haris244808 Posted August 6, 2011

Hi there, I opened a post before and closed it because it looked like I had solved it, but I actually didn't; however, now I am faced with a problem...

I created a table in my database which contains: id, username, password and last_log_date. I created the index.php page and admin_login.php (here is the code of the pages).

I am supposing that when I write the username and surname, it connects to the database, looks up the username and password, and if they exist, enters that page. But when I write the password and username (which are in the database), it goes directly to the end of this index.php code, where it echoes: Your login session data is not on record on database.

What is the problem?

index.php

```php
<?php
session_start();
if(!isset($_SESSION["manager"])){
    header("location:admin_login.php");
    exit();
}
//Be sure to check that this manager SESSION value is in fact in the database
$managerID=preg_replace('#[^0-9]#i','',$_POST["id"]);//Filter everything but numbers
$manager=preg_replace('#[^A-Za-z0-9]#i','',$_POST["username"]);//Filter everything but numbers and letters
$password=preg_replace('#[^A-Za-z0-9]#i','',$_POST["password"]);//Filter everything but numbers and letters
//Run MySQL query to be sure that this person is an admin and that their password session var equals the database information
//Connect to MySQL Database
include "../storescripts/connect_to_mysql.php";
$sql=mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1");
//---------MAKE SURE PERSON EXISTS IN DATABASE---------
$existCount=mysql_num_rows($sql);//count the row nums
if($existCount == 0){//evaluate the count
    echo "Your login session data is not on record on database.";
    exit();
}
?>
```

admin_login.php

```php
<?php
session_start();
if(isset($_SESSION["manager"])){
    header("location:index.php");
    exit();
}
?>
<?php
//Parse the log in form if the user has filled out and pressed "Log In"
if(isset($_POST["username"])&& isset($_POST["password"])){
    $manager=preg_replace('#[^A-Za-z0-9]#i','',$_POST["username"]);//Filter everything but numbers and letters
    $password=preg_replace('#[^A-Za-z0-9]#i','',$_POST["password"]);//Filter everything but numbers and letters
    //Connect to MySQL Database
    include "../storescripts/connect_to_mysql.php";
    $sql=mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1");
    //---------MAKE SURE PERSON EXISTS IN DATABASE---------
    $existCount=mysql_num_rows($sql);//count the row nums
    if($existCount==1){//evaluate the count
        while($row=mysql_fetch_array($sql)){
            $id=$row["id"];
        }
        $_SESSION["id"]=$id;
        $_SESSION["manager"]=$manager;
        $_SESSION["password"]=$password;
        header("location:index.php");
        exit();
    }else{
        echo 'That information is incorrect, try again <a href="index.php"> Click Here </a>';
        exit();
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Admin Login</title>
<link rel="stylesheet" href="../style/style.css" type="text/css" media="screen" />
</head>
<body>
<div align="center" id="mainWrapper">
  <?php include_once("../template_header.php");?>
  <div id="pageContent"><br/>
    <div align="left" style="margin-left:24px;">
      <h2>PLease Log In to Manage the Store</h2>
      <form id="form1" name="form1" method="post" action="admin_login.php">
        User Name:<br/>
        <input name="username" type="text" id="username" size="40" />
        <br/><br/>
        Password:<br/>
        <input name="password" type="password" id="password" size="40" />
        <br/><br/><br/>
        <input type="submit" name="button" id="button" value="Log In" />
      </form>
    </div>
    <br/>
    <br/>
  </div>
  <?php include_once("../template_footer.php");?>
</div>
</body>
</html>
```

jcbones Posted August 6, 2011

1. I wouldn't filter out any of the input for a login. I just run it through mysql_real_escape_string(). I don't want to give anyone a hands up in hacking an account, and I expect everyone to know their login credentials. Ex. Login: Admin (would work: Ad!min, #$@#!#$#@Admin, etc.). Same for password. PS. You should want users to use symbols in their passwords (makes 'em stronger).
2. You should be storing a hash value of password, and not plain text. Bad juju!
3. No need to run a while loop on the admin login, as you are only checking for 1 row.
4. Need to see your form that submits to the first script. I see nothing that stands out for failure (other than the preg_replaces).

Drummin Posted August 6, 2011

Also, you are not POSTing to index.php, so you can just check if the session is set and go from there.

```php
session_start();
if(!isset($_SESSION["manager"])){
    // Not logged in: send the visitor to the login form
    header("location:admin_login.php");
    exit();
}
else{
    // Logged in: read the values that admin_login.php stored in the session
    $managerID=$_SESSION["id"];
    $manager=$_SESSION["manager"];
    $password=$_SESSION["password"];
}
```

Pikachu2000 Posted August 6, 2011

You have no logic in place to check whether the query executed successfully or not. It could be failing miserably. You have your query string embedded in the mysql_query() call, so you can't even echo the query string to make sure it contains the values you'd expect it to contain. A SELECT COUNT() query would make more sense than a SELECT * followed with a call to mysql_num_rows().

Why are you restricting the characters that can be used in a password? The password should be hashed and the value of the hash stored and compared against login password's hash value.

Using include will fail silently if the file is not accessible. require_once would be a better option, IMHO.
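
The points raised above by jcbones and Pikachu2000 (no character filtering on credentials, store only a password hash, let a failed query surface as an error), put together as an added example that is not code from any poster in this thread. It assumes PHP 5.5 or later for password_hash() and uses PDO with an in-memory SQLite database and a constructed account so that it runs offline; `make_demo_db` and `verify_admin` are hypothetical names.

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlite driver is available;
// against MySQL only the DSN passed to new PDO() changes.
declare(strict_types=1);

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    // A failed prepare/execute now throws instead of returning false unnoticed.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    // Constructed sample account: only the hash is stored, and the password keeps its symbols.
    $ins = $db->prepare('INSERT INTO admin (username, password) VALUES (?, ?)');
    $ins->execute(['Admin', password_hash('S3cret!#pass', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the admin id on success, null otherwise. The username is bound as a
// parameter, never filtered or spliced into the SQL string, so it has to match
// the stored value as typed.
function verify_admin(PDO $db, string $username, string $password): ?int {
    $stmt = $db->prepare('SELECT id, password FROM admin WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // one row expected, so no while loop
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

$db = make_demo_db();
// Exact credentials.
var_dump(verify_admin($db, 'Admin', 'S3cret!#pass'));
// 'Ad!min' is no longer stripped down to 'Admin' by a preg_replace filter.
var_dump(verify_admin($db, 'Ad!min', 'S3cret!#pass'));
// The same password with its symbols removed is a different password.
var_dump(verify_admin($db, 'Admin', 'S3cretpass'));
```

In a login page, a non-null result would be followed by session_regenerate_id(true) and storing only the returned id in $_SESSION, so the password never needs to be kept in the session or re-posted to index.php.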

kickstart Posted August 6, 2011

Hi

First thing I would do is put the SQL into a string and echo it out. Then copy that and try it directly on the database.

All the best

Keith

haris244808 Posted August 7, 2011 (Author)

Guys, thanks for the replies, but I tried everything and it still doesn't work. Please, if anyone can take the code, correct it and post it here so I can understand more clearly, because I am kind of a beginner. I am bored of trying to figure this out.

haris244808 Posted August 7, 2011 (Author)

> Hi
>
> First thing I would do is put the SQL into a string and echo it out. Then copy that and try it directly on the database.
>
> All the best
>
> Keith

It returns an empty result :S

kickstart Posted August 7, 2011

Hi

Play around and check which fields in the SELECT have no matching record in the table and are stopping anything from being brought back.

All the best

Keith

haris244808 Posted August 7, 2011 (Author)

> Hi
>
> Play around and check which fields in the SELECT have no matching record in the table and are stopping anything from being brought back.
>
> All the best
>
> Keith

And how am I supposed to do that?? I tried in phpMyAdmin directly, and also with HeidiSQL, but I don't know why it returns an empty query; however, there are records in that table.

haris244808 Posted August 7, 2011 (Author)

However, now I changed my plan and I made a form that will add my information to the database, but I am facing these problems (I also uploaded it as a picture, you can see it below):

```
Warning: include(../storescripts/connect_to_mysql.php) [function.include]: failed to open stream: No such file or directory in C:\xampp\htdocs\html\upload_form.php on line 10
Warning: include() [function.include]: Failed opening '../storescripts/connect_to_mysql.php' for inclusion (include_path='.;C:\xampp\php\PEAR') in C:\xampp\htdocs\html\upload_form.php on line 10
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\html\upload_form.php on line 13
No database selected
```

Here is my upload_form.php:

```php
<?php
// Parse the form data and add inventory item to the system
if (isset($_POST['product_name'])) {

    $product_name = mysql_real_escape_string($_POST['product_name']);
    $price = mysql_real_escape_string($_POST['price']);
    $category = mysql_real_escape_string($_POST['category']);
    $subcategory = mysql_real_escape_string($_POST['subcategory']);
    $details = mysql_real_escape_string($_POST['details']);
    include "../storescripts/connect_to_mysql.php";
    // See if that product name is an identical match to another product in the system
    $sql = mysql_query("SELECT id FROM products WHERE product_name='$product_name' LIMIT 1");
    $productMatch = mysql_num_rows($sql); // count the output amount
    if ($productMatch > 0) {
        echo 'Sorry you tried to place a duplicate "Product Name" into the system, <a href="inventory_list.php">click here</a>';
        exit();
    }
    // Add this product into the database now
    $sql = mysql_query("INSERT INTO products (product_name, price, details, category, subcategory, date_added)
        VALUES('$product_name','$price','$details','$category','$subcategory',now())") or die (mysql_error());
    $pid = mysql_insert_id();
    // Place image in the folder
    $newname = "$pid.jpg";
    move_uploaded_file( $_FILES['fileField']['tmp_name'], "../inventory_images/$newname");
    header("location: upload_form.php");
    exit();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<title>qwerty</title>
<link rel="stylesheet" href="css/style.css" type="text/css" media="all" />
<!--[if lte IE 6]><link rel="stylesheet" href="css/ie6.css" type="text/css" media="all" /><![endif]-->
<!--[if IE]><style type="text/css" media="screen"> #navigation ul li a em { top:32px; } </style><![endif]-->
</head>
<body>
<form action="upload_form.php" enctype="multipart/form-data" name="myForm" id="myform" method="post">
<table width="90%" border="0" cellspacing="0" cellpadding="6">
  <tr>
    <td width="20%" align="right">Product Name</td>
    <td width="80%"><label>
      <input name="product_name" type="text" id="product_name" size="64" />
    </label></td>
  </tr>
  <tr>
    <td align="right">Product Price</td>
    <td><label>
      $
      <input name="price" type="text" id="price" size="12" />
    </label></td>
  </tr>
  <tr>
    <td align="right">Category</td>
    <td><label>
      <select name="category" id="category">
        <option value="Clothing">Clothing</option>
      </select>
    </label></td>
  </tr>
  <tr>
    <td align="right">Subcategory</td>
    <td><select name="subcategory" id="subcategory">
      <option value=""></option>
      <option value="Hats">Hats</option>
      <option value="Pants">Pants</option>
      <option value="Shirts">Shirts</option>
    </select></td>
  </tr>
  <tr>
    <td align="right">Product Details</td>
    <td><label>
      <textarea name="details" id="details" cols="64" rows="5"></textarea>
    </label></td>
  </tr>
  <tr>
    <td align="right">Product Image</td>
    <td><label>
      <input type="file" name="fileField" id="fileField" />
    </label></td>
  </tr>
  <tr>
    <td> </td>
    <td><label>
      <input type="submit" name="button" id="button" value="Add This Item Now" />
    </label></td>
  </tr>
</table>
</form>
</body>
</html>
```

connect_to_mysql.php:

```php
<?php
$db_host="localhost";
$db_username="root";
$db_pass="";
$db_name="database_web";
mysql_connect("$db_host","$db_username","$db_pass") or die ("Nuk mund te lidhet me databazen");
mysql_select_db("$db_name") or die ("Nuk ka databaze");
?>
```

And here is the SQL code for the table products that I created:

```sql
"CREATE TABLE products (
    id int(11) NOT NULL auto_increment,
    product_name varchar(255) NOT NULL,
    price varchar(16) NOT NULL,
    details text NOT NULL,
    category varchar(16) NOT NULL,
    subcategory varchar(16) NOT NULL,
    date_added date NOT NULL,
    PRIMARY KEY (id),
    UNIQUE KEY product_name (product_name)
) ";
```

How do I fix this? I want to add my information to the form and then add it to the database.

[attachment deleted by admin]