Here is my login PHP code.
<?php // rnlogin.php
include_once 'rnheader.php';
echo "<h3>Member Log in</h3>";
$error = $user = $pass = "";
if (isset($_POST['user']))
{
$user = sanitizeString($_POST['user']);
$pass = sanitizeString($_POST['pass']);
if ($user == "" || $pass == "")
{
$error = "Not all fields were entered<br />";
}
else
{
$query = "SELECT user,pass FROM rnmembers
WHERE user='$user' AND pass='$pass'";
if (mysql_num_rows(queryMysql($query)) == 0)
{
$error = "Username/Password invalid<br />";
}
else
{
$_SESSION['user'] = $user;
$_SESSION['pass'] = $pass;
die("You are now logged in. Please
<a href='rnmembers.php?view=$user'>click here</a>.");
}
}
}
echo <<<_END
<form method='post' action='rnlogin.php'>$error
Username <input type='text' maxlength='16' name='user'
value='$user' /><br />
Password <input type='password' maxlength='16' name='pass'
value='$pass' /><br />
<input type='submit' value='Login' />
</form>
_END;
?>
As you can see the error message is printed with echo.
Is there a way that I can put this error message in a control and display it only if there is error?
It sounds like I have to combine PHP with JavaScript?
The following code is used by Gmail to display error message.
It works even if JavaScript is turned off.
In other words, they use some techniques independent of JS.
Any idea, how I can do similar thing here?
<code>
<td align="left">
<div id="errormsg_0_Passwd" class="errormsg">
The username or password you entered is incorrect.
[<a target="_blank" name="helpLink" href="http://www.google.com/support/accounts/bin/answer.py?answer=27444&hl=en&ctx=ch_ServiceLoginAuth&p=mail">?</a>]
</div>
</td>
</code>
Thank you
Is there a way that I can put this error message in a control and display it only if there is error?
in PHP you can do anything. Want to put this error message in a control? Put it into control
if ($error) $error = "<control>$error</control>";
You have to distinguish string operation from echoing.
echoing a string is not the only way of string manipulations.
you can prepare your string first and then echo it out.
So, you can prepare all parts of the string first, and then print them all together.
Also, there is another way to output HTML, a preferred one.
<?php
// your php code here
//before output we close PHP tag and use pure HTML
//with some PHP specks
?>
<form method="post" action="rnlogin.php">
<?php if($error): ?>
<code>
<td align="left">
<div id="errormsg_0_Passwd" class="errormsg">
<?php echo $error ?>
</div>
</td>
</code>
<? endif ?>
Username <input type='text' maxlength='16' name='user'
value='$user' /><br />
Password <input type='password' maxlength='16' name='pass'
value='$pass' /><br />
<input type='submit' value='Login' />
</form>
Your answer stays in your question!
You declared $error="" make use of this,
check like this
if($error!="") echo $error;
anyone in my opinion do like this if the error exists then show it other wise do the rest.
for this you may need to change your code..
make the html part out of php tags and inside the html part use php tags again and display the error message.
in my observation you need to have bit knowledge on html also.
Related
I was wondering if someone could give me a hand. My browser is executing most of my php code, but when it gets to certain line, it prints the code instead of executing it.
My code is:
<!DOCTYPE html>
<html>
<body>
<?php
//Display registration form
function register_form(){
$date = date('D, M, Y');
echo <form action='?act=register' method='post'>
Username: <input type='text' name='username' size='30'><br>
Password: <input type='password' name='password' size='30'><br>
Confirm your password: <input type='password' name='password_conf' size='30'><br>
Email: <input type='text' name='email' size='30'><br>
<input type='hidden' name='date' value='$date'>
<input type='submit' value='Register'>
</form>;
}
?>
<?php
//Register users data.
function register(){
//Connecting to database
$connect = mysql_connect("localhost", "username" "password");
if(!$connect){
die(mysql_error());
}
//Selecting database
$select_db = mysql_select_db("database", $connect);
if(!$select_db){
die(mysql_error());
}
?>
<?php
//Collecting info
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
$pass_conf = $_REQUEST['password_conf'];
$email = $_REQUEST['email'];
$date = $_REQUEST['date'];
//Check input fields
if(!empty($username)){
die("Please enter your username!<br>");
}
if(!empty($password)){
die('Please enter your password!<br>');
}
if(!empty($pass_conf)){
die("Please confirm your password!<br>");
}
if(!empty($email)){
die("Please enter your email!");
}
?>
<?php
//Check username availability
$user_check = mysql_query("SELECT username FROM users WHERE username='$username'");
$do_user_check = mysql_num_rows($user_check);
//Check if email availability
$email_check = mysql_query("SELECT email FROM users WHERE email='$email'");
$do_email_check = mysql_num_rows($email_check);
//Display errors
if($do_user_check > 0){
die("Username is already in use!<br>");
}
if($do_email_check > 0){
die("Email is already in use!");
}
//Check if passwords match
if($password != $pass_conf){
die("Passwords don't match!");
}
?>
<?php
//Register user
$insert = mysql_query("INSERT INTO users (username, password, email) VALUES ('$username', '$password', '$email')");
if(!$insert){
die("There's little problem: ".mysql_error());
}
echo $username.", you are now registered. Thank you!<br><a href=login.php>Login</a>" ;
}
?>
<?php
switch($act){
default;
register_form();
break;
case "register";
register();
break;
}
?>
</body>
</html>
It prints a lot of the closing ?> tags, but if I remove the tag as well as its opening counterpart, it prints all the code that was between. I've been stuck on this for the last few days and really need some help. Thanks in advance.
UPDATE
I figured it out. I was executing from the directory instead of the address. (not sure if I worded that right). So instead browser pointing to registration page from "http://localhost:port/register.php" it was pointing to "file:///C:/xampp/htdocs/register.php"
Put double quotes around anything you to be echoed since there are single quotes used inside the strings. A simple example:
Ps. you have some other syntax errors as well, but if only you care.
One of them on line 45: $connect = mysql_connect("localhost", "username" "password"); this is definitely not the way it should be. Even if it was;
Notice the missing comma after `"username". Should have been like:
$connect = mysql_connect("localhost", "username", "password");
For the current problem, try this:
<?php
//Display registration form
function register_form(){
$date = date('D, M, Y');
echo "<form action='?act=register' method='post'>
Username: <input type='text' name='username' size='30'><br>
Password: <input type='password' name='password' size='30'><br>
Confirm your password: <input type='password' name='password_conf' size='30'><br>
Email: <input type='text' name='email' size='30'><br>
<input type='hidden' name='date' value='$date'>
<input type='submit' value='Register'>
</form>;";
}
?>
You need to put double quotes around your echoed strings. (double, since you use single quotes inside your tags). If you remove the php-tags, it will be interpreted as just HTML i.e. it will just be sent out to the browser.
If for some reason you hate quotes, you might like to do it as a here document:
echo <<<EOF
<form action='?act=register' method='post'>
Username: <input type='text' name='username' size='30'><br>
...
EOF
There's also at least one missing comma in you code, which will keep that part from executing (in mysql_connect).
B.t.w. you shouldn't use the mysql_*-type functions anymore. They are marked deprecated and are prone to make your code succeptible to SQL injection attacks. I recommend working into PDOs.
And just for wiw, as someone already mentioned in the comments it is not the browser that executes this code. PHP is interpreted by the webserver. The only scripting language that is actually executed browserside is still javascript (correct me if I'm wrong.).
I've made an online booking system for my website. It is now live and everything seems to be working fine. However I want to test a few new thing so I can improve it. I downloaded wamp a so that I can fiddle with things and the live version won't be affected.
I use a phpBB3 forum for the user base and used an external login script to access it. It works fine on actual system but when I use wamp and login it doesn't log me in. I am get a session id though.
This is the login script
<?php
if($user->data['is_registered'])
{ ?>
<div id="login">
<p>Your are logged in as: <strong><?php $user->get_profile_fields( $user->data['user_id'] );
if(isset($user->profile_fields['pf_forenames'])) {echo $user->profile_fields['pf_forenames'] . " " . $user->profile_fields['pf_surname'];} else {echo $user->data['username'];}
//User is already logged in?></strong></p>
<form action='logout.php' method='post' style="text-align:center;">
<input class='button' type='submit' value='Logout'>
</form>
</div>
<?php }
else if(isset($_POST['login']))
{
$username = request_var('username', '', true);
$password = request_var('password', '', true);
$autologin = (!empty($_POST['autologin'])) ? true : false;
$result = $auth->login($username, $password, $autologin);
if ($result['status'] == LOGIN_SUCCESS)
{
//User was successfully logged into phpBB
header('Location: cranwellbooking.php?sid=' . $sid. '');
}
else
{
echo 'Bad Login ' . $username; //User's login failed
}
}
else
{?>
<p>Please log in:</p>
<form method='POST' action=''>
<p>Username: <input type='text' name='username' ><br />
Password: <input type='password' name='password' ><br />
Remember Me?: <input type='checkbox' name='autologin'><br /><br />
<input class='button' type='submit' value='Submit' name='login'></p>
</form>
<?php } ?>
The main page starts the session and then uses include to get the login script.
Thanks for reading
EDIT: Ok found out its the $user->data['is_registered'] thats not working properly. Any ideas why, I've changed it so it works but would be nice to know why it doesn't.
My forgot password is not updating the token table nor is it updating the password when changes it keeps echoing the error message below is the form code:
Forgot Password</strong></h3>
<form name="forgot" method="POST" id="forgot" action="includes/reset.php">
<div align="center">
<table width="372" border="0">
<tr>
<td width="181"><p> </p>
<p><strong>Password</strong></p></td>
<td width="181"><span id="sprytextfield1"><br />
<label for="label"></label>
<input type="password" name="passsowrd" id="password" />
<span class="textfieldRequiredMsg">Your password is required</span></span></td>
</tr>
<tr>
<td><p> </p>
<p><strong>Confenter code hereirm Password</strong></p></td>
<td><span id="spryconfirm2">
<label for="password"></label>
<input type="password" name="password2" id="password" />
<span class="confirmRequiredMsg">A value is required.</span><span class="confirmInvalidMsg">The values don't match.</span></span></td>
</tr>
</table>
</div>
<div align="center">
<p> </p>
<table width="98" border="0">
<tr>
<th width="44" scope="row"><input type="submit" name="submit" id="submit" value="submit" /></th>
<th width="44" scope="row"><input type="reset" name="clear" id="clear" value="Clear" /></th>
</tr>
</table>
</div>
<div align="center">
<table width="372" border="0">
<tr> </tr>
<tr> </tr>
</table>
</div>
</form>
and the reset.php is:
<?php
session_start();
error_reporting(0);
$token=$_GET['token'];
include("settings.php");
connect();
if(!isset($_POST['password'])){
$q="select email from tokens where token='".$token."' and used=0";
$r=mysql_query($q);
while($row=mysql_fetch_array($r))
{
$email=$row['email'];
}
If ($email!=''){
$_SESSION['email']=$email;
}
else die("Invalid link or Password already changed <a href='../index.php'>Click here to go back to the HOME PAGE<a/>");}
$pass=$_POST['password'];
$email=$_SESSION['email'];
if(isset($_POST['password'])&&isset($_SESSION['email']))
{
$q="update registration set password='".md5($pass)."' where email='".$email."'";
$r=mysql_query($q);
if($r)mysql_query("update tokens set used=1 where token='".$token."'");echo "Your password is changed successfully <a href='../index.php'>Click here to go back to the HOME PAGE<a/>";
if(!$r)echo "An error occurred";
}
so the issue is the following error message is echoed all the time:
Invalid link or Password already changed.
what should i do also if i add:
if(!isset($pass)){
echo '<form method="post">
enter your new password:<input type="password" name="password" />
<input type="submit" value="Change Password">
</form>
';}
then it works but opens it in new blank page which is un professional thats y am trying to add it to the html
Your else die is in the totally wrong place. You are always going to die because while will always evaluate to false as the loop ends.
If your intent was to die if the query fails you should do something like:
$r = mysql_query($q);
if (false === $r) {
die(mysql_error());
}
while ($row = mysql_fetch_array($r)) {
...
}
Of course my general advice is to not use mysql functions at all, as they are deprecated with PHP 5.5. You also should make sure you are explicitly handling all the possible outcomes for you queries and log meaningful errors to help you debug.
You have no token being passed in the code you presented
$token=$_GET['token'];
where is that token coming from in the script, it is not calling it from the database,
$q="select email from tokens where token='".$token."' and used=0";
also you are not guarding against any sql injection, that should really be addressed, unless I missed the part of the code where the token was being sent to the reset page, if so my apologies
$r=mysql_query($q);
while($row=mysql_fetch_array($r))
{
$email=$row['email'];
}
If ($email!=''){
$_SESSION['email']=$email;
}
else die
flowing down your code you run the query to select email where the token would be blank, i assume no email is returned so if the email is not blank do this, or else die... it must die because the the $email is blank
You're closing your while block too soon. Move the } below the die
I was going to edit your post, but there were so many formatting and syntax issues I'll post it as an answer instead.
<?php
session_start();
error_reporting(0);
include 'settings.php';
connect();
$token = $_GET['token'];
$pass = $_POST['password'];
if (isset($pass) && isset($token)) {
$q = 'SELECT email FROM tokens WHERE token=' . $token . ' AND used=0';
$r = mysql_query($q);
while ($row = mysql_fetch_array($r)) {
$email = $row['email'];
}
if ($email != '') {
$_SESSION['email'] = $email; // Why?
$q = 'UPDATE registration SET password=' . md5($pass). ' WHERE email=' . $email;
$r = mysql_query($q);
if ($r) {
mysql_query('UPDATE tokens SET used=1 WHERE token=' . $token);
echo 'Your password is changed successfully <a href="../index.php">Click here to go back to the HOME PAGE<a/>';
} else {
echo 'An error occurred';
}
} else {
die('Invalid link or Password already changed <a href="../index.php">Click here to go back to the HOME PAGE<a/>');
}
}
This shnould get you on the right track, please take note of tabs, curly braces and most importantly, be consistent in how you write code. Stick to single or double quotes, always use curly braces even on single line if/else statements.
However, as others have said, this code is still highly insecure and deprecated, but it should work.
im currently stuck trying to create a log in form that submits to its self so that if theres any errors they'll be displayed above the login form rather than being sent to another page. Also if the login is successful then they're sent to the desired page. Here's my code below, I appreciate any help, Thanks!
<?php
if ((isset($_REQUEST['username'])) && (isset($_REQUEST['password']))) {
$adminusername = $_POST["username"];
$adminpassword = $_POST["password"];
if ($adminusername == '' || $adminpassword == '') {
echo "<b>You must complete all sections</b><br/>";
}
$query = mysql_query("SELECT * FROM admin WHERE username = '$adminusername' AND password = '$adminpassword'");
$numrows = mysql_num_rows($query);
if ($numrows != 0) {
while ($row = mysql_fetch_assoc($query)) {
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($adminusername == $dbusername && ($adminpassword == $dbpassword)) {
$_SESSION['username'] = $adminusername;
header("Location: admin.php");
}
} else {
echo " ($error) Username and password do not match";
}
}
?>
<h3>Admin Login</h3>
<form name="login" action="<?= $SERVER['PHP_SELF'] ?>" method="POST">
Username: <input type="text" name="username"><br/>
Password: <input type="password" name="password"><br/><br/>
<button type="submit">Log In</button>
</form>
I've indented your code so you can see the structure more clearly.
If the username and password are blank then an error will be output, but the database will still be queried.
You're not checking whether the database query actually works. You should check $query is not false, and if it is report an error.
You're checking the username and passwords match twice (once in the SQL and once again later), this is overkill, and besides you're not reporting if the second check fails.
header() will only work if you've not sent any output yet... if there's anything output before the code you've shown, even a blank line outside of PHP, then the header won't work.
On its own, this works for me (sql injection potential aside):
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$adminusername = $_POST["username"];
$adminpassword = $_POST["password"];
if ($adminusername == '' || $adminpassword == '') {
echo "<b>You must complete all sections</b><br/>";
} else {
$sql = "SELECT * FROM admin WHERE username = '$adminusername' AND password = '$adminpassword'";
$query = mysql_query($sql);
if ($query === false) {
echo "Could not successfully run query ($sql) from DB: " . mysql_error();
exit;
}
if (mysql_num_rows($query) > 0) {
$_SESSION['username'] = $adminusername;
header('Location: /admin.php');
exit;
}
echo "<b>Username and password do not match</b><br/>";
}
}
?>
<h3>Admin Login</h3>
<form name="login" action="<?= $_SERVER['PHP_SELF'] ?>" method="POST">
Username: <input type="text" name="username"><br/>
Password: <input type="password" name="password"><br/><br/>
<button type="submit">Log In</button>
</form>
To submit a <form>, you need a submit button; you've got:
<button type="submit">Log In</button>
try:
<input type="submit" value="Log In" />
I don't think you're currently submitting the form, so nothing will happen when you click submit.
instead of
header("Location: admin.php");
try java script
echo "<script>window.location = 'admin.php';</script>
if you have already outpu to the page header wont work
My solution echos the form with the error below it within a div. I'm still learning but I hope it helps someone.
<div>
<?php
//make sure the form action='' is set to itseslf
echo "
<form action='self_page_name' method='post'>
<table>
<tr>
<td>UserName:</td>
</tr>
<tr>
<td><input type='text' name='username' required='required' /></td>
</tr>
<tr>
<td>Password: </td>
</tr>
<tr>
<td><input type='password' name='password' required='required' /></td>
</tr>
<tr>
<td><input type='submit' name='submit' value='Login' /></td>
</tr>
</table>
</form>
";
//////////your php validation script here////////////
?>
</div>
Im trying to create a guestbook with mysql database. I have no trouble display the sql data on my form.
But when im trying to input data my send button dosent work. I think the problem is in this code, but I cant find it. and have done the tutorial a couple of times.
I dont have any error messages. But this is some of the code.
thanks
<?php
if(isset($_GET['page'])){
echo "
<form action='guest_process.php' method='post'>
<p>Name: <input type='text' name='name'> </p>
<p>Email: <input type='text' name='email'> </p>
<p>Comment: </p>
<p><textarea name='comment'></textarea></p>
<hr />
<p><input type='button' name='submit' value='Post Entry'></p>
</form>
";
}else{
$connect = mysql_connect('localhost','root','') or die ('Couldnt connet');
$db = mysql_select_db('guestbook');
$query = mysql_query('select * from guestbook order by id desc');
$num_rows = mysql_num_rows($query);
if($num_rows > 0){
//display entries
while($row = mysql_fetch_assoc($query)){
echo "
<p>
<b>Name: </b>".$row['name']."
</p>
<p>
<b>Email: </b>".$row['email']."
</p>
<p>
<b>Comment: </b>".$row['comment']."
</p>
<p>
<b>Date: </b>".$row['date']." | Time: ".$row['time']."
</p>
<hr />
";
}
} else{
echo 'no entries in database';
}
}
?>
The guestbook is seperated in two php files.
This is the other page the guest_process.php
<?php
if($_post['submit']){
$connect = mysql_connect('localhost','root','') or die ('Couldnt connet');
$db = mysql_select_db('guestbook');
$name = strip_tags($_POST['name']);
$email = strip_tags($_POST['email']);
$comment = n12br($_POST['comment']);
$date = date('Y-m-d');
$time = date('H:i:s');
$query = mysql_query("insert into guestbook values('','$name','$email','$comment','$date','$time')");
header('Location: index.php');
}else {
header ('Location: index.php');
}
?>
use <input type="submit" value="Post Entry"> instead of <input type=button>
this is not good:
<input type =button name='submit' value='Post Entry'>
it should be:
<input type="submit" name="submit" value="Post Entry">
The problem is that there is no code to put anything in a database.
First you need to actually post something. You might think that this line does this, but it doesn't:
<input type =button name='submit' value='Post Entry'>
Apart from the fact you need " around the type, a "button" isn't actually something that does submitting. You'll need client-side code for that. You could better change it to
<input type="button" name='submit' value='Post Entry'>
You won'nt be there though. Now you need to take the info from the $_POST variable (try var_dump($_POST) to see what's in there), and put it in your database. You can find the appropriate commands for SQL and the php-mysql connection in your tutorial probably