Hi I really need some help with PHP I am trying code something like the following After a user logs in, I want a page to display his username, how do I do that On the page where I want to display the username, I have got the following PHP coding so far <?php//set vars$user = $_POST['user'];$pass = md5($_POST['pass']); if ($user&&$pass) {//connect to db$connect = mysql_connect("$hostname","$username","$password") or die("not connecting");mysql_select_db("databasename") or die("no db :'(");$query = mysql_query("SELECT * FROM $tablename WHERE username='$user'");?> PHP: My login php page coding is below <?php//set vars$user = $_POST['user'];$pass = md5($_POST['pass']); if ($user&&$pass) {//connect to db$connect = mysql_connect("$hostname","$username","$password") or die("not connecting");mysql_select_db("databasename") or die("no db :'(");$query = mysql_query("SELECT * FROM $tablename WHERE username='$user'"); $numrows = mysql_num_rows($query); if ($numrows!=0){//while loop while ($row = mysql_fetch_assoc($query)) { $dbusername = $row['username']; $dbpassword = $row['password']; } else die("incorrect username/password!");}else echo "user does not exist!";} else die("please enter a username and password!");?><br><div id="login">Enter username and password below to login</div><form id='login' action='checklogin.php' method='post' accept-charset='UTF-8'><fieldset><legend></legend><input type='hidden' name='submitted' id='submitted' value='1'/><label for='username' >Username*:</label><input type='text' name='username' id='username' maxlength="50" /><label for='password' >Password*:</label><input type='password' name='password' id='password' maxlength="50" /><input type='submit' name='Submit' value='Login' /></fieldset></form><br><br><div id="forgot">Enter your registered email address below to generate a new password</div><form method="post" action="forgotpassword.php"><label for="email">Email:</label><input type="text" title="Please enter your email address" name="email" size="30"/> <input type="submit" value="Submit" class="submit-button"/></form> PHP: My registration form coding is below <?php//=============Configuring Server and Database=======$host = 'hostname';$user = 'username';$password = 'password';//=============Data Base Information=================$database = 'databasename'; $conn = mysql_connect($host,$user,$password) or die('Server Information is not Correct'); //Establish Connection with Servermysql_select_db($database,$conn) or die('Database Information is not correct'); //===============End Server Configuration============ //=============Starting Registration Script========== $email = $_POST['email']; $username = $_POST['txtUser']; $password = $_POST['txtPassword']; //=============To Encrypt Password===================$password = md5($salt.$password);//============New Variable of Password is Now with an Encrypted Value======== if(isset($_POST['btnRegister'])) //===When I will Set the Button to 1 or Press Button to register{$query = "insert into users(email,username,password)values('$email','$username','$password')";$res = mysql_query($query);header('location:registersuccess.html');} ?> <?php$to = "$email";$subject = "Registration Details";$message = "Email: $email \n Username: $username \n Password: $password";$from = "myemailaddress";$headers = "From: $from";mail($to,$subject,$message,$headers);echo "Mail Sent.";?> PHP:
Could you please press enter after every line of code, so that I can read it? I know, Digital Point sometimes automatically messes it up. Right down by where the reply button is on posts, there should be an 'edit' button by that spot on your post. Click it and press enter after every line of code. Then I can answer your question. Thanks, -Tony
Thanks, but I'm busy now, sorry. Will answer within 2 hours (most likely, if someone else doesn't first).
Yeah that's ok no problem Tony, thank you so much for being able to help me with this small problem Kind regards Ian
Sorry for taking so long to respond. First, on your login page, when the user logs in, you need to use something called a session: http://www.w3schools.com/php/php_sessions.asp Read that article. You need sessions for accounts. (Note: You might not understand the rest of this post before reading that article.) Also, a good practice is giving ever value in a database table a unique ID. Make a row called user_id or userid. Then, to get the username, you can say "SELECT username FROM tablename WHERE user_id='SESSION[mysiteuserid]'" I'd like to bring up a security issue. In your code, the user submits username and password, and the input goes in a SQL query. This is not secure--there is something called SQL Injection. Look at this link, explaining it: http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx Feel free to ask more questions about SQL Injection, or sessions, or anything about your accounts system, really. -Tony
Hi Tony That's ok just glad and appreciate the help so If I read the article right, I need to add the following at the of the login, registration and the registration script that stores the data, is that right? <?php session_start(); ?> PHP: The userid is cool, I think I can do that part ok Just unsure on how to code the sql injection part etc, sorry only been using PHP for a month or two
I am getting this error any ideas why Parse error: syntax error, unexpected $end in and the file name This is the coding from the php file <?php session_start(); ?> <?php //set vars $user = $_POST['user']; $pass = md5($_POST['pass']); if ($user&&$pass) { //connect to db $connect = mysql_connect("$hostname","$username","password") or die("not connecting"); mysql_select_db("users") or die("no db :'("); $query = mysql_query("SELECT username FROM tablename WHERE user_id='SESSION[userid]"); ?>
I fixed that error by putting a } just before the ?> at the end but now got this error Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at Sorry about this
Well, you shouldn't have put ?> after session_start(). There is no need to, and it may be problematic. Also, you wrote SELECT username FROM tablename WHERE user_id='SESSION[userid]". You forgot to enclose the variable in ' single quotes. Do it like this: SELECT username FROM tablename WHERE user_id='SESSION[userid]'". I'm writing explaining sessions now. Hold on.
Sorry fixed the error Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at Got a blank page now so just need to do the sql injection part and hopefully I have done the session part right, I put <?php session_start(); ?> at the start of the php file How do I do the sql injection part and then once got that sorted can get round to displaying the username from the database Can you help me with the sql injection part please Thank you for all your help so far Ian
I don't think you understood the article on sessions. The incredibly cool thing about sessions is that they are exactly their name--sessions. Sessions allow you to store data that will be saved on the user's computer that you can manage. The data is deleted when the user closes their browser. For instance, you could have something like this on one page: <?php //start session session_start(); //store variable $_SESSION['testvar']=300; PHP: And this on a different page: <?php //resume session with the same function session_start(); //variable can be accessed again echo $_SESSION['testvar']; //will output 300 ?> PHP: Does that make sense? So, what if you did something like this (on login page)? <form action="processlogin.php" method="post"> Username: <input type="text" name="username" id="username"/> <br /> Password: <input type="password" name="password" id="password"/> <br /> <input type="submit" value="submit"/> </form> HTML: And then, on processlogin.php: <?php //connect to db //insert validation of credentials here //then, store user_id in session session_start(); $user_id = mysql_query("SELECT user_id FROM users WHERE username='$_POST[username]'"); $_SESSION['theuserid']=$user_id; ?> PHP: Then, you could retrieve any info associated with the user later. For example, say every user has a reputation as a number between 1-300. To get a user's reputation, you could just do this: session_start(); //connect to db here $reputation=mysql_query("SELECT reputation FROM users WHERE user_id'='$_SESSION[theuserid]'"); PHP: Now do you see the importance and usefulness of sessions? I will next write a post explaining sql injection in greater detail. Again, if you have any questions, just ask. -Tony
Think so, got bit confused, so is reputation their userid, going bit over my head, trying to get my head round it
I am getting totally stuck now, I tried to log in using a username and password I just registered and got this error after clicking login Warning: mysql_query(): Access denied for user ''@'srv113.one.com' (using password: NO) in /customers/irhwebsites.co.uk/irhwebsites.co.uk/httpd.www/login registration form/checklogin.php on line 6 Warning: mysql_query(): A link to the server could not be established in /customers/irhwebsites.co.uk/irhwebsites.co.uk/httpd.www/login registration form/checklogin.php on line 6 Wrong Username or Password No idea what that means
Sorry, can't help you there. That's probably your web hosting. Contact your webhost. Again, sorry I can't help. -Tony
Back to explaining what I said. Okay. Pretend you have a db table named users, and the columns are: user_id, username, password, email, reputation. In SQL: SELECT reputation FROM users WHERE user_id'='$_SESSION[theuserid]' In english: get the value of reputation in table users, in the row that has a user_id of the current user's user id Basically, it selects the reputation of the user with the user id of the current user. If you want a real tutorial on this (more than I can offer ): http://www.w3schools.com/sql/sql_where.asp Hope that helps. -Tony