
I'm testing basic login system



I am testing to see if PHP variables can pass from the previous page to the present page to log in. I notice it doesn't work in the MySQL query from the previous to the present page. It is like using an ID to pass the variable in a link like this: "?id=", but I am using a submit button. I typed name="user" in the previous page, which should pass the variable to the present page, then set up the select in the database, but it doesn't do that. What did I do wrong?

if ($_POST['submitted']) {

$username = $_POST['user'];
$password = $_POST['pass'];


if ($username && $password) {
$log = "SELECT username, password, type FROM username WHERE username = '".$username."' AND WHERE password = '".$password."'";
$result = mysqli_query($Garydb, $log) or die("could not work");
echo "<p>".$result['username']."</p>";
}
}
 
Also, I wonder about two queries in one sentence, like using 'AND' in the sentence: will it work? Please advise me.
 
Thank you in advance for your time.
 
Gary
 
P.S. how do you type in chart like notepad++ in here? I need to know how to do that, so I show you in number line that you can point much easier to read.

Is username the name of the table?

 

WHERE is needed first time, then after that is just AND

$log = "SELECT username, password, type FROM username WHERE username = '".$username."' AND password = '".$password."'";

This leaves you open to SQL attacks, nothing is escaped.

Look into using mysqli_real_escape_string or PDO with prepared statements, password_hash and password_verify.

 

The raw passwords should never be stored anywhere and be hashed instead.

P.S. how do you type in chart like notepad++ in here? I need to know how to do that, so I show you in number line that you can point much easier to read.

 

Use the code button <>

 

We don't need to see the numbers, we can put it in our editors and see them if we want to.

1 - your password s/b stored in a secured fashion - never in plain text. Read up on "password_hash".

2 - when you do your query you use the userid to get the record for the user.  Then you use "password_verify" to see if the given password matches the one on file.  Read up on that function as well.

3 - once your user logs in successfully, store his id and whatever other token you may need to recognize his permissions in $_SESSION variables.  That way they are accessible by all the scripts that run during that session.  Solves your "passing" problem.

4 - As already said - never store the password anywhere other than in the user record and even then only once it is hashed.  Always use a POST method in your login form and not a GET

 

PS - the use of AND in a where clause is not another query.  It is another condition.  But as I said - you don't do that here.

 

Note - be sure that your table definition allows for a large enough value for the hashed password.  See what the documentation suggests.

Can do it like this if want

$log = "SELECT username, password, type FROM username WHERE username = '".mysqli_real_escape_string($Garydb,$username)."' AND password = '".mysqli_real_escape_string($Garydb,$password)."'";

Should really look over the links and suggestions

Wow, it seems I have to learn about login systems - session, mysqli_real_escape_string and has_password. Sometimes, I don't understand what PHP and MySQL's manual website... I appreciate that you advised me about security in MySQL.

QuickOldCar,

 

I added mysqli_real_escape_string where you showed me, but there is another situation: the username and password didn't print in echo. I am using echo or print to make sure the PHP variables are passing to the other statement, but they didn't get into the statement; that's why I typed 'die("Could not work")', so it can tell me that the PHP variable hasn't passed into the statement below this one. If the PHP variable is passed into the other statement, then I can work on SESSION. But it didn't pass.

 

I thought PHP variable would pass to echo to print on website, but it didn't.

 

<?php
 
if ($_POST['submitted']) {
$username = $_POST['user'];
$password = $_POST['pass'];
 
if ($username && $password) {
$log = "SELECT username, password, type FROM username WHERE username = '".mysqli_real_escape_string($Garydb, $username)."' AND WHERE password = '".mysqli_real_escape_string($Garydb, $password)."'";
$result = mysqli_query($Garydb, $log) or die("could not work");
echo "<p>".$result['username']."</p>";
}
}
 
?>
 
I need to see PHP variable to be print in echo in "echo "<p>".$result['username']."</p>"; but it didn't show the print in echo.
 
Also, I created table name username, then I have four columns - ID, username, password, and type.

 

I need to see PHP variable to be print in echo in "echo "<p>".$result['username']."</p>"; but it didn't show the print in echo.

Of course it won't print that value. Why? Because mysqli_query does not return the results of the query. It only returns the mysqli result object. To get the actual results from the result object you need to fetch them; see the following manual pages:

http://php.net/manual/en/mysqli-result.fetch-all.php - fetch all results from the result object, returned as a multidimensional array

http://php.net/manual/en/mysqli-result.fetch-array.php - fetch the next row from the result object; a single row is returned as an associative array.

Ch0cu3r,

 

No, no, that is not what I meant. I mean, I need to pass the PHP variable into SESSION; it is a login. I'm trying to learn to code a login system in PHP; I know it is not easy to build a login system. If mysqli_fetch_all or mysqli_fetch_array can show the result from MySQL, then I will know it will go to SESSION, but it didn't. I put 'die("Could not work")' to show that the PHP variable didn't pass into a new statement.

  • Solution

I put 'die("Could not work")' show that PHP variable didn't pass into a new statement.

If you are getting the "Could not work" message then that means your query is failing. Use mysqli_error to find out why your query is failing:

$result = mysqli_query($Garydb, $log) or die("could not work. MySQL Error: " . mysqli_error($Garydb));
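
Pulling the thread's advice together as an added example (not code from any poster): store only a password_hash value, look the user up by name with a bound parameter, fetch the row, check it with password_verify, then put the user's id and type in $_SESSION. PDO with an in-memory SQLite database stands in for the poster's MySQL connection (an assumption so the script runs without a server), `make_demo_db` and `attempt_login` are hypothetical names, and the account is constructed.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for the thread's MySQL database (assumption);
// the table mirrors the poster's: ID, username, password, type.
function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw with the reason
    $db->exec('CREATE TABLE username (
        ID INTEGER PRIMARY KEY, username TEXT UNIQUE,
        password VARCHAR(255), type TEXT)');
    // Constructed sample account: only the hash is stored, never the raw password.
    $ins = $db->prepare('INSERT INTO username (username, password, type) VALUES (?, ?, ?)');
    $ins->execute(['gary', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);
    return $db;
}

// Look the user up by name only, then compare the submitted password to the stored hash.
function attempt_login(PDO $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare('SELECT ID, username, password, type FROM username WHERE username = ?');
    $stmt->execute([$user]);                 // bound parameter, no string concatenation
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // the statement is not the row; fetch it
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;                         // same answer for unknown user and wrong password
    }
    unset($row['password']);                 // the hash has no business in the session
    return $row;
}

// Constructed input standing in for $_POST['user'] and $_POST['pass'].
$db      = make_demo_db();
$quoted  = attempt_login($db, "o'brien", 'anything');   // apostrophe is plain data here
$wrong   = attempt_login($db, 'gary', 'wrong password');
$account = attempt_login($db, 'gary', 'correct horse');

if ($account !== null) {
    session_start();                         // must run before any output is sent
    session_regenerate_id(true);             // fresh session id once the user is authenticated
    $_SESSION['user_id'] = (int) $account['ID'];
    $_SESSION['type']    = $account['type'];
}
var_dump($quoted, $wrong, $_SESSION ?? null);
```

Other scripts in the same session read `$_SESSION['user_id']` after calling `session_start()`, which is what replaces passing the username from page to page.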