
Mlaaa

Members
  • Posts: 22
  • Joined
  • Last visited
  • Days Won: 1

Mlaaa last won the day on April 8 2017

Mlaaa had the most liked content!

About Mlaaa

  • Birthday 09/24/1982

Profile Information

  • Gender
    Male
  • Location
    Croatia
  • Age
    34

Contact Methods

  • Skype
    mario.lukacic.or

Mlaaa's Achievements
  • Member (2/5)
  • Reputation: 2

  1. <?php
         // date("H") gives the hour in 24-hour format, e.g. 20 for 20:00
         $t = date("H");
         // so if hour $t is less than 20, i.e. 00:00 - 19:59, display "Have a good day."
         if ($t < "20") {
             // display this message until 20:00 h
             echo "Have a good day.";
         } else {
             // time is now 20:00+
             echo "Have a good night.";
         }
     ?>
  2. Are you using
         error_reporting(E_ALL);
         ini_set('display_errors', 1);
         var_dump($_COOKIE);
     And I think that you need to check if the user is logged in (if the cookie exists) before you try to login.
  3. First of all, you don't have name="" on your input fields, which is what $_POST['name'] reads; it needs to be like this.
     Login form:
         <form action="login.php" method="POST">
             <input type="text" name="Username" class="inputvalues" placeholder="Username" required/><br>
             <input type="password" name="Password" class="inputvalues" placeholder="Password" required/><br>
             <input type="submit" name="submit" id="login_btn" value="Login"/>
         </form>
     Register form:
         <form action="register.php" method="POST">
             <input type="text" name="Username" class="inputvalues" placeholder="Username" required/><br>
             <input type="password" name="Password" class="inputvalues" placeholder="Password" required/><br>
             <input type="submit" name="submit" id="login_btn" value="Register"/>
         </form>
     Second, you need a proper connection to the database, mysqli or PDO with prepared statements ("mysql is deprecated, DON'T USE IT!"). Also don't use md5(), it's not safe; use password_hash() and password_verify() for storing passwords: http://php.net/manual/en/ref.password.php
     This is a config file with error_reporting() and a proper connection:
     conf.php
         <?php
         // turn on error reporting
         error_reporting(E_ALL);
         ini_set("display_errors", 1);
         $db_host = 'localhost'; // your host name
         $db_user = 'root';      // your database username
         $db_pass = '';          // your database password
         $db_name = 'web';       // your database name
         // mysqli connection
         $conn = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
         // test connection
         if (!$conn) {
             echo "Error: Unable to connect to MySQL. " . mysqli_connect_error();
             exit();
         }
         // start the session here so login.php can write to $_SESSION
         session_start();
         ?>
     login.php
         <?php
         // include your config file
         include_once 'conf.php';
         // check if submit button is pressed
         if (isset($_POST['submit'])) {
             // check if your fields username and password are set
             if (isset($_POST['Username']) && isset($_POST['Password'])) {
                 // grab data from your form inputs $_POST['Username'] and $_POST['Password']
                 $Username = $_POST['Username'];
                 $Password = $_POST['Password'];
                 // prepared statement: the value is bound, not concatenated into the SQL,
                 // so no escaping is needed and injection is prevented.
                 // The stored hash cannot be matched in SQL, so select by username only.
                 $stmt = mysqli_prepare($conn, "SELECT Password FROM users WHERE Username = ?");
                 mysqli_stmt_bind_param($stmt, "s", $Username);
                 mysqli_stmt_execute($stmt);
                 mysqli_stmt_bind_result($stmt, $stored_hash);
                 $found = mysqli_stmt_fetch($stmt);
                 // check the entered password against the stored password_hash()
                 if ($found && password_verify($Password, $stored_hash)) {
                     $_SESSION['Username'] = $Username;
                 } else {
                     echo "Invalid username or password.";
                 }
             }
         }
         ?>
     register.php
         <?php
         // include your config file
         include_once 'conf.php';
         // check if submit button is pressed
         if (isset($_POST['submit'])) {
             // check if your fields username and password are set
             if (isset($_POST['Username']) && isset($_POST['Password'])) {
                 // grab data from your form inputs $_POST['Username'] and $_POST['Password']
                 $Username = $_POST['Username'];
                 $Password = $_POST['Password'];
                 // hash the password with password_hash(), never md5()
                 $Password_hash = password_hash($Password, PASSWORD_DEFAULT);
                 // check that the username doesn't exist yet, to prevent duplicate usernames
                 $stmt = mysqli_prepare($conn, "SELECT 1 FROM users WHERE Username = ?");
                 mysqli_stmt_bind_param($stmt, "s", $Username);
                 mysqli_stmt_execute($stmt);
                 mysqli_stmt_store_result($stmt);
                 // if the username exists give a message
                 if (mysqli_stmt_num_rows($stmt) > 0) {
                     echo "Username already in use, please choose another one.";
                 } else {
                     // if the user doesn't exist, let's put him into the database
                     $reg = mysqli_prepare($conn, "INSERT INTO users (Username, Password) VALUES (?, ?)");
                     mysqli_stmt_bind_param($reg, "ss", $Username, $Password_hash);
                     mysqli_stmt_execute($reg);
                     // check if our user is inserted into the database
                     if (mysqli_insert_id($conn)) {
                         echo "Thank you for registering, you can now <a href=\"login.php\">Login</a>";
                         // close connection
                         mysqli_close($conn);
                     } else {
                         echo "User failed to register, please try again.";
                     }
                 }
             }
         }
         ?>
  4. You're thinking clearly: if I select the username from the database it will give me all the information about this user that I need, and what I need is to check if that password is valid for that username from the query. So your code needs to be valid. I tried to login with all combinations and it only logs me in with the right username and password. So this works. Thanks guys.
  5. I tried this and it works: if you enter a valid username it won't login, and if you enter a valid password and an invalid username it won't login. But if I leave WHERE korisnicko_ime = :username AND lozinka = :password this doesn't work.
         $stmt = $dbh->prepare("SELECT * FROM administrator WHERE korisnicko_ime = :username");
         $stmt->bindParam(':username', $username);
         $stmt->execute();
         $p = $stmt->fetch();
         // fetch() returns false when there is no such user, so check $p before reading from it
         if ($p && password_verify($password, $p['lozinka']) && $p['korisnicko_ime'] == $username) {
             $_SESSION['laa'] = $username;
             header('Location: index.php');
             exit();
         }
  6. Thanks, I used it like this and now it works; also the problem was in $p['password'] instead of $p['lozinka'], and the same for username/korisnicko_ime.
         $stmt = $dbh->prepare("SELECT * FROM administrator WHERE korisnicko_ime = :username");
         $stmt->bindParam(':username', $username);
         $stmt->execute();
         $p = $stmt->fetch();
         // both conditions must hold (&&): with || a correct username alone would log in,
         // and $p must be checked because fetch() returns false for an unknown user
         if ($p && password_verify($password, $p['lozinka']) && $p['korisnicko_ime'] == $username) {
             $_SESSION['laa'] = $username;
             header('Location: index.php');
             exit();
         }
  7. So I need a first query to get the password from the database so that I can check it against the entered password? Then another query to check if the username and password match?
  8. Hi, I have a problem with a login script. The problem is that I can't login using my username and password. The password I entered in the database was made with password_hash('admin', PASSWORD_DEFAULT); Here is the code:
         <?php
         include 'config.php';
         if (isset($_SESSION['laa'])) {
             die('U already logged in. <a href="index.php">Home</a>');
         }
         if (isset($_POST['login'])) {
             if (isset($_POST['username']) && isset($_POST['password'])) {
                 $username = strip_tags($_POST['username']);
                 $password = strip_tags($_POST['password']);
                 if (empty($username) || empty($password)) {
                     $error = 'Please enter username and password.';
                 } else {
                     //$password = password_verify($password, PASSWORD_DEFAULT);
                     $stmt = $dbh->prepare("SELECT * FROM administrator WHERE korisnicko_ime = :username AND lozinka = :password");
                     $stmt->bindParam(':username', $username);
                     $stmt->bindParam(':password', $password);
                     $stmt->execute();
                     $p = $stmt->fetch();
                     //password_verify($password, $data['password']))
                     if ($p['username'] == $username || $p['password'] == $password) {
                         $_SESSION['laa'] = $username;
                         header('Location: index.php');
                         exit();
                     } else {
                         $error = 'Invalid username or password.';
                     }
                 }
             } else {
                 $error = 'Please enter username and password.';
             }
         }
         ?>
         <center>
         <div style="display:block; margin-top: 10%;">
         <p><?php if(!empty($error)) { echo $error; } ?></p>
         <form action="login.php" method="post">
         <p>Username : <input type="text" name="username"></p>
         <p>Password : <input type="password" name="password"></p>
         <p><input type="submit" name="login" value="Login"></p>
         </form>
         </div>
         </center>
  9. So what can you suggest to me, how do I escape data before I insert it into the database? Because I found in one CMS some functions to escape, or is this a bad example of using functions:
         function cleartext($text, $bbcode=true, $calledfrom='root') {
             $text = htmlspecialchars($text);
             $text = strip_tags($text);
             $text = smileys($text,1,$calledfrom);
             $text = insertlinks($text,$calledfrom);
             $text = flags($text,$calledfrom);
             $text = replacement($text, $bbcode);
             $text = htmlnl($text);
             $text = nl2br($text);
             return $text;
         }
         function htmloutput($text) {
             $text = smileys($text);
             $text = insertlinks($text);
             $text = flags($text);
             $text = replacement($text);
             $text = htmlnl($text);
             $text = nl2br($text);
             return $text;
         }
         function clearfromtags($text) {
             $text = getinput($text);
             $text = strip_tags($text);
             $text = htmlnl($text);
             $text = nl2br($text);
             return $text;
         }
         function getinput($text) {
             //$text = stripslashes($text);
             $text = htmlspecialchars($text);
             return $text;
         }
         function getforminput($text) {
             $text = str_replace(array('\r','\n'),array("\r","\n"),$text);
             $text = stripslashes($text);
             $text = htmlspecialchars($text);
             return $text;
         }
  10. I know that for validation I must check if the user/email already exists, double password check, crypt the password, password/username length and that kind of stuff; I'm just curious, when I take $_POST data from the form, whether I must somehow secure it before inserting.
  11. Hi, I have a question about managing data from forms and the database, to be exact about safe input/output of data from form input fields. Do I need some filters to remove code from the input if a user tries to insert it? When I make the database table I limit chars, and the same in the form. Here is a piece of code I use just for test and example:
          // connection to database
          $dbh = new PDO('mysql:host=localhost;dbname=test123', 'root', '');
          $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
          // variables to insert into database
          $username = $_POST['username'];
          $password = $_POST['password'];
          $email = $_POST['email'];
          // query with prepared statements
          $stmt = $dbh->prepare("INSERT INTO members (username, password, email) VALUES (:username, :password, :email)");
          $stmt->bindParam(":username", $username, PDO::PARAM_STR);
          $stmt->bindParam(":password", $password, PDO::PARAM_STR);
          $stmt->bindParam(":email", $email, PDO::PARAM_STR);
          $stmt->execute();
          $lastId = $dbh->lastInsertId();
          // checking if the query passed and data is inserted into the database
          if ($lastId > 0) {
              echo 'Thank u for register.';
          } else {
              echo 'Something went wrong, please try again.';
          }
  12. Sorry for this try...catch block, I was trying it on my computer. I read on the link he gave: "Set PDO in exception mode. Do not use try..catch to report errors. Configure PHP for proper error reporting." But can you tell me what to use then to protect input fields when inserting data into the database, or does PDO do it itself? Do I have to use some kind of filter or just go with the variable itself without any protection? I know that with prepared statements you avoid SQL injections.
  13. So is this a good usage of PDO? I'm just curious because I learned from the codeacademy YouTube channel. I just didn't add that code in the function in the try...catch block.
          try {
              $dbh = new PDO('mysql:host=localhost;dbname=test123', 'root', '');
          } catch (PDOException $e) {
              print "Error!: " . $e->getMessage() . "<br/>";
              die();
          }
          // $dbh is passed in: a function cannot see a global variable by itself
          function NewUser(PDO $dbh) {
              $username = strip_tags($_POST['username']);
              $email = filter_var($_POST['useremail'], FILTER_VALIDATE_EMAIL);
              $password = strip_tags($_POST['password']);
              $stmt = $dbh->prepare("INSERT INTO members (username, email, password) VALUES (:username, :email, :password)");
              $stmt->bindParam(":username", $username, PDO::PARAM_STR);
              $stmt->bindParam(":email", $email, PDO::PARAM_STR);
              $stmt->bindParam(":password", $password, PDO::PARAM_STR);
              $stmt->execute();
              $lastId = $dbh->lastInsertId();
              if ($lastId > 0) {
                  echo "YOUR REGISTRATION IS COMPLETED.";
              } else {
                  echo "SOMETHING WENT WRONG.";
              }
          }
  14. I personally use the built-in PHP filters http://php.net/manual/en/book.filter.php But from his code you see he is starting to learn and doesn't even know how to make a query right, so for a start it will be better to jump straight to PDO http://www.w3schools.com/php/php_mysql_prepared_statements.asp http://php.net/manual/en/book.pdo.php
  15. Try like this, and check out PDO instead of using mysqli; it's simpler and less code.
          <?php
          $con = new mysqli('localhost', 'id535401_root', 'Patch201796', 'id535401_kickednetwork');
          // connect_error, not mysqli_error(): the connection may not exist yet
          if ($con->connect_error) {
              die("Could not connect to mysql: " . $con->connect_error);
          }
          // $con is passed in: functions don't see global variables without `global`
          function NewUser($con) {
              $username = htmlspecialchars($_POST['username']);
              $email = htmlspecialchars($_POST['useremail']);
              $password = htmlspecialchars($_POST['password']);
              $username = mysqli_real_escape_string($con, $username);
              $email = mysqli_real_escape_string($con, $email);
              $password = mysqli_real_escape_string($con, $password);
              $query = "INSERT INTO members (username, email, password) VALUES ('".$username."','".$email."','".$password."')";
              $data = mysqli_query($con, $query) or die(mysqli_error($con));
              if ($data) {
                  echo "YOUR REGISTRATION IS COMPLETED.";
              } else {
                  echo "SOMETHING WENT WRONG.";
              }
          }
          function SignUp($con) {
              // check if username and password fields are not empty
              if (!empty($_POST['username']) && !empty($_POST['password'])) {
                  /*
                   * Convert special characters to HTML entities
                   * http://in2.php.net/manual/en/function.htmlspecialchars.php
                   */
                  $username = htmlspecialchars($_POST['username']);
                  $password = htmlspecialchars($_POST['password']);
                  /*
                   * Escapes special characters in a string for use in an SQL statement,
                   * http://in2.php.net/manual/en/mysqli.real-escape-string.php
                   */
                  $username = mysqli_real_escape_string($con, $username);
                  $password = mysqli_real_escape_string($con, $password);
                  $query = mysqli_query($con, "SELECT * FROM members WHERE username = '".$username."' AND password = '".$password."'") or die(mysqli_error($con));
                  // mysqli_fetch_array() takes only the result set
                  if (!$row = mysqli_fetch_array($query)) {
                      NewUser($con);
                  } else {
                      echo "SORRY...YOU ARE ALREADY REGISTERED USER...";
                  }
              }
          }
          if (isset($_POST['submit'])) {
              SignUp($con);
          }
          ?>
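The login pattern the posts above converge on (select by username only, then password_verify() against the stored hash, with && rather than ||), as an added example that is not code from the thread. It assumes a PDO handle $dbh in exception mode, that session_start() has already run, and the administrator table with the korisnicko_ime/lozinka columns named in the posts; the dummy hash and the rehash step are additions.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Assumes: $dbh is a PDO handle with
// PDO::ATTR_ERRMODE = PDO::ERRMODE_EXCEPTION, session_start() has run, and
// table `administrator` has the columns korisnicko_ime and lozinka.

function registerUser(PDO $dbh, string $username, string $password): bool
{
    // Only the hash is stored; the plaintext never reaches the database.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $dbh->prepare('INSERT INTO administrator (korisnicko_ime, lozinka) VALUES (:u, :h)');
    return $stmt->execute([':u' => $username, ':h' => $hash]);
}

function loginUser(PDO $dbh, string $username, string $password): bool
{
    // A hash cannot be matched in SQL: select by username only and let
    // password_verify() do the comparison in PHP.
    $stmt = $dbh->prepare('SELECT lozinka FROM administrator WHERE korisnicko_ime = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Constructed dummy hash, built once per process: verifying against it when
    // the user does not exist keeps "no such user" and "wrong password" close in time.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $stored = $row !== false ? $row['lozinka'] : $dummyHash;

    // Both must hold (&&, not ||): a known username alone is never enough.
    if (!password_verify($password, $stored) || $row === false) {
        return false;
    }

    // Transparently upgrade hashes made with an older algorithm or cost.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $dbh->prepare('UPDATE administrator SET lozinka = :h WHERE korisnicko_ime = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }

    session_regenerate_id(true); // fresh session id on login (session fixation)
    $_SESSION['laa'] = $username;
    return true;
}
```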
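For the input/output question running through posts 9 to 15 (does $_POST data need escaping before a prepared INSERT?), an added example that is not code from the thread: validate on the way in, bind the raw value in a prepared statement, and escape only at output time. It assumes a PDO handle $dbh in exception mode and the members table (username, password, email) from the posts; the field names and the username rule are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Assumes a PDO handle $dbh in exception
// mode and a `members` table with columns username, password, email.

// Validate shape and length on the way in; do not "clean" or escape the value.
function validateRegistration(array $post): array
{
    $username = trim((string)($post['username'] ?? ''));
    $email    = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $password = (string)($post['password'] ?? '');
    $errors = [];
    if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username)) {
        $errors[] = 'Username: 3-32 letters, digits, _ . or -';
    }
    if ($email === false) {
        $errors[] = 'Invalid e-mail address';
    }
    if (strlen($password) < 8) {
        $errors[] = 'Password must be at least 8 characters';
    }
    return [$errors, $username, (string)$email, $password];
}

// Prepared statements send values separately from the SQL text, so no
// mysqli_real_escape_string()/htmlspecialchars()/strip_tags() on stored data.
function insertMember(PDO $dbh, string $username, string $email, string $password): int
{
    $stmt = $dbh->prepare('INSERT INTO members (username, password, email) VALUES (:u, :p, :e)');
    $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT), // hash, never the plaintext
        ':e' => $email,
    ]);
    return (int)$dbh->lastInsertId();
}

// Escape at output time, for the context the value lands in (here: HTML body).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

[$errors, $u, $e, $p] = validateRegistration($_POST);
if ($errors) {
    foreach ($errors as $err) { echo '<p>' . h($err) . '</p>'; }
} elseif (insertMember($dbh, $u, $e, $p) > 0) {
    echo '<p>Thank you for registering, ' . h($u) . '.</p>';
}
```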