benanamen

Do not post duplicate posts for the same thing

If you want to post a row of your data with headers I will help you sort it out, but you still need to understand Normalization.

Why are you even selecting the users status from the database? You already know they are online, just update the status to offline. It appears you are doing something with the status that will require some explanation. It simply should just be status = 1 or status =0 Is the status column an actual timestamp column? And you should be using an actual number for a user id, not the username.

You can have millions of records in a table. You should first learn Database Normalization and you will have a better idea how to do your tables. The amount of records you have wont even tickle a database.

In a perfect world every server will have Php ver. >=7. Its really the only way we can stop these people.

No, PHP_SELF is vulnerable to SQL injection. You can use $_SERVER['SCRIPT_NAME']

Ok, I finally remembered why you needed to only WHERE the username. After digging through my ancient archives I found a script that will demonstrate. The issue was SQL Injection and being able to login without a username and password. Security problem right? Just put the provided Injection examples in the username and password fields and the Injection Attack will give you the username and password, or in an old real world example would have logged you in. /* Source Database : sqlinjection */ -- ---------------------------- -- Table structure for users -- ---------------------------- DROP TABLE IF EXISTS `users`; CREATE TABLE `users` ( `user_id` int(11) NOT NULL AUTO_INCREMENT, `username` varchar(255) DEFAULT NULL, `password` varchar(255) DEFAULT NULL, PRIMARY KEY (`user_id`) ) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8; -- ---------------------------- -- Records of users -- ---------------------------- INSERT INTO `users` VALUES ('1', 'username', 'password'); <!DOCTYPE html> <html> <head> <title></title> </head> <body> This works:<br> anything' OR 'x'='x<br> ' or '1'='1<br> 'OR''='<br> <form action="<? echo $_SERVER['PHP_SELF'];?>" method="POST"> Username:<input name="username" type="text"><br> Password:<input name="password" type="text"> <input type="submit" name="Submit" value="Submit"> </form> <?php if ($_POST) { $DBhost = "localhost"; $DBusername = "root"; $DBpassword = ""; $DBname = "sqlinjection"; $DBtable = "users"; $con = @mysql_connect($DBhost, $DBusername, $DBpassword); mysql_select_db("$DBname"); $sql = "SELECT * FROM users WHERE username = '{$_POST['username']}' AND password='{$_POST['password']}' "; $result = mysql_query($sql); $row = mysql_fetch_array($result); echo "<p>$sql</p>"; echo "{$row['username']} {$row['password']}"; } ?> </body> </html>

I could have sworn there was something else but I cant remember what it was. I have always just did WHERE username= only for the last umteen years. Once I learned the "right" way to do something there was no reason to remember why it was right after all these years. Now its bugging me not remembering. The only thing I remember was it was way back when it was commonplace to put plaintext passwords in the db before md5 passwords started catching on.

@Jacques1, Wanted your input on the username/password selection comparison. From old school Mysql days I had learned to only WHERE the username, not WHERE username= AND password= and then do the password check after just like you did here so you weren't throwing more user supplied data at the database or some security related issue. Dont remember the details as to why now. With PDO and prepared statements does it even matter which way you do it? What do you say about the two options?

If I understand your example it would be include('../includes/some-file.php'); for a file located here: /htdocs/ng/some-dir/ to include a file located here: /htdocts/ng/includes/some-file.php

There are PDO tutorials all over. Just google. One of the things I want to point out, you want to have good error checking in place so you know exactly what goes wrong and where. Had you had that in place this would have been handled much easier and faster. When you start getting down on PDO I will show you how to set up your error catching if you haven't learned it. It should be the base of any project you start and will keep you moving along in your development.

Okay... movin on. <?php $hostdb = 'localhost'; $dbname = 'phphelp_rackspot'; $username = 'root'; $password = ''; $table = 'company'; $pdo = new PDO("mysql:host=localhost;dbname=$dbname", $username, $password); $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $sql = "SELECT * FROM $table"; $stmt = $pdo->prepare($sql); $stmt->execute(); $result = $stmt->fetchAll(); ?> <form action="http://" method="post"> <select name="company" size="1"> <?php foreach ($result AS $row) : ?> <option value="<?= $row['compid'] ?>"><?= $row['comp_name'] ?></option> <?php endforeach; ?> </select> </form>

Ok, looka here young man, see what you did? $row2 = mysql_fetch_array($r2, MYSQLI_ASSOC); You do remember you are using Mysqli right? I think we should get you on PDO, it's just better. Not an opinion, it just is.

All you have to do is change extension on the sql dump to something like .txt

If only these schools would teach real world programming.

Cuing @Jacques1 in 3...2...1

Any reason your not using a database instead of a flatfile?

For starters because you can use hex2bin() to un-hex it. You might as well just be storing plain text, not to mention, it doesn't encrypt anything.

Lets make this easy, give me a sql dump of your DB and your current php code. Meanwhile, fill in the db connection info and put this page up for me. <?php $hostdb = ''; $dbname = ''; $username = ''; $password = ''; $table = 'company'; $pdo = new PDO("mysql:host=localhost;dbname=$dbname", $username, $password); $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $sql = "SELECT * FROM $table"; $stmt = $pdo->prepare($sql); $stmt->execute(); $result = $stmt->fetchAll(); echo '<pre>'; print_r($result); echo '</pre>'; ?>

LOL @maxxd Just making the previous statement a ALOT more specific. NEVER use Internet Explorer If I could uninstall it I would.

Your post made it seem like you only wanted the phone number part. Not to get rid of the whole string. Mobile number along with unique code I want to hide that code issue to hide the response code

Don't use Internet Explorer for development. It caches everything. You will never be sure if you are looking at the current page.

Can you post an sql dump of your DB? What database are you using? You posted to the Mysql help. I dont think you are using Mysql.

Post your code