
cluce

Members
Posts: 354
Last visited: Never

Posts posted by cluce

  1. Here are some example snippets from my site that may help you.

     This stores the date/time in the database:

        $sql2 = "UPDATE employees SET last_login=NOW() WHERE username = '$checkuser' LIMIT 1";

     This selects the date/time from the table for display on a web page in standard time:

        $last_login = ("SELECT DATE_FORMAT(last_login, '%b %e %Y at %r') AS last_login FROM employees WHERE username = '$checkuser' LIMIT 1");

     

  2. Great. Keep in mind that you will not always need to strip_tags, but you should use a conditional statement to check to see if globals are activated or not. Also, mysqli_real_escape_string is a return function, so it should be:

     By globals, do you mean checking for session variables to validate a user on every page view?

     And the return function would be this... I don't know how to use it, or where to put it?

        function real_escape($string) {
            return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string);
        }

  3. That's what I thought. I think I got it now. This is what I did; this goes before all my SQL statements. Thanks for the feedback.

     

    //trims and strips tags and escapes fields

    $checkuser = trim(strip_tags($_POST['username']));

    $checkpassword = trim(strip_tags($_POST['password']));

    mysqli_real_escape_string($mysqli,$checkuser);

    mysqli_real_escape_string($mysqli,$checkpassword);

     

  4. I'm just using procedural; OOP I don't fully understand yet. I got it to work like this...

    //connect to server and select database
    $mysqli = mysqli_connect("localhost", "root", "", "test");
    
    //trims and strips tags
    $checkuser = trim(strip_tags($_POST['username']));
    $checkpassword = trim(strip_tags($_POST['password']));
    
    //create and issue the query
    $sql = "SELECT username, f_name, l_name FROM employees WHERE username = '$checkuser' AND password = '$checkpassword' LIMIT 1";
    mysqli_real_escape_string($mysqli, $sql);
    $result = mysqli_query($mysqli, $sql);
    

     

     Will this tolerate an SQL injection?
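To answer the question concretely, here is an added example (not the poster's code) that shows what the page's input filtering actually leaves in the query, and what the escape call does when its return value is used the way the function requires. The payload is constructed for illustration; the connection string is the one used on the page. Note that escaping the assembled `$sql` and discarding the result, as in the post above, leaves `$sql` exactly as it was.

```php
<?php
// Added example, not the poster's code. Shows the query text that reaches MySQL
// with the page's filtering, versus escaping each value before interpolation.

// Same filtering the page applies: strip_tags() and trim() remove markup and
// surrounding whitespace but leave quotes and SQL comment markers untouched.
function build_query_unescaped(string $user, string $pass): string
{
    $user = trim(strip_tags($user));
    $pass = trim(strip_tags($pass));
    return "SELECT username, f_name, l_name FROM employees "
         . "WHERE username = '$user' AND password = '$pass' LIMIT 1";
}

// Corrected use of the escape function: it returns the escaped copy, so the
// result must be assigned, and it must be applied to each value before the
// value is interpolated, never to the finished query string.
function build_query_escaped(mysqli $db, string $user, string $pass): string
{
    $user = mysqli_real_escape_string($db, trim(strip_tags($user)));
    $pass = mysqli_real_escape_string($db, trim(strip_tags($pass)));
    return "SELECT username, f_name, l_name FROM employees "
         . "WHERE username = '$user' AND password = '$pass' LIMIT 1";
}

// Constructed payload: closes the username literal and comments out the rest.
// '#' is used rather than '--' because trim() would remove the space that a
// '-- ' comment requires.
$payload = "admin' #";

echo build_query_unescaped($payload, "whatever"), "\n";
// ... WHERE username = 'admin' #' AND password = 'whatever' LIMIT 1
// MySQL treats everything after # as a comment, so the password check is gone
// and the query matches the row for "admin".

$mysqli = mysqli_connect("localhost", "root", "", "test"); // page's connection
if ($mysqli === false) {
    die("Database connection failed: " . mysqli_connect_error());
}
echo build_query_escaped($mysqli, $payload, "whatever"), "\n";
// ... WHERE username = 'admin\' #' AND password = 'whatever' LIMIT 1
// The quote is now data: the username compared is literally  admin' #  and
// the password clause is still part of the WHERE.
mysqli_close($mysqli);
```

mysqli_real_escape_string needs a live connection because the escaping depends on the connection's character set. Escaping each value this way is the minimum that makes the interpolated query safe; prepared statements, which send the values separately from the SQL text, remove the quoting problem altogether.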

  5. Published websites do not remove all of their error checking(!); they just make sure it's clean and either isolated from the user or understandable to the user.

     I know. Since I am new to this it was easier for me to take all the errors out. I don't know how to customize my error checking yet.

     I just realized you're using MySQLi, so you'll need to use the MySQLi version of real_escape_string:

     http://us2.php.net/manual/en/function.mysqli-real-escape-string.php

     You're kidding. I should have seen that; I will try it.

  6. Well, I took out the error checking because this website is going to be published soon. I know it works because I am able to log in, view the other pages, and post topics to the message board I created. I even added the error check back into my code and it passes right through. I was told I need to watch out for double escaping, whatever that may be, or whether I am doing that.

  7. That's what I hear too, but I am getting all kinds of errors with that function... maybe you can help me with that?

    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\wamp\www\userlogin_e.php on line 10

     

    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\wamp\www\userlogin_e.php on line 10

     

    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\wamp\www\userlogin_e.php on line 11

     

    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\wamp\www\userlogin_e.php on line 11

     

    Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\userlogin_e.php:10) in C:\wamp\www\userlogin_e.php on line 94

     

     Here is my code...

    <?php
    //initialize the session
    session_start();
    
    //connect to server and select database
    $mysqli = mysqli_connect("localhost", "root", "", "test");
    
    
    //trims and strips tags
    $checkuser = mysql_real_escape_string(trim(strip_tags($_POST['username'])));
    $checkpassword = mysql_real_escape_string(trim(strip_tags($_POST['password'])));
    
    //create and issue the query
    $sql = "SELECT username, f_name, l_name FROM employees WHERE username = '$checkuser' AND password = '$checkpassword' LIMIT 1";
    $result = mysqli_query($mysqli, $sql);
    
    //gets number of unsuccessful logins
    $sql1 = ("SELECT failed_logins FROM employees WHERE username = '$checkuser' LIMIT 1");
    $result1 = mysqli_query($mysqli, $sql1);
    $resultarr = mysqli_fetch_assoc($result1);
    $attempts = $resultarr["failed_logins"];
    
    //disables user if failed logins >= 3 
    if ($attempts >= 3){
    
    //records unsuccessful logins
    $sql1 = "UPDATE employees SET failed_logins = failed_logins + 1 WHERE username = '$checkuser' LIMIT 1"; 
        mysqli_query($mysqli,$sql1);
    
    $_SESSION['disabled'] = "<font color='red'>Your account has been disabled.<br>Please contact the MIS department.</font>";
    header("Location: employee_resource.php");
    
    //close connection to MySQL
    mysqli_close($mysqli);
    exit();
    } else {
    
    //get the number of rows in the result set; should be 1 if a match
    if (mysqli_num_rows($result) == 1) {
    
    //if authorized, get the values of f_name l_name
    while ($info = mysqli_fetch_array($result)) {
    	$f_name = stripslashes($info['f_name']);
    	$l_name = stripslashes($info['l_name']);
    }
    //set authorization cookie
    setcookie("auth", "1", 0, "/", "r.com", 0);
    $_SESSION['usersname'] = $f_name . " " . $l_name;
    
    //get last successful login
    $last_login = ("SELECT DATE_FORMAT(last_login,  '%b %e %Y at %r') aS last_login FROM employees WHERE username = '$checkuser' LIMIT 1");
    $result = mysqli_query($mysqli, $last_login);
    $result_login = mysqli_fetch_assoc($result);
    $_SESSION['login'] = $result_login["last_login"];
    
    //record last login
        $sql2 = "UPDATE employees SET last_login=NOW() WHERE username = '$checkuser' LIMIT 1";   
        mysqli_query($mysqli,$sql2);
    
    //clears failed logins
    $sql3 = "UPDATE employees SET failed_logins = 0 WHERE username = '$checkuser' LIMIT 1";
    mysqli_query($mysqli, $sql3);
    
    //sets session to authenticate
    $_SESSION['loggedin_e'] = "yes";
      
    //sets session to identify
    $_SESSION['identity'] = $checkuser;
    
    //close connection to MySQL
    mysqli_close($mysqli);
    
    //sets login timer
    $current_time = time(); // get the current time
        $_SESSION['loginTime']=$current_time; // login time
        $_SESSION['lastActivity']=$current_time; // last activity
    
    //directs authorized user
    header("Location: resource.php");
    exit(); 
    } else {
    
    //records unsuccessful logins
    $sql4 = "UPDATE employees SET failed_logins = failed_logins + 1 WHERE username = '$checkuser' LIMIT 1"; 
        mysqli_query($mysqli,$sql4);
    
    //stores a session error message
    $_SESSION['error'] =  "<font color='red'>Invalid username and/or password combination<br>Please remember that your password is case sensitive.</font>"; 
    	  
      	//close connection to MySQL
    mysqli_close($mysqli);
    
    //redirect back to login form if not authorized
    header("Location: employee_resource.php");
    exit;
    }
    }
    ?>
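The warnings above come from calling the mysql_ escape function on a connection that was opened with mysqli; the two extension families do not share connections. The following is an added example, not the poster's code: the same login flow (three-strike lockout, last_login recording in the format used in the snippets above, session setup) rebuilt on mysqli prepared statements, so no value is ever spliced into SQL text. Assumptions: procedural mysqli with mysqlnd (for mysqli_stmt_get_result), the employees table with the columns the page's queries reference, and that the `password` column holds a password_hash() value rather than the plaintext the original query compares against.

```php
<?php
// Added example, not the poster's code: login with prepared statements.
// Assumes mysqli + mysqlnd and the page's employees table; the password
// column is assumed to hold password_hash() output.
session_start();

$mysqli = mysqli_connect("localhost", "root", "", "test");
if ($mysqli === false) {
    die("Database connection failed: " . mysqli_connect_error());
}

// Trim only. Quoting is the driver's job, and strip_tags() would silently
// alter passwords that contain '<'.
$checkuser     = trim($_POST['username'] ?? '');
$checkpassword = trim($_POST['password'] ?? '');

// One lookup returns everything the flow needs, including the previous
// last_login already formatted for display.
function fetch_employee(mysqli $db, string $username): ?array
{
    $stmt = mysqli_prepare($db,
        "SELECT username, password, f_name, l_name, failed_logins,
                DATE_FORMAT(last_login, '%b %e %Y at %r') AS last_login
         FROM employees WHERE username = ? LIMIT 1");
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    $res = mysqli_stmt_get_result($stmt);
    $row = $res ? mysqli_fetch_assoc($res) : null;
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

function record_failure(mysqli $db, string $username): void
{
    $stmt = mysqli_prepare($db,
        "UPDATE employees SET failed_logins = failed_logins + 1 WHERE username = ? LIMIT 1");
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}

function record_success(mysqli $db, string $username): void
{
    // NOW() is evaluated by the server; only the username is a parameter.
    $stmt = mysqli_prepare($db,
        "UPDATE employees SET last_login = NOW(), failed_logins = 0 WHERE username = ? LIMIT 1");
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}

function fail_and_redirect(mysqli $db, string $key, string $message, string $to): void
{
    $_SESSION[$key] = $message;
    mysqli_close($db);
    header("Location: $to");
    exit;
}

$employee = fetch_employee($mysqli, $checkuser);

// Unknown user and wrong password produce the same message, so the response
// does not reveal which usernames exist.
if ($employee === null) {
    fail_and_redirect($mysqli, 'error',
        "Invalid username and/or password combination", "employee_resource.php");
}

if ((int) $employee['failed_logins'] >= 3) {
    record_failure($mysqli, $checkuser);
    fail_and_redirect($mysqli, 'disabled',
        "Your account has been disabled. Please contact the MIS department.",
        "employee_resource.php");
}

if (!password_verify($checkpassword, $employee['password'])) {
    record_failure($mysqli, $checkuser);
    fail_and_redirect($mysqli, 'error',
        "Invalid username and/or password combination", "employee_resource.php");
}

// Successful login: new session id, then the same session keys the page uses.
session_regenerate_id(true);
$_SESSION['usersname']    = $employee['f_name'] . " " . $employee['l_name'];
$_SESSION['login']        = $employee['last_login']; // previous login, for display
$_SESSION['loggedin_e']   = "yes";
$_SESSION['identity']     = $employee['username'];
$_SESSION['loginTime']    = time();
$_SESSION['lastActivity'] = $_SESSION['loginTime'];

record_success($mysqli, $checkuser);
mysqli_close($mysqli);
header("Location: resource.php");
exit;
```

Two deliberate differences from the original: the `auth=1` cookie is not set, because any client can set that cookie itself and the session already carries the logged-in state; and the session id is regenerated on success so a session id issued before authentication cannot be reused afterwards. The error strings are stored as plain text and should be escaped with htmlspecialchars() where they are printed.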

  8. I am thinking of doing a stored procedure in MySQL... CREATE PROCEDURE login() SELECT username, f_name, l_name FROM employees WHERE username = '$checkuser' AND password = '$checkpassword' LIMIT 1//

     and call it in my PHP page...

        //trims and strips tags
        $checkuser = trim(strip_tags($_POST['username']));
        $checkpassword = trim(strip_tags($_POST['password']));
        CALL login()//

     Can anybody tell me if this will work? If not, any recommendations?
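As written, the procedure body cannot see PHP's `$checkuser`: whatever is inside the CREATE PROCEDURE string is sent to MySQL as-is, so the comparison would be against the literal text (or against one fixed value if PHP interpolated it when the procedure was created), and `CALL login()//` is not PHP at all. The following added example, not the poster's code, shows the procedure taking its inputs as IN parameters and the PHP side calling it with bound values. It assumes the page's employees table and connection; the `VARCHAR(64)`/`VARCHAR(255)` parameter sizes are assumptions.

```php
<?php
// Added example, not the poster's code: a parameterised login procedure and
// the mysqli call that binds its arguments. Assumes mysqli + mysqlnd.
$mysqli = mysqli_connect("localhost", "root", "", "test");
if ($mysqli === false) {
    die("Database connection failed: " . mysqli_connect_error());
}

// The procedure compares against its own parameters, not PHP variables.
// Parameter sizes are assumptions; match them to the table's column types.
$create = "
CREATE PROCEDURE login(IN p_username VARCHAR(64), IN p_password VARCHAR(255))
BEGIN
    SELECT username, f_name, l_name
    FROM employees
    WHERE username = p_username AND password = p_password
    LIMIT 1;
END";

// 'DELIMITER //' is a directive of the mysql command-line client, not SQL;
// mysqli_query takes the bare statement with no trailing delimiter.
mysqli_query($mysqli, "DROP PROCEDURE IF EXISTS login");
if (!mysqli_query($mysqli, $create)) {
    die("CREATE PROCEDURE failed: " . mysqli_error($mysqli));
}

// Calling it: the arguments are bound, never spliced into the CALL text.
function call_login(mysqli $db, string $user, string $pass): ?array
{
    $stmt = mysqli_prepare($db, "CALL login(?, ?)");
    mysqli_stmt_bind_param($stmt, "ss", $user, $pass);
    mysqli_stmt_execute($stmt);
    $res = mysqli_stmt_get_result($stmt);
    $row = $res ? mysqli_fetch_assoc($res) : null;
    // A CALL yields an extra status result after the SELECT; drain it so the
    // connection is not left "out of sync" for the next query.
    while (mysqli_stmt_more_results($stmt)) {
        mysqli_stmt_next_result($stmt);
    }
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

$checkuser     = trim($_POST['username'] ?? '');
$checkpassword = trim($_POST['password'] ?? '');

$employee = call_login($mysqli, $checkuser, $checkpassword);
if ($employee === null) {
    echo "no match\n";
} else {
    echo "matched " . htmlspecialchars($employee['username']) . "\n";
}
mysqli_close($mysqli);
```

The procedure does not make the lookup safer by itself; it is the `?` placeholders in the CALL that keep a username such as `admin' #` out of the SQL text. A procedure that built its query with CONCAT and PREPARE from those parameters would be injectable again.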

  9. Really? So I guess this will work then. I just wasn't sure because some examples I was looking at were more complex in using this function.

     

    //trims and strips tags

    $checkuser = mysql_real_escape_string(trim(strip_tags($_POST['username'])));

    $checkpassword = mysql_real_escape_string(trim(strip_tags($_POST['password'])));

  10. After reading this other topic on a secure login I am questioning my security. I never knew about the mysql_real_escape_string() function or used it before. Can someone tell me how I can add that function to my login page code?

    <?php
    //initialize the session
    session_start();
    
    //connect to server and select database
    $mysqli = mysqli_connect("localhost", "root", "", "test");
    
    //trims and strips tags
    $checkuser = trim(strip_tags($_POST['username']));
    $checkpassword = trim(strip_tags($_POST['password']));
    
    //create and issue the query
    $sql = "SELECT username, f_name, l_name FROM employees WHERE username = '$checkuser' AND password = '$checkpassword' LIMIT 1";
    $result = mysqli_query($mysqli, $sql);
    
    //gets number of unsuccessful logins
    $sql1 = ("SELECT failed_logins FROM employees WHERE username = '$checkuser' LIMIT 1");
    $result1 = mysqli_query($mysqli, $sql1);
    $resultarr = mysqli_fetch_assoc($result1);
    $attempts = $resultarr["failed_logins"];
    
    //disables user if failed logins >= 3 
    if ($attempts >= 3){
    
    //records unsuccessful logins
    $sql1 = "UPDATE employees SET failed_logins = failed_logins + 1 WHERE username = '$checkuser' LIMIT 1"; 
        mysqli_query($mysqli,$sql1);
    
    $_SESSION['disabled'] = "<font color='red'>Your account has been disabled.<br>Please contact the MIS department.</font>";
    header("Location: employee_resource.php");
    
    //close connection to MySQL
    mysqli_close($mysqli);
    exit();
    } else {
    
    //get the number of rows in the result set; should be 1 if a match
    if (mysqli_num_rows($result) == 1) {
    
    //if authorized, get the values of f_name l_name
    while ($info = mysqli_fetch_array($result)) {
    	$f_name = stripslashes($info['f_name']);
    	$l_name = stripslashes($info['l_name']);
    }
    //set authorization cookie
    setcookie("auth", "1", 0, "/", "dom.com", 0);
    $_SESSION['usersname'] = $f_name . " " . $l_name;
    
    //get last successful login
    $last_login = ("SELECT DATE_FORMAT(last_login,  '%b %e %Y at %r') aS last_login FROM employees WHERE username = '$checkuser' LIMIT 1");
    $result = mysqli_query($mysqli, $last_login);
    $result_login = mysqli_fetch_assoc($result);
    $_SESSION['login'] = $result_login["last_login"];
    
    //record last login
        $sql2 = "UPDATE employees SET last_login=NOW() WHERE username = '$checkuser' LIMIT 1";   
        mysqli_query($mysqli,$sql2);
    
    //clears failed logins
    $sql3 = "UPDATE employees SET failed_logins = 0 WHERE username = '$checkuser' LIMIT 1";
    mysqli_query($mysqli, $sql3);
    
    //sets session to authenticate
    $_SESSION['loggedin_e'] = "yes";
      
    //sets session to identify
    $_SESSION['identity'] = $checkuser;
    
    //close connection to MySQL
    mysqli_close($mysqli);
    
    //sets login timer
    $current_time = time(); // get the current time
        $_SESSION['loginTime']=$current_time; // login time
        $_SESSION['lastActivity']=$current_time; // last activity
    
    //directs authorized user
    header("Location: resource.php");
    exit(); 
    } else {
    
    //records unsuccessful logins
    $sql4 = "UPDATE employees SET failed_logins = failed_logins + 1 WHERE username = '$checkuser' LIMIT 1"; 
        mysqli_query($mysqli,$sql4);
    
    //stores a session error message
    $_SESSION['error'] =  "<font color='red'>Invalid username and/or password combination<br>Please remember that your password is case sensitive.</font>"; 
    	  
      	//close connection to MySQL
    mysqli_close($mysqli);
    
    //redirect back to login form if not authorized
    header("Location: employee_resource.php");
    exit;
    }
    }
    ?>

     

     

  11. I do agree DW does add a bunch of BS in the code. That's why I hand-code most of my code. I just use DW for the design aspects of my web site. I don't write code for the layout and design part of my web pages, only the dynamic sections of it. I never used it, but Zenstudio does look like a winner.

  12. I use Dreamweaver as an HTML editor and PHP editor and I don't have any problems with it. I have downloaded a PHP editor and it looks like it could be useful, but since I designed the website with Dreamweaver, I just do everything with DW. I have no major issues with it except I wish it had more IntelliSense for PHP code/syntax. I guess I am not a serious PHP programmer. :D I guess they do have something better than Dreamweaver for PHP editing, but it's not all that bad. For designing simple web pages and as an HTML editor I would recommend DW.

  13. The code I found does not work. I am trying to log out the user after five minutes of idle time. Here is what I have.

     I am including this on all pages...

    <?php
    // Idle-timeout check, included on every page that requires a login.
    // The session must be open before $_SESSION is read; the original never
    // called session_start() here.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }

    $timeout_min = 5; // 5 minutes of inactivity
    $timeout_length = $timeout_min * 60;
    $current_time = time(); // get the current time

    // A missing timestamp (never logged in) is treated the same as an expired one
    if (!isset($_SESSION['lastActivity']) || $current_time - $_SESSION['lastActivity'] > $timeout_length) {
        // Wipe the session data and delete it on the server
        $_SESSION = array();
        session_destroy();

        // The original set $_SESSION['logout'] after session_destroy(), so the
        // message was never saved. Start a fresh session with a new id and set
        // the message there so it survives the redirect.
        session_start();
        session_regenerate_id(true);
        $_SESSION['logout'] = "You have been logged out";
        header("Location: employee_resource.php");
        exit;
    } else {
        $_SESSION['lastActivity'] = $current_time;
    }
    ?>

     and this code is on my login page to set the sessions...

    	//sets login timer
    $current_time = time(); // get the current time
        $_SESSION['loginTime']=$current_time; // login time
        $_SESSION['lastActivity']=$current_time; // last activity
    
    

     Your help is always appreciated ;D
