Comparing Value on Submit Vs Database - php

The "dbcred.php" class
<?php
# pdo_testdb_connect.php - function for connecting to the "test" database
function testdb_connect ()
{
$dbh = new PDO("mysql:host=localhost;dbname=dbname", "root", "");
return ($dbh);
}
?>
PHP
<?php
#connect mysql
require_once "dbcred.php";
$dbh = testdb_connect ();
session_start();
$username = $_POST['regduser'];
$userpass = md5($_POST['regdpass']);
$result = mysql_query("SELECT * FROM Student WHERE regduser= '$username' AND regdpass = '$regdpass'");
if (mysql_num_rows($result)!= 1) { $error = "Login failed";
#include "loginform.php";
} else {
$_SESSION['username'] = "$username";
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
#include "membersection.php";
}
?>
HTML
<form action="inc/check_regUsr.php" method="post" id="userLogon">
<div class="field required">
Username: <input type="text" name="regduser" tabindex="1" /><br />
</div>
<div class="field required">
Password: <input type="text" name="regdpass" tabindex="2" /><br />
</div>
<input type="submit" name="submitUser" />
</form>
When I try to submit valid credentials it says: Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in on line 12
Why does it not like this and how can I fix it?
Thank you


$result = mysql_query("SELECT * FROM Student WHERE regduser= '$username' AND regdpass = '$regdpass'");
I don't know how your database class is working. So I will write a general mysql connect code.
mysql_connect($host,$username,$password);
mysql_select_db($db);
No you can execute the query.

Related

An error while using num_rows method in php

I designed a login form, but while processing it has a fatal error which I have no idea how to fix that.
here are my codes:
dbConnection.php:
<?php
$host = 'localhost';
$user = 'root';
$pass = '';
$dbname = 'fashionshop';
$conn = new mysqli($host,$user,$pass,$dbname);
if($conn->connect_error){
die('Connection Failed:' .$conn->connect_error);
}
//echo "Connected Successfully";
?>
userloginprocess.php:
<?php require_once 'dbConnection.php'; ?>
<?php
if(isset($_POST['client-login-submit'])){
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM users
WHERE username = '".$username."' AND password1 = '".$password."' LIMIT 1";
$result = $conn->query($sql);
if($conn->num_rows($result) == 1){ // this is line 14
header('location:welcome.php');
}else{
header('location:error.php');
}
}else{
header('location:notworking.php');
}
?>
html form:
<form action="inc/userloginprocess.php" method="post">
<h1>LOG IN</h1>
<input placeholder="Username" type="text" name="username" id="username">
<input placeholder="Password" type="password" name="password" id="password">
<input type="submit" name="client-login-submit" value="LOG IN">
<p>Forget Your Password? RESET</p>
<p>SIGN UP</p>
</form>
and finally the error when I submit the form:
Fatal error: Uncaught Error: Call to undefined method mysqli::num_rows() in C:\xampp\htdocs\fashionshop\inc\userloginprocess.php:14 Stack trace: #0 {main} thrown in C:\xampp\htdocs\fashionshop\inc\userloginprocess.php on line 14
I would be grateful if you help me.

You are using the wrong object in getting the number of rows. Use $result instead of $conn.
Make
$conn->num_rows($result)
To:
$result->num_rows

database on phpmyadmin won't save data even though my connect file works [duplicate]

This question already has answers here:
Can I mix MySQL APIs in PHP?
(4 answers)
Closed 5 years ago.
this is my connect file which is error free but seems to not connect to my database.
<?php
$username="root";$password="Abubba21";$database="posts";
mysql_connect(localhost,$username,$password);
#mysql_select_db($database) or die( "Unable to select database");
mysql_close();
?>
Here is my code, I even have to put the php header at the bottom of the file because otherwise nothing will be displayed
<body>
<?php
$db_host = "localhost";
$db_username = "root"
$db_pass = "Abubba21";
$db_name = "accounts";
try
{
$db = new PDO('mysql:host='.$db_host.';dbname'.$db_name,$db_username,$db_pass);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING);
//$result = $db->query
}
catch(PDOException $e)
{
echo "Server error: ",$e->getCode()."invalid server";
}
$reg = #$_POST['reg'];
$un = "";
$pswd = "";
$em = "";
$em2 = "";
$pswd2 = "";
$un = strip_tags(#$_POST['username']);
$pswd = strip_tags(#$_POST['password']);
$em = strip_tags(#$_POST['email']);
$pswd2 = strip_tags(#$_POST['password2']);
$em2 = strip_tags(#$_POST['email2']);
if($reg){
if($em == $em2){
$u_check = mysql_query("SELECT username FROM accounts WHERE username = '$un'");
$check = mysql_num_rows($u_check);
if($check==0){
if($un&&$pswd&&$em&&$pswd2&&$em2){
if($pswd == $pswd2){
if(strlen($un)>25)
{
echo "The maximum limit for the username is 25 characters.";
}
else
{
if(strlen($pswd)>30||strlen($pswd)<5){
echo "Your password has to be between 5 and 30 characters.";
}
else
{
$pswd = md5($pswd);
$pswd2 = md5($pswd2);
$query = mysql_query("INSERT INTO accounts VALUES ('','un','pswd','em')");
die("<h2>Welcome</h2> Log in to start");
}
}
}
else
{
echo "Your passwords don't match";
}
}
else
{
echo "You must fill in all fields";
}
}
else
{
echo "Username is already token";
}
}
else
{
echo "Your emails don't match";
}
}
?>
<div class="body">
<div class="register">
<h1 class="heads">Register</h1><br><br><br><br>
<form action="#" method="post">
<div class="login">
<input type="text" name="username" value="" placeholder="Username ...">
<p />
<input type="password" name="password" value="" placeholder="Password ...">
<p />
<input type="password" name="password2" value="" placeholder="Password ...">
<p />
<input type="email" name="email" value="" placeholder="someone#somesite.com">
<p />
<input type="email" name="email2" value="" placeholder="someone#somesite.com">
<p />
<input type="submit" name="createaccount" value="Create Account">
</div>
</form>
</div class="register">
<div class="grad"></div>
<div class="header">
<div><span>Welcome</span></div> <br><br>
</div>
<br>
<form action="home.php" method="post">
<div class="login">
<input type="text" name="username" value="" size="30" placeholder="username"><br>
<input type="password" name="password" value="" size="30" placeholder="password">
<input type="submit" name="login" value="Login"><br>
</div>
</form>
</div>
<?php include("connect.php"); ?>

I believe your query string is incorrect:
$query = mysql_query("INSERT INTO accounts VALUES ('','un','pswd','em')");
To:
$query = mysql_query("INSERT INTO accounts (\`my_column_name\`,\`another_column\`,\`etc\`,\`etc2\`) VALUES ('','un','pswd','em')");

The example code is using mysql_query function, but the connection is PDO. That is not going to work. Do not mix function calls from the database extensions. Pick one.
With PHP, there's three commonly used database interface extensions:
mysql_ do not use this for new code
MySQLi
PDO_ - supports MySQL and other databases
Please see the notice here:
http://php.net/manual/en/function.mysql-query.php
Warning This extension was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information. Alternatives to this function include:
. mysqli_query()
. PDO::query()
http://php.net/manual/en/mysqlinfo.api.choosing.php
Do not mix function calls from the database interface extensions. That's not going to work.
MD5 hash is unsuitable for passwords. http://php.net/manual/en/faq.passwords.php

Creating a Login System in PHP using Oracle

I'm having massive issues with creating this login system for my website and we are required to use php and oracle.
The table itself is very simple and only has a Username and Password value attached to it.
This is the code I am using and the main issue that comes with it is that the variable $password always returns a blank value.
<?php
/* Set oracle user login and password info */
$dbuser = "*MY USERNAME*";
$dbpass = "*MY PASSWORD*";
$dbname = "SSID";
$db = oci_connect($dbuser, $dbpass, $dbname);
if (!$db) {
echo "An error occurred connecting to the database";
exit;
}
$user = $_POST['user'];
$pass = $_POST['pass'];
$sql_login = "SELECT Username FROM users WHERE Username='%".$user."%'";
$login_stmt = oci_parse($db, $sql_login);
if(!$login_stmt)
{
echo "An error occurred in parsing the sql string.\n";
exit;
}
oci_execute($login_stmt);
while(oci_fetch_array($login_stmt))
{
$password = oci_result($login_stmt,"Password");
}
if ($password == "")
{
echo 'Password = blank';
}
if ($pass == $password)
{
echo 'Logged In';
}
else
{
echo 'Login Failed';
}
?>
I am using this command to try and write a value to the variable but I am having no luck.
while(oci_fetch_array($login_stmt))
{
$password = oci_result($login_stmt,"Password");
}
The form used is below, but I don't think there is a problem with it.
<form name="register" method="post" action="inc/login.php">
<div class="form_row">
<label class="contact"><strong>Username:</strong></label>
<input type="text" name="user" class="contact_input" />
</div>
<div class="form_row">
<label class="contact"><strong>Password:</strong></label>
<input type="password" name="pass" class="contact_input" />
</div>
<div class="form_row">
<div class="terms">
<input type="checkbox" name="terms" />
Remember me
</div>
</div>
<div class="form_row">
<input type="submit" class="register" value="login" />
</div>
</form>

problem is sql return 0 rows, bacase if u using in where clause % U must use like operator, not =
use this sql:
$sql_login = "SELECT Username FROM users WHERE Username like '%".$user."%'";
Here is good informatioun about this:
Equals(=) vs. LIKE

In $password = oci_result($login_stmt,"Password"); the word "Password" must be written on CAPS so it will be something like
$password = oci_result($login_stmt,"PASSWORD");
Worked that way for me

how to check whether old password entered is present or not in db

I m having a login page where user enters id and password.To reset the password i have to check whether the entered password is present or not whether it matches with the id i have entered.How to validate it.I m unable to validate it. If user enters any password it displays the record is updated. How to validate it. Here is the code
login.php
<label type="text" name="id" maxlength="50" size="20">ID</label><br />
<input type="text" name="id" placeholder="ID" class="input" size="20"/><br /></div>
<div class="formItem">
<label type="text" name="uid" maxlength="50" size="20">Password</label><br />
<input type="password" name="uid" placeholder="ID" class="input" size="20"/><br /></div>
<span class="field">(* Required field)</span><br /><br />
<input type="submit" name="login1" value="LOGIN" class="button"><br /><br /><br /><br />
</form>
</div>
</body>
</html>
<?php
$username = "root";
$password = "";
$hostname = "localhost";
$db = "abc";
//connection to the database
$dbhandle = mysql_connect($hostname, $username, $password) or die("Unable to connect to MySQL");
mysql_select_db($db,$dbhandle) or die('cannot select db');
if(isset($_POST['login1']))
{
$id= $_POST['id'];
$uid= $_POST['uid'];
$query= "select * from resume where id='$id'
AND uid='$uid'";
$run= mysql_query($query);
if(mysql_num_rows($run)>0){
echo "<script>window.open('resetp.php','_self')</script>";
}
else {
echo "<script>alert('Login details are incorrect!')</script>";
}
}
?>
resetp.php
<label type="text" name="uid" maxlength="50" size="20">Old Password</label><br />
<input type="text" name="uid" placeholder="id" class="input" size="20"/><br /></div>
<div class="formItem">
<label type="text" name="uid" maxlength="50" size="20">New Password</label><br />
<input type="password" name="pass" placeholder="pass" class="input" size="20"/><br /></div>
<div class="formItem">
<label type="text" name="cpas" maxlength="50" size="20">Confirm Password</label><br />
<input type="password" name="cpas" placeholder="" class="input" size="20"/><br /></div>
<div class="formItem">
<input type="submit" name="login1" value="RESET" class="formButton"><br /><br /><br /><br /></div>
</form>
<?php
$username = "root";
$password = "";
$hostname = "localhost";
$db = "resume1";
//connection to the database
$dbhandle = mysql_connect($hostname, $username, $password) or die("Unable to connect to MySQL");
mysql_select_db($db,$dbhandle) or die('cannot select db');
if(isset($_POST['login1']))
{
$pass= $_POST['pass'];
$uid= $_POST['uid'];
$cpas=$_POST['cpas'];
$query = "Update `resume` SET uid='".$_POST['pass']."' where uid='".$_POST['uid']."'";
$run = mysql_query($query);
if($query)
{
echo "<script>alert('Record updated')</script>";
}
else
{
echo "<script>alert('no')</script>";
}
}
?>
How can i validated it

Try this:
This line
<label type="text" name="uid" maxlength="50" size="20">New Password</label><br />
should be
<label type="text" name="pass" maxlength="50" size="20">New Password</label><br />

I guess couldn't understand your requirement.
Why don't you validate like you are doing in login.php
$query= "select * from resume where id='$id'
AND uid='$uid'";
$run= mysql_query($query);.................

the PHP script should be at the beginning, not at the end of the code. Begin with the <?php .... ?> and then follow the <HTML> ... </HTML> otherwise the result is returned even before the script is processed.
There are a lot of security issues with your code. You can try this.
<?php
require 'db.php';
$username = isset($_POST['username']) ? htmlspecialchars(trim($_POST['username']), ENT_QUOTES, 'UTF-8') : '';
$password = isset($_POST['password']) ? htmlspecialchars($_POST['password'], ENT_QUOTES, 'UTF-8') : '';
$error = array();
$error_found = 0;
if(isset($_POST['submit']) && ($_POST['submit'] == 'Reset'))
{
//check for errors.
//check if username field is empty.
if(empty($username))
{
$error[] = 'Please provide your user-name.';
}
//check if password field is empty.
if(empty($password))
{
$error[] = 'Please provide a password.';
}
//if errors exist, put errors found as true.
if(!empty($error))
{
$error_found = 1;
}
//else no errors are found.
else
{
//proceed to reset.
//connecting to database.
$db = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD) or die('Unable to connect, check your connection parameters. ');
mysql_select_db(MYSQL_DB, $db) or die('Could not select database, check availability. ' . mysql_error($db));
//querying the database. Checking if user-name password combination exists.
$query = 'SELECT username FROM resume WHERE username = "' . mysql_real_escape_string($username, $db) .
'" AND password = PASSWORD("' . mysql_real_escape_string($password, $db) . '")';
$result = mysql_query($query, $db) or die(mysql_error($db));
//checking if result is true.
if(mysql_num_rows($result) > 0)
{
//the result is true and so you can now reset your password.
}
else
{
$error[] = 'The username password combination you provided does not exist.';
$error_found = 1;
}
}
}
//HTML
?>
<!DOCTYPE HTML>
<html>
<head><title> ... </title></head>
<body>
<!--Your html code here -->
<?php
//if errors are found, then errors are shown here.
if($error_found == 1)
{
echo '<fieldset><center>';
echo '<ul>';
foreach($error as $e)
{
echo '<li>' . $e . '</li>';
}
echo '</ul>';
echo '</center></fieldset>';
}
?>
<form action="nameOfThisScript.php" method="POST">
Username:<input id="username" type="text" name="username" required />
Password:<input id="password" type="password" name="password" required />
<button id="Reset" type="submit" name="submit" value="Reset">Reset</button>
</form>
</body>
</html>
create a script named db.php in the same folder as this script and put the code
<?php
define('MYSQL_HOST', 'localhost');
define('MYSQL_USER', 'root');
define('MYSQL_PASSWORD', '');
define('MYSQL_DB', 'resume1');
?>
Hope this helps.

mysqli connect and select from database error

I recently started using mysqli_ to connect to my database because of the concern of sql injection and lack of security. I'm trying to reconfigure my login page with mysqli from mysql but the page just won't load and I'm not sure why. Thanks in advance for any help.
Here is my code:
<?php
$mysqli = new mysqli("localhost", "username", "password", "db");
if($mysqli->connect_errno > 0){
die('Unable to connect to database [' . $mysqli->connect_error . ']');
}
if (!isset($_SESSION['email'])) {
$e = trim($_REQUEST['email']);
$email = mysqli->real_escape_string($e);
$p = trim($_REQUEST['password']);
$password = mysqli->real_escape_string($p);
if ($result = $mysqli->query("SELECT email, password" .
" FROM users" .
" WHERE email = '".$email."' AND password = '".$password."'")) {
printf("Select returned %d rows.\n", $result->num_rows);
if ($result->num_rows == 1) {
$row = $result->fetch_array(MYSQLI_NUM);
$user_id = $ow['user_id'];
//No more setcookie
$_SESSION['user_id'] = $user_id;
$_SESSION['email'] = $email;
}
/* free result set */
$result->close();
}
}
?>
<html>
<head>
<title>Login</title>
</head>
<body>
<form id="signin_form"
action="<?php echo $_SERVER['PHP_SELF']; ?>"
method="POST">
<div class="signin_box">
<label for="email">Email or Username:</label><br>
<input type="text" name="email" id="email" size="30" />
<br />
<label for="password">Password:</label>
<input type="password" name="password" id="password" size="30" />
<br />
<span class="signin_submit">
<input type="submit" value="Sign In" class="signin_submit" />
</span>
</div>
</form>
</body>
</html>

Here
$email = mysqli->real_escape_string($e);
You forgot $
$email = $mysqli->real_escape_string($e);
and
$password = mysqli->real_escape_string($p);
to
$password = $mysqli->real_escape_string($p);

Categories