merrick89 Posted February 1, 2012

Hi, I'm pretty new to php, and to this site as well, so please bear with me... I have a table in my database which has "user_id" as its primary key, and I want to set the values under this as a cookie. I've put in bold the main things that are affecting it (I think). As is, the mysite_userid cookie does not set properly, and I get an error like this: "Header may not contain more than a single header, new line detected...." Any help would be really appreciated!!

    <?php
    include("connect.php");
    $match = "select user_id from $table where username = '".$_POST['username']."' and password = '".$_POST['password']."';";
    $qry = mysql_query($match) or die ("Could not match data because ".mysql_error());
    $num_rows = mysql_num_rows($qry);
    if ($num_rows <= 0) {
        echo "Sorry, there is no username ".$_POST['username']." with the specified password. ";
        echo "Try again";
        exit;
    }
    $remember = strip_tags($_POST['remember']);
    if ($remember) {
        setcookie("loggedin", "TRUE", time()+3600*24);
        setcookie("mysite_username", "".$_POST['username']."");
        header("Location: members.php");
    } else {
        setcookie("loggedin", "TRUE");
        setcookie("mysite_username", "".$_POST['username']."");
        setcookie("mysite_userid", $qry);
        $site_username = $HTTP_COOKIE_VARS["mysite_username"];
        $site_userid = $HTTP_COOKIE_VARS["mysite_userid"];
        header("Location: members.php?user=$site_userid");
    }
    ?>
AyKay47 Posted February 1, 2012

There are several things wrong with this code, and I am amazed that this is the only error that you are receiving.

1. You have an extra semi-colon in your SQL; it should read:

    $match = "select user_id from $table where username = '$_POST['username']' and password = '$_POST['password']'";

2. Note: the construct "or die(mysql_error())" should only be used in the developmental stages of coding. Once the site is ready to be live, a new error handling method should be created.

3. mysql_num_rows cannot return a negative value, so checking if mysql_num_rows is negative is not needed; you can simply write:

    if ($num_rows == 0)

4. (This should be the first check.) You should always check to make sure that $_POST values are set by using isset before using them in your code:

    if(isset($_POST['username'], $_POST['password']))

5. User input validation is a must before attempting to use the values in a query. As your code is right now, it is wide open to SQL injection. mysql_real_escape_string should be used at the least.

6. Again, you are attempting to use a $_POST value ($_POST['remember']) before checking to make sure that it is set. You are also using strip_tags() on the value, and then checking for its existence, which logically makes no sense.

7. The first 2 cookies in theory should be ok. However, the third one would cause trouble, since you are attempting to store a resource returned from mysql_query() into a cookie, which again, logically makes no sense. If you are attempting to store a value grabbed from the query, then use a mysql_fetch function to grab the values: mysql_fetch_assoc

8. $HTTP_COOKIE_VARS is deprecated and should not be used; use the superglobal array $_COOKIE instead. http://www.php.net/manual/en/reserved.variables.cookies.php

9. Judging from the header, you expect $site_userid to have the value of user_id grabbed from your query as its value, thus $_COOKIE['mysite_userid'] as well. If this is the case, refer to answer 7.
scootstah Posted February 1, 2012

Quoting AyKay47:

    1. You have an extra semi-colon in your SQL; it should read:
    $match = "select user_id from $table where username = '$_POST['username']' and password = '$_POST['password']'";

Semi-colons are interpreted by MySQL as the end of a statement, so that won't hurt anything. It will work either way.
merrick89 (Author) Posted February 1, 2012

Thanks a lot for the replies! As you can see, I'm really new at this haha.
AyKay47 Posted February 2, 2012

Quoting merrick89:

    Thanks a lot for the replies! As you can see, I'm really new at this haha.

Has your issue been resolved?
merrick89 (Author) Posted February 2, 2012

Hi, yes the problem has been solved with mysql_fetch_assoc. We've also made changes based on your other recommendations. I don't understand them all yet, but I'm working on it!

Also, I tried making

    $match = "select user_id from $table where username = '".$_POST['username']."' and password = '".$_POST['password']."';";

into

    $match = "select user_id from $table where username = '$_POST['username']' and password = '$_POST['password']'";

but for some reason it gives a syntax error, so I just left it for now. Here's what it looks like now:

    <?php
    include("connect.php");
    if(isset($_POST['username'], $_POST['password']))
    $match = "select user_id from $table where username = '".$_POST['username']."' and password = '".$_POST['password']."';";
    $qry = mysql_query($match) or die ("Could not match data because ".mysql_error());
    $num_rows = mysql_num_rows($qry);
    if ($num_rows == 0) {
        echo "Sorry, there is no username ".$_POST['username']." with the specified password. ";
        echo "Try again";
        exit;
    }
    $remember = $_POST['remember'];
    $result = mysql_fetch_assoc($qry);
    $user_id = $result['user_id'];
    if ($remember) {
        setcookie("loggedin", "TRUE", time()+3600*24);
        setcookie("mysite_username", "".$_POST['username']."", time()+3600*24);
        setcookie("mysite_userid", $user_id, time()+3600*24);
        header("Location: members.php");
    } else {
        setcookie("loggedin", "TRUE");
        setcookie("mysite_username", "".$_POST['username']."");
        setcookie("mysite_userid", $user_id);
        $site_username = $_COOKIE["mysite_username"];
        $site_userid = $_COOKIE["mysite_userid"];
        header("Location: members.php?user=$site_username");
    }
    ?>
AyKay47 Posted February 2, 2012

Quoting my earlier suggestion:

    $match = "select user_id from $table where username = '$_POST['username']' and password = '$_POST['password']'";

Yes, this was a tiny mistake on my part; the error is due to not concatenating the string correctly. If you want to use $_POST directly in your query, change it to this:

    $match = "select user_id from $table where username = '". $_POST['username'] ."' and password = '". $_POST['password'] ."'";
scootstah Posted February 2, 2012

Note that you should NOT be using $_POST directly in your query. Unless you are using prepared statements (which you are not) you are wide open to SQL injection. Pass your $_POST data (and any other user input) through mysql_real_escape_string().
PFMaBiSmAd Posted February 2, 2012

The three cookies you are setting for your 'login' script are not a secure way of making a login script and will easily allow anyone to become logged in as anyone else. Anyone can send any cookie value to your script. The "loggedin" cookie can simply be sent as "TRUE". The username is often displayed on social sites like forums and can easily be found or guessed if you have a username like 'admin' that can do anything on the site once logged in. The sequential user_id from the database can easily be found by sending a sequence of numbers until a match is found.

For a 'remember me' feature, you need to generate a unique, hard to guess and hard to reproduce 'token' and store that in the cookie and in the row in your user table for the person who has logged in. This token value will only identify the visitor so that you can find his row in the user table (you would typically get his user_id and display name out of the table and store them in session variables.)

You also need to keep the logged in/logged out state in the user table so that if someone specifically logs out (or your code automatically logs inactive visitors out after a time period), even if someone has obtained a copy of the unique id token value, they cannot visit the site and be considered to be logged in. They would need to know both the username and password in order to become logged in.
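The token scheme PFMaBiSmAd describes, written out as an added example (not code from any post in this thread): a random token goes to the browser, only its hash goes into the user row, and the row's logged-in flag is checked on every lookup so a logged-out token is useless. PDO with an in-memory SQLite table stands in for the MySQL connection so it runs offline; the table and column names (users, remember_hash, logged_in) are assumptions.

```php
<?php
// Added example: "remember me" with a hashed random token and a server-side logged_in flag.
// In-memory SQLite replaces connect.php; users/remember_hash/logged_in are assumed names.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT,
           remember_hash TEXT, logged_in INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO users (username) VALUES ('merrick89')");   // constructed sample row

// After a successful username/password check: mint a 256-bit token from the CSPRNG,
// store only its SHA-256 in the user's row, mark the row logged in, return the raw token.
function issue_remember_token(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE users SET remember_hash = :h, logged_in = 1 WHERE user_id = :id');
    $stmt->execute([':h' => hash('sha256', $token), ':id' => $userId]);
    return $token;
}

// On a later visit: the cookie token is hashed and looked up, and the row must still be
// logged in. A token copied from a user who has since logged out matches nothing.
function user_from_remember_token(PDO $db, string $token): ?array {
    $stmt = $db->prepare('SELECT user_id, username FROM users
                          WHERE remember_hash = :h AND logged_in = 1');
    $stmt->execute([':h' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Logging out clears both the flag and the stored hash.
function logout(PDO $db, int $userId): void {
    $db->prepare('UPDATE users SET logged_in = 0, remember_hash = NULL WHERE user_id = :id')
       ->execute([':id' => $userId]);
}

$token = issue_remember_token($db, 1);
// In the real script the raw token, not the user_id, is what goes into the cookie:
// setcookie('mysite_remember', $token, time() + 3600 * 24 * 30, '/', '', true, true);

echo "valid token:      ", user_from_remember_token($db, $token) ? "recognised" : "rejected", "\n";
echo "guessed token:    ", user_from_remember_token($db, 'guess') ? "recognised" : "rejected", "\n";
logout($db, 1);
echo "after logout:     ", user_from_remember_token($db, $token) ? "recognised" : "rejected", "\n";
```

The user_id and display name fetched by user_from_remember_token() are what would go into $_SESSION, as the post suggests, rather than into cookies the client can rewrite.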
merrick89 (Author) Posted February 2, 2012

Hmmm, that makes sense, I'll look into that too. I'm currently working on using mysql_real_escape_string() in the registration page, and I'm having a bit of trouble there too ... I'm using the code from w3schools:

    <?php
    function check_input($value)
    {
        // Stripslashes
        if (get_magic_quotes_gpc())
        {
            $value = stripslashes($value);
        }
        // Quote if not a number
        if (!is_numeric($value))
        {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        return $value;
    }

    $con = mysql_connect("localhost", "peter", "abc123");
    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }

    // Make a safe SQL
    $user = check_input($_POST['user']);
    $email = check_input($_POST['email']);
    $pwd = check_input($_POST['pwd']);

    $sql = "SELECT * FROM users WHERE user=$user AND password=$pwd";

    mysql_query($sql);

    mysql_close($con);
    ?>

That's directly from their tutorial. The problem I'm having is that I insert the email, password, username data into a table on my database, but the values insert as ' . And then it's supposed to send you a confirmation e-mail, however since the e-mail submitted into the table is a ' , no e-mail gets sent out... I was trying to google stuff and I saw a guy post this on another forum:

    So I think what the moral of the story here is: Once you've scrubbed your data using mysql_real_escape_string() in preparation for insertion into the database, you can no longer use that data for other things, such as outputting it to the browser.

So is what I'm trying to do impossible?
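An added example (not from the thread or the w3schools tutorial) for scootstah's prepared-statement remark and the question above: with bound parameters the database driver handles quoting, so no escaped or quoted copy of the input is ever made and the raw $user/$email values remain usable for the confirmation mail. It also hashes the password before storing it, which none of the posted code does. In-memory SQLite via PDO stands in for MySQL; the users table layout follows the tutorial's query.

```php
<?php
// Added example: registration insert with a PDO prepared statement instead of
// check_input()/mysql_real_escape_string(). Table layout (user, email, password)
// is taken from the tutorial's SELECT; in-memory SQLite replaces the MySQL connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, email TEXT, password TEXT)');

// Constructed sample input standing in for $_POST; the apostrophe is exactly the
// kind of character that escaping exists to keep out of the SQL text.
$user  = "o'neil";
$email = "o'neil@example.com";
$pwd   = "secret123";

function register(PDO $db, string $user, string $email, string $pwd): int {
    // Values travel as parameters, never as part of the SQL string, so they need
    // no quotes and no escaping. The password is stored as a hash, not plaintext.
    $stmt = $db->prepare('INSERT INTO users (user, email, password) VALUES (:u, :e, :p)');
    $stmt->execute([':u' => $user, ':e' => $email,
                    ':p' => password_hash($pwd, PASSWORD_DEFAULT)]);
    return (int) $db->lastInsertId();
}

function confirmation_mail(string $user, string $email): array {
    // Built from the raw values the user typed; mail() is deliberately not called
    // so the example runs offline. Sending would be mail($m['to'], $m['subject'], $m['body']).
    return ['to'      => $email,
            'subject' => "Welcome, $user",
            'body'    => "Your account $user has been created."];
}

function login_ok(PDO $db, string $user, string $pwd): bool {
    // The tutorial's SELECT, done with a bound parameter and a hash comparison.
    $stmt = $db->prepare('SELECT password FROM users WHERE user = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pwd, $hash);
}

$id   = register($db, $user, $email, $pwd);
$stmt = $db->prepare('SELECT user, email FROM users WHERE id = :id');
$stmt->execute([':id' => $id]);
var_dump($stmt->fetch(PDO::FETCH_ASSOC));     // row stored as typed, apostrophe included
var_dump(confirmation_mail($user, $email));   // address comes from the raw input
var_dump(login_ok($db, $user, $pwd), login_ok($db, $user, 'wrong'));
```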