Everything posted by benanamen

  1. In a perfect world every server will have PHP ver. >=7. It's really the only way we can stop these people.
  2. No, PHP_SELF is vulnerable to SQL injection. You can use $_SERVER['SCRIPT_NAME']
  3. Ok, I finally remembered why you needed to only WHERE the username. After digging through my ancient archives I found a script that will demonstrate. The issue was SQL Injection and being able to login without a username and password. Security problem right? Just put the provided Injection examples in the username and password fields and the Injection Attack will give you the username and password, or in an old real world example would have logged you in.

     ```sql
     /* Source Database : sqlinjection */

     -- ----------------------------
     -- Table structure for users
     -- ----------------------------
     DROP TABLE IF EXISTS `users`;
     CREATE TABLE `users` (
       `user_id` int(11) NOT NULL AUTO_INCREMENT,
       `username` varchar(255) DEFAULT NULL,
       `password` varchar(255) DEFAULT NULL,
       PRIMARY KEY (`user_id`)
     ) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;

     -- ----------------------------
     -- Records of users
     -- ----------------------------
     INSERT INTO `users` VALUES ('1', 'username', 'password');
     ```

     ```php
     <!DOCTYPE html>
     <html>
     <head>
     <title></title>
     </head>
     <body>
     This works:<br>
     anything' OR 'x'='x<br>
     ' or '1'='1<br>
     'OR''='<br>
     <form action="<? echo $_SERVER['PHP_SELF'];?>" method="POST">
     Username:<input name="username" type="text"><br>
     Password:<input name="password" type="text">
     <input type="submit" name="Submit" value="Submit">
     </form>
     <?php
     if ($_POST) {
         $DBhost     = "localhost";
         $DBusername = "root";
         $DBpassword = "";
         $DBname     = "sqlinjection";
         $DBtable    = "users";

         $con = @mysql_connect($DBhost, $DBusername, $DBpassword);
         mysql_select_db("$DBname");

         $sql    = "SELECT * FROM users WHERE username = '{$_POST['username']}' AND password='{$_POST['password']}' ";
         $result = mysql_query($sql);
         $row    = mysql_fetch_array($result);

         echo "<p>$sql</p>";
         echo "{$row['username']} {$row['password']}";
     }
     ?>
     </body>
     </html>
     ```
  4. I could have sworn there was something else but I can't remember what it was. I have always just done WHERE username= only for the last umpteen years. Once I learned the "right" way to do something there was no reason to remember why it was right after all these years. Now it's bugging me not remembering. The only thing I remember was it was way back when it was commonplace to put plaintext passwords in the db before md5 passwords started catching on.
  5. @Jacques1, Wanted your input on the username/password selection comparison. From old school MySQL days I had learned to only WHERE the username, not WHERE username= AND password= and then do the password check after just like you did here so you weren't throwing more user supplied data at the database or some security related issue. Don't remember the details as to why now. With PDO and prepared statements does it even matter which way you do it? What do you say about the two options?
  6. If I understand your example it would be include('../includes/some-file.php'); for a file located here: /htdocs/ng/some-dir/ to include a file located here: /htdocts/ng/includes/some-file.php
  7. There are PDO tutorials all over. Just google. One of the things I want to point out, you want to have good error checking in place so you know exactly what goes wrong and where. Had you had that in place this would have been handled much easier and faster. When you start getting down on PDO I will show you how to set up your error catching if you haven't learned it. It should be the base of any project you start and will keep you moving along in your development.
  8. Okay... movin on.

     ```php
     <?php
     // Connection settings
     $hostdb   = 'localhost';
     $dbname   = 'phphelp_rackspot';
     $username = 'root';
     $password = '';
     $table    = 'company';

     $pdo = new PDO("mysql:host=$hostdb;dbname=$dbname", $username, $password);
     // Throw exceptions on database errors
     $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

     $sql  = "SELECT * FROM $table";
     $stmt = $pdo->prepare($sql);
     $stmt->execute();
     $result = $stmt->fetchAll();
     ?>
     <form action="http://" method="post">
         <select name="company" size="1">
             <?php foreach ($result AS $row) : ?>
                 <!-- Escape database values before writing them into the page -->
                 <option value="<?= htmlspecialchars($row['compid']) ?>"><?= htmlspecialchars($row['comp_name']) ?></option>
             <?php endforeach; ?>
         </select>
     </form>
     ```
  9. Ok, looka here young man, see what you did? $row2 = mysql_fetch_array($r2, MYSQLI_ASSOC); You do remember you are using Mysqli right? I think we should get you on PDO, it's just better. Not an opinion, it just is.
  10. All you have to do is change extension on the sql dump to something like .txt
  11. If only these schools would teach real world programming.
  12. Cuing @Jacques1 in 3...2...1
  13. Any reason you're not using a database instead of a flatfile?
  14. For starters because you can use hex2bin() to un-hex it. You might as well just be storing plain text, not to mention, it doesn't encrypt anything.
  15. Let's make this easy, give me a sql dump of your DB and your current php code. Meanwhile, fill in the db connection info and put this page up for me.

      ```php
      <?php
      // Fill in the connection info
      $hostdb   = '';
      $dbname   = '';
      $username = '';
      $password = '';
      $table    = 'company';

      $pdo = new PDO("mysql:host=$hostdb;dbname=$dbname", $username, $password);
      // Throw exceptions on database errors
      $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

      $sql  = "SELECT * FROM $table";
      $stmt = $pdo->prepare($sql);
      $stmt->execute();
      $result = $stmt->fetchAll();

      // Dump every row for inspection
      echo '<pre>';
      print_r($result);
      echo '</pre>';
      ?>
      ```
  16. LOL @maxxd Just making the previous statement a LOT more specific. NEVER use Internet Explorer. If I could uninstall it I would.
  17. Your post made it seem like you only wanted the phone number part. Not to get rid of the whole string. Mobile number along with unique code I want to hide that code issue to hide the response code
  18. Don't use Internet Explorer for development. It caches everything. You will never be sure if you are looking at the current page.
  19. Can you post an sql dump of your DB? What database are you using? You posted to the MySQL help. I don't think you are using MySQL.
  20. Post your code
  21. 
      ```php
      $val = "919988776699-225d3e2c0d90404bb63dd39ae11e588c";
      $phone = substr($val, 0, 12);
      echo $phone;
      ```
  22. It sure does. Look next to the firstname input box and the last name box if you leave that blank and make sure you are using the code I last posted. And make sure you are doing this on a webserver, not your desktop and that the filename ends with .php.
  23. Wrong data, my bad. Do this,

      ```php
      $q2 = "select compid, comp_name from company";
      $r2 = mysqli_query($dbc, $q2);
      // mysqli result sets need the mysqli_ fetch function
      $row2 = mysqli_fetch_array($r2, MYSQLI_ASSOC);
      echo "<pre>";
      print_r($row2);
      echo "</pre>";
      die;
      ```
  24. Forget my last post. Found an issue. Use this code. Problem solved.

      ```php
      <?php
      error_reporting(-1);
      ini_set('display_errors', 1);

      if ($_POST) {
          // Collect one message per invalid field
          $error = array();
          if (empty($_POST['fname'])) {
              $error['fname'] = "<span class='error'>Please enter your first name.</span>";
          }
          if (empty($_POST['lname'])) {
              $error['lname'] = "<span class='error'>Please enter your last name.</span>";
          }
          if (!count($error)) {
              //Do something
              die("Do Something here");
          }
      }
      ?>
      <!doctype html>
      <html>
      <head>
      <meta charset="utf-8">
      <style type="text/css"> </style>
      <title>Untitled Document</title>
      </head>
      <body>
      <table id="contactForm" border cellspacing="20">
      <form method="post">
          <tr>
              <td class="question">First Name:<br />
                  <!-- Escape the submitted value before echoing it back into the attribute -->
                  <input type="text" name="fname" size="15" value="<?php echo !empty($_POST['fname']) ? htmlspecialchars($_POST['fname'], ENT_QUOTES, 'UTF-8') : '';?>">
                  <?php echo !empty($error['fname']) ? $error['fname'] : '';?>
              </td>
              <td class="question">Last Name<br />
                  <input type="text" name="lname" size="20"><?php echo !empty($error['lname']) ? $error['lname'] : '';?>
              </td>
              <td class="question">Organization's Name:<br />
                  <input type="text" name="orgName" size="15" maxlength="50">
              </td>
          </tr>
          <tr>
              <td class="question">Street Address: <br />
                  <input type="text" name="address" size="15" maxlength="50">
              </td>
              <td class="question">City: <br />
                  <input type="text" name="city" size="10" maxlength="25">
              </td>
              <td class="question"> State: <br />
                  <select name = "state" value="">
                      <option value ="Please choose a state"> Please choose a state </option>
                      <?php //states($state); ?>
                  </select>
              </td>
              <td class="question">Zipcode:<br />
                  <input type="number" name="zipcode" size="5" maxlength="5">
              </td>
          </tr>
          <tr>
              <td>Phone Number: <br />(including area code) <br />
                  <input type="text" name="phone" size="10" maxlength="10">
              </td>
              <td>Fax Number: <br />(including area code) <br />
                  <input type="text" name="fax" size="10" maxlength="10">
              </td>
          </tr>
          <tr>
              <td>Email:<br />
                  <input type="text" name="email" />
              </td>
              <td>Confirm Email:<br />
                  <input type="text" name="ConfirmEmail" />
              </td>
          </tr>
          <tr>
              <td>What would you like help with? </td>
              <td>
                  <table id="projectOptions">
                      <tr span=2>
                          <td><input type="checkbox" name="SocialMedia">Social Media </td>
                          <td><input type="checkbox" name="WebContentManagement">Web Content Management </td>
                      </tr>
                      <tr>
                          <td><input type="checkbox" name="MarketingMaterials">Marketing Material Creation </td>
                          <td><input type="checkbox" name="SEO">SEO (Search Engine Optimization) </td>
                      </tr>
                      <tr>
                          <td><input type="checkbox" name="VideoEditing"> Video Editing </td>
                          <td><input type="checkbox" name="WebDesign">Web Design </td>
                      </tr>
                  </table>
              </td>
          </tr>
          <tr>
              <td>Overview about the project: </td>
              <td><textarea></textarea></td>
          </tr>
          <tr>
              <td>If you are not a robot, what year is it? </td>
              <td><input type="text" name="year" size="4" maxlength="4"></td>
          </tr>
          <tr>
              <td><input type="submit" name="submit" value="Contact Me!"> </td>
              <td><input type="reset"></td>
          </tr>
      </form>
      </table>
      </body>
      </html>
      ```
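
The login query from post 3 in this list, run against the three payloads that post shows, next to a prepared-statement version that selects by username only and checks the password with `password_verify()`, the arrangement post 5 asks about. This is an added example, not code from the posts; it assumes the `pdo_sqlite` extension, uses a constructed in-memory SQLite table in place of the MySQL `users` table, and the function names are hypothetical.

```php
<?php
// Added example. Constructed in-memory SQLite table standing in for the
// MySQL `users` table from the post (assumes the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    user_id  INTEGER PRIMARY KEY,
    username TEXT UNIQUE,
    password TEXT
)');
$pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
    ->execute(['username', password_hash('password', PASSWORD_DEFAULT)]);

// Pattern from the post: both fields are pasted into the SQL text, so a
// quote in the input changes the structure of the WHERE clause.
function loginConcatenated(PDO $pdo, string $user, string $pass): bool
{
    $sql = "SELECT * FROM users WHERE username = '$user' AND password = '$pass'";
    return $pdo->query($sql)->fetch() !== false;
}

// Hardened form: the username travels as a bound parameter, and the password
// never reaches the database. Salted hashes cannot be matched in a WHERE
// clause, so the row is fetched by username and verified in PHP.
function loginPrepared(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// The three payloads listed in the post, plus the legitimate credentials.
$attempts = [
    ["anything' OR 'x'='x", "anything' OR 'x'='x"],
    ["' or '1'='1", "' or '1'='1"],
    ["'OR''='", "'OR''='"],
    ['username', 'password'],
];
foreach ($attempts as [$user, $pass]) {
    printf(
        "%-22s concatenated=%-5s prepared=%s\n",
        $user,
        var_export(loginConcatenated($pdo, $user, $pass), true),
        var_export(loginPrepared($pdo, $user, $pass), true)
    );
}
```

The concatenated check accepts all three payloads and rejects the real password, because it compares the typed password against the stored hash; the prepared check does the reverse.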