Everything posted by objnoob

  1. objnoob

    New to PHP

    All the way up to 65,535 minus the bytes used to store the length (as Kicken mentioned) and byte requirements of any other columns.

    The effective maximum length of a VARCHAR in MySQL 5.0.3 and later is subject to the maximum row size (65,535 bytes, which is shared among all columns) and the character set used. See Section E.7.4, “Limits on Table Column Count and Row Size”.

        mysql> create table test1 ( col1 varchar(65535) );
        ERROR 1118 (42000): Row size too large. The maximum row size for the used table type, not counting BLOBs, is 65535. You have to change some columns to TEXT or BLOBs
        mysql> create table test2 ( col1 varchar(65532) );
        Query OK, 0 rows affected (0.01 sec)
        mysql> create table test3 ( col1 varchar(65530), tenbytefixed char(10));
        ERROR 1118 (42000): Row size too large. The maximum row size for the used table type, not counting BLOBs, is 65535. You have to change some columns to TEXT or BLOBs
  2. http://lmgtfy.com/?q=php+session_register+deprecated will magically fix your code.
  3. Cookies go in the headers.
  4. Doesn't mean the session is destroyed. You have sloppy logic in your code. You're storing a password in the session? Why? You're not even starting a session. You can't start one after you've sent output to the browser when using cookies.

         <!DOCTYPE html> <!-- IS OUTPUT BEFORE SESSION START -->
         <script src="/javascript/header.js"></script> <!-- IS OUTPUT BEFORE SESSION START -->
         <? session_start();
  5. You're not opening nor closing your if statements.

         if(isset($_POST['register'])){
             $username = strip_tags(trim(mysql_real_escape_string($_POST['username'])));
             $password = strip_tags(trim(mysql_real_escape_string($_POST['password'])));
             if(!$username || !$password){
                 echo "One of the fields are empty";
             }else{
                 # look for an existing row with this username
                 $find_multiple = " SELECT Username FROM register WHERE Username='$username' ";
                 $run_multiple = mysql_query($find_multiple) or die (mysql_error());
                 $num_multiple = mysql_num_rows($run_multiple);
                 if($num_multiple < 1){
                     $password = md5($password);
                     mysql_query("INSERT INTO register SET Username='$username', Password='$password' ") or die(mysql_error());
                     echo "You have successfully registered!";
                 }else{
                     echo "That username has already been used";
                 }
             } # endelse: empty password or username
         } # endif: registered
         ?>
  6. nope. source code needs to have proper syntax, otherwise it can not be understood by the system and will generate an error. while you're writing your code you should be making sure you escape the necessary characters to maintain valid syntax. you can also do a precision find/replace to help with existing source code. find/replace can end up backfiring on you if you're unfamiliar, so be careful not to mess everything up.
  7. You should be establishing session settings before starting the session. Also, how do you know the session is being destroyed?
  8. Never mind. You're using javascript. I'd expect that to execute when posting back to that page. I'm done here. Bye
  9. What you need to do is check whether or not the form was submitted first. Your issue may be that you're outputting a full-fledged document before anything else, and all other output after is not being presented on screen. That's why checking the source code is always helpful when debugging. The source code never hides anything.

         <?php
         if(isset($_POST['register'])){
             // if submitted, validate data and connect to database
         }else{
             // if not, show the registration form
         }
  10. the action of the form is going to login.php, your registration form + registration processing is happening some other place.

          <form method='post' action='login.php'>

      would probably work if you just omitted the action... which will typically submit the form back to the same URI

          <form method='post' action=''>

      or....

          <form method='post' action='registration.php'>
  11. Sorry, never mind me. I'm dumber than dumb! Or, is it I'm dumb then dumber? Wait ...
  12. And when it comes to passwords, before you hash it and bounce it off of the database server.... check the length

          # $x and $y: your minimum and maximum password length
          if(($len=strlen($pass)) >= $x && $len <= $y){
              // meets the length requirement, hash this password and use to look if password is right!
              // security flaws in MD5 allow two unique values to hash into a single conflicting value.
              // checking the length of the password would limit the size of the data you're hashing and lessen the chance of a conflict.
          }else{
              echo 'Always echo generic login error: Sorry your username and/or password are wrong!';
          }
  13. Too late to edit my quote of you .josh, So here it is: throw out ABC, yes it's too simple, but now you're forced to check for ABC1, ABC2, ABC3, .... 3ABC, 1ABC, etc, etc. This adds more unique possible combinations and eliminates common passwords such as fido. Make those cracker jackers work harder for what they want. Anyhow, if you don't require a digit, most users won't use 1, most will be cracked by the crackers' common password list in minutes, and ABC would be bruted in no time (if not on common list). I will say some websites go overboard on password requirements. Ask yourself how top secret your application is, and design your password requirements around that.
  14. duplicate post
  15. I also want you to understand that your rows_num method is pointless.

      1. you can count the rows of data your query returns.
      2. in the event you only ever needed the row count, and not any of the data a little further in the code, use query method too.

          SELECT count(*) FROM tblPageHits;

      again, if you only need the count of rows in the database, ask the database to give you just the count. if you need the data but also need or want to check the count, ask the database for the data and count it yourself.
  16. Doing...

          $rowsNum = self::$dbConnection->rows_num("SELECT * FROM `users` WHERE `username`='$username' AND `password`='$pass'");

      to check row count before doing...

          $f = self::$dbConnection->query("SELECT * FROM `users` WHERE `username`='$username' AND `password`='$pass'");

      is silly. you're doing the same thing twice making your hardware work that much harder. you're using resources where you don't have to. you can do this...

          $f = self::$dbConnection->query("SELECT * FROM `users` WHERE `username`='$username' AND `password`='$pass'"); # get user info for the user's log in attempt.
          if (($cnt = count($f)) === 0)
              echo 'username or password is wrong';
          elseif ($cnt === 1)
              echo 'hi, we are now signing you in more efficiently! bonus!';
          else
              throw new Exception('serious design flaw in your database');
  17. Doing...

          $rowsNum = self::$dbConnection->rows_num("SELECT * FROM `users` WHERE `username`='$username' AND `password`='$pass'");

      to check rows before doing...

          $f = self::$dbConnection->query("SELECT * FROM `users` WHERE `username`='$username' AND `password`='$pass'");

      is silly. you're doing the same thing twice making your hardware work that much harder. you're using resources where you don't have to. you can do this...

          $f = self::$dbConnection->query("SELECT * FROM `users` WHERE `username`='$username' AND `password`='$pass'"); # get user info for the user's log in attempt.
          if (($cnt = count($f)) === 0)
              echo 'username or password is wrong';
          elseif ($cnt === 1)
              echo 'hi, we are now signing you in more efficiently! bonus!';
          else
              throw new Exception('serious design flaw in your database');
  18. Not quite. If you allow weak passwords, you increase the chance the passwords can be cracked that much faster. The reason you enforce minimums in passwords is to increase the uniqueness of passwords. This really does make it harder to guess / crack. The only problem with unnatural passwords is users are more likely to write them down because boBbYjojO1!woahwoah is ridiculous to remember right away :] Add password aging into the mix and now you're just promoting users to write down their passwords.
  19. Here's a hint.... When you log a user in you SELECT the user id and store it in your session. If you don't have an id (user id) column in your user table, add one. It should be a primary key and auto incrementing.

          SELECT user.id FROM tblUser user WHERE username = 'THE_USER_NAME' and password = 'PASSWORD_HASH';

      If that returns a row with the user.id in it, then you have a successful login... then you plop that user.id value in the session

          $_SESSION['authUserID'] = (int)$row['id'];

      Then when you do other queries you can do them by the user id.

          UPDATE `users` SET `cur_ip`='$ip', `last_login`='$date' WHERE users.id = $_SESSION['authUserID'];
  20. In your UPDATE statement the WHERE clause is missing an AND
  21. ooops change Thanks Use %a , I mean use $objDuration->days; lol
  22. Whatever the function needs to do its functioning should be passed into the function as arguments.

          function doThis(mysqli $db, $datetime, $url){
              // NOTHING FROM GLOBAL
              return $db->query('SELECT \' ' . $db->real_escape_string($datetime) .'\'' );
          }

          $thisDid = doThis($conn, $stamp, $url); # we pass everything the function needs to do whatever. this makes doing whatever really reusable.
  23. well, then it's not help you're looking for. go hire someone.
  24. mod_rewrite to rewrite all requests to index.php with a rt parameter. the rt parameter would be anything after mysite.com mysite.com/thepage/this would get rewritten into mysite.com/index.php?rt=/thepage/this then you program something called a router to make sense of /thepage/this found in $_GET['rt'] and do whatever.
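
A sketch of the router described in the last post, as an added example that is not part of the original post or of any project it refers to. The route names, the handler closures and the rewrite rule in the comment are assumptions; the point shown is that `$_GET['rt']` is validated and looked up in a fixed table rather than turned into a file path.

```php
<?php
// Assumed .htaccess for this sketch (not from the post):
//   RewriteCond %{REQUEST_FILENAME} !-f
//   RewriteRule ^(.*)$ index.php?rt=/$1 [L,QSA]

// Split rt into path segments; return null unless every segment is
// plain [A-Za-z0-9_-], which rejects "..", dots, NUL bytes and the like.
function parseRoute($rt): ?array
{
    if (!is_string($rt) || strlen($rt) > 200) {
        return null;                     // rt[]=x arrives as an array
    }
    $segments = [];
    foreach (explode('/', trim($rt, '/')) as $seg) {
        if ($seg === '') {
            continue;                    // "/" or doubled slashes
        }
        if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $seg)) {
            return null;
        }
        $segments[] = $seg;
    }
    return $segments;
}

// Map the first segment to a handler from a fixed table. The request
// never chooses a file name, so it cannot steer an include().
function dispatch($rt, array $routes): string
{
    $segments = parseRoute($rt);
    if ($segments === null) {
        http_response_code(400);
        return 'Bad request';
    }
    $page = $segments[0] ?? 'home';
    if (!isset($routes[$page])) {
        http_response_code(404);
        return 'Not found';
    }
    return $routes[$page](array_slice($segments, 1));
}

// Hypothetical routes: /thepage/this calls 'thepage' with ['this'].
$routes = [
    'home'    => function (array $args): string { return 'Home page'; },
    'thepage' => function (array $args): string {
        return 'thepage, action: ' . htmlspecialchars($args[0] ?? 'index', ENT_QUOTES, 'UTF-8');
    },
];

echo dispatch($_GET['rt'] ?? '/', $routes);
```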