Frezzwar Posted April 24, 2011

Hi. I'm working on a project, and I have some problems with it. I'm still a noob, but I'm trying to learn this.

Warning. This is a long post.

First problem is with user registration. I have two tables in my database. One with users, and one with newly registered users. An admin will need to accept these new users (by moving the data from one table to another). This means the program needs to check usernames in both tables. My code is:

```php
<html><body>
<?php
echo "<h1>Register</h1>";

if(isset($_POST['submit'])) {
    $submit = $_POST['submit'];
    $username = strip_tags($_POST['username']);
    $password = strip_tags($_POST['password']);
    $repeatpassword = strip_tags($_POST['repeatpassword']);
    $email = strip_tags($_POST['email']);
    $realname = strip_tags($_POST['realname']);

    if ($submit) {
        if ($username&&$password&&$repeatpassword&&$email&&$realname) {
            if ($password==$repeatpassword) {
                if (strlen($username)>25) {
                    echo "Der må højest være 25 bogstaver i dit brugernavn";
                } else {
                    if (strlen($password)>25) {
                        echo "Din kode skal være under 25 tegn.";
                    } else {
                        if (strlen($password)<6) {
                            echo "Din kode skal mindst indeholde 6 tegn.";
                        } else {
                            $password = md5($password);
                            $repeatpassword = md5($repeatpassword);
                            $username = strtolower($username);
                            $email = strtolower($email);
                            $realname = ucwords(strtolower($realname));

                            $connect = mysql_connect ("localhost","root","");
                            mysql_select_db("eksamen - phoenix");
                            $query1 = mysql_query("SELECT * FROM newusers WHERE username='$username'");
                            $numrows1 = mysql_num_rows($query1);
                            if ($numrows1=1) {
                                echo "En bruger med dette brugernavn har allerede ansøgt og venter stadig på svar.";
                            } else {
                                $query2 = mysql_query("SELECT * FROM users WHERE username='$username'");
                                $numrows2 = mysql_num_rows($query2);
                                if ($numrows2=1) {
                                    echo "En bruger med dette brugernavn er allerede registreret.";
                                } else {
                                    $queryreg = mysql_query("INSERT INTO newusers VALUES ('','$username','$password','$email','$realname')");
                                    die("Du er nu registreret <a href='login.php'>Tilbage til login</a>");
                                }
                            }
                        }
                    }
                }
            }
            else
                echo "Dine koder er ikke ens!";
        }
        else
            echo "Udfyld venligst <b>alle</b> felter!";
    }
}
?>
```

Problem is, whatever I do, I get the following message: "En bruger med dette brugernavn har allerede ansøgt og venter stadig på svar." (meaning another user is registered with that name, but is not yet accepted.)

This makes me guess the error is around this part:

```php
$connect = mysql_connect ("localhost","root","");
mysql_select_db("eksamen - phoenix");
$query1 = mysql_query("SELECT * FROM newusers WHERE username='$username'");
$numrows1 = mysql_num_rows($query1);
if ($numrows1=1) {
    echo "En bruger med dette brugernavn har allerede ansøgt og venter stadig på svar.";
}
```

But... I have no clue what I am doing wrong.

Question 2. Changing password.

I bet this is even more simple than the first question. I want this part to change the password value in the table in the database, but when I try to run this, I get the following error:

"Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in C:\wamp (virker)\www\Eksamensprojekt\changepass.php on line 26"

Line 26 is:

```php
$queryreg = mysql_query("INSERT INTO users VALUES WHERE username='$_SESSION['username']'
```

```php
<html><body>
<?php
include("navbar.php");

if(isset($_POST['submit'])) {
    $submit = $_POST['submit'];
    $oldpassword = $_POST['oldpassword'];
    $newpassword = strip_tags($_POST['newpassword']);
    $reppassword = strip_tags($_POST['reppassword']);

    if ($submit) {
        if ($oldpassword&&$newpassword&&$repeatpassword) {
            if ($newpassword==$reppassword) {
                if (strlen($newpassword)<25) {
                    if (strlen($newpassword)>6) {
                        //$newpassword = md5($newpassword);
                        $connect = mysql_connect ("localhost","root","");
                        mysql_select_db("eksamen - phoenix");
                        $queryreg = mysql_query("INSERT INTO users VALUES WHERE username='$_SESSION['username']' ('','','$newpassword','','','','','','','','','')");
                        die("Din kode er nu ændret. <a href='login.php'>Tilbage til start</a>");
                    } else {
                        echo "Din kode skal mindst indeholde 6 tegn.";
                    }
                } else {
                    echo "Din kode må ikke indeholde mere end 25 tegn.";
                }
            } else {
                echo "Dine koder er ikke ens!";
            }
        } else {
            echo "Udfyld venligst <b>alle</b> felter!";
        }
    }
}
```

What am I doing wrong here?

Link to comment https://forums.phpfreaks.com/topic/234582-2-questions-about-queryes/

Fadion Posted April 24, 2011

I didn't look at the code because your logic seems a bit off in the first place. Why don't you add a field in the "users" table that flags the user as "moderated"? By default, that value is 0 and is made 1 only when the admin accepts the registration. In this way you'll have only 1 table and no need to transfer data.

Don't know if that will help in your case, but why not give it a try?!

fugix Posted April 24, 2011

In your $queryreg mysql_query... you need to specify the values to add immediately after VALUES... WHERE is the last part of the query. And guilty gear is right... just add another field to your users table specifying whether or not they have been verified.

Frezzwar Posted April 24, 2011

> I didn't look at the code because your logic seems a bit off in the first place. Why don't you add a field in the "users" table that flags the user as "moderated". By default, that value is 0 and is made 1 only when the admin accepts the registration. In this way you'll have only 1 table and no need to do transfer data.
>
> Don't know if that will help in your case, but why don't give it a try?!

That sounds a little too easy. I never think that way, but I guess that is the best way of doing it! As it is right now I check for admin whenever I log in. That same code can check for registered users too.

But... With the other thing, I'm not sure I get it. Do you mean anything like this?

```php
$queryreg = mysql_query("INSERT INTO users VALUES ('','','$newpassword','','','','','','','','','')
WHERE username='$_SESSION['username']'");
```

It now says the error is in line 27, the later of the two.

Fadion Posted April 24, 2011

You can't put a WHERE clause in an INSERT; you can't make conditions on a non-existing row.

You just make 1 query where you insert all the data for a new user registration. Make that "moderated" field and set it to 0 as default. When the admin wants to confirm that user and make him/her active, just a change of "moderated" to 1 will get the job done. Also, the "moderated" field will be used when logging in; users with a "moderated" 0 will not be able to log in.
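
The single-table approach described in the post above, as an added example that is not part of any post in the thread: one `users` table with a `moderated` column, prepared statements for every query, and a login that only accepts approved accounts. It assumes an in-memory SQLite database through PDO so it runs stand-alone; `register()`, `approve()` and `login()` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. SQLite in memory via PDO so it runs
// stand-alone (assumption); register(), approve() and login() are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    username  TEXT NOT NULL UNIQUE,
    password  TEXT NOT NULL,
    moderated INTEGER NOT NULL DEFAULT 0
)');

function register(PDO $db, string $username, string $password): bool
{
    $username = strtolower($username);
    // One lookup covers pending and approved users. Compare with ===;
    // a single = assigns, which makes the condition true every time.
    $check = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
    $check->execute([$username]);
    if ((int) $check->fetchColumn() === 1) {
        return false;
    }
    $ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    return $ins->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function approve(PDO $db, string $username): bool
{
    $upd = $db->prepare('UPDATE users SET moderated = 1 WHERE username = ?');
    $upd->execute([$username]);
    return $upd->rowCount() === 1;
}

function login(PDO $db, string $username, string $password): bool
{
    // moderated = 1 in the WHERE clause keeps unapproved accounts out.
    $sel = $db->prepare('SELECT password FROM users WHERE username = ? AND moderated = 1');
    $sel->execute([$username]);
    $hash = $sel->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample run: register, try to log in, approve, log in again.
var_dump(register($db, 'Frezzwar', 'secret123'));
var_dump(login($db, 'frezzwar', 'secret123'));
var_dump(approve($db, 'frezzwar'));
var_dump(login($db, 'frezzwar', 'secret123'));
var_dump(register($db, 'FREZZWAR', 'other-pass'));
```

The `UNIQUE` constraint backs up the lookup: if two registrations for the same name arrive at once, the second insert raises a `PDOException` instead of creating a duplicate row.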

Pikachu2000 Posted April 24, 2011

What are you trying to do? Update a record, or insert a new one?

wildteen88 Posted April 24, 2011

Your query is completely wrong for altering the user's password:

```php
$queryreg = mysql_query("INSERT INTO users VALUES WHERE username='$_SESSION['username']' ('','','$newpassword','','','','','','','','','')"
```

When modifying records within the database you'll want to run an UPDATE query. An INSERT query is used for adding new records to the database.

So to update the password your query will be

```php
$query = "UPDATE users SET password='$newpassword' WHERE username='{$_SESSION['username']}'";
$result = mysql_query($query);

if($result) {
    // successfully changed the password
} else {
    // password wasn't changed.
}
```

Frezzwar Posted April 24, 2011

It feels like I am getting closer and closer, but nothing happens.

Right now, you have to type in your old password. It then compares what you write with what is in the database. This tells me that it is able to get into the database and find the old password, but I can not get it to update to the new one. I'm using the code wildteen88 gave me, but it seems like nothing happens. Any ideas?

The two codes are the ones active in this part. The first is the "change password page" and the other is a navigation bar in the top. The nav bar also keeps track of rights, sessions and variables.

```php
<html><body>
<?php
include("navbar.php");
echo"$username";

if(isset($_POST['submit'])) {
    $submit = $_POST['submit'];
    $oldpassword = $_POST['oldpassword'];
    $newpassword = strip_tags($_POST['newpassword']);
    $reppassword = strip_tags($_POST['reppassword']);

    if ($submit) {
        if ($oldpassword&&$newpassword&&$reppassword) {
            if ($newpassword==$reppassword) {
                if (strlen($newpassword)<26) {
                    if (strlen($newpassword)>6) {
                        //$newpassword = md5($newpassword);
                        echo "hej";
                        $connect = mysql_connect ("localhost","root","");
                        mysql_select_db("eksamen - phoenix");
                        $query = mysql_query("SELECT * FROM users WHERE username='$username'");
                        while ($row = mysql_fetch_assoc($query)) {
                            $dbpassword = $row['password'];
                        }
                        if ($oldpassword==$dbpassword) {
                            $queryreg = "UPDATE users SET password='$newpassword' WHERE username='$username'";
                            die("Din kode er nu ændret. <a href='home.php'>Tilbage til start</a>");
                        } else {
                            echo "Du har skrevet din kode forkert.";
                        }
                    } else {
                        echo "Din kode skal mindst indeholde 7 tegn.";
                    }
                } else {
                    echo "Din kode må ikke indeholde mere end 25 tegn.";
                }
            } else {
                echo "Dine koder er ikke ens!";
            }
        } else {
            echo "Udfyld venligst <b>alle</b> felter!";
        }
    }
}

if ($_SESSION['username']) {
    Echo "
    <form action='changepass.php' method='post'>
    <table>
        <tr>
            <td> Gamle Kode </td>
            <td> <input type='text' name='oldpassword'> </td>
        </tr>
        <tr>
            <td> Nye kode </td>
            <td> <input type='password' name='newpassword'> </td>
        </tr>
        <tr>
            <td> Gentag Nye kode </td>
            <td> <input type='password' name='reppassword'> </td>
        </tr>
    </table>
    <p>
    <input type='submit' name='submit' value='Skift'/>
    </form>
    ";
}
?>
</html></body>
```

```php
<html><body>
<?php
session_start();

if(isset($_SESSION['username'])) {
    $username = $_SESSION['username'];
    $connect = mysql_connect("localhost","root","");
    mysql_select_db("eksamen - phoenix");
    $get = mysql_query("SELECT * FROM users WHERE username='$username'");
    while ($row = mysql_fetch_assoc($get)) {
        $admin = $row['rank'];
    }

    if ($admin<2) // i.e. the user is "normal"
    {
        Echo "
        <html>
        <table border=2 align=center cellspacing=0 cellpadding=4 >
            <tr>
                <td> <a href='home.php'>Startside</a> </td>
                <td> <a href='info.php'>Information</a> </td>
                <td> <a href='whfbrang.php'>Warhammer Fantasy Ranglisten</a> </td>
                <td> <a href='mtgrang.php'>Magic: The Gathering Ranglisten</a> </td>
                <td> <a href='logout.php'>Log Ud</a> </td>
            </tr>
        </table>
        </html>
        ";
    }
    else // i.e. the user is admin or higher
    {
        Echo "
        <html>
        <table border=2 align=center cellspacing=0 cellpadding=4 >
            <tr>
                <td> <a href='home.php'>Startside</a> </td>
                <td> <a href='info.php'>Information</a> </td>
                <td> <a href='whfbrang.php'>Warhammer Fantasy Ranglisten</a> </td>
                <td> <a href='mtgrang.php'>Magic: The Gathering Ranglisten</a> </td>
                <td> <a href='logout.php'>Log Ud</a> </td>
                <td> <a href='admin.php'>Admin</a> </td>
            </tr>
        </table>
        </html>
        ";
    }
} else {
    echo"Du har glemt at logge ind. Tryk <a href='login.php'>her</a> for at logge ind.";
}
echo"$username";
?>
</html></body>
```

wildteen88 Posted April 25, 2011

One major problem you have is you're calling session_start after output has taken place. You can only call session_start() before any output has taken place, otherwise sessions will fail to work.

nav.php

```php
<html><body>
<?php
session_start();
```

What you need to do is clean up your code. In nav.php remove the <html><body></body></html> tags. There is no need to add these HTML tags for every PHP file you include, just the main PHP file, which I guess is changepassword.php.

Remove session_start() from nav.php and add this line as the very first line in changepassword.php

```php
<?php session_start(); ?>
```

That should sort your session issue out.

Next your code can be cleaned up a bit. There is no need for this if

```php
if ($submit) {
```

as you have already checked whether the form was submitted a couple of lines before. So you can remove that.

These four

```php
if ($oldpassword&&$newpassword&&$reppassword) {
    if ($newpassword==$reppassword) {
        if (strlen($newpassword)<26) {
            if (strlen($newpassword)>6) {
```

can be written as two

```php
if($newpassword == $reppassword) {
    if(strlen($newpassword) > 6 && strlen($newpassword) < 26) {
        ... rest of your code here
    } else {
        echo 'Password must be between 6 and 26 characters';
    }
} else {
    echo 'Your passwords do not match!';
}
```

Next, this can all be done within the update query

```php
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
while ($row = mysql_fetch_assoc($query)) {
    $dbpassword = $row['password'];
}
if ($oldpassword==$dbpassword) {
    $queryreg = "UPDATE users SET password='$newpassword' WHERE username='$username'";
    die("Din kode er nu ændret. <a href='home.php'>Tilbage til start</a>");
}
```

So the above can be written as just

```php
$queryreg = "UPDATE users SET password='$newpassword' WHERE username='$username' AND password='$oldpassword'";
$result = mysql_query($queryreg);

// check that the query successfully executed
if(!$result)
    trigger_error("MySQL Error:". mysql_error() . "<br /> Query: $queryreg", E_USER_ERROR);

// check whether a row was updated
if(mysql_affected_rows() == 1) {
    echo 'Password has been reset';
} else {
    echo 'Password has not been reset, probably due to username/password are incorrect';
}
```

With your code now cleaned up it should run as you expect it to. However you should look into encrypting your users' passwords. Storing passwords as plain text is not very secure.

Frezzwar Posted April 25, 2011

Wohoo, it is bloody working! Thank you so much!

I am planning to do an MD5 encryption, but I did not want to encrypt anything before I know it is working.

Once again thank you so much. That help is really appreciated.
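
An added example, not part of any post in the thread: the password change done with PDO prepared statements and PHP's `password_hash()` / `password_verify()`, in place of SQL built by string interpolation and passwords stored as plain text or MD5. It assumes an in-memory SQLite database so it runs stand-alone, and `change_password()` is a hypothetical helper name.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. SQLite in memory via PDO so it runs
// stand-alone (assumption); change_password() is a hypothetical helper.
function change_password(PDO $db, string $user, string $old, string $new, string $rep): string
{
    if ($new !== $rep) {
        return 'mismatch';
    }
    if (strlen($new) < 7 || strlen($new) > 25) {   // limits used in the thread's form
        return 'length';
    }
    // Placeholders keep the session and form values out of the SQL text.
    $sel = $db->prepare('SELECT password FROM users WHERE username = ?');
    $sel->execute([$user]);
    $hash = $sel->fetchColumn();
    // Salted hashes cannot be matched in a WHERE clause; verify in PHP instead.
    if ($hash === false || !password_verify($old, $hash)) {
        return 'wrong-password';
    }
    $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    return $upd->rowCount() === 1 ? 'changed' : 'unchanged';
}

// Constructed sample data; the second name shows a quote handled as plain data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$add = $db->prepare('INSERT INTO users VALUES (?, ?)');
foreach (["frezzwar", "o'brien"] as $name) {
    $add->execute([$name, password_hash('oldsecret1', PASSWORD_DEFAULT)]);
}

echo change_password($db, 'frezzwar', 'oldsecret1', 'newsecret2', 'newsecret2'), "\n";
// Second call reuses the old password after it has been replaced.
echo change_password($db, 'frezzwar', 'oldsecret1', 'another-pw3', 'another-pw3'), "\n";
echo change_password($db, "o'brien", 'oldsecret1', 'newsecret2', 'newsecret2'), "\n";
echo change_password($db, 'frezzwar', 'newsecret2', 'short', 'short'), "\n";
```

`password_hash()` output is longer than an MD5 digest, so the `password` column needs room for it; the PHP manual recommends 255 characters.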