How do i do if i want to keep the username in the field if the users entered incorrect password, so the person doesnt need to retype the username? Should i use sessions for this?
Just pass the value to the field:
<input name="uid" value="<?php echo (isset($_POST['uid'])) ? $_POST['uid'] : ''?>" />
Never forget to sanitize user input first! (not like in my example but it should give you the right idea).
But be careful with error messages. Don't say that the password is wrong. Say that the password or username is wrong. You don't want to let anyone know that a certain username is register in your system (at least not by trying to login).
Make sure $_POST['username'] data is not harmful first.
<input name="username" type="text" value="<?php echo $_POST['username'] ?>" />
try this one
use the session variable
$_SESSION['username'] = $_POST['username'];
<input type="text" name="username" value="<?php echo $_SESSION['username']; ?>" />
Just print it:
<input name="username" type="text" value="<?php echo htmlspecialchars($_POST['username']) ?>">
Yes if you are not posting to the same page but to a php handeling script you would need to use a session variable like $_SESSION['sticky']['username'] = $_POST['username'], then on the page that you return to
<input type="text" value="<?php if isset($_SESSION['sticky']['username']) echo $_SESSION['sticky']['username'] ?>" name="username" />
Related
I have input with name of "username" and what I need is when I send the form to check whether the value was sent with the form I want to print the property inside input as:
<input type="text" name="username"
<?php if(isset($uname)){echo 'value="' . $uname . '"';} ?>
>
So I don't want to print value property unless there's a value already sent by POST method.
The code I have for now is:
<input type="text" name="username" id="username" class="form-control"
value="<?php if(isset($uname)){echo $uname;}?>"
placeholder="Username">
It's working fine but its printing value property even before I send the form, I have tried to modify the code, but the closing tag of input [ > ] seems to have problem with php closing tag ?>
How I can solve this issue?
Thanks a lot :)
Thanks, I solved it like this:
<?php
echo '<input type="text" name="username" id="username" class="form-control"';
echo (isset($uname)) ? 'value="'.$uname.'"' : '';
echo ' placeholder="Username">';
?>
Note:
I already had declared $uname = $_POST['username']; in another place, so that's why I have a valid variable ($uname).
You have to check for the post variables (which you don't show here)
<?php if (isset($_POST['uname']): ?>
value="<?php echo $_POST['uname'];?>"
<?php endif; ?>
Change the contente of post by what you have and it should solve your problem
<input type="text" name="username" id="username" class="form-control" value="<?php echo (isset($uname) && isset($_POST['uname'])) ? $uname : '';?>" placeholder="Username">
Don't forget to use filter_input(http://php.net/manual/en/function.filter-input.php) on your $uname variable before using.
(I found this but still dont understand) {HTML form PHP post to self to validate or submit to new page}
I am sorry if this question is explained better in another place but I have been stuck for hours, have searched, and have just given up. I am going by the W3c website tutorial on how to validate, sanitize, and handle forms using PHP. All went well (At least I think it did) until it was time to do something with this data. I will show you the code now and further explain my position and problem after the code:
<form method="POST" name="signup" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
<label for="first name"></label><input id="first name" name="first_name" placeholder="First Name" type="text" value="<?php echo $firstname;?>" /> <span class="error">* <?php echo $firstnameErr;?></span>
<label for="last_name"></label><input id="last name" name="last_name" placeholder="Last Name" type="text" value="<?php echo $lastname;?>" />
<span class="error">* <?php echo $lastnameErr;?></span>
<br><br>
<label for="email"></label><input id="email" name="email" placeholder="Email" type="text" value="<?php echo $email;?>" />
<span class="error">* <?php echo $emailErr;?></span>
<br /><br />
<label for="password"></label><input id="password" name="password" placeholder="Create Password" type="password" />
<span class="error">* <?php echo $passwordErr;?></span>
<br /><br />
<label for="male"><strong>Male</strong></label>
<input id="male" value="male" <?php if (isset($gender) && $gender=="male") echo "checked";?> name="gender" type="radio" />
<label for="female"><strong>Female</strong></label> <input id="female" value="female"
<?php if (isset($gender) && $gender=="female") echo "checked";?> name="gender" type="radio" />
<span class="error">* <?php echo $genderErr;?></span>
<br /><br />
<label for="submit">"I Agree To Terms And Conditions"</label> <input id="submit" value="Submit" type="submit" name="submit"/><br /><br />
<p><span class="error">* required field.</span></p>
<hr>
I am confused on many things. Should I keep the 'Form Action" as is, or should I change it to something like, "welcome.php". If I do change it to "welcome.php" do I still include the 'htmlspecialchars'? I am going to be using MSQLI. I am already able to connect to my database but how do I go about converting the users data into viable information for the server? Do I just go ahead and use the variables that I created in this HTML form? I know I need to put some kind of variables into a query string and then make sure I exit it as well. I am sorry if I pissed some of you off but I am just needing help. I dont want negative points but if I can receive some answers than I can handle a few bad points. Thanks for your help and happy holidays.
Below is my "welcome.php." It is actually called something different but for this moment it is "welcome.php". Thanks again.
<?php
$hostname="social89.db";
$username="social89";
$password="P!!";
$dbname="social89";
$db_conx = mysqli_connect($hostname, $username, $password) OR DIE ("Unable to
connect to database! Please try again later.");
if(mysqli_connect_errno()){
echo mysqli_connect_error();
exit();
}
$select = mysqli_select_db($db_conx,$dbname);
$firstname= $_POST["first_name"];
$lastname= $_POST["last_name"];
$email= $_POST["email"];
$password= $_POST["password"];
$gender= $_POST["gender"];
mysqli_query($db_conx,"INSERT INTO users (firstname, lastname, email, password, gender)
VALUES ('$firstname', '$lastname', '$email', '$password', '$gender')");
mysqli_close($db_conx);
header("Location: ERASETHISprofile.php")
?>
Ooh, where to begin.
At the beginning I guess.
"Post to self" refers to having the same script that renders the form receive the form data. The form action points back at the same php script using the server variable $_SERVER['PHP_SELF'].
This means you can do something like:
<?php
if (!empty($_POST)) { // if $_POST isn't empty, the user submitted the form
// validate
if ($validationPassed) {
// insert to db
} else {
// tell the user they messed up
$error = 'Hey, you! Email address was incorrect.';
}
}
//
?>
<html> ...
<?php if (isset($error)) { echo $error; } ?>
// form
The above is really basic. You'll want to set errors for specific fields failing validation to give the user more of a clue as to what to correct.
htmlspecialchars() - Convert special characters to HTML entities
In short, if you trust the input string, you don't need it. So "welcome.php" that has been typed manually by yourself into the document, is trusted, and doesn't need to have special characters converted - there aren't any in the string. If that text came from a user it could contain, for example, <h2>Hello</h2>. Without the use of this function, your page may render that Hello inside the H2.
Recommended reading for the next part: How can I prevent SQL injection in PHP?
At the moment you are vulnerable, because you are taking data from the form and are not validating or sanitizing it. Obligatory XKCD comic: http://xkcd.com/327/. In addition to the risk of SQL injection there is the risk of junk data ending up in your DB.
Validation in PHP: filter_var examples: http://www.php.net/manual/en/filter.examples.validation.php
I am trying to create posts with a userid = to the currently logged in users id.
On page 1 I use $_SESSION to set a variable
$_SESSION['Userid'] = $row_getUserStuff['userid'];
I can call $_SESSION['Userid'] on both page 1 and page 2 with
echo($_SESSION['Userid']);
which outputs the users id, my problem is when I try to push that data to the database.
In the form I put
<input type="hidden" name="userid" value="<?php $_SESSION['Userid']?>" />
But when I try to post it I get the error
Column 'userid' cannot be null
Don't put the session data in the form. It is pointless for the browser to have to send the server something the server already knows, and anyone can change it in an injection attack.
Instead, just access $_SESSION['Userid'] when inserting the value into the database.
try this:
<input type="hidden" name="userid" value="<?php echo $_SESSION['Userid']?>" />
You're not actually telling PHP to output the session variable, you're just referring to it. But since it's a session variable, it doesn't need to be in the form at all, I assume there's a $_POST['userid'] somewhere in your code to handle the form, just replace that with $_SESSION['Userid'].
try
<input type="hidden" name="userid" value="<?php echo $_SESSION['Userid']; ?>" />
I added the echo statement and the ; so that no php error will be generated and the $_SESSION['Userid'] is properly sent to the browser.
Replace this line:
<input type="hidden" name="userid" value="<?php $_SESSION['Userid']?>" />
to
<input type="hidden" name="userid" value="<?php echo $_SESSION['Userid']?>" />
I have a page which basically allows an admin user to create manager user types (basically a register function. So when the values are submitted, they are stored into the DB, very very basic stuff. However, I have a hidden variable type..reasons are I have 3 different user levels and I have declared they identification as an integer (e.g. 7 = manager, 8 =user etc.)
Can someone help me out with how to correctly pass this hidden value so it stores in the database...
Here is my form:
<form id="userreg" name="userreg" method="post" action="adduser-process.php">
<label>Full Name:</label> <input name="fullname" size="40" id="fullname" value="<?php if (isset($_POST['fullname'])); ?>"/>
<br />
<label>Username:</label> <input name="username" size="40" id="username" value="<?php if (isset($_POST['username'])); ?>"/> <br />
<label>Password:</label> <input name="password" size="40" id="password" value="<?php if (isset($_POST['password'])); ?>"/> <br />
<label>Email Address:</label> <input name="emailaddress" size="40" id="emailaddress" value="<?php if (isset($_POST['emailaddress'])); ?>"/>
<br />
<input name="userlevel" type="hidden" size="1" id="userlevel" value="<?php $_POST[5]; ?>" /> <br />
<input value="Add User" class="addbtn" type="submit" />
</form></div>
Next, here is the script that runs the query:
<?php
require_once "config.php";
$fullname = $_POST['fullname'];
$username = $_POST['username'];
$password = $_POST['password'];
$emailaddress = $_POST['emailaddress'];
$userlevel = $_POST[5];
$sql = "INSERT INTO users_tb VALUES('".$user_id."','".$fullname."','".$username."',MD5('".$password."'),'".$emailaddress."','".$userlevel."')";
$result = mysql_query($sql, $connection)
or die("MySQL Error: ".mysql_error());
header("Location: administratorfrontview.php");
exit();
?>
I'm basically trying to pass the hidden typem with a constant value of '5' just for this form, as it will not be changed...also while im here, for some reason, the 'fullname' is not stored in the DB either!!?? WTH?? all other fields are processed fine. Any help is much appreciated! Thank you.
Two things. One, $userlevel should equal $_POST['userlevel'] not 5 as POST data isn't always in that order. Two, your insert statement should be preceded with the column names (to prevent any data from going in the wrong order).
$sql = "INSERT INFO users_tb (id, name, username, password, email, userlevel) ".
"('".$user_id."','".$fullname."','".$username."',MD5('".$password."'),'".
$emailaddress."','".$userlevel."')";
Your PHP for outputting the value is wrong. Use:
<?= $_POST[5]; ?>
or
<?php echo $_POST[5]; ?>
So I have this empty textboxes in a registrationg page. The user enters some data, hits continue and then there's a confirmation page. If the data is incorrect, the user hits go back to go correct whatever was wrong. However, when he goes back, all the textboxes are empty. So the first thing that comes to my mind is to store the user data in a Session (I have a User class that holds all this data so I store the class in the session). When the user goes back I am able to retrieve the data.
I do something like this:
if($_SESSION['UserInfo'])
{
$user = $_SESSION['UserInfo'];
$firstName = $user->FirstName;
$lastName = $user->LastName;
}
How would I put these variables in a textbox?
To set the value, you can just echo out the content inside the value attribute:
<input type="text" name="firstname" value="<?php echo htmlentities($firstName); ?>" />
<input type="text" name="lastname" value="<?php echo htmlentities($lastName); ?>" />
Of course you will want to escape it but...
<input type="text" value="<?php echo $firstName ?>" />
or if the form is posted, it would be easier to do:
<input type="text" name="firstName" value="<?php echo $_POST['firstName'] ?>" />
fine... even though it was out of the scope of the question here is the escaped version:
<input type="text" name="firstName" value="<?php echo htmlentities($_POST['firstName']) ?>" />
smth like
<input type="text" value="<?php echo $first_name;?>">
Don't forget to escape with htmlentities() or smth similar. If you don't know why - google XSS.