PHP - What Is The Best Way To Protect Your Mysql Login Details?

I have created a button which when pressed should present the user with their details (whoever is logged in), here is the form code:

<form id="form1" name="form1" method="post" action="getdetails.php">
 
  <input type="submit" name="Get Details" value="Get Details" />
   </label>
   
  </p>
</form>

Here is the getdetails.php file

<?php
 mysql_connect("localhost","root","");
 mysql_select_db("test");
 $username = $_POST['textfield'];
  echo '</br>';
 $query = mysql_query("SELECT * FROM membersdetails WHERE name=`$username` ");

while($result = mysql_fetch_array($query)) {
//display
echo $result['firstname'];
echo $result['surname'];
}
?>

Its not workin at all I have attacthed the error i am getting

Any help please?

i want to make a monthly report
  the user selects month from drop down and i must get the specified dates of that month from the DB
  I am using ajax to get the dates

Hello everyone, I am trying to have a function on my website where the administrator can add a new member to the database. Their details are to be stored in the table memberdetails, I have posted the code below, the error i recieve is "Error: Column count doesn't match value count at row 1"

Can anybody help me please?

form code:

<form action="insert.php" method="post">
Username: <input type="text" name="username" /><br><br>
Firstname: <input type="text" name="firstname" /><br><br>
Surname : <input type="text" name="surname" /><br><br>
Date Birth: <input type="text" name="dob" /><br><br>
Total Wins: <input type="text" name="wins" />
Total Loses: <input type="text" name="loses" /><br><br>
Email Add: <input type="text" name="email" /><br><br>
Country : <input type="text" name="born" /><br><br>
Other Info: <input type="text" name="other" /><br><br>
<input type="submit" name="Submit" value="Create" align="right"></td>
</form>


insert.php

<?php
mysql_connect ("localhost","root","")
or die("Cannot connect to Database");
mysql_select_db ("test");

$sql="INSERT INTO memberdetails (username, firstname, surname, dob, totalwins, totalloses, email, country, info)
VALUES
('$_POST[username]''$_POST[firstname]','$_POST[surname]','$_POST[wins]''$_POST[loses]''$_POST[email]''$_POST[born]''$_POST[other]''$_POST[dob]')";

if (!mysql_query($sql))
  {
 die('Error: ' . mysql_error());
  }
echo "1 record added";

?>

hi
i had database with field of name,title,post,content

i want to fetch the post and content for a specific user from giving name of that user by form help me to get that

ps just give me idea to how to do that/

Code: [Select]
<form id="form1" name="form1" method="post" action="view.php">
  <label>Name
  <input type="text" name="textfield" />
  </label>
  <p>
    <label>
    <input type="submit" name="Submit" value="Submit" />
    </label>
  </p>
</form>

Hi,

I have successfully implemented a master details page with the results aligned in columns linking to a details page.
I wish to maintain the recordID passed from the master details page and make the dynamic text, which reads
Shade
A tree that is capable of.....
in the attached screen shot a link to another details page referencing the same recordID.

The detailspage2.php would look the same as the screenshot except the Shade text and description below will be highlighted, which I can do, there will be a new image and a new image description.  All other dynmaic elements on the page will remain the same.

I tried to simply save as my detailspage.php to detailspage2.php and create a link to detailspage2.php. It linked to detailspage2.php but none of the record info showed up in their respective table cells.

I have all the names desc's, images, etc setup in a table in my database.

Please let me know what code and other info you need to help me out with this procedure.

Thanks.

 

Hi All,

I've searched long and hard accross the web for an answer to this and finnally given in and requesting help. Here's what i have, i have a database setup and working fine. What i would like to do is for an administrator to be able to update my users details. It may sound odd, why don't you let your users update their own details? Well the administrators are dispatchers if you like, and my users are the 'dispatchees', for want of a better word. So i would like my administrators to be able to dispatch my users with routes and my users be able to see the routes that have been dispatched to them. I've setup a login area and a page that pulls there routes off the database, depending on their login details, i.e. jack will see his routes and jill will see her's independantly. This works by me editing the appropriate columns/rows of my database using phpmyadmin. What i'd like now is for administrators (who are directed to a seperate page, with more controls) to be able to do the same as me (updating the database) but by using a php form/script.

I'd like to be able to select the routes from a second table on the same database if possible, to try and keep everything tidy. So my dispatcher would select Route001 from a drop down list, this would fill in the text fields next to the route field with From To, so my dispatcher would know what route001 actually is from/ too, choose a username (now being driven from my other table) and hit dispatch. My user would login to their area, hit view dispatched routes and it would display Route 001 with the correct information.

The login area was a downloaded script i modified to suit and is called Login-Redirect_v1.31_FULL

Many thanks in advance, hope you can sort of understand what i want 

Josh

PHP/MySQL ability:Novice

Hello again guys, am having trouble with a login script I have been working on.  Have crawled the web for answers so thought i would post here again for some help.

A brief run down on what the script is intended to do:

1.) The script checks to see if a user is logged in, and asks them to if their not.
2.) If theuser is logged in their userid is grabbed from $_SESSION and assigned to $userid
3.) Connection to the database is made and the field premium is updated with value "1" where userid = $userid

A error message is supposed to be shown if the query has an error, but currently an error is not produced, the premium field remains NULL and the echo is shown.

Can't for the the life of me fiqure out why it isn't working, but i think it is quite simple.

Heres my script

<?php
if (!is_authed()) 
{
echo 'You are not logged-in. Please login so we can add your purchased video to your account.';
include 'login_form.inc.php';
}

else {
include 'cp/config.php';
include 'cp/opendb.php';

 $_SESSION['userid'] = $userid;

$query = "UPDATE user
SET premium='1'
WHERE userid='$userid'";
mysql_query($query) or die('Error, query failed : ' . mysql_error()); 
echo 'Thank You for purchasing our series. We have added it to your account so you can use it straight away.';
}
?>

For some reason the

i have already made the register page where their info goes into the database, and im not sure about the code that selects values from the database.
mysql_connect('', '', '');
mysql_select_db('');

$user = $_POST['user'];
$pass = $_POST['pass'];

echo "<font color='white'>You Need To Login</font>";
if($user == Username && $pass == Password) echo "Welcome $user";

mysql_query("SELECT ('Username', 'Password') FROM login");

?>

I am using a login system in php and mySQL but only one page is potected.

pages i am using:
1. login.php // inputing details (user name, password)
2. checkloginDetails.php // connect to db and check login details
3. logged_in.php // successfully login

...i need more than the one page protected for example; once the user has logged in there will be the main logged in page with other links, remove topics, add, user, remove user all these pages i want protecting but with out the user inputing his details again.

Has anyone got an idear onhow i ould achive this?
 

I have created a PHP & MySql login but its not working.  If I put the right email/password still its showing "Wrong Username or Password" everytime. Bacause I'm beginner to this I don't really know how to solve this issue. Thanks in advance.

Here is my coding

<?php


// Start PHP session at the beginning 
session_start();

// Create database connection using config file
include_once("connection.php");

// If form submitted, collect email and password from form
if (isset($_POST['login'])) {
    $email    = $_POST['email'];
    $password = $_POST['password'];

    // Check if a user exists with given username & password
    $result = mysqli_query($conn, "select 'Email', 'Password' from tblstudent
        where Email='$email' and Password='$password'");

    // Count the number of user/rows returned by query 
    $user_matched = mysqli_num_rows($result);

    // Check If user matched/exist, store user email in session and redirect to sample page-1
    if ($user_matched > 0) {

        $_SESSION["email"] = $email;
        header("location: welcome.php");
    } else {
        echo "User email or password is not matched <br/><br/>";
    }
}
?>

 

Edited May 4 by Barand
code tags added

Ok so I need to create a form to accept the users EmailAddress and Password as credentials to your site then use an SQL Query to determine if the person has an account

Code: [Select]
<?php

require "connectionInfo.php";

$error = "";

if(!isset($_POST["personId"]) || !isset($_POST["firstName"]) || !isset($_POST["lastName"]) || !isset($_POST["emailAddress"]) || !isset($_POST["telephoneNumber"]) || !isset($_POST["socialInsuranceNumber"]) || !isset($_POST["password"])  )
{
$error = "Please fill in the info";
}
else
{
if($_POST["personId"] != "" && $_POST["firstName"] != "" && $_POST["lastName"] != "" && $_POST["emailAddress"] != "" && $_POST["telephoneNumber"] != "" &&$_POST["socialInsuranceNumber"] != ""  && $_POST["password"] != "")
{
$dbConnection = mysql_connect($host, $username, $password);

if(!$dbConnection)
die("Could not connect to the database. Remember this will only run on the Playdoh server.");

mysql_select_db($database);

$sqlQuery = "INSERT INTO persons (personId, FirstName, LastName, emailAddress, telephoneNumber, socialInsuranceNumber, password) VALUES('".$_POST["personId"]."', '".$_POST["firstName"]."', '".$_POST["lastName"]."', '".$_POST["emailAddress"]."', '".$_POST["telephoneNumber"]."', '".$_POST["socialInsuranceNumber"]."', '".$_POST["password"]."')";

if(mysql_query($sqlQuery))
$error = "Person Successfully Added";
else
$error = "Person Could not be added ".mysql_error();

mysql_close($dbConnection);
}
else
$error = "Please enter all the information";
}

?>

<form action="createAccount.php" method="post">
Person ID: <input type="text" name="personId" />
<br />
First Name: <input type="text" name="firstName" />
<br />
Last Name: <input type="text" name="lastName" />
<br />
Email: <input type="text" name="emailAddress" />
<br />
Telephone: <input type="text" name="telephoneNumber" />
<br />
Social Insurance Number: <input type="text" name="socialInsuranceNumber" />
<br />
Password: <input type="text" name="password" />
<br />
<input type="submit" value="Submit to Database" />
</form>

-----EDIT-----

Ok I was able to create the html code for it, but how do I use an sql query to determine if the person has an account?

             Code: [Select]
<form method='post' action='login.php'>
  <table><tr><td>Email Address:</td><td><input type='text' name='emailAddress'></td></tr>
<tr><td>Password:</td><td><input type='password' name='password'></td></tr>
<tr><td></td><td><input type='submit' name='submit' value='Log in'></td></tr></table>
</form>

This is my first attemp at a log in system for a website.  Everything seems to work fine until the "successful" IF function near the end.  All I get it an output of "?>" instead of a redirect to the file "login_success.php".  Any help would be GREATLY appreciated!!  Tom


<?php

// Connect to server and select databse.
mysql_connect("localhost", "scripts3_public", "sfj123!")or die("cannot connect");
mysql_select_db("scripts3_sfj")or die("cannot select DB");

// username and password sent from form
$fusername=$_POST['fusername'];
$fpassword=$_POST['fpassword'];

// To protect MySQL injection (more detail about MySQL injection)
$fusername = stripslashes($fusername);
$fpassword = stripslashes($fpassword);
$fusername = mysql_real_escape_string($fusername);
$fpassword = mysql_real_escape_string($fpassword);

$sql="SELECT * FROM `users` WHERE `User name` = '$fusername' AND `Password` = '$fpassword'";
$result=mysql_query($sql);

if(!mysql_num_rows($result))
{echo "No results returned.";}

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $fusername and $fpassword, table row must be 1 row

if($count==1){

// Register $fusername, $fpassword and redirect to file "login_success.php"
session_register("fusername");
session_register("fpassword");
header("location:login_success.php");
}

else {
echo "Wrong Username or Password";
}

?>

This topic has been moved to PHP Installation & Configuration.

http://www.phpfreaks.com/forums/index.php?topic=355401.0

I currently have a MyBB forum and I'm going to attempt to create a top list for it, but I'd like users that have already registered on my forum to be able to log into the top list area and either add or edit their website on the top list. How would I go about creating a login script with an already existing MySQL database that contains my MyBB users?

I am new to PHP. I have been trying to do some research online for a few days and not getting very far. I feel like I know less now than I did before I started.

Here's the story:

I've set up a LAMP server that runs a Wiki and AppGini (http://www.bigprof.com/appgini/) - AppGini allows you to "Create web database applications instantly without writing any code" - The only downside we have with it, is it's got it's own set of user accounts. My team all logs in with the default admin account which isn't a big deal but we'd prefer to use LDAP to AD for reasons I won't get into right now.

I emailed AppGini support and asked about LDAP integration. Their response was that it's "a little bit of work" and "You can modify the login authentication function to authenticate using LDAP ... please see the example code he http://code.activestate.com/recipes/101525-ldap-authentication/ (needs some modifications to work with AppGini)"

I've googled around and found 2 dozen different LDAP PHP samples. I've gotten some of them to work. By work I mean they connect to my domain controller and say "success" I'm not actually logged into anything.

So I'm looking for a little help from square one. I need to have a better understanding of how things are supposed to work so I know where I'm supposed to go with all of this. Where do I start? What do I do? What would YOU do?


This is the current "index.php" that logs you into the site.
Code: [Select]
<?php

error_reporting(E_ALL ^ E_NOTICE);
$d=dirname(__FILE__);
include("$d/defaultLang.php");
include("$d/language.php");
include("$d/incCommon.php");
$x->TableTitle=$Translation['homepage'];
include("$d/header.php");

if($_GET['signOut']==1){
logOutMember();
}

$tablesPerRow=2;
$arrTables=getTableList();

?>
<div align="center"><table cellpadding="8">
<?php if($_GET['loginFailed']==1 || $_GET['signIn']==1){ ?>
<tr><td colspan="2" align="center">
<?php if($_GET['loginFailed']){ ?>
<div class="Error"><?php echo $Translation['login failed']; ?></div>
<?php } ?>
<form method="post" action="index.php">
<table border="0" cellspacing="1" cellpadding="4" align="center">
<tr>
<td colspan="2" class="TableHeader">
<div class="TableTitle"><?php echo $Translation['sign in here']; ?></div>
</td>
</tr>
<tr>
<td align="right" class="TableHeader">
<?php echo $Translation['username']; ?>
</td>
<td align="left" class="TableBody">
<input type="text" name="username" value="" size="20" class="TextBox">
</td>
</tr>
<tr>
<td align="right" class="TableHeader">
<?php echo $Translation['password']; ?>
</td>
<td align="left" class="TableBody">
<input type="password" name="password" value="" size="20"class="TextBox">
</td>
</tr>
<tr>
<td colspan="2" align="right" class="TableHeader">
<span style="margin: 0 20px;"><input type="checkbox" name="rememberMe" id="rememberMe" value="1"> <label for="rememberMe"><?php echo $Translation['remember me']; ?></label></span>
<input type="submit" name="signIn" value="<?php echo $Translation['sign in']; ?>">
</td>
</tr>
<tr>
<td colspan="2" align="left" class="TableHeader">
<?php echo $Translation['go to signup']; ?>
<br /><br />
</td>
</tr>
<tr>
<td colspan="2" align="left" class="TableHeader">
<?php echo $Translation['forgot password']; ?>
<br /><br />
</td>
</tr>
<tr>
<td colspan="2" align="left" class="TableHeader">
<?php echo $Translation['browse as guest']; ?>
<br /><br />
</td>
</tr>
</table>
</form>
<script>document.getElementsByName('username')[0].focus();</script>
</td></tr>
<?php } ?>
<?php
if(!$_GET['signIn'] && !$_GET['loginFailed']){
if(is_array($arrTables)){
if(getLoggedAdmin()){
?><tr><td colspan="<?php echo ($tablesPerRow*3-1); ?>" class="TableTitle" style="text-align: center;"><a href="admin/"><img src=table.gif border=0 align="top"></a> <a href="admin/" class="TableTitle" style="color: red;"><?php echo $Translation['admin area']; ?></a><br /><br /></td></tr><?php
}
$i=0;
foreach($arrTables as $tn=>$tc){
$tChk=array_search($tn, array());
if($tChk!==false && $tChk!==null){
$searchFirst='?Filter_x=1';
}else{
$searchFirst='';
}
if(!$i % $tablesPerRow){ echo '<tr>'; }
?><td valign="top"><a href=<?php echo $tn; ?>_view.php<?php echo $searchFirst; ?>><img src=<?php echo $tc[2];?> border=0></a></td><td valign="top" align="left"><a href=<?php echo $tn; ?>_view.php<?php echo $searchFirst; ?> class="TableTitle"><?php echo $tc[0]; ?></a><br /><?php echo $tc[1]; ?></td><?php
if($i % $tablesPerRow == ($tablesPerRow - 1)){ echo '</tr>'; }else{ echo '<td width="50">&nbsp;</td>'; }
$i++;
}
}else{
?><tr><td><div class="Error"><?php echo $Translation['no table access']; ?><script language="javaScript">setInterval("window.location='index.php?signOut=1'", 2000);</script></div></td></tr><?php
}
}
?>

</table><br /><br /><div class="TableFooter"><b><a href=http://bigprof.com/appgini/>BigProf Software</a> - <?php echo $Translation['powered by']; ?> AppGini 4.61</b></div>

</div>
</html>