<body>
<?php
session_start();
function salt($pw) {
$salt = "This comment should suffice as salt.";
return sha1($salt.$pw);
}
if (isset($_POST['submit'])) {
$link = mysql_connect('localhost', 'codekadiya', 'pass');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';
mysql_close($link);
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$password = salt($password);
$query = mysql_query("SELECT * FROM test WHERE username='$username' AND password='$password'");
if (mysql_num_rows($query)== 0) {
header("location:register.php");
exit;
}
else {
$_SESSION['user'] = $username;
header("location: register.php");
}
}
?>
</body>
I checked on my Connection. It says connection successful but I cant figure out what the other mistake are. Can someone guide me the mistake I have done? I can't find it.
echo 'Connected successfully';
mysql_close($link);
So you're closing the connection and then try to run queryes ? how should that work out ?
You should close the connection ( mysql_close($link); ) after you made you're query to the database ( meaning after $query = mysql_query("SEL..... )
You haven't really told us what doesn't work exactly, but it seems you are closing the MySQL link before the authentication query.
i don't tend to use isset instead i just use if($_POST["something"]) that way i get more relevant errors
also - you're closing the $link before you use it - ???
Related
I have this code in index.php
<?php
include "ch.php";
?>
ch.php
<?php
if (isset($_POST['Murad'])) {
header("Location: Main.php");
$firstname=$_POST['firstname'];
$lastname=$_POST['lastname'];
$userName=$_POST['username'];
$password=$_POST['pwd1'];
$userName = stripslashes($userName);
$password = stripslashes($password);
$userName = mysql_real_escape_string($userName);
$password = mysql_real_escape_string($password);
$email=$_POST['email'];
$mysql_hostname = "localhost";
$mysql_user = "root";
$mysql_password = "123";
$mysql_databse = "websiteusers";
$prefix = "";
$bd = mysql_connect($mysql_hostname, $mysql_user, $mysql_password) or die("Could not connect database");
$sql = "
INSERT INTO websiteusers
(fullname,lastname,userName,email,pass)
VALUES ( '$firstname', '$lastname','$userName', '$email','$password')
";
mysql_select_db('websiteusers');
$retval = mysql_query( $sql );
if (! $retval ) {
die('Could not enter data: ' . mysql_error());
return false;
} else {
echo "Entered data successfully\n";
}
$usernamecheck=mysql_query("
SELECT `userName` FROM `websiteusers`
WHERE userName='$userName'
");
if (mysql_num_rows($usernamecheck)>=1) {
echo $userName." is already taken";
return false;
}
}
?>
And
Main.PHP
<?php
include 'ch.php';
?>
And
<?php
echo $firstname=$_POST['firstname'];
?>
But it is not working. It worked before I put action in form instead of header but it didn't insert user in database now it inserts but it is not showing variables. Is there anyway to fix this?
1) Do not use mysql_ functions, it's deprecated and will be removed at PHP 7 stable release, choose between mysqli_ or PDO.
2) Don't open and close your php interpreter multiple times with no apparent reason. If your code is pure PHP, a standard is to never close it.
3) There should be nothing else for PHP or HTML to be processed/displayed after using header("Location: ...") function. It's the last thing you do at the script when you use it.
This is all really new to me and I only know the very basics. I'm creating a frontend login for a webpage (obviously security isn't a huge deal or I wouldn't be doing it). I keep getting in issue with my "where" clause, stating that the "user" does not exist. Database is setup like this:
dbname=connectivity
table=users
users has id, user, and pass.
Anyone want to give me some pointers? Thanks in advance.
<?php
define('DB_HOST', 'localhost');
define('DB_NAME', 'connectivity');
define('DB_USER','root');
define('DB_PASSWORD','');
$con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Ya done goofed: " . mysql_error());
$db=mysql_select_db(DB_NAME,$con) or die("Ya done goofed: " . mysql_error());
function SignIn()
{
session_start();
if(!empty($_POST['user']))
{
$query = mysql_query("SELECT * FROM users where user = `$_POST[user]` AND pass = '$_POST[pass]'") or die(mysql_error());
$row = mysql_fetch_array($query) or die(mysql_error());
if(!empty($row['user']) AND !empty($row['pass']))
{
$_SESSION['user'] = $row['pass'];
echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";
}
else
{
echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";
}
}
}
if(isset($_POST['submit']))
{
SignIn();
}
?>
Please stop using mysql_*. use mysqli_* or PDO. Have a look to the code:-
<?php
// Force PHP to show errors
error_reporting(E_ALL); // Get all type of errors if any occur in code
ini_set('display_errors',1); // Display those errors
session_start(); // start session
define('DB_HOST', 'localhost');
define('DB_NAME', 'connectivity');
define('DB_USER','root');
define('DB_PASSWORD','');
$con = mysqli_connect(DB_HOST,DB_USER,DB_PASSWORD,DB_NAME) or die("connection not established"); Or use $con = mysqli_connect('localhost','root','','connectivity') or die("connection not established");
if(isset($_POST['submit'])){
SignIn();
}
function SignIn(){
if(!empty($_POST['user'])) {
$username = mysqli_real_escape_string($con , $_POST['user']); // prevent form SQL injection
$password = mysqli_real_escape_string($con , $_POST['pass']); // prevent form SQL injection
$query = mysqli_query($con,"SELECT * FROM users where user = '".$username."' AND pass = '".$password."'") or die(mysqli_error($con));
if(mysqli_num_rows($query) > 0){ // check count of resultset
$_SESSION['user'] = $_POST['pass'];
echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";
}else{
echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";
}
}
}
?>
There are some issues here:
SELECT * FROM users where user = `$_POST[user]` AND pass = '$_POST[pass]'
The quote styles are all over the place. Try this:
SELECT * FROM `users` WHERE `user` = '$_POST[user]' AND `pass` = '$_POST[pass]'
Also, you should pre-process for SQL injection if you're not already.
This is the correct formatted SQL.
$query = mysql_query("SELECT * FROM `users` WHERE `user` = `'".$_POST["user"]."'` AND pass = '".$_POST["pass"]."'") or die(mysql_error());
One thing to note is that you MUST escape and validate all global variables. For more information I strongly recommend you to read this SO post: How can I prevent SQL injection in PHP?
There are multiple things wrong with your code check it down below:
<?php
session_start(); // This needs to be on top of every page
define('DB_HOST', 'localhost');
define('DB_NAME', 'connectivity');
define('DB_USER','root');
define('DB_PASSWORD','');
// Use mysqli_* as mysql_* is depracted and will be removed
$con = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) or die("connection not established");
// Add a bit of security
$user = mysqli_real_escape_string($con, $_POST['user']);
$pass = mysqli_real_escape_string($con, $_POST['pass']);
function SignIn($user, $pass) {
// Add backticks ` around column and table names to prevent mysql reserved word error
$query = mysqli_query($con, "SELECT * FROM `users` WHERE `user` = '$user' AND `pass` = '$pass'");
// No need to fetch the data you already have
// Check if the query returns atleast 1 row (result)
if( mysqli_num_rows($query) >= 1 ) {
$_SESSION['user'] = $pass;
echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";
} else {
echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";
}
}
if(isset($_POST['submit']) && !empty($user) && !empty($pass) ) {
SignIn($user, $pass);
} else {
echo "SORRY... THERE ARE EMPTY FIELDS... PLEASE RETRY...";
}
?>
Just changed your code like follows:
SELECT * FROM users where user ='$_POST[user]'AND pass = '$_POST[pass]'
That line need to rewrite like follows:
SELECT * FROM users WHERE user = '".$_POST[user]."' AND pass = '".$_POST[pass]."'
I believe that should work in every server without any kind of trouble.
You are missing quotations
Corrected code:
$query = mysql_query("SELECT * FROM `users` WHERE `user` = `'".$_POST["user"]."'` AND pass = '".$_POST["pass"]."'") or die(mysql_error())
Please could someone help me understand why the echo command, 'Incorrect Membership Number, please try again.' isn't working?
Everything else seems to be functioning okay.
<?php
define('DB_HOST', 'localhost');
define('DB_NAME', 'DBNAME');
define('DB_USER', 'USER');
define('DB_PASSWORD', 'PASS');
$con = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error());
$db = mysql_select_db(DB_NAME, $con) or die("Failed to connect to MySQL: " . mysql_error());
$mem_no = $_POST['mem_no'];
function SignIn()
{
session_start();
if (!empty($_POST['mem_no'])) {
$query = mysql_query("SELECT * FROM members where mem_no = '$_POST[mem_no]'") or die(mysql_error());
$row = mysql_fetch_array($query) or die(mysql_error());
if (!empty($row['mem_no'])) {
$_SESSION['mem_no'] = $row['mem_no'];
header("Location: " . $_POST['cat_link']);
} else {
echo "Incorrect Membership Number, please try again.";
} // This line is not executing
} else {
echo "Please go back and enter a Membership Number";
}
}
if (isset($_POST['submit'])) {
SignIn();
}
HTML Form as follows:
<form method="post" action="/check.php">
<p>Membership No.</p>
<input name="mem_no" type="text" id="mem_no">
<input name="cat_link" type="hidden" value="https://www.redirectlink.com">
<input name="submit" type="submit" id="submit" value="AELP Member Rate">
</form>
Link to test: https://www.eiseverywhere.com/ehome/index.php?eventid=106953&tabid=239372 and a valid 'Membership Number' is 1234 if you wish to test.
Leaving the form blank does give the correct error message and entering a valid number does redirect me correctly, but inputting an invalid number (9999 for e.g.) doesn't give me the correct output message.
Thank you in advance for any responses.
Regards,
Ash
You need to count rows, because even when a sql query has no results it is not empty. So count it.
function SignIn()
{
session_start();
if (!empty($_POST['mem_no'])) {
$query = mysql_query("SELECT * FROM members where mem_no = '". $_POST['mem_no'] ."'") or die(mysql_error());
#count rows
$count = mysql_num_rows($query);
$row = mysql_fetch_array($query) or die(mysql_error());
#check count
if ($count != 0) {
$_SESSION['mem_no'] = $row['mem_no'];
header("Location: " . $_POST['cat_link']);
} else {
echo "Incorrect Membership Number, please try again.";
}
} else {
echo "Please go back and enter a Membership Number";
}
}
Just a small reminder. mysql_ class in PHP is deprecated and will be removed in the next versions, I suggest you going to use mysqli_ or work with PDO's
Your script is hard to debug for several reasons:
It's unindented (I've fixed that for you in the question)
You're using deprecated mysql functions (see this). Switch to PDO or mysqli.
You have several exit points in your script. Everytime you make a call to the database, you "die" if you fail. that's not good
regardless, I suspect that one of those "die" making your script end prematurely. Instead of using die, handle the errors yourself.
I think this should work:
(Also put error reporting at the top!)
<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);
?>
<?php
session_start();
define('DB_HOST', 'localhost');
define('DB_NAME', 'DBNAME');
define('DB_USER', 'USER');
define('DB_PASSWORD', 'PASS');
$con = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error());
//$db = mysql_select_db(DB_NAME, $con) or die("Failed to connect to MySQL: " . mysql_error()); //Useless
$mem_no = $_POST['mem_no'];
function SignIn() {
if (!empty($_POST['mem_no'])) {
$query = mysql_query("SELECT * FROM members WHERE mem_no = '" . $_POST['mem_no'] . "'") or die(mysql_error());
$row = mysql_fetch_array($query) or die(mysql_error());
$count = mysql_num_rows($query);
if ($count >= 1) {
$_SESSION['mem_no'] = $row['mem_no'];
header("Location: " . $_POST['cat_link']);
} else {
echo "Incorrect Membership Number, please try again.";
} // This line is not executing
} else {
echo "Please go back and enter a Membership Number";
}
}
if (isset($_POST['submit'])) {
SignIn();
}
?>
It doesnt make sense to put two else statements in a row. Take the last else block out of the inner if block
if(!empty($_POST['mem_no'])) {
//code
}else{
echo "Please go back and enter a Membership Number";
}
That should execute just fine
If the value of the result is 0 it has to go to 'cid_check_firstdep.php' otherways (if its 1) it has to go to 'cid_check_depwid.php'.
It has to work, but i don't know why it doesn't. I've tried what i could that i think would be possible to fix it, but nono.
Code:
<?php
$con = mysql_connect("localhost","root","password");
if (!$con)
{
die('Could not connect: ' . mysql_error());
header('Location: /ucp/error.php');
}
$sql = "SELECT validated FROM users WHERE username='".($_SESSION['username'])."'";
mysql_select_db("bluecard");
mysql_query($sql,$con);
if ($sql<'1')
{
mysql_close($con);
header('Location: /ucp/cid_check_firstdep.php');
}
else
{
mysql_close($con);
header('Location: /ucp/cid_check_depwid.php');
}
?>
or do i have to use :
if ($sql=='0')
?
|||
#John Conde
<?php
if(! get_magic_quotes_gpc() )
{
$withdraw = addslashes ($_POST['withdraw']);
}
else
{
$withdraw = $_POST['withdraw'];
}
$con = mysql_connect("localhost","root","password");
if (!$con)
{
die('Could not connect: ' . mysql_error());
header('Location: /ucp/error.php');
}
$__sql = "SELECT cardvalue FROM users WHERE username='".($_SESSION['username'])."'";
mysql_select_db("bluecard");
mysql_query($__sql,$con);
if ($__sql<'5000000')
{
header('Location: /ucp/includes/withdraw_fail.php');
mysql_close($con);
}
else
{
$_sql = "UPDATE users SET Bank=Bank + '$deposit' WHERE Username='".($_SESSION['username'])."'";
mysql_select_db("server");
mysql_query($_sql,$con);
$sql = "UPDATE users SET cardvalue=cardvalue +- '$deposit', thismonth_withdraw=thismonth_withdraw + '$deposit', lastwithdraw = Now() WHERE username='".($_SESSION['username'])."'";
mysql_select_db("bluecard");
mysql_query($sql,$con);
mysql_close($con);
header('Location: /ucp/includes/withdraw_done.php');
}
?>
You're checking the wrong variable for your SQL result. You're using the variable containing your query instead of the variable you never assigned to capture the result of mysql_query(). You also want to use mysql_num_rows() to see how many results were returned.:
$result = mysql_query($sql,$con);
if ($result && mysql_num_rows($result) == 1) {
FYI, you shouldn't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.
Hi Morgan I change your code according to my knowledge. I think this will help you to work done.
If you found any match to the username "count($return_data)" will get 1.
Thanks.
<?php
$con = mysql_connect("localhost","root","password");
$select_db = mysql_select_db("bluecard");
if (!$con)
{
die('Could not connect: ' . mysql_error());
header('Location: /ucp/error.php');
}
$sql = "SELECT validated FROM users WHERE username='".($_SESSION['username'])."'";
$query = mysql_query($sql,$con);
$return_data = array();
while($rows = mysql_fetch_array($query)){
$return_data[]=$rows;
}
if (count($return_data)<=1)
{
mysql_close($con);
header('Location: /ucp/cid_check_firstdep.php');
}
else
{
mysql_close($con);
header('Location: /ucp/cid_check_depwid.php');
}
?>
I need to display a reply data on my page from my 'feedback' field in my mysql table. I want each user to have a different 'feedback' response stored per row and fetched when the user logs into a page through a session. I have set up my database but find it difficult forming the php code to view the feedback on my page...please can someone help../
<?php
session_start();
if ($_SESSION['username'])
{
$con = mysqli_connect('localhost','root','');
if (!$con)
{
die('Could not connect: ' . mysqli_error($con));
}
mysqli_select_db($con,"loginsession");
$username = $_SESSION['username'];
$sql="SELECT * FROM users WHERE username = $username";
$result = mysqli_query($con,$sql);
$feedback = mysql_query("SELECT feedback FROM users WHERE username='$username'");
echo $feedback;
}
else
header("Location: index.php");
?>
$feedback in this case is not a string, its a mysql resource. You need to fetch each row individually with something like:
echo "<PRE>";
while ($row = mysql_fetch_assoc($feedback)) {
print_r($row);
}
Also you should put $username through mysql_real_escape_string() or else your code may be vulnerable to SQL injection attacks.
Edit: (Disclaimer) The method you are using and my suggestion are very outdated and have been depreciated in php5.5 I suggest you look into prepared statements.
$sql = mysql_query("SELECT feedback FROM users WHERE username='{$username}' LIMIT 1");
$feedback = mysql_fetch_assoc($sql);
echo $feedback[0];
<?php
session_start();
if ($_SESSION['username'])
{
$con = mysqli_connect('localhost','root','');
if (!$con)
{
die('Could not connect: ' . mysqli_error($con));
}
mysqli_select_db($con,"loginsession");
$username = $_SESSION['username'];
$sql='SELECT feedback FROM users WHERE username = "'.$username.'"';
$result = mysqli_query($con,$sql);
while($row = mysqli_fetch_array($result))
{
echo $row['feedback'];
}
}
else
header("location: index.php");
?>