this is so that I come from Denmark and use google translate because I'm bad at English so hope that it can be in level with, however, this is how my MySQLI code to go right down to the last words, and says there are errors . I've tried to write it right password and email in, but it can not be bothered to work at all in some way it keeps making mistakes, how can it be?
<?php
session_start();
include("include/database/db.php");
if($stmt = $mysqli->prepare("SELECT id, djnavn, hemmelig, rank FROM `brugere` WHERE `email` = ? AND `password` = ?"))
{
$stmt->bind_param('ss', $email, $password);
$email = $_POST['email'];
$password = sha1($_POST['password']);
$stmt->execute();
$stmt->bind_result($id, $djnavn, $hemmelig, $rank);
$stmt->fetch();
$count_res = $stmt->num_rows;
$stmt->close();
if($count_res > 0) {
$_SESSION["logged_in"] = true;
$_SESSION["user_id"] = $id;
$_SESSION["djnavn"] = $djnavn;
$_SESSION["hemmelig"] = $hemmelig;
$_SESSION["rank"] = $rank;
if($rank == 0)
{
echo "Your can not log in!";
}
if($rank == 1)
{
echo "Ok, members you can log in now!";
}
if($rank == 2)
{
echo "Ok, Admin you can log in now!";
}
}
else {
echo 'fail her: ' . $mysqli->error;
}
}
?>
Can you help me on it!!
First of all it's notification and it occurs because you don't define $email and $password before you use them.
$email = $_POST['email'];
$password = sha1($_POST['password']);
cut and paste them befor you bind params:
$stmt->bind_param('ss', $email, $password);
Related
I have the following prepared statement:
$stmt = $conn->prepare("SELECT * FROM `users` WHERE user LIKE ? ");
$stmt->bind_param("s", $filtered_form['user']);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows > 0) {
$stmt->bind_result($id, $user, $pass, $first, $last, $type, $email);
$stmt->fetch();
$stmt->close();
}
if ($pass === $filtered_form['pass']) {
$_SESSION['id'] = $id;
$_SESSION['user'] = $user;
$_SESSION['first'] = $first;
$_SESSION['last'] = $last;
$_SESSION['email'] = $email;
$_SESSION['type'] = $type;
header("Location:index.php");
exit;
} else {
return "Incorrect password";
}
however Visual Studio says there is a problem that the variables $id, $user, $pass, $first, $last, $type, $email are not defined. I added the variables like this:
$stmt = $conn->prepare("SELECT * FROM `users` WHERE user LIKE ? ");
$stmt->bind_param("s", $filtered_form['user']);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows > 0) {
$id = "";
$user = "";
$pass = "";
$first = "";
$last = "";
$type = "";
$email = "";
$stmt->bind_result($id, $user, $pass, $first, $last, $type, $email);
$stmt->fetch();
$stmt->close();
}
if ($pass === $filtered_form['pass']) {
$_SESSION['id'] = $id;
$_SESSION['user'] = $user;
$_SESSION['first'] = $first;
$_SESSION['last'] = $last;
$_SESSION['email'] = $email;
$_SESSION['type'] = $type;
header("Location:index.php");
exit;
} else {
return "Incorrect password";
}
And the problem goes away. Upon reviewing the PHP documentation, I cant find examples where the variables must be defined first, yet visual studio still shows it as an error. Any idea why this is?
Nope, it is not necessary when variables are passed by reference, which is the case here. So it's Visual Studio who is wrong here.
However, you are using obsoleted techniques here, and can get rid of these false positive warnings and reduce the amount of code at once:
$stmt = $conn->prepare("SELECT * FROM `users` WHERE user = ? ");
$stmt->bind_param("s", $filtered_form['user']);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
if ($row and password_verify($filtered_form['pass'], $row['pass']) {
$_SESSION['user'] = $row;
header("Location:index.php");
exit;
} else {
return "Incorrect password";
}
as you can see, get_result() gives you a much better result (pun not intended) than store_result(), letting you to store the user information in a single variable, so it won't litter the $_SESSION array.
And num_rows() proves to be completely useless (as it always happens).
An important note: you should never ever store passwords in plain text. Alwas shore a hashed password instead.
Everthing seems to work except inserting data stmt.
I've added closing the connection and adding closing the statement.
$error = $user = $pass = "";
if (isset($_SESSION['user'])) destroySession();
if (isset($_POST['user']))
{
$user = sanitizeString($_POST['user']);
$pass = sanitizeString($_POST['pass']);
if ($user == "" || $pass == "")
$error = 'Not all fields were entered<br><br>';
else
{
$stmt = $connection->prepare('SELECT * FROM members WHERE user=?');
$stmt->bind_param('s', $user);
$stmt->execute();
$result = $stmt->get_result();
if ($result->num_rows)
$error = 'That username already exists<br><br>';
else
{
$hashedPwd = password_hash($pass, PASSWORD_DEFAULT);
$stmt = $connection->prepare("INSERT INTO members (user, pass) VALUES (?,?)");
$stmt->bind_param("ss", $user, $hashedPwd);
$stmt->execute;
$stmt->close();
die('<h4>Account created</h4>Please Log in.</div></body></html>');
}
}
}
$connection->close();
I can expect the code to recognize if a user exists. However, I can not expect the database to be updated with a new user.
Placing error_reporting(E_ALL); at the top of the page will show that there is problem with the $stmt->execute;
$stmt->execute; should be stmt->execute();
My php script for registrating using prepared statements isn't working and I can't figure out why.
Can somebody please check my code ? Thank you, and sorry for this post if it's duplicated but I can't figure it by myself
Code:
<?php
require_once 'connect.php';
$email = $_POST['email'];
$password = $_POST['password'];
$passwordR = $_POST['confpassword'];
if ($password == $passwordR) {
$password = hash('sha512', $password); // použi password_hash
$prep_stmt = "SELECT * FROM users WHERE email= ? ";
$stmt = connect()->prepare($prep_stmt);
if ($stmt) {
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows == 1) {
echo 0;
die();
} else {
if ($insert_stmt = connect()->prepare("INSERT INTO users (email, password) VALUES ( ? , ? )")) {
$insert_stmt->bind_param('ss', $email, $password);
$insert_stmt->execute();
if (!$insert_stmt) {
echo 2;
echo mysqli_stmt_sqlstate($insert_stmt);
die();
} else {
echo 1; //preslo to
die();
}
}
}
} else {
echo 3; //db error
die();
}
}
Sorry for asking silly question here. Problem is I didn't get the error message. I mean if email or password is incorrect I want to print this line :
'{"status":"false","message":"Login incorrect. Try again"}';
I've tried this code.
else if($email != $dbemail || $password != $dbpassword) { return '{"status":"false","message":"Login incorrect. Try again"}'; }
But didn't get else message.
if ($checkDevice != 0 ) {
$email = $get['email'];
$password = $get['password'];
$stmt = $con->prepare("SELECT * FROM users WHERE email = ? AND password = ? ");
$con->errorInfo();
$stmt->bindParam('1', $email, PDO::PARAM_STR);
$stmt->bindParam('2', $password, PDO::PARAM_STR);
$stmt->execute();
$num_rows = $stmt->rowCount();
// print_r($get);
if($num_rows != 0 )
{
while ($row = $stmt->fetch(PDO::FETCH_ASSOC))
{
$dbemail = $row['email'];
$dbpassword = $row['password'];
}
if($email == $dbemail && $password == $dbpassword)
{
return '{"status":"true","message":"Success. Login details correct."}';
}
else
{
return '{"status":"false","message":"Login incorrect. Try again"}';
}
}
}
I am learning to make website with some video tutorials based on mysqli. I came to know that using prepared statements are more secure and I am trying to create a login system. Here is what I have done so far.
This code helps me login success fully.
<form action ="" method="post">
User Name:<br/>
<input type='text' name='username' />
<br/><br/>
Password:<br/>
<input type='password' name='password' />
<br/><br/>
<input type='submit' name='submit' value='login'>
</form>
<?php
if(isset($_POST['submit'])){
$username = $_POST['username'];
$password = md5($_POST['password']);
$stmt = $con->prepare("SELECT username, password FROM users WHERE username=? AND password=? LIMIT 1");
$stmt->bind_param('ss', $username, $password);
$stmt->execute();
$stmt->bind_result($username, $password);
$stmt->store_result();
if($stmt->num_rows == 1) //To check if the row exists
{
while($stmt->fetch()) //fetching the contents of the row
{$_SESSION['Logged'] = 1;
$_SESSION['username'] = $username;
echo 'Success!';
exit();
}
}
else {
echo "INVALID USERNAME/PASSWORD Combination!";
}
$stmt->close();
}
else
{
}
$con->close();
?>
But I also need to check if the user have not activated or have been banned or deactivated. So I made another code.
And here is the code I made
<?php
if(isset($_POST['submit'])){
$username = $_POST['username'];
$password = md5($_POST['password']);
$stmt = $con->prepare("SELECT username, password FROM users WHERE username=? AND password=? LIMIT 1");
$stmt->bind_param('ss', $username, $password);
$stmt->execute();
$stmt->bind_result($username, $password);
$stmt->store_result();
if($stmt->num_rows == 1) //To check if the row exists
{
$result=$con->query($stmt);
$row=$result->fetch_array(MYSQLI_ASSOC);
$user_id= $row['user_id'];
$status = $row['status'];
if($status=='d'){
echo "YOUR account has been DEACTIVATED.";
}else{
$_SESSION['Logged'] = 1;
$_SESSION['user_id'] = $user_id;
$_SESSION['username'] = $username;
echo 'Success!';
exit();
}
}
else {
echo "INVALID USERNAME/PASSWORD Combination!";
}
$stmt->free_result();
$stmt->close();
}
else
{
}
$con->close();
?>
When I use this I get the following errors
Warning: mysqli::query() expects parameter 1 to be string, object given in F:\XAMPP\htdocs\login\login.php on line 33
Fatal error: Call to a member function fetch_array() on a non-object in F:\XAMPP\htdocs\login\login.php on line 34
I have database table columns
user_id,
username,
password (md5),
user_level,
status.
Under user_level I have the following
a = admin
m = member
Under status
a = activated
n = not activated
d = deactivated
b = banned
While logging in I need to check if the user status and if it is activated it should move to index page or if it is d it should show the user has been deactivated and likewise for others.
How to do it in prepared statements?
And I have this connect.php in all page
?php
//error_reporting(0);
'session_start';
$con = new mysqli('localhost', 'username', 'password', 'database');
if($con->connect_errno > 0){
die('Sorry, We\'re experiencing some connection problems.');
}
?>
I think you need to take a look into how mysqli_ works. This should get you in the right direction.
if(isset($_POST['submit'])){
$username = $_POST['username'];
$password = md5($_POST['password']);
$user_id = 0;
$status = ""
$stmt = $con->prepare("SELECT user_id, username, password, status FROM users WHERE username=? AND password=? LIMIT 1");
$stmt->bind_param('ss', $username, $password);
$stmt->execute();
$stmt->bind_result($user_id, $username, $password, $status);
$stmt->store_result();
if($stmt->num_rows == 1) //To check if the row exists
{
if($stmt->fetch()) //fetching the contents of the row
{
if ($status == 'd') {
echo "YOUR account has been DEACTIVATED.";
exit();
} else {
$_SESSION['Logged'] = 1;
$_SESSION['user_id'] = $user_id;
$_SESSION['username'] = $username;
echo 'Success!';
exit();
}
}
}
else {
echo "INVALID USERNAME/PASSWORD Combination!";
}
$stmt->close();
}
else
{
}
$con->close();