I'm a newbie in PHP and SQL programming. Can someone help me with my syntax? Lately I've been creating this code to edit my user and write it to the database, but it always gets an error in oldpassword and password, and it always says the password didn't match even if I do the process correctly. Any help for me? Thanks.
<?php
$update = strip_tags($_POST['update']);
$username = strtolower(strip_tags($_POST['username']));
$oldpassword = strip_tags($_POST['oldpassword']);
$newpassword = strip_tags($_POST['newpassword']);
$firstname = strip_tags($_POST['first']);
$lastname = strip_tags($_POST['last']);
$gender = strip_tags($_POST['gender']);
$address = strip_tags($_POST['address']);
$zipcode = strip_tags($_POST['zip']);
$contact = strip_tags($_POST['con']);
$email = strip_tags($_POST['mail']);
error_reporting(0);
if($update)
{
if($username&& $oldpassword && $newpassword && $firstname && $lastname && $address && $zipcode && $contact && $email)
{
$connect = mysql_connect("localhost","root","") or die(mysql_error());
mysql_select_db("brightlights") or die(mysql_error());
$updatecheck = mysql_query("SELECT * FROM username FROM tb_user WHERE username='$username'");
$count = mysql_num_rows($updatecheck);
if($count<=1)
{
if($_SESSION['password']==($oldpassword))
{
mysql_query("UPDATE tb_user SET
username = '$username',
password = '$newpassword',
Firstname = '$firstname',
Lastname = '$lastname',
gender = '$gender',
address = '$address',
zipcode = '$zipcode',
contact = '$contact',
email = '$email'
WHERE username='".$_SESSION['username']."'");
$_SESSION['username'] = $username;
$_SESSION['password'] = $newpassword;
$_SESSION['Firstname'] = $firstname;
$_SESSION['Lastname'] = $lastname;
$_SESSION['gender'] = $gender;
$_SESSION['address'] = $address;
$_SESSION['zipcode'] = $zipcode;
$_SESSION['contact'] = $contact;
$_SESSION['email'] = $email;
session_write_close();
echo "Succesfully Updated!";
}else
echo "Password not match!";
}else
echo "Username already Taken!";
}else
echo "Please fill up all form!";
}
?>
if($_SESSION['password']==($oldpassword))
But I can't see session_start() after <?php
I think $_SESSION['password'] is an encrypted password that doesn't match. Please echo $_SESSION['password'] and $oldpassword and exit, and check their values.
Related
I have this registration form that a user fills out and it sends to another page that adds the information in my database. Is there a way that after the person registers I can send the username and password to the sign-in page and it logs them in automatically?
this is the code that adds into my database after a user has registered:
require "connection.php";
session_start();
if ($_POST['firstname'] != "" && $_POST['lastname'] !="" && $_POST['email'] != "" && $_POST['username'] !="" && $_POST['password'] !="")
{
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$username = $_POST['username'];
$query1="SELECT * FROM users WHERE username = '$username' ";
$username = mysqli_real_escape_string($conn,$username);
$password = mysqli_real_escape_string($conn,$password);
$firstname = mysqli_real_escape_string($conn,$firstname);
$lastname = mysqli_real_escape_string($conn,$lastname);
$email = mysqli_real_escape_string($conn,$email);
$result = mysqli_query($conn,$query1)
or die(mysqli_error($conn));
if(mysqli_num_rows($result) != 0)
{
$_SESSION['er_firstname'] = $firstname;
$_SESSION['er_lastname'] = $lastname;
$_SESSION['er_email'] = $email;
header("Location: index.php/?a=1");
}
else {
unset($_SESSION['er_firstname']);
unset($_SESSION['er_lastname']);
unset($_SESSION['er_email']);
$query = "INSERT INTO users (firstname, lastname, password, username) VALUES ('$firstname','$lastname','$email','$password', '$username')";
$data = mysqli_query($conn,$query)or die(mysqli_error($conn));
header("Location: index.php/?a=2");
}
}
?>
And this is my login code for when a user normally enters their username and password to log in:
<?php
session_start();
$username = $_POST['username']; //either username or email
$password = $_POST['password'];
if($username=="" || $password == "")
{
header("Location: index.php");
}
require "connection.php";
if(!empty($username) && !empty($password)) {
$username = mysqli_real_escape_string($conn,$username);
$password = mysqli_real_escape_string($conn,$password);
$query = "SELECT * FROM users WHERE username = '$username' OR email = '$username' AND password = '$password'";
$data = mysqli_query($conn,$query);
if($data) {
if (mysqli_num_rows($data) == 1 ) {
$row = mysqli_fetch_assoc($data);
$_SESSION['id'] = $row['id'];
$_SESSION['username'] = $row['username'];
header("Location: http://home");
}
else {
header("Location: index.php/?i=1");
exit();
} }
else {
die("Query failed");
}
}
else {
$_SESSION['message'] = "Please enter a email and password";
header("Location: index.php");
exit();
}
So is there a way to send add.php to login.php? I tried switching the add.php header location to login.php but it didn't work.
You could bypass the entire login screen. You can just apply login logic into your registration processing.
This would involve adding three lines of code by the looks of it.
$_SESSION['id'] = mysqli_insert_id($conn);
$_SESSION['username'] = $username;
header("Location: http://home");
I am using the code below to encrypt the user's password during registration. But the problem is that I can't log in with the same password again. It might be because the password in the DB is different and encrypted and not the same as the password the user enters.
<?php
if(isset($_POST['submit'])) {
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];
if(!empty($firstname) && !empty($lastname) && !empty($username) && !empty($email) && !empty($password)) {
$firstname = mysqli_real_escape_string($db_connect, $firstname);
$lastname = mysqli_real_escape_string($db_connect, $lastname);
$username = mysqli_real_escape_string($db_connect, $username);
$email = mysqli_real_escape_string($db_connect, $email);
$password = mysqli_real_escape_string($db_connect, $password);
$sql = "SELECT randsalt FROM user ";
$select_randsalt_query = mysqli_query($db_connect, $sql);
if(!$select_randsalt_query) {
die("Query failed".mysqli_error($db_connect));
}
while($row = mysqli_fetch_array($select_randsalt_query)) {
$salt = $row['randsalt'];
///crypt function takes 2 parameter. one from DB
///and other from user input.
// $password = crypt($password, $salt);
}
$sql_register ="INSERT INTO user(user_firstname, user_lastname, username, user_email, user_password, user_role )";
$sql_register .="VALUES('{$firstname}', '{$lastname}', '{$username}', '{$email}', '{$password}', 'Unknown' ) ";
$query_register = mysqli_query($db_connect, $sql_register);
if(!$query_register) {
die("Query failed".mysqli_error($db_connect));
}
$message = "<h3>Your Registration has been Submitted</h3>";
} else {
$message = "<h3>You Can't leave field Empty</h3>";
}
} else {
$message = '';
}
?>
I tried to do something like this in login.php
<?php
if(isset($_POST['submit'])){
$Username = $_POST['Username'];
$Password = $_POST['Password'];
//To prevent SQL injection and store into new variable
$Username = mysqli_real_escape_string($db_connect, $Username);
$Password = mysqli_real_escape_string($db_connect, $Password);
$sql_login = "SELECT * FROM user WHERE username = '{$Username}' ";
$query_login = mysqli_query($db_connect, $sql_login);
if(!$query_login){
die("Query Failed".mysqli_error($db_connect));
}
while($row = mysqli_fetch_assoc($query_login)){
$username = $row['username'];
$user_password = $row['user_password'];
$user_firstname = $row['user_firstname'];
$user_lastname = $row['user_lastname'];
$user_email = $row['user_email'];
$user_role = $row['user_role'];
}
$Password = crypt($Password, $user_password);
///User validation
if( ($Username === $username && $Password === $user_password) && $user_role === "Admin"){
//Using session to store information from db
//Using session from right to left. Right is the variable got from db.
$_SESSION['USERNAME'] = $username;
$_SESSION['PASSWORD'] = $user_password ;
$_SESSION['FIRSTNAME'] = $user_firstname;
$_SESSION['LASTNAME'] = $user_lastname;
$_SESSION['EMAIL'] = $user_email;
$_SESSION['ROLE'] = $user_role;
header("Location: ../admin/index.php");
}else{
header("Location: ../index.php");
}
}
?>
but this is not working. Sorry people I just entered to the PHP world and don't have deep understanding.
Welcome to PHP development. Let me make your life a lot easier:
Regardless of what your tutorial/book/friend said, don't escape strings, use prepared statements instead. They're a lot easier to implement safely and your life becomes a heck of a lot easier. (If you rely on escaping, and you remember to escape 2999 out of 3000 parameters a user can control, you're still vulnerable.)
Instead of mucking about with crypt(), just use password_hash() and password_verify().
There are updated guides everywhere that can explain how to use these features better, but http://www.phptherightway.com is the one the community points to the most.
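The advice above in practice, as an added example that is not part of the original answer: registration and login using prepared statements with password_hash() and password_verify(). It assumes PDO with an in-memory SQLite database standing in for the MySQL `user` table; the helper names register_user and verify_login are hypothetical.

```php
<?php
// Added example. Assumption: PDO with in-memory SQLite stands in for the MySQL `user` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (
    username      TEXT PRIMARY KEY,
    user_password TEXT NOT NULL,
    user_role     TEXT NOT NULL
)');

// Hypothetical helper: returns false when the username is already taken.
function register_user(PDO $db, string $username, string $password, string $role = 'Unknown'): bool
{
    // password_hash() picks a random salt and stores it inside the returned string,
    // so no separate randsalt column is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO user (username, user_password, user_role) VALUES (?, ?, ?)');
    try {
        return $stmt->execute([$username, $hash, $role]);
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') { // integrity constraint: duplicate username
            return false;
        }
        throw $e;
    }
}

// Hypothetical helper: returns the user row (without the hash) or null on failure.
function verify_login(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT username, user_password, user_role FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The raw submitted password goes to password_verify(); it is never escaped or put into SQL.
    if ($row === false || !password_verify($password, $row['user_password'])) {
        return null;
    }
    if (password_needs_rehash($row['user_password'], PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE user SET user_password = ? WHERE username = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    unset($row['user_password']); // keep the hash out of $_SESSION
    return $row;
}

// Constructed sample data: the password contains quote characters on purpose.
$pw = "it's \"quoted\"";
var_dump(register_user($db, 'alice', $pw, 'Admin'));      // first registration
var_dump(register_user($db, 'alice', 'other'));           // same username again
var_dump(verify_login($db, 'alice', $pw));                // correct password
var_dump(verify_login($db, 'alice', 'wrong'));            // wrong password
var_dump(verify_login($db, "alice' OR '1'='1", $pw));     // quotes are data, not SQL
```

With a real MySQL server only the PDO connection string changes; the role check from the login script would then be applied to the row that verify_login returns.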
I am having problems displaying my users information that they inputted at sign up once they have logged in again. Once I sign up the information will be displayed properly on my account page but when I log out and log back in the information disappears. How can I access the information for when my users login?
This is my user sign up.
<?php
include 'global_settings.php';
function NewUser() {
$firstName = $_POST['firstName'];
$lastName = $_POST['lastName'];
$email = $_POST['email'];
$username = $_POST['username'];
$password = $_POST['password'];
$query = "INSERT INTO userlogin (firstName, lastName, email, username, password) VALUES ('$firstName', '$lastName', '$email', '$username', '$password')";
$data = mysql_query ($query)or die(mysql_error());
if($data) {
session_start();
$_SESSION["firstName"] = $firstName;
$_SESSION["lastName"] = $lastName;
$_SESSION["userName"] = $username;
$_SESSION["email"] = $email;
header("Location: ../chooseyoursport.php");
}
}
NewUser();
function SignUp() {
if(!empty($_POST['username'])){ //checking the 'user' name which is from Sign-Up.html, is it empty or have some text
$query = mysql_query("SELECT * FROM userlogin WHERE Username = $username AND Password = $password") or die(mysql_error());
if(!$row = mysql_fetch_array($query) or die(mysql_error())) {
newuser();
} else {
echo "SORRY...YOU ARE ALREADY REGISTERED USER...";
}
}
}
if(isset($_POST['submit'])) {
SignUp();
}
?>
This is my user login.
<?php
error_reporting(0);
session_start();
include 'global_settings.php';
//Convert POST to normal variables
$password = $_POST['password'];
$username = $_POST['username'];
$sql = mysql_query("SELECT * FROM userlogin WHERE Username='$username' AND Password='$password'");
$login_check = mysql_num_rows($sql);
// if login_check is greater than 0 then it will register a session (meaning if the user exists username and password are both correct)
if($login_check > 0){
while($row = mysql_fetch_array($sql)){
foreach( $row AS $key => $val){
$$key = stripslashes($val);
}
session_start();
$_SESSION["firstName"] = $firstName;
$_SESSION["lastName"] = $lastName;
$_SESSION["userName"] = $username;
$_SESSION["email"] = $email;
header("Location: ../chooseyoursport.php");
//echo "It worked";
}
} else {
echo "You could not be logged in! Either your username or password is incorrect <br> Please try again!";
}
?>
1) $$key = stripslashes($val); Double $$
2) Data which you are putting into $_SESSION is empty;
3) session_start(); 2 times in one program's space
4) And everything else that the guys have said above
foreach( $row AS $key => $val){
$$key = stripslashes($val);
}
session_start();
$_SESSION["firstName"] = $firstName;
$_SESSION["lastName"] = $lastName;
$_SESSION["userName"] = $username;
$_SESSION["email"] = $email;
header("Location: ../chooseyoursport.php");
Here is the code
<?php
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];
$phone = $_POST['phone'];
$referral = $_POST['refer'];
$referred = false;
mysql_connect("localhost","username","password") or die (mysql_error());
mysql_select_db("database") or die ("Cannot connect to database");
$query = mysql_query("Select * from member");
while($row = mysql_fetch_array($query))
{
$table_users = $row['username'];
$table_email = $row['email'];
$table_phone = $row['phone'];
if($referral == $table_users)
{
$referred = true;
}
if($username == $table_users || $email == $table_email || $phone == $table_phone)
{
$bool = false;
}
}
if(($bool))
{
$username = mysql_real_escape_string($username);
mysql_query("INSERT INTO member (username, password, email, phone, refer) VALUES ('$username', '$password', '$email', '$phone', '$referral')");
if($referred)
{
$from="Sent from test";
$subject="New user referred.";
$message="A new user " . $username . " has been referred by " . $referral . "Please stay updated. ";
mail("mymail", $subject, $message, $from);
}
$_SESSION['login'] = true;
echo "Thank you for registering with us.You can login now to start earning.";
}
If the referral code field is left empty or it does not match any value in database it still sends
the mail. So, what is going on here? I have added some more code. I left a part of it earlier.
This statement if($referral == $table_users) doesn't look right. You have not set the $referral variable anywhere in your code.
I have a login page that allows the user to enter an email and password and then submit. The system checks whether the data is correct and displays the profile page, and if not it displays a message informing the user that the data is not correct.
But the problem is that if I put header("Location:profile.php"); the system does not work,
but if I echo a message that informs the user that the data is correct, the browser displays this message without any problem.
login.php
<?php
session_start();
ob_start();
error_reporting(E_ALL);
require_once('include/connect.php');
//$message = "";
if(!empty($_POST['email']))
{
$email = $_POST['email'];
$pass = $_POST['pass'];
$email = strip_tags($email);
$pass = strip_tags($pass);
$email = mysql_real_escape_string($email);
$pass = mysql_real_escape_string($pass);
//$pass = md5($pass);
$sql=mysql_query( "SELECT user_id, email_address, first_name FROM user WHERE email_address='$email'AND password='$pass'LIMIT 1") or die("error in user table");
$login_check = mysql_num_rows($sql);
if($login_check > 0)
{
$row = mysql_fetch_array($sql);
$id = $row['user_id'];
$_SESSION['user_id'] = $id;
$firstname = $row['first_name'];
$_SESSION['first_name']= $firstname;
$email = $row['email_address'];
$_SESSION['email_address']= $email;
mysql_query("UPDATE user SET last_log_date=now() WHERE user_id='$id'");
//$message = "correct email and passworddd!!";
header("Location:profile.php");
exit();
}//close if
else
{
//$message = "incorrect Email or Password!!";
//exit();
}
}//close if
?>
profile.php
<?php
session_start();
require_once('include/connect.php');
if(isset($_GET['user_id']))
{
$id=$_GET['user_id'];
var_dump($id);
}
elseif(isset($_SESSION['user_id']))
{
$id= $_SESSION['user_id'];
}
else
{
print "Important data are missing";
print_r($_SESSION);
exit();
}
$sql = mysql_query("SELECT * FROM user WHERE user_id='$id'") or die(mysql_error());
$row = mysql_fetch_array($sql);
$firstname=$row['first_name'];
$lastname=$row['last_name'];
$birth_date=$row['birth_date'];
$registered_date=$row['registered_date'];
//***************for upload img*****************//
$check_pic="members/$id/image01.jpg";
$default_pic="members/0/image01.jpg";
if(file_exists($check_pic))
{
$user_pic="<img src=\"$check_pic\"width=\"100px\"/>";
}
else
{
$user_pic="<img src=\"$default_pic\">";
}
echo $id, $firstname, $birth_date;
?>
use ob_end_flush() before php close tag ?>
You can use JavaScript there to redirect to the profile page, because any small mistake, like printing before it or any space, can cause problems with the PHP header() function. So better use JavaScript there.
Check with the code below:
?>
<script>
window.location.href="profile.php";
</script>
<?
I have doubt in this line of profile.php
require_once('include/connect.php');
If path of profile.php is faulty, you have to change things in your
header("Location: xyz/profile.php");
Please check that this relative path is correct!
Try this.
<?php
session_start();
ob_start();
error_reporting(E_ALL);
require_once('include/connect.php');
//$message = "";
if(isset($_POST['email']))
{
$email = $_POST['email'];
$pass = $_POST['pass'];
$email1 = mysql_real_escape_string(strip_tags($email));
$pass1 = mysql_real_escape_string(strip_tags($pass));
//$pass = md5($pass);
$sql = mysql_query("SELECT user_id, email_address, first_name FROM user WHERE email_address='$email1' AND password='$pass1' LIMIT 1") or die("error in user table");
$login_check = mysql_fetch_assoc($sql);
if($login_check)
{
$row = $login_check;
$id = $row['user_id'];
$_SESSION['user_id'] = $id;
$firstname = $row['first_name'];
$_SESSION['first_name']= $firstname;
$email = $row['email_address'];
$_SESSION['email_address']= $email;
mysql_query("UPDATE user SET last_log_date=now() WHERE user_id='$id'");
//$message = "correct email and passworddd!!";
header("Location: profile.php");
exit();
}//close if
else
{
//$message = "incorrect Email or Password!!";
//exit();
}
}//close if
?>