check voucher number in database if it is correct then insert the subscribers data into another database - mysql

Hi, I have 2 databases, one for voucher numbers and the other one for the new users,
and I need the subscribers to enter the voucher number. If the number is correct then they can complete the registration, and if not they will be asked to check the voucher number they have. I use this code but it is very weak and did not work:
<?php
$username = "salbota";
$password = "lK8tFIGAJ_Jp";
$hostname = "localhost";
$dbhandle = mysql_connect($hostname, $username, $password) or die("Could not connect to database");
$selected = mysql_select_db("salbota_users", $dbhandle);
$myusername = $_POST['user'];
$mypassword = $_POST['pass'];
$mycardnum = $_POST['cardnum'];
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$mycardnum = stripslashes($mycardnum);
$query = "SELECT * FROM cardnumbers WHERE cardnumo='$mycardnum'";
if($mycardnum = $_POST['cardnum']){
mysql_query("INSERT INTO users (Username, Password, cardnum) VALUES ('$user', '$pass', '$mycardnum')");
}else{
echo 'card number is not correct';
}
mysql_close();
?>
<html>
<body>
<h1>Signup!</h1>
<form action="new_user.php" method="POST">
<p>Username:</p><input type="text" name="user" />
<p>Password:</p><input type="password" name="pass" />
<p>Card Number:</p><input type="text" name="cardnum" />
<br />
<input type="submit" value="Signup!" />
</form>
</body>
</html>

Your variables in the INSERT query are wrong. Instead of ('$user', '$pass', '$mycardnum'), it should be ('$myusername', '$mypassword', '$mycardnum').
Also, the check for "insert the voucher number if the number is correct the" doesn't seem to be anywhere in your code. Nor are you checking the vouchers table.
Edits after comment:
You've got a query $query = "SELECT * FROM cardnumbers WHERE cardnumo='$mycardnum'"; but you're not executing it.
And then you're checking if($mycardnum = $_POST['cardnum']){ but that just checks the same cardnumber which you did stripslashes on - so they won't match anyway. Instead you need to execute the query and check if you get the correct cardnumber. Also, your if check needs to be two == signs, not one.
There are too many non-related issues for why your code won't work. I don't think you'll get an answer on StackOverflow. Fix the above and try again.
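The check this answer asks for (run the voucher query, act on its result, then insert the user) is shown below as an added example; it is not code from the original post. Table and column names follow the question, while the `used` column, the `redeem_voucher()` helper, the sample vouchers and the in-memory SQLite database (standing in for MySQL so the script runs offline, with both tables on one connection) are assumptions.

```php
<?php
// Added example with constructed data; `used` and redeem_voucher() are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cardnumbers (cardnumo TEXT PRIMARY KEY, used INTEGER NOT NULL DEFAULT 0)');
$pdo->exec('CREATE TABLE users (Username TEXT UNIQUE, Password TEXT, cardnum TEXT UNIQUE)');
$pdo->exec("INSERT INTO cardnumbers (cardnumo) VALUES ('1111-2222'), ('3333-4444')");

function redeem_voucher(PDO $pdo, string $user, string $pass, string $cardnum): bool
{
    $pdo->beginTransaction();
    try {
        // Claim the voucher in one statement: the UPDATE only matches a voucher
        // that exists and is still unused, so two signups cannot share one number.
        $claim = $pdo->prepare('UPDATE cardnumbers SET used = 1 WHERE cardnumo = :c AND used = 0');
        $claim->execute([':c' => $cardnum]);
        if ($claim->rowCount() !== 1) {
            $pdo->rollBack();
            return false;               // unknown or already redeemed voucher
        }
        // Values are bound as parameters and never concatenated into the SQL text.
        $ins = $pdo->prepare('INSERT INTO users (Username, Password, cardnum) VALUES (:u, :p, :c)');
        $ins->execute([
            ':u' => $user,
            ':p' => password_hash($pass, PASSWORD_DEFAULT),   // store a hash, not the password
            ':c' => $cardnum,
        ]);
        $pdo->commit();
        return true;
    } catch (PDOException $e) {
        $pdo->rollBack();               // e.g. duplicate username: the voucher is released again
        throw $e;
    }
}

var_dump(redeem_voucher($pdo, 'alice', 's3cret', '1111-2222'));   // fresh voucher
var_dump(redeem_voucher($pdo, 'bob', 'hunter2', '1111-2222'));    // same voucher a second time
var_dump(redeem_voucher($pdo, 'carol', 'pw', "x' OR '1'='1"));    // quote characters are just data
```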

Related

Provide Data from mysql using a search field in a form

I use a CRM on a WordPress website. I'm trying to make a search field where a user can enter a number and with that number he/she should be able to see certain data from the database that is connected with the number that is entered.
What I got so far is:
<?php
$dbhost = 'localhost';
$dbuser = 'my user name';
$dbpass = 'my password';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn ) {
die('Kan geen connectie maken: ' . mysql_error());
}
$sql = 'SELECT lead_content FROM wp_wgbsupicrm_leads';
mysql_select_db('my database name');
$retval = mysql_query( $sql, $conn );
if(! $retval ) {
die('Kan geen gegevens vinden: ' . mysql_error());
}
while($row = mysql_fetch_array($retval, MYSQL_ASSOC)) {
echo "EMP ID :{$row['lead_content']} <br> ".
"--------------------------------<br>";
}
echo "Gegevens ontvangen\n";
mysql_close($conn);
?>
This will give me a result of:
resultaat:{"zoeknummer":"554477","komplex":"test 4","plaats":"84","versturen":null}
resultaat:{"zoeknummer":"556478","komplex":"test 3","plaats":"51","versturen":null}
resultaat:{"zoeknummer":"112255","komplex":"test 2","plaats":"12","versturen":null}
resultaat:{"zoeknummer":"110022","komplex":"Test 1","plaats":"1","versturen":null}
What I want is a search field where the "zoeknummer" is entered and the "komplex" & "plaats" are shown. The "versturen" doesn't need to be shown.
This is an image of the database where I need to get the information from:
To get this far I spent 1 and a half days. I know I'm a total starter at all this; I have basic HTML and CSS. But I'm trying to learn more and hope with some assistance here I can get this to work, and in the meantime learn how it works.
Thanks in advance!
You should know how to use the WHERE clause in your SQL query. This is mainly used for search purposes.
In your HTML form, give the textfield a name such as: name="$data"
Then in your SQL query:
$sql = "SELECT lead_content FROM wp_wgbsupicrm_leads where lead_content='$data'";
Then the search will give you only the data you want from the text field you entered.

PHP login issues

I am creating a login which links to a database, when entering information the login then runs a blank page and does nothing, below is my code:
include "conn.php";
session_start();
$email_address = $_POST['email_address'];
$password = $_POST['password'];
if ($email_address && $password)
{
$connect = mysql_connect("computing","i7906890","password") or die ("couldn't connect!");
mysql_select_db("i7906890") or die ("couldn't find database");
$guery = mysql_query("SELECT * FROM UserAccount WHERE email_address = '$email_address'");
if ($numrows!=0) {
//code to login
while ($row = mysql_fetch_assoc($query)) //Password Check
{
$dbemail_address = $row['email_address']
$dbpassword = $row['password']
}
//Check if they match
if ($email_address==$dbemail_address&&$password==$dbpassword)
{
echo "You're in! <a href='user_page.php'>click</a> here to enter the members page";
$_SESSION['user']==$dbemail_address;
}
else
echo "Incorrect Password!";
}
else
die("That user doesn't exist!");
}
else
die("Please enter an email address and password!");
?>
Also here is my form
<form action = "login2.php" method ="POST">
<p><img src="images/space.gif" width="70px" height="1px"/><strong>Log in</strong> or <strong>Register</strong><br>
Email:<img src="images/space.gif" width="34px" height="1px"/><input type="text" name="user" size="33"> <br>
Password:<img src="images/space.gif" width="10px" height="1px"/><input type="password" name="password" size="33"> <br>
<div align="center">
<input type="submit" value="Log in" class="button">
</div>
</p>
</form>
Please help! SOS
You're missing a few ; in your code, which is causing the script to crap out and not display anything. (Specifically in the while loop, but check elsewhere as well.)
Edit: You may also want to consider losing that while loop altogether and putting the password criteria in the SQL statement for better performance. And like the other poster said, watch out for SQL injection.
Please help! SOS Yep, you're in deep sh... But not for what you'd expect...
Even if your code was operating well, you are the 5th or 6th who asks roughly the same question, riddled with SQL injection in a PHP login form using the deprecated mysql_ functions...
And also, $guery is not the same as $query... Check for the q and g letters...
This line:
$guery = mysql_query("SELECT * FROM UserAccount WHERE email_address = '$email_address'");
Should be at least
$query = mysql_query("SELECT * FROM UserAccount WHERE email_address = '".mysql_real_escape_string($email_address)."'");
to both be correct, and avoid injection...
But you should really be using prepared statements through PDO, like this:
try {
    // open connection; this is different than in the old functions
    $dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
    //*** running query
    //** step 1: create statement
    $stmt = $dbh->prepare('SELECT * FROM UserAccount WHERE email_address = :email'); // notice parameter prefixed with ':'
    //** step 2: bind values (be sure to also check out the bindParam() function too!)
    $stmt->bindValue(':email', $email_address);
    //** step 3: execute statement
    $stmt->execute();
    //** step 4: process results
    $result = $stmt->fetch(PDO::FETCH_OBJ); // false when no row matches
    // property name follows the column name used in the question ('password')
    if ($result && $result->password == $password) {
        // logged in, do whatever is required
    }
    $dbh = null; // don't let it slip out of our hands
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}
Also, another word of caution: don't store plaintext passwords. Even storing MD5 hashes is out of scope these days, and SHA1 is also declared to be weak...
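The closing caution about password storage, combined with the prepared-statement lookup, as an added example that is not part of the original answer. `UserAccount`, `email_address` and `password` come from the question; `check_login()`, the sample account and the in-memory SQLite database (standing in for MySQL so the script runs offline) are assumptions.

```php
<?php
// Added example with constructed data; check_login() is a hypothetical helper.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE UserAccount (email_address TEXT PRIMARY KEY, password TEXT NOT NULL)');
// At registration the column receives a salted hash, never the password itself.
$seed = $pdo->prepare('INSERT INTO UserAccount (email_address, password) VALUES (?, ?)');
$seed->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);

function check_login(PDO $pdo, string $email, string $password): bool
{
    // Hash used only to burn comparable time when the account does not exist.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT password FROM UserAccount WHERE email_address = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn();          // false when there is no such account

    // Always run one verification so response time does not reveal which
    // e-mail addresses are registered.
    $ok = password_verify($password, $hash === false ? $dummy : $hash);
    if ($hash === false || !$ok) {
        return false;
    }
    // Upgrade the stored hash transparently when the default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $up = $pdo->prepare('UPDATE UserAccount SET password = :h WHERE email_address = :email');
        $up->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':email' => $email]);
    }
    return true;
}

var_dump(check_login($pdo, 'alice@example.com', 'correct horse'));  // right password
var_dump(check_login($pdo, 'alice@example.com', 'wrong'));          // wrong password
var_dump(check_login($pdo, "' OR '1'='1", 'anything'));             // quote characters are just data
```

In a real login page, call session_regenerate_id(true) after a successful check and before assigning $_SESSION['user'], and return the same error message for an unknown e-mail and a wrong password.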

How to randomly select a line within msql in a table and display result on webpage and send result to 2 email addresses as well?

Basically I am setting up a subscription application of name and email on my website which I am currently building. I have tested out the subscription form and all is working as it sends the data to the msql database and into the appropriate table (subscriptions) then into the 2 fields (subscriptionname, subscriptionemail).
With this I wish to once a month randomly draw a line out of the fields (which would have their name and email) and display this (only their name along with some other text such as "name is the winner of this month's random draw" etc) on the homepage of the website. (Might do as TWO draws same time every month. Unsure yet).
I'd want this to also send an email to the winner using obviously the email address it has as well as send to a predefined email address to me. (This is so I know exactly who has won it as of course there could be 2 or more people with the same name so I would not know which one won it. So within this email it would simply provide me with the name and email so I could supply the prize.)
I really hope someone would be able to help as I am completely clueless as what to do as I know little in the world of codes especially something like this.
I am not sure what language you are using so I will write in python.
Rewritten in PHP
<?php
// your MySql specific parameters
$my_host = "localhost";
$my_user = "user";
$my_pass = "password";
$my_db = "test";
// Connecting, selecting database
$link = mysql_connect($my_host, $my_user, $my_pass);
mysql_select_db($my_db);
// Mysql fast random from http://wanderr.com/jay/order-by-slow/2008/01/30/
// Uses the subscriptions table from the question; assumes it has a numeric ID column
$query = "SELECT * FROM subscriptions T JOIN (SELECT FLOOR(MAX(ID)*RAND()) AS ID FROM subscriptions) AS x ON T.ID >= x.ID LIMIT 1;";
$result = mysql_query($query);
// get the user
$user = mysql_fetch_array($result, MYSQL_ASSOC);
$user_email = $user['subscriptionemail'];
$user_name = $user['subscriptionname'];
// Free resultset
mysql_free_result($result);
// Closing connection
mysql_close($link);
//
// Email part
//
// specific to you (mail() uses the mail transport configured in php.ini)
$my_email = 'me#my_domain.com';
// PHP concatenates strings with '.', not '+'
$text = "Hello " . $user_name . " you have won the prize!";
mail($user_email, "You won!", $text, "From: " . $my_email);
$text = $user_name . " has won the prize! Their email is " . $user_email . ".";
mail($my_email, "New winner!", $text, "From: " . $my_email);

MySQL Query not updating database

Perhaps I am just being a complete idiot but I am trying to insert a record into a MySQL table but it doesn't seem to be working. When I test it (i.e. get the script to echo the values so I can check that they are being posted by the form), they are being sent but the query isn't posting to the database. Like I said, perhaps I am being a complete idiot but I felt that perhaps a fresh set of eyes might speed up my troubleshooting because I have been fighting with this issue for the past 2 hours!
Here is the code:
// Connects to your Database
mysql_connect("localhost", "dbuser", "dbpword") or die(mysql_error());
mysql_select_db("dbname") or die(mysql_error());
// Get Variables
$sectorid = $_POST['sectorid'];
$parentid = $_POST['parentid'];
$sectorname = $_POST['sectorname'];
$status = $_POST['status'];
$creon = $_POST['creon'];
$creby = $_POST['creby'];
$modon = $_POST['modon'];
$modby = $_POST['modby'];
//Insert Record
mysql_query("INSERT INTO cand_emp_sector (sectorid, parentid, sectorname, status, creon, creby, modon, modby)
VALUES ('$sectorid', '$parentid', '$sectorname', '$status', '$creon', '$creby', '$modon', '$modby)");
//On completion, redirect to next page
header("Location: canddb.new.7i.php");
Any assistance would be greatly appreciated.
Thanks
you are missing a quote at the end
, '$modby')");
^---------here
Check the result for errors:
$result = mysql_query("INSERT INTO cand_emp_sector (sectorid, parentid, sectorname, status, creon, creby, modon, modby)
VALUES ('$sectorid', '$parentid', '$sectorname', '$status', '$creon', '$creby', '$modon', '$modby)");
if($result === false) die('query failed..');

Update Database Not Working

Can anyone tell me why this isn't working? Everything comes up fine but when I hit submit it doesn't update the database.
$row = mysql_fetch_array($sql);
$title = $row['title'];
$content = $row['content'];
$author = $row['author'];
$author_email = $row['author_email'];
$cat = $row['category'];
$date = $row['date'];
$id = $row['id'];
$form = "<tr><td>$id
<form action='edit.php' method='post'>
<input type='text' value='$title' name='title'><br>
<textarea name='content'>$content</textarea><br>
<input type='submit' name='submit'>
</td></tr>";
$ptitle = htmlentities($_POST['title']);
$pcontent = htmlentities($_POST['content']);
if($_POST['submit']){
if ($ptitle && $pcontent){
mysql_query("UPDATE blogdata SET id='$id', title='$ptitle', author='$author', author_email='$author_email', date='$date', category='$category', content='$pcontent' WHERE id='$id'");
}
else
echo "A forms empty.";
}
else
echo "$form";
Note first that you should not be using the values that have been submitted directly from the form without first validating them. I will not address that here, but I will address your query:
You cannot set the value of the row identifier that you plan to use in your WHERE clause; this causes a concurrency problem. Your row identifier should be immutable.
Thus, your query should look like this (reminder: I have not fixed the security related issues):
UPDATE blogdata SET title='$ptitle', author='$author',
author_email='$author_email', date='$date', category='$category',
content='$pcontent' WHERE id='$id'
Because it's badly written code with bugs in it?
You should use htmlentities to escape content you are writing to the browser. You should use mysql_real_escape_string to escape content you are writing to the database. Your code should have comments in it explaining what it does. You should check the return value for mysql_query and poll mysql_error when appropriate. You shouldn't quote numeric values in your SQL.
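The points in the two answers above (an immutable row id, separate handling for the database and for the browser, checking the result of the query), as an added example that is not part of the original answers. It uses PDO bound parameters in place of mysql_real_escape_string; `blogdata` and its columns come from the question, while `update_post()`, `render_form()`, the sample row and the in-memory SQLite database are assumptions.

```php
<?php
// Added example with constructed data; update_post() and render_form() are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE blogdata (id INTEGER PRIMARY KEY, title TEXT, content TEXT)');
$pdo->exec("INSERT INTO blogdata (id, title, content) VALUES (1, 'Old title', 'Old text')");

// Database side: store the raw text and keep it out of the SQL grammar with
// bound parameters. The id appears only in WHERE and is never assigned.
function update_post(PDO $pdo, $id, string $title, string $content): bool
{
    $id = filter_var($id, FILTER_VALIDATE_INT);
    if ($id === false || $title === '' || $content === '') {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE blogdata SET title = :t, content = :c WHERE id = :id');
    $stmt->bindValue(':t', $title);
    $stmt->bindValue(':c', $content);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);   // numeric value, bound as an integer
    $stmt->execute();
    // Note: MySQL reports rows actually changed unless PDO::MYSQL_ATTR_FOUND_ROWS
    // is set, so an update that changes nothing counts as 0 there.
    return $stmt->rowCount() === 1;
}

// Browser side: encode at output time. ENT_QUOTES matters because the form
// below delimits attribute values with single quotes.
function render_form(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT title, content FROM blogdata WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '';
    }
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return "<form action='edit.php' method='post'>"
         . "<input type='text' value='" . $e($row['title']) . "' name='title'><br>"
         . "<textarea name='content'>" . $e($row['content']) . "</textarea><br>"
         . "<input type='submit' name='submit'></form>";
}

// Constructed input containing quotes and markup.
var_dump(update_post($pdo, '1', "It's <b>new</b>", 'Body with "quotes"'));
echo render_form($pdo, 1), PHP_EOL;
```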