
Checking and logging user name in database tables...


fr00tloops


I have most everything working on this script except one thing.

 

What I want to do is store that user's name and the time they logged in in a separate database table, so I can see who logged in and when. The script I have thus far does everything perfectly fine up to the point where it tries to log the user's name in the database... which it doesn't. All I get is the auto-generated time stamp; the "user_name" field is left blank in the database table.

 

The code is below, what am I doing wrong? And this is for a non-secure project, so security isn't an issue.

 

<?php 
$user_nameFromForm =$_POST['user_name']; 
$passwordFromForm =$_POST['password'];
ini_set("display_errors","on"); 
error_reporting(E_ALL | E_STRICT); 
ini_set("include_path","./includes");
include("reginfo.inc");
if(isset($_POST['submitted']) and $_POST['submitted'] == "yes") 
{ 
  foreach($_POST as $field => $value)         
  { 
    if(empty($value)) 
    { 
         $blank_array[] = $field; 
      } 
    { 
      $good_data[$field] = strip_tags(trim($value)); 
    } 
  }
  if(@sizeof($blank_array) > 0) 
  {
  /*Display error message if information is not entered*/ 
    $message = "<p style='color: red; margin-bottom: 0; 
                 font-weight: bold'> 
                 You didn't fill in one or more required fields. 
                 You must enter: 
                 <ul style='color: red; margin-top: 0; 
                 list-style: none' >";
    foreach($blank_array as $value) 
    { 
       $message .= "<li>$value</li>"; 
    } 
    $message .= "</ul>"; 
    echo $message; 
    extract($good_data); 
    include("logininfo.inc"); 
    exit();    
  } 
  foreach($_POST as $field => $value) 
{ 
  if(!empty($value)) 
  { 
    $user_patt = "/^[A-Za-z0-9_]{5,20}$/";
$pass_patt = "/(?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a-zA-Z0-9]{4,8})$/";
if(preg_match("/user/i",$field)) 
    { 
      if(!preg_match($user_patt,$value)) 
      { 
        $error_array[] = "$value is not a valid name"; 
      } //end of username check
}
if(!preg_match("/pass/i",$field)) 
    { 
      if(preg_match($pass_patt,$value)) 
      { 
        $error_array[] = "Please enter a password that is between 4 to 8 characters and contains at least an letter and number"; 
      } //end of password check
}
  } 
  $clean_data[$field] = strip_tags(trim($value)); 
} 
if(@sizeof($error_array) > 0) 
{ 
  $message = "<ul style='color: red; list-style: none' >"; 
  foreach($error_array as $value) 
  { 
    $message .= "<li>$value</li>"; 
  } 
  $message .= "</ul>"; 
  echo $message; 
  extract($clean_data); 
  include("logininfo.inc"); 
  exit(); 
} 
else 
{ 
$cxn = mysqli_connect($host,$user,$passwd,$dbname) /* This is where it starts to check to see if the user's name and password are in the database */
             or die("Couldn't connect to server"); 
foreach($clean_data as $field => $value) 
{ 
  $clean_data[$field] = mysqli_real_escape_string($cxn,$value); 
} 
$query = "SELECT * from Registration 
                   WHERE user_name='$user_nameFromForm' 
                   AND password = '$passwordFromForm'"; 
$result = mysqli_query($cxn,$query) or die("Can't Execute query"); 
$nrows = mysqli_num_rows($result); 
if($nrows > 0) /* If user name and password match in the database, log user's name into specified table */
{ 
$cxn = mysqli_connect($host,$user,$passwd,$dbname) 
             or die("Couldn't connect to server"); 
foreach($clean_data as $field => $value) 
{ 
  $clean_data[$field] = mysqli_real_escape_string($cxn,$value); 
} /* Area where the problem apparently happens since it isn't posting the user's name into the table */
$sql = "INSERT INTO Login (user_name)
VALUE ('$clean_data[user_name]')";
$result = mysqli_query($cxn,$sql) 
            or die("Couldn't execute query"); 
include("loginsucess.inc");  
} 
else 
{ 
  include("loginunsucessful.inc"); 
}
} 
} 
else 
{ 
  include("logininfo.inc"); 
} 
?>

One thing I see that can be wrong is the following:

{ 
      $good_data[$field] = strip_tags(trim($value)); 
    } 

Why do you use {} if it isn't needed?

 

And like you can see in your own code, there are some braces with a blue color; it means that it stands alone!

Also there's an SQL injection point on the login part, but at a guess

WHERE user_name='$user_nameFromForm' 

$user_nameFromForm is unfiltered,

but I would guess that the problem is with the

$_POST['user_name']

is that being set? You may wish to check that. This

$sql = "INSERT INTO Login (user_name)
VALUE ('$clean_data[user_name]')";

should be

$sql = "INSERT INTO Login (user_name)
VALUE ('{$clean_data['user_name']}')";
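
The injection point noted in the replies and the login-logging INSERT from the question can both be handled with bound parameters. The following is an added example, not code from the thread: it swaps in PDO with an in-memory SQLite database for the thread's mysqli/MySQL connection so it runs without a server, and the function name `login_and_log`, the table columns and the sample account are assumptions.

```php
<?php
// Added example: in-memory SQLite via PDO stands in for the thread's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Table names as in the thread; the columns are assumed from the post.
$db->exec("CREATE TABLE Registration (user_name TEXT PRIMARY KEY, password TEXT)");
$db->exec("CREATE TABLE Login (user_name TEXT, login_time TEXT DEFAULT CURRENT_TIMESTAMP)");
// Constructed sample account (plain-text password column, mirroring the thread's query).
$db->exec("INSERT INTO Registration VALUES ('demo_user', 'abc123')");

/**
 * Check the credentials and, on a match, record the login.
 * Values are bound as parameters, so they never become part of the SQL text.
 * (Hypothetical helper, not part of the original script.)
 */
function login_and_log(PDO $db, string $userName, string $password): bool
{
    $check = $db->prepare(
        "SELECT COUNT(*) FROM Registration WHERE user_name = :u AND password = :p"
    );
    $check->execute([':u' => $userName, ':p' => $password]);
    if ((int) $check->fetchColumn() === 0) {
        return false;
    }
    // Same connection, same bound value: no second connect, no re-escaping loop.
    $log = $db->prepare("INSERT INTO Login (user_name) VALUES (:u)");
    $log->execute([':u' => $userName]);
    return true;
}

// Constructed inputs: a valid login, a wrong password, and a value with quote
// characters that would alter a concatenated query but is only data here.
$attempts = [
    ['demo_user', 'abc123'],
    ['demo_user', 'wrong1'],
    ["x' OR '1'='1", "x' OR '1'='1"],
];
foreach ($attempts as [$u, $p]) {
    printf("%-15s => %s\n", $u, login_and_log($db, $u, $p) ? 'logged in' : 'rejected');
}

// Only the successful login was written to the log table.
foreach ($db->query("SELECT user_name, login_time FROM Login") as $row) {
    echo "Login row: {$row['user_name']} at {$row['login_time']}\n";
}
```

With mysqli, the same pattern uses `mysqli_prepare()`, `mysqli_stmt_bind_param()` and `mysqli_stmt_execute()` on the existing `$cxn` connection.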
