
session_start();

This should be called at the top of the page before any output to the browser.

There is a default buffer size set in php.ini, but it's different depending on which version you're using.

So you may get away with echoing output prior to session_start(), but why risk it? It's simply poor practice.

Also, error_reporting should be called before any other PHP code is executed as well. Get in the practice of putting all of that code at the top of the page and not strewn all over here and there.

 

Usually I do; I didn't use session_start because I'm not using any session variables.

$stmt = $con->prepare("SELECT * FROM $tbl_name WHERE username='$username' AND password='$password'");
$stmt->execute();
$row = $stmt->fetch();
$user_level = $row['user_level'];
$active = $row['active'];

if($stmt->num_rows == 1) {

I don't have an error as such but it says Username or Password is incorrect

This is not a prepared statement. It's an SQL injection masquerading as a prepared statement.

 

Before you write code, make sure you actually understand how the feature works. The whole point of prepared statements is that you have parameters and pass all external values to those parameters. You have no parameters at all, you just dump your variables into the query string like before.


It worked fine before. I wanted to add SQL injection protection and everyone is telling me to do this.

It worked fine before

 

No, it did not. Just because you've gotten the expected result in some cases doesn't mean that your script worked. Depending on the input, it would have either crashed or destroyed your data or even compromised your entire server.

 

Would you use software which does this? Would you say that it works great when it occasionally deletes your files?

 

 

 

I wanted to add SQL injection protection and everyone is telling me to do this.

 

It's great that you want to fix the security holes, but it's not enough to randomly put a bunch of function calls into your script. You need to use them correctly.

 

Did you read the two examples in the PHP manual? Did you try them out yourself?

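As an added example that is not part of the original thread (it illustrates the two replies above: the one calling the snippet "an SQL injection masquerading as a prepared statement", and the one warning that the old script could have destroyed data or compromised the server), here is the difference written for mysqli, the extension the original script uses. $con and $tbl_name are taken from the script; the attacker input is constructed for the demonstration. Incidentally, in mysqli $stmt->num_rows only works after $stmt->store_result() has been called, and $stmt->fetch() returns a boolean rather than a row unless you bind_result() first, so in the snippet at the top both $row['user_level'] and the num_rows == 1 check fail even when the user exists.

```php
<?php
// Added example, not code from the thread. Assumes a mysqli connection in $con and a
// table named by $tbl_name with columns username, password, user_level and active,
// as in the original login script.

// 1. Why the original "prepared" statement is still injectable: the query text is
//    assembled from user input before prepare() ever sees it, so prepare() just
//    receives whatever SQL the user managed to write into it.
function buildUnsafeQuery(string $tbl_name, string $username, string $password): string
{
    return "SELECT * FROM $tbl_name WHERE username='$username' AND password='$password'";
}

// Constructed attacker input: closes the quoted string, appends an always-true
// condition and comments out the rest of the WHERE clause (the space after -- matters).
$attackerUsername = "admin' OR '1'='1' -- ";
echo buildUnsafeQuery('users', $attackerUsername, 'anything'), PHP_EOL;

// 2. A real prepared statement: the SQL sent to MySQL contains only placeholders, and
//    the values travel separately through bind_param(), so they can never change the
//    structure of the query no matter what characters they contain.
function findUser(mysqli $con, string $tbl_name, string $username, string $password): ?array
{
    // A table name cannot be bound; $tbl_name must come from your own code, never from the request.
    $stmt = $con->prepare("SELECT user_level, active FROM `$tbl_name` WHERE username = ? AND password = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('ss', $username, $password); // 's' = send both values as strings
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();       // get_result() requires the mysqlnd driver
    $stmt->close();
    return $row ?: null;                             // null when no row matched
}

// Usage, with $con and $tbl_name from connect.php and the same trimmed POST values
// the original script reads (kept as a comment so the file runs without a database):
// $user = findUser($con, $tbl_name, trim($_POST['username']), trim($_POST['password']));
// if ($user === null) { echo "Username / Password is incorrect!"; exit(); }
```

With the crafted username, the first function produces `SELECT * FROM users WHERE username='admin' OR '1'='1' -- ' AND password='anything'`, which matches every row regardless of password; findUser() instead looks for a user whose name is literally `admin' OR '1'='1' -- ` and returns null. The example keeps the thread's comparison of a plaintext password inside the query only to stay parallel with the original; in a real login you would store a password_hash() value and compare with password_verify() in PHP after fetching the row.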

That's where I got the code from above; I just edited the query and it gives errors, & yes, it did work before.

Originally I used this for my login script 

<?php

session_start();
error_reporting(E_ALL | E_NOTICE);

include 'header.php';
require 'connect.php';

if(isset($_SESSION['loggedIn'])) {
    echo "<br><br><br><br><br><br><br><center>You are already logged in, <a href='logout.php'><h3>click here</h3></a> if you want to logout</center>";
    echo "<div id='index'><button><a href='index.php'>Index Page</a></div>";
    echo "<style> a {color: #ff0000; font-weight: bold; text-decoration: none;} a:hover {color: #000;} #index {position: absolute; top: 80; left: 60;} #index button:hover {border: 2px solid #ff0000;}</style>";
    exit();
}

if(isset($_POST['submit'])) {

    $username = trim($_POST['username']);
    $password = trim($_POST['password']);

    if($username&&$password) {

    } else {
        die("Please enter a username and password");
    }

    $username = mysqli_real_escape_string($con, $_POST['username']);
    $password = mysqli_real_escape_string($con, $_POST['password']);

    $sql = $con->query("SELECT * FROM $tbl_name WHERE username='$username' AND password='$password'");

    $row = $sql->fetch_array();
    $user_level = $row['user_level'];
    $active = $row['active'];

    if($sql->num_rows == 1) {

        if($row['active'] == 1) {

            if($row['user_level'] == 1) {
                $_SESSION['username'] = $_POST['username'];
                $_SESSION['user_level'] = 1;
                $_SESSION['active'] = 1;
                $_SESSION['loggedIn'] = 1;
                header("Location: admin.php");
                exit();
            }

            $_SESSION['user_level'] = 0;
            $_SESSION['active'] = 1;
            $_SESSION['loggedIn'] = 1;
            $_SESSION['username'] = $_POST['username'];
            header("Location: index.php");
            exit();

        } else if($row['active'] == 0) {
            header("Location: banned.php");
            $_SESSION['active'] = 0;
        }

    } else {
        echo "Username / Password is incorrect!";
        exit();
    }

}

?>

And that works fine, but when I tried to prevent SQL injection attacks in the query like

$sql = $con->query("SELECT * FROM $tbl_name WHERE username=' ".mysqli_real_escape_string($username)." ' AND password='".mysqli_real_escape_string(password)."');

It didn't work. Now obviously I know I'm doing something wrong, and people were telling me to switch to prepared statements, which I do not understand.

If you're fourteen then you have a lot of learning to do - both in PHP and in life. Try listening to what people here are telling you and then do the homework to LEARN.  Read the manual.  Learn all about the functions.  Google prepared statements and how you are supposed to write them and supply values to them.  And when you declare that 'it works' be prepared to show us exactly the code you used in its entirety.

 

Don't be in such a hurry to accomplish some small task - take the time to learn how to use this language and platform the proper way so you will be smarter at the end of this project.

 

Please take this advice seriously -  I'm not 14.


OK, thanks.

$sql = "UPDATE $tbl_name SET active=0 WHERE id={".mysqli_real_escape_string($con, $_GET['id'])."}";

Don't do this. It's unreadable, a pain to debug. Don't use raw $_GET or $_POST vars directly in queries - this will come back to bite you. Never trust a user's input - especially $_GET

// prepared statements, and none of these embedded PHP functions in queries
Edited by hansford
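As an added example, not hansford's code or the original poster's, here is the same UPDATE done as a mysqli prepared statement. $con and $tbl_name are assumed to come from connect.php as elsewhere in the thread, and the id column is assumed to be an integer key. The reason escaping does not help on the line above: mysqli_real_escape_string() only escapes characters that matter inside a quoted string literal, and the id there is not quoted, so a value such as 1 OR 1=1 passes through it unchanged.

```php
<?php
// Added example, not code from the thread. Assumes a mysqli connection $con and a
// table $tbl_name whose `id` column is an integer primary key.

function deactivateUser(mysqli $con, string $tbl_name, $rawId): int
{
    // Validate first: reject anything that is not a positive integer before it goes
    // anywhere near SQL. filter_var() returns false for "1 OR 1=1", "", "abc", "-5".
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    // The SQL text contains no request data at all; the id is sent separately,
    // typed as an integer ('i'), so it can only ever be compared as a number.
    $stmt = $con->prepare("UPDATE `$tbl_name` SET active = 0 WHERE id = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $affected = $stmt->affected_rows; // 0 if no such id (or already inactive), 1 if a row changed
    $stmt->close();
    return $affected;
}

// Usage with the request value the original line read from $_GET (kept as a comment
// so the file can be included without a database):
// $changed = deactivateUser($con, $tbl_name, $_GET['id'] ?? '');
// if ($changed === 0) { echo "No user was deactivated."; }
```

Checking affected_rows is what tells you whether the update actually hit a row; the original one-liner gave no way to know whether the id existed, was already inactive, or was something the attacker chose.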