
if(isset($_POST['submit'])){
$uname = mysql_real_escape_string($_POST['uname']);
$pass = mysql_real_escape_string($_POST['pass']);
$pass = md5($pass);
$sql = mysql_query("SELECET * FROM `users` where `uname` = '$uname' and `pass` = '$pass'");
if(mysql_num_rows($sql) > 0){
echo "You are now logged in.";
exit();
}else{
echo "Wrong U/P combination";
}
}else{
$form = <<<EOT
<form action="login.php" method="POST">
Username: <input tye="text" name="uname" /><br>
Password: <input type="password" name="pass" /><br>
<input type="submit" name="submit" value="Login" />
</form>
EOT;
echo "$form";
}
?>
and config.php
<?php
mysql_connect("localhost", "X", "X");
mysql_select_db("X");
?>
The config.php code is correct, but I am not giving away X.
As you can see, this code echos out an error for login.php if it's incorrect. It gives me that error even if it is correct. I used MD5 hash passes, so please help!
Firstly, you're using the ` tag in there - this should be ' .
You need to either interpolate or concatenate your variables; i.e; instead of
mysql_query("INSERT INTO `users` (`id`, `name`, `lname`, `uname`, `email`, `pass`) VALUES (NULL, '$name', '$lname', '$uname', '$email1', '$pass1')");
use;
mysql_query("INSERT INTO 'users' ('id', 'name', 'lname', 'uname', 'email', 'pass') VALUES (NULL, '{$name}', '{$lname}', '{$uname}', '{$email1}', '{$pass1}')");
Anyway, aside from some good practice, have a look at this line;
$sql = mysql_query("SELECET * FROM `users` where `uname` = '$uname' and `pass` = '$pass'");
Just a small typo ruining everything for you. Change SELECET to SELECT , and you should be good to go.
Best of luck!
Eoghan
you don't need the following lines:
$email2 = mysql_escape_string($_POST['email2']);
and
`$pass2 = mysql_escape_string($_POST['pass2']);`
2. run SELECET * FROM users in order to see that the user/pwd really made it to the DB
3. add echo "$uname $pass <br>"; to the login form to make sure that it passed correctly
The other two answers are correct, but you have a more fundamental issue with this: you are using the old, deprecated mysql_* functions. Those functions are an old, procedural interface to MySQL and don't support the modern features of that RDBMS. I suggest using mysqli or PDO for an OOP approach to database access.
If you are going to stick to this ancient code, you should at least use mysql_real_escape_string() instead of mysql_escape_string().
Related
I know that there are a tons of related threads but none of them fixes my problem. i'm having a problem connecting to my database. I get the following error:
Access denied for user ''#'localhost' (using password: NO)
My code for register.php is the following:
<?php
require 'config.php';
if(isset($_POST['submit'])){
//does verification
$mail1 = $_POST['email1'];
$mail2 = $_POST['email2'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
if(($mail1 == $mail2) && ($pass1 == $pass2)){
//everything is k
$name = mysql_escape_string($_POST['name']);
$lname = mysql_escape_string($_POST['lname']);
$uname = mysql_escape_string($_POST['uname']);
$email1 = mysql_escape_string($_POST['email1']);
$pass1 = mysql_escape_string($_POST['pass1']);
$pass1 = md5($pass1);
//Checks if username is taken
$check = mysql_query("SELECT * FROM users WHERE uname = '$uname'")or die(mysql_error());
if (mysql_num_rows($check)>=1) {
echo "Username already taken";
} else {
mysql_query("INSERT INTO `users` (`first_name`, `last_name`, `username`, `mail`, `password`, `id`) VALUES ('$name', '$lname', '$uname', '$email1', '$pass1', NULL)") or die(mysql_error());
echo "Registration Successful";
} }
else {
echo "sorry, something doesn't match.";
}
} else {
//displays form
echo $form = <<<EOT
<form action="register.php" method="POST">
First Name: <input type="text" name="name" /><br />
Last Name: <input type="text" name="lname" /><br />
Username: <input type="text" name="uname" /><br />
Email: <input type="text" name="email1" /><br />
Confirm Email: <input type="text" name="email2" /><br />
Password: <input type="password" name="pass1" /><br />
Confirm Password: <input type="password" name="pass2" /><br />
<input type="submit" value="Register" name="submit" />
EOT;
}
?>
and my config.php is:
<?php
mysql_connect("localhost", "root", "");
mysql_select_db("MyDB");
?>
What to do? My PHP version is 5.6.27 and MySQL version is 5.6.33
Aside from the fact that you should be using mysqli functions instead of mysql for security reasons, have you checked:
Your MySQL username is correct?
That a password is not required?
The database you are connecting to is correct?
The do:
$db = mysql_connect("localhost", "root", "");
mysql_select_db("MyDB", $db);
And your queries should be:
$query = mysql_query("SELECT * FROM users WHERE uname = '$uname'", $db);
First of all, you'd better use mysqli or pdo (https://stackoverflow.com/a/12860046/2660794)
Once you have modified your code, you need to use the credentials you use to connect to database on your server (eg : the one you use for phpmyadmin).
I'd recommend using mysqli. For your case, the config.php would look like:
<?php
$mysqli = new mysqli("localhost", "root", "", "MyDB");
if(mysqli_connect_errno()){
printf("Connection Failed %s\n", mysqli_connect_error());
exit();
}
session_start();
if(isset($SESSION["REMOTE_ADDR"]) && $SESSION["REMOTE_ADDR"] != $SERVER["REMOTE_ADDR"]){
session_destroy();
session_start();
}
?>
and instead of "require", you'd do:
include ("config.php");
Hope this helped
I am trying to make a registration form in which I have connected to the database and it can also check whether the username is unique or not but unfortunately, I can't insert the new data in my table.
I would really appreciate if anyone could help me with this.
<?php
error_reporting(E_ALL ^ E_DEPRECATED);
include 'connect.inc.php';
if(isset($_POST['submit'])) {
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$password2 = mysql_real_escape_string($_POST['password2']);
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
//md5 password
$password_hash = md5($password);
//check to see if the fields are empty
if(empty($username) || empty($password)|| empty($firstname)|| empty($lastname)) {
echo "Not all fields filled!<br /><br />";
exit();
}
//check if password is equal
if($password != $password2) {
echo "Your Passwords Do Not Match.<br />";
exit();
} else {
$query = "SELECT `username` From `users` WHERE username='$username'";
$result = mysql_query($query);
if(mysql_num_rows($result) ==1) {
echo "Sorry, that user has already exists.";
exit();
} else {
$query1= mysql_query("INSERT INTO `users` ('',username,password,firstname,lastname) VALUES ('','$username', '$password_hash', '$firstname', '$lastname'");
if($result1 = mysql_query($query1)) {
echo "Registered Successfully";
} else {
echo "Sorry, You could not Register";
}
}
}
}
?>
<form action="" method="POST">
Username:<br />
<input type="text" name="username" /><br /><br />
Password:<br />
<input type="password" name="password" /><br /><br />
Confirm Password:<br />
<input type="password" name="password2" /><br /><br />
First Name:<br />
<input type="text" name="firstname" /><br /><br />
Last Name:<br />
<input type="text" name="lastname" /><br /><br />
<input type="submit" value="Register" name="submit" />
</form>
Your INSERT statement is missing a closing parenthesis.
$query1= mysql_query("INSERT INTO ... '$lastname'");
$query1= mysql_query("INSERT INTO ... '$lastname')");
^
By the way, I find it easier when doing a single-row INSERT to use an alternative syntax, so the column names and the value are matched up:
$query1= mysql_query("INSERT INTO `users` SET
username='$username',
password='$password',
firstname='$firstname',
lastname='$lastname'");
That's easier to make sure you have the columns matched up to the right variables. Also there's no closing parenthesis to worry about.
See http://dev.mysql.com/doc/refman/5.7/en/insert.html for details on this syntax.
You should also abandon the deprecated mysql extension, and use PDO instead. Read this nice tutorial: https://phpdelusions.net/pdo
And Jay Blanchard is correct that your code is insecure. Security, like correctness, is not an add-on feature. You mention you are a beginner, but you should not start developing bad habits. Read https://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/
Try using
$query1= mysql_query("INSERT INTO users (username,password,firstname,lastname) VALUES ('$username', '$password_hash', '$firstname', '$lastname'");
Replace your else block with
else {
die('Error: ' . mysql_error());
//echo "Sorry, You could not Register";
}
From your comment, your INSERT QUERY is wrong. To find out what is wrong with your SQL query, add var_export($query1, true) with die. i.e.
die('Error: ' . mysql_error().'<br>Info: '.var_export($query1, true));
My guess is that you are still using your old query which has '' as one of the column names.
You want to probably insert the user id in the database.Define it as Autoincrement e remove the blank data from the query below:
Before:
$query1= mysql_query("INSERT INTO `users` ('',username,password,firstname,lastname) VALUES ('','$username', '$password_hash', '$firstname', '$lastname'");
After:
$query1= mysql_query("INSERT INTO `users` (username,password,firstname,lastname) VALUES ('$username', '$password_hash', '$firstname', '$lastname')") or die(mysql_error());
And you need also to replace the line with the code if($result1 = mysql_query($query1)) { by if($result1) {
I've been putting together my first attempt at anything PHP...and it doesnt work...
Basically when I click 'Submit' it just changed the window to display the php code, and submits nothing to mysql.
This is what I have.
<?php
require('config.php');
if(isset($_POST['submit'])){
//Perform the verification
$email1 = $_POST['email1'];
$email2 = $_POST['email2'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
if($email1 == $email2){
if($pass1 == $pass2){
//all good carry on
$name = mysql_escape_string($_POST['name']);
$lname = mysql_escape_string($_POST['lname']);
$uname = mysql_escape_string($_POST['uname']);
$email1 = mysql_escape_string($email1);
$email2 = mysql_escape_string($email2);
$pass1 = mysql_escape_string($pass1);
$pass2 = mysql_escape_string($pass2);
mysql_query("INSERT INTO `users` (`id`, `name`, `lname`, `uname`, `email`, `pass`) VALUES (NULL, '$name', '$lname', '$uname', '$email1', '$pass1')");
}else{
echo "Sorry, your passwords do not match.<br />";
exit();
}
}else{
echo "Sorry, your email addresses do not match.<br /><br />";
}else{
$form = <<<EOT
<form action="register.php" method="POST">
First Name: <input type="text" name="name" /><br />
Last Name: <input type="text" name="lname" /><br />
Username: <input type="text" name="uname" /><br />
Email: <input type="text" name="email1" /><br />
Confirm Email: <input type="text" name="email2" /><br />
Password: <input type="text" name="pass1" /><br />
Confirm Password: <input type="text" name="pass2" /><br />
<input type="submit" value="Register" name="submit" />
</form>
EOT;
}
?>
I'll add that the only way I could see the form was to copy the 'form' into a separate html file.
Any help wold be great and if you need more info just let me know.
Thanks
If you can see php code in your browser, your web server isn't configured properly and so this has nothing to do with php itself.
Do not pass the id field as null, just leave it out. Assuming of course the id field is set to primary index and autoincrement, which it should be.
turns out it was simply because i had mismatched my mysql_connect details.
Thanksfor the hints guys! wouldnt have figured it out otherwise.
Here is the code for my entire index page, which includes a register and a login. For some reason, the register part works fine, and it is inserting correctly. Yet, the login part is not working, as whenever I call the $queryrun(mysql_query($query)) on the SELECT * FROM, it does not work.
<?php
require('includes/dbconnect.php');
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$password = md5($password);
$logemail = $_POST['logemail'];
$logpassword = $_POST['logpassword'];
$logpassword = md5($logpassword);
// Register Script
if (isset($firstname) && !empty($firstname) && !empty($lastname) && !empty($email) && !empty($password)) {
$query = "INSERT INTO users VALUES('', '$firstname', '$lastname', '$email', '', 'm', '9', '$password', 'bio'";
$queryrun = mysql_query($query);
} else {
echo 'Please fill out all of the form fields';
}
// Login Script
if (!empty($logemail) && !empty($logpassword)){
$query = "SELECT * FROM users WHERE email = '$email' AND password = '$password'";
$queryrun = mysql_query($query);
while ($row = mysql_fetch_assoc($queryrun)) {
$logemail = $row['logemail'];
}
echo $logemail;
$numrows = mysql_num_rows($query);
if ($numrows > 0){
echo 'User exists';
} else {
echo 'User does not exist';
}
} else {
}
?>
<html>
<head>
<title></title>
</head>
<body>
<form action="index.php" method="POST">
Firstname: <input type="text" name="firstname" /><br />
Lastname: <input type="text" name="lastname" /><Br />
Email: <input type="text" name="email" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" value="Submit" />
</form>
<br /><hr />
<br />
Login:<br />
<form action="index.php" method="POST">
Email:<input type="text" name="logemail" /><br />
Password: <input type="password" name="logpassword" /><br />
<input type="submit" value="Log in" /><br />
</form>
</body>
</html>
The connection to the database is fine because the register part code works, it's just the login code is returning nothing and saying that the user does note exist, when the user actually does exist
Your form field is $logemail while your mysql statement uses $email.
To get this working looks like you want:
$query = "SELECT * FROM users WHERE email = '$logemail' AND password = '$logpassword'";
But as John Conde mentions there are significant security issues.
What version of PHP are you using? This extension is deprecated as of PHP 5.5.0, you really should be using mysqli or PDO.
also
if (!empty($logemail) && !empty($logpassword)){
$query = "SELECT * FROM users WHERE email = '$email' AND password = '$password'";
you are checking for $logemail and $logpassword but putting $email and $password in the query string... also use {} in your strings for php variables. it helps keep string concatenation from getting confusing and you can use associated arrays in the string
echo "This is my string and this is the number {$number}. this is the value in my array: {$arrayvar["something"]}.";
I am a beginner PHP coder. I want it to be if when they register for my php code, it echos "You have been registered", instead of just showing a blank page. This is my code:
<?php
require('config.php');
if(isset($_POST['submit'])){
//Preform the verification of the nation
$email1 = $_POST['email1'];
$email2 = $_POST['email2'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
if($email1 == $email2) {
if($pass1 == $pass2) {
//All good. Carry on.
$name = mysql_escape_string($_POST['name']);
$lname = mysql_escape_string($_POST['lname']);
$uname = mysql_escape_string($_POST['uname']);
$email1 = mysql_escape_string($_POST['email1']);
$email2 = mysql_escape_string($_POST['email2']);
$pass1 = mysql_escape_string($_POST['pass1']);
$pass2 = mysql_escape_string($_POST['pass2']);
$pass1 = md5($pass1);
$sql = mysql_query("SELECT * FROM `users` WHERE `uname` = '$uname'");
if(mysql_num_rows($sql) > 0) {
echo "Sorry, that user already exists!";
exit();
}
mysql_query("INSERT INTO `users` (`id`, `name`, `lname`, `uname`, `email`,
`pass`) VALUES (NULL, '$name', '$lname', '$uname', '$email1',
'$pass1')");
}else{
echo "Sorry, your passwords do not match<br><br>";
exit();
}
}else{
echo "Sorry, your emails do not match.<br><br>";
}
}else{
$form = <<<EOT
<form action="register.php" method="POST">
First Name: <input type="text" name="name" /><br />
Last Name: <input type="text" name="lname" /><br />
Username: <input type="text" name="uname" /><br />
Email: <input type="text" name="email1" /><br />
Confirm Email: <input type="text" name="email2" /><br />
Password: <input type="password" name="pass1" /><br />
Confirm Password: <input type="password" name="pass2" /><br />
<input type="submit" value="Register" name="submit" />
</form>
EOT;
echo $form;
}
?>
As you can see, there is no echo for if everything works. Please help me add an echo if they're registrations gets registered!!
Just check the return of the insert query.
$result = mysql_query("INSERT ...");
if ($result) {
echo "Created!";
} else {
echo "Uh oh! Something went wrong!";
}
In your case - You could just type:
echo "Congratulations, You've been submitted";
or whatever you want to say just under the insert statement
before the last
}else{
in your code put
echo "You have signed up";
and that's it :)