wut

Thanks xyph!

Having a little problem with passwords, they are stored clear text and not encrypted because its for an assignment and I need to prove in the write up that users can change their passwords. Anyway when I register a user with a username and a password of say Password1, I can still login with PASSword1 or any other variation of upper and lower case characters! This is my select statement: $qry = "SELECT * FROM users WHERE username='$username' AND password='$password'"; Just wondering if there is anything that can be done to this, I read somewhere about using === but that doesn't seem to be fixing the problem, it just causes the query to fail! Using MySQL if thats any help. Thanks

So something like? if($password != '') { $qry= "SELECT * FROM users WHERE password='$password' AND username='{$_SESSION['SESS_USER_NAME']}'"; $result = mysql_num_rows($qry); if($result < 0) { $errmsg_arr[] = 'Current password is not correct'; $errflag = true; } } Yeah it's a uni project and my lecturer needs to see the passwords in mysql and that they have changed not sure of anohter way to go about that

Chances are I'm doing something terribly wrong because I've been at this all day and my brain is fried! I'm trying to make a change password script, when there is a password entered in the current password field to check it against the username and password that is stored in the mysql database. If incorrect details are entered there is no error message passed back? $errflag = false; if($password != '') { $qry= "SELECT * FROM users WHERE password='$password' AND username='{$_SESSION['SESS_USER_NAME']}'"; $result = mysql_query($qry); if(!$result) { $errmsg_arr[] = 'Current password is not correct'; $errflag = true; } } if($errflag) { $_SESSION['ERRMSG_PASS'] = $errmsg_arr; session_write_close(); header("location: member-profile.php"); exit(); }

Just want to know if it is possible to do something like this? If so, how? $qry = "SELECT * FROM users WHERE password='$password' AND username='$_SESSION['SESS_USER_NAME']'";

Ahh thank you so much DavidAM.. You genius!!

adauth.php just checks to see that it's the admin logged in, if not show access-denied.php this works on all of my other admin pages if im logged out i get redirected to access-denied.php but if im logged out and try to go to newsfeed.php i dont get redirected and still get the blank page <?php //Start session session_start(); //Check whether the session variable SESS_ADMIN_ID is present or not if(!isset($_SESSION['SESS_ADMIN_ID']) || (trim($_SESSION['SESS_ADMIN_ID']) == '')) { header("location: access-denied.php"); exit(); } ?> and config.php is the database config <?php define('DB_HOST', 'localhost'); define('DB_USER', 'xxxxxx'); define('DB_PASSWORD', 'xxxxxx'); define('DB_DATABASE', 'xxxxxx'); ?>

Ok so I edited the newsfeed.php to: <?php error_reporting(E_ALL); ini_set("display_errors", 1); //Start session session_start(); //Include database connection details require_once('config.php'); require_once('adauth.php'); //Array to store validation errors $errmsg_arr = array(); //Validation error flag $errflag = false; //Connect to mysql server $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); if(!$link) { die('Failed to connect to server: ' . mysql_error()); } //Select database $db = mysql_select_db(DB_DATABASE); if(!$db) { die("Unable to select database"); } //Function to sanitize values received from the form. Prevents SQL injection function clean($str) { $str = trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } //Sanitize the POST values $newsfeed = clean($_POST['newsfeed']); //Input Validations if($newsfeed == '') { $errmsg_arr[] = 'Please enter some news'; $errflag = true; } //If there are input validations, redirect back to the registration form if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); header("location: admin-news.php"); exit(); } //Create INSERT query $qry = "INSERT INTO news(newsfeed) VALUES('$newsfeed')"; $result = mysql_query($qry); if($result) { header("location: news-success.php"); exit(); } else { die("Query failed"); } ?> When it runs now the errors I get are: Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /Applications/MAMP/htdocs/newsfeed.php:1) in /Applications/MAMP/htdocs/newsfeed.php on line 5 Notice: A session had already been started - ignoring session_start() in /Applications/MAMP/htdocs/adauth.php on line 3 Warning: Cannot modify header information - headers already sent by (output started at /Applications/MAMP/htdocs/newsfeed.php:1) in /Applications/MAMP/htdocs/newsfeed.php on line 51 Does this help you? Sure doesn't help me, sorry!

That hasn't changed anything, same problem! the page just wont redirect to where it should! Although if I change the code from header to an echo it will echo what i want, so the script is running to that point, the header just isn't working?

Hmm.. I'll give that a try

There is no error message when you submit the admin-news.php it takes you to a blank newsfeed.php but the data still gets put into the database

No, sorry thats just my bad posting.

I've been staring at this for ages and I can't for the life of me see what the problem is, even after reading the 'HEADER ERRORS - READ HERE BEFORE POSTING THEM' post I still haven't been able to get it! It's probably something really stupid, I'm fairly sure its to do with the header because all the info gets passed to the MySQL datase. The form: admin-news.php <?php session_start(); require_once('auth.php'); ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Admin Index</title> <link href="layout.css" rel="stylesheet" type="text/css" /> <script language="javascript" type="text/javascript"> function limitText(limitField, limitCount, limitNum) { if (limitField.value.length > limitNum) { limitField.value = limitField.value.substring(0, limitNum); } else { limitCount.value = limitNum - limitField.value.length; } } </script> </head> <body> <h1>Update News Feed</h1> <a href="admin-profile.php">My Profile</a> | <a href="admin-news.php">News</a> | <a href="adlogout.php">Logout</a> <p>Enter news below or click <a href="member-news.php">here</a> to view news feed.</p> <form id="news" name="news" method="post" action="newsfeed.php"> <table border="0" class="tablecontents"> <tr> <td align="left">Message:</td> <td><textarea name="newsfeed" style="resize: none;" rows="4" cols="40" onKeyDown="limitText(news.newsfeed,news.countdown,140);" onKeyUp="limitText(news.newsfeed,news.countdown,140);"></textarea> </td> </tr> <tr> <td> </td> <td><?php if( isset($_SESSION['ERRMSG_ARR']) && is_array($_SESSION['ERRMSG_ARR']) && count($_SESSION['ERRMSG_ARR']) >0 ) { echo '<ul class="err">'; foreach($_SESSION['ERRMSG_ARR'] as $msg) { echo '<li>',$msg,'</li>'; } echo '</ul>'; unset($_SESSION['ERRMSG_ARR']); } ?> </td> </tr> <tr> <td></td> <td><input type="submit" name="submit" value="Post News"></td> </tr> <tr> <td></td> <td><p>(Maximum characters: 140)<br /> You have <input readonly type="text" name="countdown" size="3" value="140" /> characters left.</p></td> </tr> </table> </form> </body> </html> The php script: newsfeed.php <?php //Start session session_start(); //Include database connection details require_once('config.php'); //Array to store validation errors $errmsg_arr = array(); //Validation error flag $errflag = false; //Connect to mysql server $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); if(!$link) { die('Failed to connect to server: ' . mysql_error()); } //Select database $db = mysql_select_db(DB_DATABASE); if(!$db) { die("Unable to select database"); } //Function to sanitize values received from the form. Prevents SQL injection function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } //Sanitize the POST values $newsfeed = clean($_POST['newsfeed']); //Input Validations if($newsfeed == '') { $errmsg_arr[] = 'Please enter some news'; $errflag = true; } //If there are input validations, redirect back to the registration form if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); header("location: admin-news.php"); exit(); } //Create INSERT query $qry = "INSERT INTO newsfeed(newsfeed) VALUES('$newsfeed')"; $result = @mysql_query($qry); if($result) { header("location: news-success.php"); exit(); } else { die("Query failed"); } ?> The script carries out the insert but just leaves me at a blank newsfeed.php page! Any ideas? Thanks in advance

if(!filter_var($email, FILTER_VALIDATE_EMAIL)){ $errmsg_arr[] = 'Email is not valid'; $errflag = true; } This seems to have done the trick nicely! Thanks!

im looking to validate an email address before it gets sent to mysql database currently my code checks if an email address is present and if an email address already exists how do you check to see if an address contains a . and a @ symbol? if($email == '') { $errmsg_arr[] = 'Email is missing'; $errflag = true; } if($email != '') { $qry = "SELECT * FROM users WHERE email='$email'"; $result = mysql_query($qry); if($result) { if(mysql_num_rows($result) > 0) { $errmsg_arr[] = 'Email address already in use'; $errflag = true; } @mysql_free_result($result); } else { die("Query failed"); } } Thanks in advance

Ahh thank you! Silly me, I really should of tried that and not just assumed it would be in the source!

I'm trying to make a login page called login.html, currently my check.php posts from a submit button then checks the username and password fields. if (mysql_num_rows($res)==0) { echo "Username or password is incorrect <br>"; echo 'Click <a href="login.html">here</a> to try again'; } else { echo "Your Username and Password is correct, welcome<br>"; echo 'To enter the members area, click <a href="users.html">here</a> to enter'; } If the username or password is incorrect the site goes from login.html to check.php page and displays as expected: Username or password is incorrect Click here to try again Ideally, what I would like to happen would be the login.html page would let the user know that the username or password was incorrect. In a similar way to how https://www.stumbleupon.com/login does it. Or just an easier way to just replace the php code to redirect the user to a page like login_incorrect.html or something similar? I have tried simply copying the login.html code and putting it in a page called login.php and then adding the check.php code to this too, although this works I dont really want users to be able to see the code when going to the page source of login.php Thanks in advance