PHP login issues - mysql

I am creating a login which links to a database, when entering information the login then runs a blank page and does nothing, below is my code:
include "conn.php";
session_start();
$email_address = $_POST['email_address'];
$password = $_POST['password'];
if ($email_address && $password)
{
$connect = mysql_connect("computing","i7906890","password") or die ("couldn't connect!");
mysql_select_db("i7906890") or die ("couldn't find database");
$guery = mysql_query("SELECT * FROM UserAccount WHERE email_address = '$email_address'");
if ($numrows!=0) {
//code to login
while ($row = mysql_fetch_assoc($query)) //Password Check
{
$dbemail_address = $row['email_address']
$dbpassword = $row['password']
}
//Check if they match
if ($email_address==$dbemail_address&&$password==$dbpassword)
{
echo "You're in! <a href='user_page.php'>click</a> here to enter the members page";
$_SESSION['user']==$dbemail_address;
}
else
echo "Incorrect Password!";
}
else
die("That user doesn't exist!");
}
else
die("Please enter an email address and password!");
?>
Also here is my form
<form action = "login2.php" method ="POST">
<p><img src="images/space.gif" width="70px" height="1px"/><strong>Log in</strong> or <strong>Register</strong><br>
Email:<img src="images/space.gif" width="34px" height="1px"/><input type="text" name="user" size="33"> <br>
Password:<img src="images/space.gif" width="10px" height="1px"/><input type="password" name="password" size="33"> <br>
<div align="center">
<input type="submit" value="Log in" class="button">
</div>
</p>
</form>
Please help! SOS

You're missing a few ; in your code which is causing the script to crap out and not display anything. (Specifically in the while loop but check elsewhere as well.)
Edit: You may also want to consider losing that while loop all together and putting the password criteria in the SQL statement for better performance. And like the other poster said, watch out for SQL injection.

Please help! SOS Yep, you're in deep sh... But not for what you'd expect...
Even if your code was operating well, you are the 5th or 6th who asks roughly the same question, riddled with SQL injection in a PHP login form using the deprecated mysql_ functions...
And also, $guery is not the same as $query... Check for the q and g letters...
This line:
$guery = mysql_query("SELECT * FROM UserAccount WHERE email_address = '$email_address'");
Should be at least
$query = mysql_query("SELECT * FROM UserAccount WHERE email_address = '".mysql_real_escape($email_address)."'");
to both be correct, and avoid injection...
But you should really be using prepared statements through PDO, like this:
try {
//open connection, this is different than in the old functions
$dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
//***running query
//**step1: create statement
$stmt = $dbh->prepare('SELECT * FROM UserAccount WHERE email_address = :email'); //notice parameter prefixed with ':'
//**step2: bind values (be sure to also check out the bindParameter() function too!)
$stmt->bindValue(':email', $email_address);
//**step3: exexcute statement
$stmt->execute();
//**step4: process results
$result = $stmt->fetch(PDO::FETCH_OBJ);
if($result->PASSWORD==$password) {
//logged in, do whatever reuqired
}
$dbh = null; //don't let it slip out of our hands
} catch (PDOException $e) {
print "Error!: " . $e->getMessage() . "<br/>";
die();
}
Also, another word of caution: don't store plaintext passwords. Even storing MD5 hashes is out of scope these days, and SHA1 is also declared to be weak...

Related

check voucher number in database if it is correct then insert the subscribers data into another database

Hi i have 2 database one for voucher numbers and the other one for the new users
and i need from the subscribers to insert the voucher number if the number is correct then they can complete the registration and if not they will be asked to make sure from the voucher number they have and i use this code but it is very weak and did not work
<?php
$username = "salbota";
$password = "lK8tFIGAJ_Jp";
$hostname = "localhost";
$dbhandle = mysql_connect($hostname, $username, $password) or die("Could not connect to database");
$selected = mysql_select_db("salbota_users", $dbhandle);
$myusername = $_POST['user'];
$mypassword = $_POST['pass'];
$mycardnum = $_POST['cardnum'];
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$mycardnum = stripslashes($mycardnum);
$query = "SELECT * FROM cardnumbers WHERE cardnumo='$mycardnum'";
if($mycardnum = $_POST['cardnum']){
mysql_query("INSERT INTO users (Username, Password, cardnum) VALUES ('$user', '$pass', '$mycardnum')");
}else{
echo 'card number is not correct';
}
mysql_close();
?>
<html>
<body>
<h1>Signup!</h1>
<form action="new_user.php" method="POST">
<p>Username:</p><input type="text" name="user" />
<p>Password:</p><input type="password" name="pass" />
<p>Card Number:</p><input type="text" name="cardnum" />
<br />
<input type="submit" value="Signup!" />
</form>
</body>
</html>
Your variables in the INSERT query are wrong. Instead of ('$user', '$pass', '$mycardnum'), it should be ('$myusername', '$mypassword', '$mycardnum').
Also, the check for "insert the voucher number if the number is correct the" doesn't seem to be anywhere in your code. Nor are you checking the vouchers table.
Edits after comment:
You've got a query $query = "SELECT * FROM cardnumbers WHERE cardnumo='$mycardnum'"; but you're not executing it.
And then you're checking if($mycardnum = $_POST['cardnum']){ but that just checks the same cardnumber which you did stripslashes on - so they won't match anyway. Instead you need to execute the query and check if you get the correct cardnumber. Also, your if check needs to be two == signs, not one.
There are too many non-related issues for why your code won't work. I don't think you'll get an answer on StackOverflow. Fix the above and try again.

Check if entry is available in database

I have generated a 10 digit number, added it to a database after purchase.
Now I want to make a php page to give users an input box, ask them to enter the 10 digit number, and click submit. After you click submit it should return if the pin is used or has not been used it. (Used if its not available - Not used if its in the table)
I got the following code:
<?php
require_once 'db.php';
function validated_pin($pin)
{
$pin = mysql_real_escape_string($pin); // SECURITY!
$result = mysql_query("SELECT pins FROM pins WHERE pin='$pin' LIMIT 1");
if (mysql_fetch_row($result)) {
return 'This pin has already been used';
} else {
return 'This pin is available for use';
}
}
echo '<html><center>
<form action="' . $_SERVER['SCRIPT_NAME'] . '" method="post">
<table style="border:0px solid black;">
<tr>
<td>PIN*:</td><td><input type="text" name="pin" value="" class="bginput"/></td>
</tr>
<tr>
<td></td><td><input type="submit" id ="submit" name="submit1" value="Check Pin>>" class="button"></td>
</tr>
</table>';
echo validated_pin($pin);
echo '</center></html>';
?>
And PHPmyAdmin looks like this:
http://gyazo.com/67c3df7171c83c677cb221c04d644ed7.png
It's located in _donation and in table name pins
I don't know whats going on tried looking everywhere
The current code will return this error
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in /home/website/public_html/directory/example.php on line 8
Your query is failing to fetch data, resulting in false returned.
Firstly - you should catch this false value and not assume $result has data.
Secondly - var_dump() the query you are running, run that in PhpMyAdmin
Your query is-
$result = mysql_query("SELECT pins FROM pins WHERE pin='$pin' LIMIT 1");
shouldn't it be
$result = mysql_query("SELECT pin FROM pins WHERE pin='$pin' LIMIT 1");
pin is the column name right? not pins
if (mysql_fetch_row($result)) {
if(mysql_num_rows($result)>0)
return 'This pin has already been used';
else
return 'This pin is available for use';
}
This seemed to have solved it:
$pin = $_POST["pin"];
function validated_pin($pin)
{
$pin = mysql_real_escape_string($pin); // SECURITY!
$result = mysql_query("SELECT pin FROM pins WHERE pin='$pin' LIMIT 1");
if(mysql_num_rows($result) == 0) {
return 'This pin has already been used';
} else {
return 'This pin is available for use';
}
}
Still facing the issue of it saying "Already been used" before I execute any code.

PHP Session Variable Not Passing with Header and Ob_Start Function

This is my code:
<?php
ob_start();
session_start();
include("index.php");
if (isset($_POST['user'],$_POST['pass'])):
$con=mysqli_connect("connect info");
if ( !$con ){
die('Could not connect to Database: '.mysqli_error());}
$pass=($_POST['pass']);
$query0 = "SELECT * FROM user WHERE username = '" . $_POST['user'] ."' AND password = '" . $pass . "'";
$resource0 = mysqli_query($con,$query0);
if(!$resource0):
die("Error conducting query. ".mysqli_error($con));
endif;
if(mysqli_num_rows($resource0) == 0){
echo "Username not find";
header("Location: /login.php");}
$result0 = mysqli_fetch_row($resource0);
$_SESSION['ID'] = $result0[0];
$_SESSION['userType'] = $result0[3];
if(!isset($_SESSION['ID'])):
//header("Location: ...");
else:
header("Location: ....");
endif;
else:
if(isset($_POST['from'])):
$_SESSION['from'] = $_POST['from'];
endif;
?>
<?php endif; ?>
This code takes a user's username and password information and stores and searching the database for the userID. Once is finds the information it stores in the session variable 'ID'.
PROBLEM: When the session 'ID' variable is passed to the next page it is not set. Surprisingly, this code without the ob_start function was working yesterday morning but wasn't working by the afternoon. I know it's not setting because two things: When I echo on the next page, nothing appears and because when I try to run a query with the session 'ID' variable I get a mysql error saying the query could not be conducted.
This is the code on the next page that is not working. At first I thought, it might be something wrong with my query because I was getting this error:
"Error conducting query. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1"
But when I tried printing the session 'ID' variable nothing is printed.
<?php session_start;
// Create connection
$con=mysqli_connect(connect info....);
// Check connection
if (mysqli_connect_errno($con))
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$query0 = "SELECT * FROM studentProfile WHERE sID = ".$_SESSION['ID'];
$resource0 = mysqli_query($con,$query0);
if(!$resource0):
echo $_SESSION['ID'];
die("Error conducting query. ".mysqli_error($con));
endif;
.......(rest of code)
Solutions Already Tried: I have tried them all...session_write_close(), session_regenerate_id(true), session_commit(), ob_end_flush(). I have tried initially setting the session variable on the home page but once the functions are performed in the session 'ID' variable is no longer set at all.
Please help! I have read all the forums I could find on this problem but nothing seems to work.
what you have written on the next page that your code is not working. Please provide me with detail.
try this on the page which you have directed by header location. May be your session can work.
<?php
include('config.php');
if(!isset($_SESSION['ID']))
{
header("Location: ../index.html");
}
else{
$user_id=$_SESSION['ID'][0];
$user_name=$_SESSION['ID'][1];
?>
and end the else part at the last of the page

How to remove width and height attributes from multiple posts in Wordpress (MySQL)

So I have thousands of Wordpress posts with the width and height attributes which I want to remove. For example:
img class="aligncenter size-full wp-image-21011999" title="sometitle"
alt="somealt" src="http://mysite.com/blabla/somefile.jpg" width="xxx" height="xxx"
As i mentioned i want to remove width="xxx" height="xxx" and i want to remove them directly from MySQL, dont want to use any PHP functions or similar.
Is there a query i can run through PhpMyadmin?
Are there any regex i can use for the xxx which is different for each post.
Thank you!
You can write a small PHP script (outside of WordPress of course) that will accomplish this quite easily using Regex.
<?php
$host = "hostname";
$user = "username";
$pass = "password";
$db = "database";
mysql_connect($host, $user, $pass);
mysql_select_db($db);
$pattern = "/width|height=\"[0-9]*\"/";
$query = "SELECT ID, post_content FROM wp_posts";
while ($row = mysql_fetch_assoc($query)) {
if (preg_match($pattern, $row['post_content']))
{
$row['post_content'] = preg_replace($pattern, "", $row['post_content']);
mysql_query("UPDATE wp_posts SET post_content=" . $row['post_content'] . "WHERE ID=" . $row['ID'];
}
}
?>
That's the way I'd do it anyway. I'm assuming when you said "no PHP functions" that you mean that you want the data permanently updated in the database, rather than just updated on the fly every time the page is loaded. This should solve the issue. Writing a raw SQL query to deal with this problem will likely be much more complicated.
You don't need to do this within WordPress. You could even run this on a different host, provided said host has database access.
Note: I haven't tested any of this. If you use it, I'd make sure to run it on a small subsection of your database before applying it sitewide.
I have used this script and it has some errors. I have corrected them and used it. It works. Make sure the table name (wpfs_posts) correspondents to your table name with posts. Always have a backup off course.
<?php
$host = "localhost";
$user = "nameuser";
$pass = "password";
$db = "namedb";
mysql_connect($host, $user, $pass);
mysql_select_db($db);
$pattern = "/width|height=\"[0-9]*\"/";
$query = "SELECT ID, post_content FROM wpfs_posts";
$result = mysql_query($query);
while ($row = mysql_fetch_assoc($result)) {
if (preg_match($pattern, $row['post_content']))
{
$row['post_content'] = preg_replace($pattern, "", $row['post_content']);
$row['post_content']=mysql_real_escape_string($row['post_content']);
mysql_query("UPDATE wpfs_posts SET post_content='" . $row['post_content'] . "' WHERE ID=" . $row['ID']);
}
}
?>

Update Database Not Working

Can anyone tell me why this isn't working? Everything comes up fine but when I hit submit it doesn't update the database.
$row = mysql_fetch_array($sql);
$title = $row['title'];
$content = $row['content'];
$author = $row['author'];
$author_email = $row['author_email'];
$cat = $row['category'];
$date = $row['date'];
$id = $row['id'];
$form = "<tr><td>$id
<form action='edit.php' method='post'>
<input type='text' value='$title' name='title'><br>
<textarea name='content'>$content</textarea><br>
<input type='submit' name='submit'>
</td></tr>";
$ptitle = htmlentities($_POST['title']);
$pcontent = htmlentities($_POST['content']);
if($_POST['submit']){
if ($ptitle && $pcontent){
mysql_query("UPDATE blogdata SET id='$id', title='$ptitle', author='$author', author_email='$author_email', date='$date', category='$category', content='$pcontent' WHERE id='$id'");
}
else
echo "A forms empty.";
}
else
echo "$form";
Note first that you should not be using the values that have been submitted directly from the form without first validating them. I will not address that here, but I will address your query:
You cannot set the value of the row identifier that you plan to use in your WHERE clause; this causes a concurrency problem. Your row identifier should be immutable.
Thus, your query should look like this (reminder: I have not fixed the security related issues):
UPDATE blogdata SET title='$ptitle', author='$author',
author_email='$author_email', date='$date', category='$category',
content='$pcontent' WHERE id='$id'
Because its badly written code with bugs in it?
You should use htmlentities to escape content you are writing to the browser. You should use mysql_real_escape_string to escape content you are writing to the database. Your code should have comments in it explaining what it does. You should check the return value for mysql_query and poll mysql_error when appropriate. You shouldn't quote numeric values in your SQL.