fr00tloops Posted June 5, 2009 Share Posted June 5, 2009 I have most everything working on this script except one thing. What I want to do is store that user's name and time they logged-in in a separate database table, so I can see who and when they logged in. The script I have thus far does everything perfectly fine up to the point where it tries to log the user's name in the database... which it doesn't. All I get is the auto generated time stamp, the "user_name" field is left blank in the database table. The code is below, what am I doing wrong? And this is for a non-secure project, so security isn't an issue. <?php $user_nameFromForm =$_POST['user_name']; $passwordFromForm =$_POST['password']; ini_set("display_errors","on"); error_reporting(E_ALL | E_STRICT); ini_set("include_path","./includes"); include("reginfo.inc"); if(isset($_POST['submitted']) and $_POST['submitted'] == "yes") { foreach($_POST as $field => $value) { if(empty($value)) { $blank_array[] = $field; } { $good_data[$field] = strip_tags(trim($value)); } } if(@sizeof($blank_array) > 0) { /*Display error message if information is not entered*/ $message = "<p style='color: red; margin-bottom: 0; font-weight: bold'> You didn't fill in one or more required fields. You must enter: <ul style='color: red; margin-top: 0; list-style: none' >"; foreach($blank_array as $value) { $message .= "<li>$value</li>"; } $message .= "</ul>"; echo $message; extract($good_data); include("logininfo.inc"); exit(); } foreach($_POST as $field => $value) { if(!empty($value)) { $user_patt = "/^[A-Za-z0-9_]{5,20}$/"; $pass_patt = "/(?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a-zA-Z0-9]{4,8})$/"; if(preg_match("/user/i",$field)) { if(!preg_match($user_patt,$value)) { $error_array[] = "$value is not a valid name"; } //end of username check } if(!preg_match("/pass/i",$field)) { if(preg_match($pass_patt,$value)) { $error_array[] = "Please enter a password that is between 4 to 8 characters and contains at least an letter and number"; } //end of password check } } $clean_data[$field] = strip_tags(trim($value)); } if(@sizeof($error_array) > 0) { $message = "<ul style='color: red; list-style: none' >"; foreach($error_array as $value) { $message .= "<li>$value</li>"; } $message .= "</ul>"; echo $message; extract($clean_data); include("logininfo.inc"); exit(); } else { $cxn = mysqli_connect($host,$user,$passwd,$dbname) /* This is where it starts to check to see if the user's name and password are in the database */ or die("Couldn't connect to server"); foreach($clean_data as $field => $value) { $clean_data[$field] = mysqli_real_escape_string($cxn,$value); } $query = "SELECT * from Registration WHERE user_name='$user_nameFromForm' AND password = '$passwordFromForm'"; $result = mysqli_query($cxn,$query) or die("Can't Execute query"); $nrows = mysqli_num_rows($result); if($nrows > 0) /* If user name and password match in the database, log user's name into specified table */ { $cxn = mysqli_connect($host,$user,$passwd,$dbname) or die("Couldn't connect to server"); foreach($clean_data as $field => $value) { $clean_data[$field] = mysqli_real_escape_string($cxn,$value); } /* Area where the problem apparently happens since it isn't posting the user's name into the table */ $sql = "INSERT INTO Login (user_name) VALUE ('$clean_data[user_name]')"; $result = mysqli_query($cxn,$sql) or die("Couldn't execute query"); include("loginsucess.inc"); } else { include("loginunsucessful.inc"); } } } else { include("logininfo.inc"); } ?> Link to comment https://forums.phpfreaks.com/topic/161073-checking-and-logging-user-name-in-database-tables/ Share on other sites More sharing options...
DEVILofDARKNESS Posted June 5, 2009 Share Posted June 5, 2009 One thing I see that can be wrong is the following: { $good_data[$field] = strip_tags(trim($value)); } why do you use {}? if it isn't needed And like you can see in your own code their are some braces with a blue color, it means that it stands alone,! Link to comment https://forums.phpfreaks.com/topic/161073-checking-and-logging-user-name-in-database-tables/#findComment-850021 Share on other sites More sharing options...
MadTechie Posted June 5, 2009 Share Posted June 5, 2009 Also theres an SQL injection point on the login part but at a guess WHERE user_name='$user_nameFromForm' $user_nameFromForm is unfiltered, but i would guess that the problem is with the $_POST['user_name'] is that being set ? you may wish to check that, this $sql = "INSERT INTO Login (user_name) VALUE ('$clean_data[user_name]')"; should be $sql = "INSERT INTO Login (user_name) VALUE ('{$clean_data['user_name']'})"; Link to comment https://forums.phpfreaks.com/topic/161073-checking-and-logging-user-name-in-database-tables/#findComment-850022 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.