I've spent quite a long time trying to figure out why this block of code is not working. After logging in (on an html page that uses post to send the data to this php document) it says: "cannot select the database!!" (without quotes). Please help! Thank you!
<?php
$host="localhost";
$username="root";
$password="";
$db_name="firstTestLogins";
$tbl_name="members";
mysql_connect("$host", "$username, $password") or die("cannot connect to the database!!");
mysql_select_db("firstTestLogins") or die("cannot select the database!!");
$username=$_POST['username'];
$password=$_POST['password'];
$username=stripslashes($username);
$password=stripslashes($password);
$username=mysql_real_escape_string($username);
$password=mysql_real_escape_string($password);
$password = md5($password);
echo "This is a debug statement. User = $username and password = $password <br><br><br>";
if(!($sql="SELECT * FROM $tbl_name WHERE username = '$username' and password = '$password")) {die(mysql_error());}
$result = mysql_query($sql);
$test3 = mysql_num_rows(/*$result*/mysql_query($sql));
echo "$test3";
if(mysql_num_rows(/*$result*/mysql_query($sql))) { //should be true because only one row should match the user and pass
$_SESSION['username'] =1;
$_SESSION['password'] =1;
header("location:login_success.php");
}
else {
echo "The incorrect username or password was inserted";
}
?>
This is wrong:
mysql_connect("$host", "$username, $password");
it needs to be
mysql_connect($host, $username, $password);
you will see the exact problem by outputting mysql_error().
mysql_select_db("firstTestLogins")
or die("cannot select the database! ".mysql_error());
please change the code from:
mysql_select_db("firstTestLogins") or die("cannot select the database!!");
to:
mysql_select_db("firstTestLogins") or die(mysql_error());
This will help you to figure out why MYSQL cannot select the DB
In addition to the comments about selecting the database:
if(!($sql="SELECT * FROM $tbl_name WHERE username = '$username' and password = '$password")) {die(mysql_error());}
Silly doing a test with a mysql_error if the $sql string isn't being set... this won't generate a mysql error
You're also missing a closing ' in your $sql
$sql="SELECT * FROM $tbl_name WHERE username = '$username' and password = '$password'";
$result = mysql_query($sql);
if(!$result)
die(mysql_error());
Only thing I can think of is that the firstTestLogins database either doesn't exist on the database or is not accessible by the username/password combination you're using.
<?php
//CONNECT TO DATABASE
$db_host="localhost";
$db_username="root";
$db_pass="";
$db_name="admin";
#mysql_connect("$db_host","$db_username","$db_pass","$db_name")
or die ("not connect");
#mysql_select_db("$db_name") or die ("no database");
echo "succesful connection";
//THEN I CHECK THE VALUES FROM MY FORM
if($_SERVER ['REQUEST_METHOD']=='POST'){
$username=$_POST['username'];
$password=$_POST['password'];
$username=htmlspecialchars($username);
$password=htmlspecialchars($password);
//SEARCH INTO MY DATABASE TABLE
$SQL="SELECT * FROM members WHERE`` username=$username AND password=$password ";
$result=mysql_query($SQL);
//BASED ON MY RESULTS I GIVE TO SESSION VARIABLE A VALUE 1 OR "" AND REDIRECT TO INDEX.PHP
if($result){
$num_rows=mysql_num_rows($result);
if($num_rows>0){
session_start();
$_SESSION['check']="1";
header ("Location:index.php");
}
else{
session_start();
$_SESSION['check']="";
header ("Location:index.php");
}
}
}
?>
#mysql_connect and #mysql_select_db: Please don't do that,
Use mysqli instead of the deprecated mysql extension, see Why shouldn't I use mysql_* functions in PHP?
There is a reason why functions may throw errors; you should handle them instead of using # so they don't show up.
To your problem:
Look at your sql statement:
$SQL="SELECT * FROM members WHERE`` username=$username AND password=$password ";
That doesn't work, you pass $password as plain text for the password, not the value of this var, try:
$SQL='SELECT * FROM members WHERE username="' . $username . '" AND password="' . $password . '"';
I think you have issue in your sql query. So try this
$SQL="SELECT * FROM members WHERE `username`='".$username."' AND `password`='".$password."' ";
Issue :
1) You are using direct $username without single quote so if username is string it will not work
2) check that special character you are using after WHERE
I have been working with MYSQL in the past and am no expert but have managed to produce a simple MySQL login script. However, I am aware that my script is basic and outdated, and that I should be using MYSQLI.
However, MYSQLI doesn't really make any sense to me, as I have tried the following code in MySQL but I can't seem to get it to work and I get undefined index errors.
<?php
session_start();
include("config.php");
if (mysqli_connect_errno())
{
echo 'MySQLi Connection was not established:';
}
// checking the user
$myusername = mysqli_real_escape_string($conn,$_POST[‘myusername’]);
$pass = mysqli_real_escape_string($conn,$_POST[‘mypassword’]);
$sel_user = 'select * from supplier_users where username=’$myusername’ AND password=’$pass';
$run_user = mysqli_query($conn, $sel_user);
$check_user = mysqli_num_rows($run_user);
if($check_user>0){
$_SESSION[‘user’]=$myusername;
echo “success”;
}
else {
echo “fail”;
}
?>
here is my MySQL login script which works fine:
<?php
session_start();
include("config.php");
$tbl_name="internal_users";
$tbl_name2="supplier_users";
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql = "select * from $tbl_name where username = '$myusername' and password = '$mypassword'
union
select * from $tbl_name2 where username = '$myusername' and password = '$mypassword'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
$row=mysql_fetch_array($result);
if($count==1){
session_start();
include("variables.php");
if($result){
$sql2 = "UPDATE $tbl_name2 SET online = 'online' WHERE online = 'offline' AND username = '$myusername'";
$result2=mysql_query($sql2);
$sql21 = "UPDATE $tbl_name SET online = 'online' WHERE online = 'offline' AND username = '$myusername'";
$result21=mysql_query($sql21); }
else
$_SESSION['val']=1;
header("location:../dashboard.php");
}
else {
$_SESSION['message2'] = '<div id="message_box2"><div class="boxclose" id="boxclose" onclick="this.parentNode.parentNode.removeChild(this.parentNode);">✖</div><h23>Oooops!</h23><p>The Username and Password Combination do not match. Please try again.</p> </div>';
header("location:../index.php");
}
ob_end_flush();
?>
my config.php file looks like this:
<?php
$host="localhost";
$username="mark";
$password="password";
$db_name="hewden1";
$conn = mysql_connect($host, $username, $password) or die("Could Not Connect to Server");
$db = mysql_select_db($db_name)or die("Cannot Connect the Database");
?>
my question is, could someone please show me how I can convert my simple login script from MYSQL to MYSQLI and make it more secure in the way that I am trying to do above? I really would appreciate anyone's help with this as I am really struggling to understand.
Thanks
The Mysqli code that you posted seems sort of malformed; the quotes are some other encoding type of quotes: ’ when it should be '. IDK if that would make sense though.
Also in your select statement :
$sel_user = 'select * from supplier_users where username=’$myusername’ AND password=’$pass';
in the end a quote is missing and it should rather be like
$sel_user = "select * from supplier_users where username='$myusername' AND password='$pass'";
and it doesn't make sense to use mysql() instead of mysqli(), since the former is deprecated.
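Added example (not part of the original posts): the login check from the question above written for mysqli with a prepared statement and `password_verify()`, so the user input never becomes part of the SQL text and the password is not compared in plain text. It assumes `supplier_users.password` stores `password_hash()` output and that the connection is opened here instead of in `config.php`; the function names `find_password_hash` and `check_login` are hypothetical, and the credentials are the ones shown in the question.

```php
<?php
// Added example, not code from the original posts.
// Assumption: supplier_users.password holds password_hash() output.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors instead of failing silently

// Hypothetical helper: returns the stored hash, or null if the user does not exist.
function find_password_hash(mysqli $conn, string $username): ?string
{
    // The ? placeholder keeps user input out of the SQL text: no quoting, no escaping.
    $stmt = $conn->prepare('SELECT password FROM supplier_users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true when a row was fetched, null when none matched
    $stmt->close();
    return $found ? $hash : null;
}

// Hypothetical helper: true only when the user exists and the password matches the hash.
function check_login(mysqli $conn, string $username, string $password): bool
{
    $hash = find_password_hash($conn, $username);
    return $hash !== null && password_verify($password, $hash);
}

session_start();

// Missing or non-string form fields become '' instead of raising "undefined index".
$username = is_string($_POST['myusername'] ?? null) ? $_POST['myusername'] : '';
$password = is_string($_POST['mypassword'] ?? null) ? $_POST['mypassword'] : '';

// Connection values as shown in the question's config.php.
$conn = new mysqli('localhost', 'mark', 'password', 'hewden1');
$conn->set_charset('utf8mb4');

if ($username !== '' && check_login($conn, $username, $password)) {
    session_regenerate_id(true);   // fresh session id after login (session fixation)
    $_SESSION['user'] = $username;
    header('Location: ../dashboard.php');
} else {
    $_SESSION['message2'] = 'The Username and Password Combination do not match. Please try again.';
    header('Location: ../index.php');
}
exit;
```

Existing rows that hold plain-text passwords have to be re-stored with `password_hash()` before this check can succeed for them.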
I'm going to update a row in a MySQL database. The scenario is: taking the values from a form, redirecting to another file and setting the form values in the database using an UPDATE statement. The problem is that mysql_query returns the value 1 and does not return any error, but when I check the database through phpMyAdmin my database isn't affected.
Here is the code:
<?php
$host="localhost";
$username="root";
$password="";
$db_name="login_takrim";
$tbl_name="takrim_users";
// Connect to server and select databse.
mysql_connect("c$host","$username","$password") or die("can not connect");
mysql_select_db($db_name) or die(mysql_error());
// username and password sent from form
$myusername=$_POST["txtusername"];
$mypassword=$_POST["txtpassword"];
$myemail=$_POST["txtemail"];
// To protect MySQL injection
$myusername=stripslashes($myusername);
$myemail=stripslashes($myemail);
$mypassword=stripslashes($mypassword);
$myemail=mysql_real_escape_string($myemail);
$myusername=mysql_real_escape_string($myusername);
$mypassword=mysql_real_escape_string($mypassword);
echo "$myusername $mypassword $myemail";// test to see i get the form value on the php server.
$sql="UPDATE $tbl_name SET username = '$myusername' and password = '$mypassword' and email= '$myemail' where showname='hussein'";
$result=mysql_query($sql) or die(mysql_error());//does not return error
echo $result;
if($result==false)
{
echo "no";
}
else
{
//header("location:setEmail.php");
echo "yes";
}
?>
The query may have executed correctly; maybe there were no matching records. Just do it like this:
<?php
$host="localhost";
$username="root";
$password="";
$db_name="login_takrim";
$tbl_name="takrim_users";
// Connect to server and select databse.
mysql_connect("$host","$username","$password") or die("can not connect");
mysql_select_db($db_name) or die(mysql_error());
// username and password sent from form
$myusername=$_POST["txtusername"];
$mypassword=$_POST["txtpassword"];
$myemail=$_POST["txtemail"];
// To protect MySQL injection
$myusername=stripslashes($myusername);
$myemail=stripslashes($myemail);
$mypassword=stripslashes($mypassword);
$myemail=mysql_real_escape_string($myemail);
$myusername=mysql_real_escape_string($myusername);
$mypassword=mysql_real_escape_string($mypassword);
echo "$myusername $mypassword $myemail";// test to see i get the form value on the php server.
$sql="UPDATE $tbl_name SET username = '$myusername', password = '$mypassword',email= '$myemail' where showname='hussein'";
$result=mysql_query($sql) or die(mysql_error());//does not return error
if(mysql_affected_rows() > 0) // UPDATE returns true, not a result set, so count the affected rows
{
//header("location:setEmail.php");
echo "yes";
}
else
{
echo "no";
}
?>
Change your UPDATE statement like this:
$sql="UPDATE $tbl_name SET `username` = '$myusername',`password` = '$mypassword',`email`= '$myemail' where `showname`='hussein'";
Disclaimer: Stop using mysql_* functions as they are deprecated. Switch to MySQLi or PDO instead.
You have an extra c here (before $host):
mysql_connect("c$host","$username","$password") or die("can not connect");
I'm fairly new to SQL and PHP.
I'm trying to write a simple login script. I have a form in a HTML document that I have proved posts the correct data into the 2 variables required but my script fails when it executes the SQL...
I've also tested the SQL in mysqlWorkbench and I get the result I want ???
Please help.
Here is my script:
<?PHP
$odbc = mysql_connect('localhost', 'root', '') or die ("could not connect to database");
mysql_select_db('examresults', $odbc) or die("Could not find database");
// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];
$sql='SELECT * FROM tuser where username = '.$username.' and password = '.$password.'';
$result = mysql_query($sql, $odbc) or die ("Error in SQL");
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
//If result matched username and password, table row must only equal 1 row
if($count==1)
{
header("location:exammenu.php");
}
else
{
echo 'username and password do not match';
}
?>
Note: mysql_* functions are deprecated, you should not use them anymore. Your code is also vulnerable to SQL Injections.
Using mysql_error instead of just printing out "Error in SQL" would give us (and you) a more detailed sql error message. But most likely it is failing because you forgot to put " " around your strings in the query.
$sql='SELECT * FROM tuser where username = "'.$username.'" and password = "'.$password.'"';
If you're really going to need to use mysql, at least sanitize your input. Also note the quotes in the $sql variable. This should work (though not tested):
<?PHP
$odbc = mysql_connect('localhost', 'root', '') or die ("could not connect to database");
mysql_select_db('examresults', $odbc) or die("Could not find database");
// username and password sent from form
$username=mysql_real_escape_string($_POST['username'], $odbc);
$password=mysql_real_escape_string($_POST['password'], $odbc);
$sql=sprintf('SELECT * FROM tuser where username = "%s" and password = "%s"', $username, $password);
$result = mysql_query($sql, $odbc) or die ("Error in SQL");
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
//If result matched username and password, table row must only equal 1 row
if($count==1)
{
header("location:exammenu.php");
}
else
{
echo 'username and password do not match';
}
I suggest using sprintf to format your sql statement to make it easier to spot such errors.
The query should be as below:
$sql='SELECT * FROM tuser where username = "'.$username.'" and password = "'.$password.'"';
You can try this code. I think it will work correctly.
<?PHP
$odbc = mysql_connect('localhost', 'root', '') or die ("could not connect to database");
mysql_select_db('examresults', $odbc) or die("Could not find database");
// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];
$sql="SELECT * FROM tuser where username = '".$username."' and password = '".$password."'";
$result = mysql_query($sql, $odbc) or die ("Error in SQL");
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
//If result matched username and password, table row must only equal 1 row
if($count==1)
{
header("location:exammenu.php");
}
else
{
echo 'username and password do not match';
}
?>
SOLUTION: I was pointed at the wrong database thanks for the help.
The count below returns 0, but when I run it manually there is a result.
By manually I mean copying the SQL that is echoed by my code and pasting it into the MySQL command.
<?
$host="localhost"; // Host name
$username="userName"; // Mysql username
$password="userPW"; // Mysql password
$db_name="dbName"; // Database name
$tbl_name="userBase"; // Table name
// Connect to server and select databse.
$link=mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$user=$_POST['user'];
$pass=$_POST['pass'];
// To protect MySQL injection (more detail about MySQL injection)
$user = stripslashes($user);
$pass = stripslashes($pass);
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);
$salt = substr($pass, 0, 1);
$encrypted_pswd = crypt($pass, $salt);
$sql="SELECT * FROM $tbl_name WHERE user=\"$user\" and pass=\"$encrypted_pswd\";";
echo $sql."<br>";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
echo "count=".$count."<br>";
?>
Try:
$sql = sprintf("SELECT * FROM %s WHERE user='%s' and pass='%s'", $tbl_name, $user, $encrypted_pswd);