Jump to content

Recommended Posts

I have most everything working on this script except one thing.

 

What I want to do is store that user's name and time they logged-in in a separate database table, so I can see who and when they logged in. The script I have thus far does everything perfectly fine up to the point where it tries to log the user's name in the database... which it doesn't. All I get is the auto generated time stamp, the "user_name" field is left blank in the database table.

 

The code is below, what am I doing wrong? And this is for a non-secure project, so security isn't an issue.

 

<?php 
$user_nameFromForm =$_POST['user_name']; 
$passwordFromForm =$_POST['password'];
ini_set("display_errors","on"); 
error_reporting(E_ALL | E_STRICT); 
ini_set("include_path","./includes");
include("reginfo.inc");
if(isset($_POST['submitted']) and $_POST['submitted'] == "yes") 
{ 
  foreach($_POST as $field => $value)         
  { 
    if(empty($value)) 
    { 
         $blank_array[] = $field; 
      } 
    { 
      $good_data[$field] = strip_tags(trim($value)); 
    } 
  }
  if(@sizeof($blank_array) > 0) 
  {
  /*Display error message if information is not entered*/ 
    $message = "<p style='color: red; margin-bottom: 0; 
                 font-weight: bold'> 
                 You didn't fill in one or more required fields. 
                 You must enter: 
                 <ul style='color: red; margin-top: 0; 
                 list-style: none' >";
    foreach($blank_array as $value) 
    { 
       $message .= "<li>$value</li>"; 
    } 
    $message .= "</ul>"; 
    echo $message; 
    extract($good_data); 
    include("logininfo.inc"); 
    exit();    
  } 
  foreach($_POST as $field => $value) 
{ 
  if(!empty($value)) 
  { 
    $user_patt = "/^[A-Za-z0-9_]{5,20}$/";
$pass_patt = "/(?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a-zA-Z0-9]{4,8})$/";
if(preg_match("/user/i",$field)) 
    { 
      if(!preg_match($user_patt,$value)) 
      { 
        $error_array[] = "$value is not a valid name"; 
      } //end of username check
}
if(!preg_match("/pass/i",$field)) 
    { 
      if(preg_match($pass_patt,$value)) 
      { 
        $error_array[] = "Please enter a password that is between 4 to 8 characters and contains at least an letter and number"; 
      } //end of password check
}
  } 
  $clean_data[$field] = strip_tags(trim($value)); 
} 
if(@sizeof($error_array) > 0) 
{ 
  $message = "<ul style='color: red; list-style: none' >"; 
  foreach($error_array as $value) 
  { 
    $message .= "<li>$value</li>"; 
  } 
  $message .= "</ul>"; 
  echo $message; 
  extract($clean_data); 
  include("logininfo.inc"); 
  exit(); 
} 
else 
{ 
$cxn = mysqli_connect($host,$user,$passwd,$dbname) /* This is where it starts to check to see if the user's name and password are in the database */
             or die("Couldn't connect to server"); 
foreach($clean_data as $field => $value) 
{ 
  $clean_data[$field] = mysqli_real_escape_string($cxn,$value); 
} 
$query = "SELECT * from Registration 
                   WHERE user_name='$user_nameFromForm' 
                   AND password = '$passwordFromForm'"; 
$result = mysqli_query($cxn,$query) or die("Can't Execute query"); 
$nrows = mysqli_num_rows($result); 
if($nrows > 0) /* If user name and password match in the database, log user's name into specified table */
{ 
$cxn = mysqli_connect($host,$user,$passwd,$dbname) 
             or die("Couldn't connect to server"); 
foreach($clean_data as $field => $value) 
{ 
  $clean_data[$field] = mysqli_real_escape_string($cxn,$value); 
} /* Area where the problem apparently happens since it isn't posting the user's name into the table */
$sql = "INSERT INTO Login (user_name)
VALUE ('$clean_data[user_name]')";
$result = mysqli_query($cxn,$sql) 
            or die("Couldn't execute query"); 
include("loginsucess.inc");  
} 
else 
{ 
  include("loginunsucessful.inc"); 
}
} 
} 
else 
{ 
  include("logininfo.inc"); 
} 
?>

One thing I see that can be wrong is the following:

{ 
      $good_data[$field] = strip_tags(trim($value)); 
    } 

why do you use {}? if it isn't needed

 

And like you can see in your own code their are some braces with a blue color, it means that it stands alone,!

Also theres an SQL injection point on the login part but at a guess

WHERE user_name='$user_nameFromForm' 

$user_nameFromForm is unfiltered,

but i would guess that the problem is with the

$_POST['user_name']

is that being set ? you may wish to check that, this

$sql = "INSERT INTO Login (user_name)
VALUE ('$clean_data[user_name]')";

should be

$sql = "INSERT INTO Login (user_name)
VALUE ('{$clean_data['user_name']'})";

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.