if (isset($submit)) {
$getusers = mysql_query("SELECT * FROM register");
while($getrows = mysql_fetch_array($getusers)) {
$users = $getrows['username'];
if ($touser == $users) {
echo "$users";
$send = $_GET['send'];
if ($send == $one) {
$query = mysql_query(
"INSERT INTO mailtbl VALUES
(
'', '$touser', '$fromuser', '$subject',
'$message', '0', '0', '1', '$date', '$rand'
)"
);
$query2 = mysql_query(
"INSERT INTO mailtbl_admin VALUES
(
'', '$touser', '$fromuser', '$subject',
'$message', '0', '0', '1', '$date', '$rand'
)"
);
$echo = "Message successfully sent.";
}
} else {
$echo = "There is no such user with the name of '$touser'";
}
}
echo "$echo";
}
I am trying to write code that accepts the message to send to another user if the recipient is in my database. The problem is that I think my condition (if ($touser == $users) is wrong. $touser refers to my $_POST['recipient'] in my form and $users refer to the users in the database.
Could someone please review my code to ensure I'm on the right track?
Instead of looping through all the users in your table, why don't you instead add a WHERE statement in your SQL command like this:
"SELECT * FROM register WHERE username = '" . $touser . "'"
If you get results send the message. If you get no results, display the 'no such user' message.
Also, if you are having trouble evaluating $touser to $user, try outputting the contents of $touser to make sure it's what you think it is.
print_r($touser);
Related
It's working, but when I add the data in to my database, the data will be twice. I don't know if my syntax is wrong or my code is wrong.
Here's the structure:
//if submit is clicked
$checkin = $_POST['text_checkin'];
while ($row = mysqli_fetch_array($reservation)) {
if (isset($_POST['submitBtn'])) {
if ($row['reservefrom'] == $checkin) {
echo "Same Date";
return;
}
else
{
$lastname = $_POST['text_lastname'];
$firstname = $_POST['text_firstname'];
$address = $_POST['text_address'];
$tnumber = $_POST['text_tnumber'];
$cnumber = $_POST['text_cnumber'];
$email = $_POST['text_email'];
$checkin = $_POST['text_checkin'];
$checkout = $_POST['text_checkout'];
$room = $_POST['text_room'];
$tour = $_POST['text_tour'];
$guest = $_POST['text_guest'];
$query = "INSERT INTO reservation
(lastname, firstname, homeaddress,
telephonenumber, cellphonenumber, email,
reservefrom, reserveto, room, tour,
guestnumber)
values ('$lastname', '$firstname', '$address',
'$tnumber', '$cnumber', '$email', '$checkin',
'$checkout', '$room', '$tour', '$guest')";
mysqli_query($db, $query);
echo "Data Submitted!";
}
}
}
You're getting multiple inserts because you are looping for each record in $reservations. You should first look into why you are getting multiple records if you expected just a single record reservation.
That aside, alter your code by replacing your while loop with:
if(isset($_POST['submitBtn']) && $row = mysqli_fetch_array($reservation)){
if($row['reservefrom'] == $checkin) die("Same Date");
$lastname = $_POST['text_lastname'];
$firstname = $_POST['text_firstname'];
// ... other values, then execute your query
}else{
// either submitBtn was not posted or no result were found in $reservation
}
I noticed also that you use return in your code, but the code doesn't seem to be within a function so that's confusing. If it is within a function, it's probably a bad idea to echo from within unless the function is specifically meant to send data directly to the browser.
How can i limit the failed logins with this script? If the login fails, i insert it into the sql. (Is it the right way?)
But how can i check at the next login, that the user can now log in? I would take the login limit in 1 hour.
Aniway, is this code is good for that?
<?php
$loginError = array();
if(isset($_POST['login_submit']))
{
if(empty($_POST['email']) or !isset($_POST['email'])){$loginError[] = "Hiányzó email cím.";}
if(empty($_POST['pass']) or !isset($_POST['pass'])){$loginError[] = "Hiányzó jelszó.";}
if(strlen($_POST['email']) > 50 ){$loginError[] = "Hibás adat az email mezőben.";}
if(strlen($_POST['pass']) > 40 ){$loginError[] = "Hibás adat a jelszó mezőben.";}
if(count($loginError) == 0 )
{
$email = mysqli_real_escape_string($kapcs,$_POST['email']);
$pass = sha1($_POST['pass']);
$lekerdezes = mysqli_query($kapcs, "SELECT * FROM admin_user WHERE email = '$email'") or die(mysqli_error($kapcs));
if(mysqli_num_rows($lekerdezes) > 0 )
{
$adat = mysqli_fetch_assoc($lekerdezes);
if($adat['status'] == 1 )
{
if($adat['pass'] == $pass)
{
$_SESSION['adatok'] = $adat;
$_SESSION['email'] = $adat['email'];
$_SESSION['userid'] = $adat['id'];
header("Location:home.php");
}
else
{
$sql = "INSERT INTO loginattempts(log_address, log_datetime) VALUES ('".$_SERVER['REMOTE_ADDR']."', NOW())";
$insert_login_attempt = mysqli_query($kapcs, $sql) or die(mysqli_error($kapcs));
$loginError[] = "Hibás email cím vagy jelszó.";
}
}
else
{
$sql = "INSERT INTO loginattempts(log_address, log_datetime) VALUES ('".$_SERVER['REMOTE_ADDR']."', NOW())";
$insert_login_attempt = mysqli_query($kapcs, $sql) or die(mysqli_error($kapcs));
$loginError[] = "Még nincs aktiválva a fiók.";
}
}
else
{
$sql = "INSERT INTO loginattempts(log_address, log_datetime) VALUES ('".$_SERVER['REMOTE_ADDR']."', NOW())";
$insert_login_attempt = mysqli_query($kapcs, $sql) or die(mysqli_error($kapcs));
$loginError[] = "Hibás email cím vagy jelszó.";
}
}
}
?>
I would create a field in the database called status (blocked/ok) and assuming youve got a field timestamp for the last login...
Then Id connect to the database in case the login fails and save the status bloqued and the time stamp. the next attempt you would check the time.now vs last access...
I good suggestion would be create a function for the database connection so you can call it a couple of time without repeat the code, also dont forget use the try/except fot the db connection.
I couldn't find any error. I tried the query on phpmyadmin and it works well but when I do in php page, it couldn't update into DB. The following code below:
$registerID = ($_POST['registerID']);
$firstName = ucwords(htmlspecialchars($_POST['firstName']));
$lastName = ucwords(htmlspecialchars($_POST['lastName']));
$emailAddress = htmlspecialchars($_POST['emailAddress']);
$mainAddress = ucwords(htmlspecialchars($_POST['fullAddress']));
$updateCity = ucwords($_POST['userCity']);
$updateCountry = $_POST['userCountry'];
$postalCode = strtoupper(htmlspecialchars($_POST['userZip']));
$profilePic = $_POST['pic'];
$updateProf = " UPDATE register_user
SET firstName='$firstName',
lastName='$lastName',
emailAddress='$emailAddress',
mainAddress='$mainAddress',
registerCity='$updateCity',
registerCountry='$updateCountry',
postalCode='$postalCode'
WHERE registerID = '$registerID'";
if (mysqli_query($mysqli, $updateProf)) {
echo "Record updated successfully";
} else {
echo "Error updating record: " . mysqli_error($mysqli);
}
In the end, there are no errors after I updated on the webpage, it just show Record updated successfully. But it didn't update into DB. Any ideas?
UPDATED CODING
$checkProfile = "SELECT * FROM register_user where emailAddress = '$emailAddress'";
$editProfile = mysqli_query($mysqli,$checkProfile);
if ($editProfile) {
if (mysqli_num_rows($editProfile) > 0) {
header("Location: event?error=That name of email has already been taken");
} else {
$updateQuery = "UPDATE register_user
SET firstName = '$firstName',
lastName = '$lastName',
emailAddress = '$emailAddress',
mainAddress = '$mainAddress',
registerCity = '$updateCity',
registerCountry = '$updateCountry',
postalCode = '$postalCode'
WHERE registerID = '$registerID'";
$updateResult = mysqli_query($mysqli,$updateQuery);
header("Location: profileUser");
}
}
After I updated, it still doesn't work after I am using prepared statement. Any ideas?
Try executing the query first, saving it into a variable.
then, check if the query executed by doing:
if(!$query) echo "Query error : " . $mysqli->error;
This will give you more detailed error report.
I have two steps sign up form. From the first step I'm picking up email and username and from second step I want to pick up first name and lastname and add it into DB.
But the problem is that variables which I've got from the first POST form, $bridge_username to be exact, is not available in the IF statement below (the first one from the bottom). The thing is that they are visible anywhere else, but not inside this particular IF statement. I've tried everything, including sessions. I can clearly see that variable is still there (using vardump or just echoing it out), everywhere but not where I need it...
I'll be happy to hear your advises.
$bridge_email = $_POST['email'];
$bridge_username = $_POST['username'];
$bridge_pass = $_POST['password'];
$bridge_pass_conf = $_POST['passconf'];
$bridge_terms = $_POST['terms'];
$bridge_pass_counted = strlen($bridge_pass);
$bridge_username_counted = strlen($bridge_username);
if (isset ($_POST['email']) AND isset ($_POST['password']) AND isset ($_POST['passconf']) AND isset ($_POST['username'])) {
if ($bridge_email != '' AND $bridge_pass != '' AND $bridge_pass_conf != '' AND $bridge_username != '' AND $bridge_terms != '') {
if ($bridge_pass == $bridge_pass_conf) {
if ($bridge_pass_counted >= 33 OR $bridge_pass_counted <= 5) {
} else {
if ($bridge_username_counted >= 65 OR $bridge_username_counted <= 3) {
} else {
if (is_numeric(substr($bridge_username, 0, 1))) {
} else {
//CHECK IF USERNAME OR EMAIL ALREADY EXIST
$checkreguser = $mysqli->query("SELECT username FROM `engine_users` WHERE username = '$bridge_username' OR email = '$bridge_email' LIMIT 0, 1 ");
$checkreguser = $checkreguser->fetch_assoc();
if ($checkreguser == '') {
//CREATING A NEW USER
$mysqli->query("INSERT INTO `users` (`id`, `username`, `password`, `email`, `fname`, `lname`, `company`, `address`, `city`, `state`, `zip`, `country`, `currency`, `phone`, `vat`, `userlevel`, `created`, `notes`, `lastlogin`, `lastip`, `active`) VALUES\n"
. "(NULL, '$bridge_username', '1411678a0b9e25ee2f7c8b2f7ac92b6a74b3f9c5', '$bridge_email', '', '', NULL, '', '', '', '', '', '', '', NULL, 5, '2011-05-01 18:10:14', '', '2013-04-19 22:25:11', '127.0.0.1', 'y')");
}}}}}}}
$bridge_fname = $_POST['1_1_3'];
$bridge_lname = $_POST['1_1_4'];
if (isset ($_POST['1_1_3']) AND isset ($_POST['1_1_4'])) {
$mysqli->query("UPDATE `users` SET `fname` = '$bridge_fname',`lname` = '$bridge_lname' WHERE `users`.`username` = '$bridge_username'");
}
I fixed your code a bit to make you a good example,
main issue was how you build your query string
..." username = '$bridge_username' "
this will result in a string like you see it
(it is good debug to print the queries, before executing them)
you have to change it to:
." username = '".$bridge_username."' "
and the variable will be replaced with its value.
Also added checks for the post values, so you don't get warnings if they are not set.
$bridge_email = (isset($_POST['email']) ? $_POST['email'] : null);
$bridge_username = (isset($_POST['username']) ? $_POST['username'] : null);
$bridge_pass = (isset($_POST['password']) ? $_POST['password'] : null);
$bridge_pass_conf = (isset($_POST['passconf']) ? $_POST['passconf'] : null);
$bridge_terms = (isset($_POST['terms']) ? $_POST['terms'] : null);
//$bridge_pass_counted = strlen($bridge_pass);
//$bridge_username_counted = strlen($bridge_username);
//return early and stay back from chained IFs
if (!$bridge_email || !$bridge_username || !$bridge_pass || !$bridge_pass_conf) {
return;
}
if ($bridge_pass != $bridge_pass_conf) {
return;
}
if ($bridge_pass AND strlen($bridge_pass) > 5 AND strlen($bridge_pass) < 33) {
return;
}
if ($bridge_username AND strlen($bridge_username) > 5 AND strlen($bridge_username) < 33) {
return;
}
if (is_numeric(substr($bridge_username, 0, 1))) {
return;
}
$result = $mysqli->query("SELECT username FROM `engine_users` WHERE username = '" . $bridge_username . "' OR email = '" . $bridge_email . "' LIMIT 0, 1 ");
$checkreguser = $result->fetch_assoc(); // returns associative array of strings or NULL if there are no more rows
//if ($checkreguser == '') {
if ($checkreguser === null) {
//CREATING A NEW USER
$mysqli->query("INSERT INTO `users` (`id`, `username`, `password`, `email`, `fname`, `lname`, `company`, `address`, `city`, `state`, `zip`, `country`, `currency`, `phone`, `vat`, `userlevel`, `created`, `notes`, `lastlogin`, `lastip`, `active`) VALUES\n"
. "(NULL, '" . $bridge_username . "', '1411678a0b9e25ee2f7c8b2f7ac92b6a74b3f9c5', '" . $bridge_email . "', '', '', NULL, '', '', '', '', '', '', '', NULL, 5, '2011-05-01 18:10:14', '', '2013-04-19 22:25:11', '127.0.0.1', 'y')");
}
$bridge_fname = (isset($_POST['1_1_3']) ? $_POST['1_1_3'] : null);
$bridge_lname = (isset($_POST['1_1_4']) ? $_POST['1_1_4'] : null);
if ($bridge_fname AND $bridge_lname ) {
$mysqli->query("UPDATE `users` SET `fname` = '" . $bridge_fname . "',`lname` = '" . $bridge_lname . "' WHERE `users`.`username` = '" . $bridge_username . "'");
}
Please examine the IF structure, returning early makes the code more readable.
http://php.net/manual/en/function.isset.php
I would try and break your code down to a simple few lines and test the if statement. Better to identify where it is breaking. Maybe add some echo statements during different steps or comment and step through the code. Example below.
$bridge_email = $_POST['email'];
$bridge_pass = $_POST['password'];
if (isset($_POST['email']) AND isset($_POST['password']){
// EXECUTE AN ALERT
echo"email and pass are set";
}else {
echo"not passing";
}
Use
if(isset($_POST['bridge_username']))
To see if it exists.
You can also use the ternary operator:
$email = isset($_POST['bridge_username']) ? $_POST['bridge_username'] = false;
And ye.. "$bridge_username to be exact, is not available in the IF statement below."
Show us the exact error if you want a more detailed answer :)
Are you checking to see if the session has been started. I see that you keep mentioning that the data was passed to session. May want to set this up to make sure that it is getting handled.
Try checking that the session variable was created and if not redirect back to the registration/login page.
As an example... if the session is not registered it will move to a different script or location.
session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
you could further test the session by echoing contents on an isset on session to keep testing. Again, I would break your code down into the most basic form to learn what is going on. Might also need to see the prior page code to see what is happening.
found another example online that might help you out. http://www.phpeasystep.com/phptu/6.html
The form submits correctly and it sends me an email. No error is reported and the SQL it creates works fine, I tested it at phpMyAdmin. mysql_error() raises nothing, it just doesn't add a row. Can anyone see what's going on?
<?PHP
$to = "me#gmail.com";
$subject = "New Lead";
$date = date ("l, F jS, Y");
$time = date ("h:i A");
$mysql = mysql_connect("db.perfora.net:3306","db","password");
if(!$mysql)
{
die("Could Not Connect: ".mysql_error());
}
mysql_select_db("db",$mysql);
if ($_SERVER['REQUEST_METHOD'] == "POST") {
$name = $_POST['firstname']." ".$_POST['lastname'];
$email = $_POST['email'];
$phone = "(".$_POST['areacode'].") ".$_POST['firstthree']."-".$_POST['lastfour'];
$area = $_POST['area'];
$lookdate = $_POST['lmm']."/".$_POST['ldd']."/".$_POST['lyyyy'];
$lookdatedb = date("{$_POST['lmm']}.{$_POST['ldd']}.{$_POST['lyyyy']}");
$movedate = $_POST['mmm']."/".$_POST['mdd']."/".$_POST['myyyy'];
$movedatedb = date("{$_POST['mmm']}.{$_POST['mdd']}.{$_POST['myyyy']}");
$loft = $_POST['loft'] ? "loft" : "";
$highrise = $_POST['highrise'] ? "highrise" : "";
$traditional = $_POST['traditional'] ? "traditional" : "";
$price = $_POST['price'];
$comments = $_POST['comments'];
$sql = "INSERT INTO Leads
(Name, Email, Phone, Area, LookDate, MoveDate, Loft, HighRise, Traditional, Price, Comments)
VALUES
('$name', '$email', '$phone', '$area', '$lookdatedb', '$movedatedb', '{$_POST['loft']}', '{$_POST['highrise']}', '{$_POST['traditional']}', '$price', '$comments')";
if (mysql_query($sql,$con))
{
echo "Row added.";
}
else
{
echo "Error adding row: " . mysql_error();
echo("\n\n".$sql);
}
$msg = "
New Lead Submitted On $date at $time.\n\n
Name: $name\n
Email: $email\n
Phone: $phone\n
Area: $area\n
Look Date: $lookdate\n
Move Date: $movedate\n
Type: $loft $highrise $traditional \n
Price: $price\n
Comments: $comments\n
";
}
mysql_close($mysql);
mail($to, $subject, $msg, "From:$email");
if ($forward == 1) {
header ("Location:$location");
}
else {
echo "Thank you for submitting our form. We will get back to you as soon as possible.";
}
?>
Response:
Thank you for submitting our form. We will get back to you as soon as possible.
Generated SQL:
INSERT INTO Leads (Name, Email, Phone, Area, LookDate, MoveDate, Loft, HighRise, Traditional, Price, Comments) VALUES ('work work', 'work#work.com', '(214) 131-4131', 'dallas', '02.18.2010', '02.25.2010', '', '1', '1', '$333333333333333333', '33fdsdfsdfsd')
Database Structure:
http://imgur.com/iQHRk.jpg
Let's see, your DB connection handle is obviously referenced by $mysql, but you've done this:
if (mysql_query($sql,$con))
Your DB handler is wrong.
mysql_query($sql,$con);
should return something why don't you take a look at that
i.e.
$result = mysql_query('SELECT * WHERE 1=1');
if (!$result) {
die('Invalid query: ' . mysql_error());
}
It's a best practice to check for errors when you can.
Also to be noted, you are not escaping any of the user input so your code is vulnerable to SQL injections. please use mysql_real_escape_string.
take the post variable in another variable and then pass to the insert query i think it will be work
like this
$sql = "INSERT INTO Leads
(Name, Email, Phone, Area, LookDate, MoveDate, Loft, HighRise, Traditional, Price, Comments)
VALUES
('$name', '$email', '$phone', '$area', '$lookdatedb', '$movedatedb', '$loft', '$highrise', '$traditional', '$price', '$comments')";
mysql_query($sql);