I am getting an error regarding mssql_real_escape_string() - php

Please help to cure this error:
Fatal error: Call to undefined function mssql_real_escape_string() in
The Code:
<?php
$host="-Removed-"; // Host name
$username="-Removed-"; // Mysql username
$password="-Removed-"; // Mysql password
$db_name="-Removed-"; // Database name
$tbl_name="USERPASS";
$tbl_name2="EMPLOYEES"; // Table name
// Connect to server and select databse.
mssql_connect("$host", "$username", "$password")or die("cannot connect");
mssql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$myusername=$_POST['login'];
$mypassword=$_POST['password'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mssql_real_escape_string($myusername);
$mypassword = mssql_real_escape_string($mypassword);
$sql="SELECT *
FROM $tbl_name U, $table_name2 E
WHERE U.EMPLOYEE_ID = E.EMPLOYEE_ID
AND USERNAME='$myusername'
AND PASSWORD='$mypassword'";
$result=mssql_query($sql);
// Mysql_num_row is counting table row
$count=mssql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>
.
Thank You for the help! Been trying to figure this out for forever now.

That's because thereisn't any php function called mssql_real_escape_string

If your using MSSQL Server there is no mssql_real_escape_string, only MySQL and MySQLi have it, at least I didn't find it:
http://php.net/manual/en/book.mssql.php
http://php.net/manual/en/ref.mssql.php

Unfortunately, as of right now, PHP mssql extension neither supports parameterized queries nor has an escape function. You have to either write your own escape function or use something like PDO prepared statements to prevent SQL injection.

Related

Login PhP Script

So I've been trying to Get my Validation script for my login to Work.
Here's The Code:
<?php
ob_start();
$host="localhost"; // Host name
$username="***"; // Mysql username
$password="***"; // Mysql password
$db_name="**"; // Database name
$tbl_name="**"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['username'];
$mypassword=$_POST['password'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
echo "Welcome $myusername";
header("location:../htdocs/home.php");
exit();
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>
What's weird is that if I entered credentials not in My Database it does return that they are incorrect. But If they are correct it doesn't redirect me to home.php
The code is very bad, would suggest you dont use it. As for the problem the SQL function you are using is wrokg.
replace $result=mysql_query($sql); with $result=mysql_fetch_array($sql);
as for the if($count==1){ change to if($result){
That should resolve your issue, also at the end of the SQL statement add LIMIT 1

how to check the permission and send the user to the correct page in php?

Halo everyone, I got a question for how to check the permission when the user login and send the user to the page where they suppose to be. But I just can't make it. Can anyone help?
<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="123456789"; // Mysql password
$db_name="hospital_db"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
$permissionssql="SELECT permissions FROM $tbl_name WHERE permissions";
$permissionssqlresult=mysql_query($permissionssql);
if(permissions==admin){
header("location:admin.php");
if(permissions==employees){
header("location:employees.php");
if(permissions==employees){
header("location:otherstaff.php");
}
}
}
}
else{
echo "Wrong username or password!";
}
?>
I create a permissions on my table and it is vachar.
The permission have admin/employees/otherstaff.
I'm just trying to let the system send the user to the correct page but it always doesnt work.
I'm really appreciate if there's an answer.
thanks

SQLite & Login Beginner

Ok so I'm diving in with not much knowledge or SQLite, I have a generic checklogin php file that I would like to connect to the db to check the login. So without much of an understanding of SQLite, what am I missing, I've never worked with database either. I just need to understand a basic starting point or concept of connecting the database to this. I have a index.html that grabs the username and pw and inputs it in to check the login with the database but having trouble connecting to database with sqlite. Every time I try to login it'll just show me this php file code, is it because it's not connected to the database?
<?php
$host="localhost"; // Host name
$username="Test"; // Mysql username
$password="test"; // Mysql password
$db_name="test"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select databse.
mysqli_connect("$host", "$username", "$password")or die("cannot connect");
mysqli_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysqli_real_escape_string($myusername);
$mypassword = mysqli_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysqli_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>
hope it helps you
function getConnected($host,$user,$pass,$db)
{
$mysqli = new mysqli($host, $user, $pass, $db);
if($mysqli->connect_error)
die('Connect Error (' . mysqli_connect_errno() . ') '. mysqli_connect_error());
return $mysqli;
}
$mysqli = getConnected('localhost','user','password','database');
if your code really not connecting to database then it will print the message 'cannot connect to db' as you have written the die() statement.

Replacing session_register("myusername"); in PHP V5.3.6

I have the following in my code
session_register("myusername");
session_register("mypassword");
within
<?php
ob_start();
$host="ClubEvents.db.9606426.hostedresource.com"; // Host name
$username="ClubEventsRead"; // Mysql username
$password="Pa55word!"; // Mysql password
$db_name="ClubEvents"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>
What is it to be replace by, now that the php function has been deprecated?
I have been reading http://php.net/manual/en/function.session-register.php but am a little confused, been battling with this all day.
Thanks
Henry
Just place the values you want in the $_SESSION array, like:
$_SESSION['myusername'] = "xxx";
I'm not seeing you session_start on your code. Don't forget it.
I think you want to save your username and the password in the session :
First, usijng "login", "username", "password" in your code is no longer safe, some malicious script try to find these words in your code and play around.
session_start();
$_SESSION['myuse'] = $myuse;
$_SESSION['mypas'] = $mypas;

PHP: Opening url from database using header

I am pretty new to php (mostly don't do web development at all actually) and, have gotten into it lately. I am trying to make a login page that redirects users after login to a unique URL linked to the user. So I wanted to have say 4 columns in the database: id, username, password, and redirect. And after a successful login to have the URL redirect to the redirect column in the db that is storing the user URL. The problem is the code that I have been working off of. To make a login I cant seem to have it redirect to the db column using the header("location:) line. Here is my code maybe you guys can kindly help me:
<?php
$host="sql1om"; // Host name
$username="b33_1033"; // Mysql username
$password="b33_1033"; // Mysql password
$db_name="test"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>
So I can't figure out how to add a db column variable to output the url from the redirect column in the
header("location:login_success.php);
Every time I try a variable in that line nothing happens
Any help would be appreciated. Please thoroughly explain I am a newbie at php. Thank-you!
Here is edited code that I got working (with help):
<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="test"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file"login_success.php"
$_SESSION['username'] = $myusername;
$_SESSION['password'] = $mypassword;
$result = mysql_query("SELECT redirect FROM members");
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
header("Location: " . $row['redirect']);
}
exit();
}
else {
echo "Wrong Username or Password";
}
?>
You need to fetch your results into an associative array:
$row = mysql_fetch_assoc($result)
Then simply use header("Location: $row['redirect']");
Enclosing a string in double quotes enable you to insert a variable in there.
Alternatively, you can also concatentate: header("Location: " . $row['redirect']);
Your SQL results will be stored in an associatively array called $row. To access the redirect column, use $row['redirect']. Of course, $row will only be populated if a row or rows are found.
Finally, it is good practice to have an exit() to immediate stop script execution if you are redirecting.
Your code would look like:
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['username'] = $myusername;
$_SESSION['password'] = $mypassword;
$row = mysql_fetch_assoc($result);
header("Location: $row['redirect']");
exit();
}else {
echo "Wrong Username or Password";
}

Categories