PHP - Select * From Users Where Username...?

While we're on the subject, is there a way to ensure that the first letter of a name is captalized, and the rest lowercase?  Or is this best handled later on, when the name is being used and called from the DB.

PS: some of us comment are code as to WHAT we are doing because we're just not that good yet, and we need to explain it to ourselves.

Hello   I am trying to work out how many regular users I have to my site and how long those users tend to be users..   So, I have a table that logs every time a user visits my site and logs in, it stores the date / time as a unix timestamp and it logs their user id.   I started by getting the id's of any user who logs in more than 5 times in a specified period, but now I want to extend that...  

 
SELECT userID as user, count(userID) as logins FROM login_history where timestamp > UNIX_TIMESTAMP('2014-06-01 00:00:00') and timestamp < UNIX_TIMESTAMP('2014-07-01 00:00:00') group by user having logins > 5;
 

I just discovered that I have a major security flaw with my website.
Anyone who logs in to the website can easily access other users information as well as delete and edit other users information just by changing the ID variable in the address bar.
I have user ID Session started on these pages but still people can do anything they like with other users information just by editing the address bar.
For example if your logged in in the address bar of www.mywebsite.com/delete_mystuff.php?id=5 and change the "5" say to a "9" then you will have access to user#9 information.

Every important page that I have has this code:
Code: [Select]
 session_start();

if (!isset($_SESSION['user_id'])) {
// Start defining the URL.
         $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
// Check for a trailing slash.
         if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
         $url = substr ($url, 0, -1); // Chop off the slash.
}
// Add the page.
$url .= '/index.php';
ob_end_clean(); // Delete the buffer.
header("Location: $url");
exit(); // Quit the script.
} else {
                //Else If Logged In Run The Script

if((isset($_GET['id'])) && (is_numeric($_GET['id']))) {
         $id = (int) $_GET['id'];
} elseif ((isset($_POST['id'])) && (is_numeric($_POST['id']))) {
         $id = (int) $_POST['id'];
} else {
         echo ' No valid ID found, passed in url or form element';
        
         exit();
}



What am I doing wrong?
Please help if you know how to correct this.

Many thanks in advance.

hirealimo.com.au/code1.php

this works as i want it:
Quote

SELECT * FROM price INNER JOIN vehicle USING (vehicleID) WHERE vehicle.passengers >= 1 AND price.townID = 1 AND price.eventID = 1



but apparelty selecting * is not a good thing????

but if I do this:
Quote

SELECT priceID, price FROM price INNER JOIN vehicle....etc


it works but i lose the info from the vehicle table.

but how do i make this work:
Quote

SELECT priceID, price, type, description, passengers FROM price INNER JOIN vehicle....etc


so that i am specifiying which colums from which tables to query??

thanks

Hi!
I want to add the users nickname to the urlcode. I don't have any clue how to :O
And maybe add more text after the url www.url.comTEXTusername
echo $row["url"];$row["username"];

Please help

Hi,
I used to use the php session to get the username of the user that was logged on and use that variable on our intranet. Recently we are having to redevelop the site, and we can no longer use this variable.

Is there another way of getting the username of the user who is logged onto the computer?

Thanks in Advance,
Stuart

How to show the username of the person who uploaded something?

I know how to make the upload script etc. but what is the script needed for the person's username and where do I put it?

Thanks.

Hi,
I used to be able to get the username of the user who was loggd onto the computer and use that as a session variable, so when they are on the intranet, they need not to add any data.

The code I used to use was
Code: [Select]
$logon_name = basename($_SERVER['AUTH_USER']);

Since I updated the webserver and put an up-to-date version of PHP on this no longer works.

If you have any ideas, such as maybe using Javascript to get this variable and passing it to PHP...

Your help is appreciated.
Stuart

I want to accomplish two things: save some server overhead and create a friendlier user experience.

Thus, prior to form submission, the user should have the opportunity to check whether the chosen username is available.

As I've begun researching the topic, I've discovered AJAX, Vue, and XMLHttpRequest alternatives.

 

Any suggestions and alternatives that would give me guidance would be appreciated.

 

Additionally, are there any characters that should be expressly prohibited from use in a username (or other input field) that could aid malicious hackers in causing harm to my website, database, and files?

 

 

Here's the class

Code: [Select]
<?php
session_start();

class Train
{
    private $_clicked;
    private $_name;
    
    
    function __construct()
    {
      $this->_name = (string) $_SESSION['nrpgusername'];
      $this->_clicked = (int) $_SESSION['clicked'];     
    }
    
    public function CheckLogged()
    {
        if(isset($this->_name))
         {}
        else{die("you must be logged in!");}
        
    }
    
    public function CheckClicked()
    {
        if(isset($_POST['go']))
        {
            $this->MysqlUpdate();
            $this->_clicked = 1;
            session_set_cookie_params(84600);
        }
       
        
    }
    
    public function Clicked()
    {
       
       if(isset($this->_clicked))
       {   echo'
            <div id="train"><img src="images/train.jpg" alt="train image"/></div> 
             <div id="text">
              <span id="click">' . $this->_name. ' has gained 7 experience,<br /> and cannot train anymore today.         </span><form method ="post" name="train" action=""> </div>'; 

       }
       
       else
        {
          echo'
           <div id="train"><img src="images/train.jpg" alt="train image"/></div> 
            <div id="text"><span id="click">Click here to train your shinobi!</span>
             <form method ="post" name="train" action=""><input type="submit" name="go" value="train"  /></div>';}

        }

    
    private function MysqlUpdate()
    {
      include("database.php");
      $query = "UPDATE account_info SET experience = experience + 7 WHERE username = '$this->name'"; 
      $result = mysql_query($query) or die(mysql_error());
    }


}


?>
For some reason, it's showing 1 has gained 7 experience,
and cannot train anymore today.

Instead of Tony has gained 7 experience,
and cannot train anymore today.

I have created a simple login system but need help getting the username after login is successfull.

The login page
<?php
session_start();
require_once 'classes/Membership.php';
$membership = new Membership();

// If the user clicks the "Log Out" link on the index page.
if(isset($_GET['status']) && $_GET['status'] == 'loggedout') {
   $membership->log_User_Out();
}

// Did the user enter a password/username and click submit?
if($_POST && !empty($_POST['username']) && !empty($_POST['pwd'])) {
   $response = $membership->validate_User($_POST['username'], $_POST['pwd']);
}
?>
      <div id="login">
        <form method="post" action="">
          <table width="200" border="0" align="center">
            <tr>
              <th scope="col">Username:</th>
              <th scope="col"><input type="text" name="username" /></th>
            </tr>
            <tr>
              <td>Password:</td>
              <td><input type="password" name="pwd" /></td>
            </tr>
            <tr>
              <td colspan="2"><input type="submit" id="submit" value="Login" name="submit" /></td>
            </tr>
          </table>
          <p>&nbsp;</p>
          <p>
            <?php if(isset($response)) echo "<h4 class='alert'>" . $response . "</h4>"; ?>
          </p>
    </form>
      </div>

Membership.php file

<?php

require 'Mysql.php';

class Membership {
   
   function validate_user($un, $pwd) {
      $mysql = New Mysql();
      $ensure_credentials = $mysql->verify_Username_and_Pass($un, md5($pwd));
      
      if($ensure_credentials) {
         $_SESSION['status'] = 'authorized';
         header("location: myaccount.php");
      } else return "Please enter a correct username and password";
      
   }
   
   function log_User_Out() {
      if(isset($_SESSION['status'])) {
         unset($_SESSION['status']);
         
         if(isset($_COOKIE[session_name()]))
            setcookie(session_name(), '', time() - 1000);
            session_destroy();
      }
   }
   
   function confirm_Member() {
      session_start();
      if($_SESSION['status'] !='authorized') header("location: login.php");
   }
}


myaccount page

<?php

require_once 'classes/Membership.php';
$membership = New Membership();

$membership->confirm_Member();

?>

<p>Welcome <?= $_SESSION['status'] ?></p

I'm wanting to increment usernames in ONLY the lowercase a-z for example if a user enters "abc" it will automatically be given "abc1" and the next user if entering the same username will automatically be given "abc2", the next "abc3" and so on. The base login and register script I'm using can be found on http://evolt.org/node/60265/   The database.php and register.php pages are below, but excluding the amendments I am seeking.   I have created a MySQL database with 2 tables, 1 table named 'Users' with 3 columns named (1) 'userid' primary key, auto increment, (2) 'username' (3) 'password'.   The other table is named 'UserCount' with 2 columns named (1) 'username' (2) 'count'.

Can someone provide the PHP coding for the following process?   When a new user registers a new username firstly PHP to check the characters are in lowercase a-z only and no other characters, and reject if they do not match, then for PHP to check to see if that username exists in the 'UserCount' table.   If it doesn't exist, PHP to insert the new username into the 'username' column and also set the value of the 'count' column to 1.   If the username does exist, PHP to add that username to the 'username' column and increment the value of the 'count' column by 1. Then in the 'Users' table PHP to insert a record with 'Users.username = UserCount.username + count' and PHP to inform the new user of their complete username including the integer that has been added to their first entered username.

It would also help if I could be provided a link to a website on where I can better understand how to collate coding of this kind, coz I have tried to formulate this coding but as I'm playing around in the dark I have no idea if it is the right process in particular considering security factors.

database.php
Code: [Select]
<?php

/**
 * Connect to the mysql database.
 */
$conn = mysql_connect("localhost", "your_username", "your_password") or die(mysql_error());
mysql_select_db('your_database', $conn) or die(mysql_error());

?>
register.php

Code: [Select]
<?php
session_start(); 
include("database.php");

/**
* Returns true if the username has been taken
* by another user, false otherwise.
*/
function usernameTaken($username){
global $conn;
if(!get_magic_quotes_gpc()){
$username = addslashes($username);
}
$q = "select username from Users where username = '$username'";
$result = mysql_query($q,$conn);
return (mysql_numrows($result) > 0);
}

/**
* Inserts the given (username, password) pair
* into the database. Returns true on success,
* false otherwise.
*/
function addNewUser($username, $password){
global $conn;
$q = "INSERT INTO Users VALUES ('$username', '$password')";
return mysql_query($q,$conn);
}

/**
* Displays the appropriate message to the user
* after the registration attempt. It displays a 
* success or failure status depending on a
* session variable set during registration.
*/
function displayStatus(){
$uname = $_SESSION['reguname'];
if($_SESSION['regresult']){
?>

<h1>Registered!</h1>
<p>Thank you <b><?php echo $uname; ?></b>, your information has been added to the database, you may now <a href="main.php" title="Login">log in</a>.</p>

<?php
}
else{
?>

<h1>Registration Failed</h1>
<p>We're sorry, but an error has occurred and your registration for the username <b><?php echo $uname; ?></b>, could not be completed.<br>
Please try again at a later time.</p>

<?php
}
unset($_SESSION['reguname']);
unset($_SESSION['registered']);
unset($_SESSION['regresult']);
}

if(isset($_SESSION['registered'])){
/**
* This is the page that will be displayed after the
* registration has been attempted.
*/
?>

<html>
<title>Registration Page</title>
<body>

<?php displayStatus(); ?>

</body>
</html>

<?php
return;
}

/**
* Determines whether or not to show to sign-up form
* based on whether the form has been submitted, if it
* has, check the database for consistency and create
* the new account.
*/
if(isset($_POST['subjoin'])){
/* Make sure all fields were entered */
if(!$_POST['user'] || !$_POST['pass']){
die('You didn\'t fill in a required field.');
}

/* Spruce up username, check length */
$_POST['user'] = trim($_POST['user']);
if(strlen($_POST['user']) > 30){
die("Sorry, the username is longer than 30 characters, please shorten it.");
}

/* Check if username is already in use */
if(usernameTaken($_POST['user'])){
$use = $_POST['user'];
die("Sorry, the username: <strong>$use</strong> is already taken, please pick another one.");
}

/* Add the new account to the database */
$md5pass = md5($_POST['pass']);
$_SESSION['reguname'] = $_POST['user'];
$_SESSION['regresult'] = addNewUser($_POST['user'], $md5pass);
$_SESSION['registered'] = true;
echo "<meta http-equiv=\"Refresh\" content=\"0;url=$HTTP_SERVER_VARS[PHP_SELF]\">";
return;
}
else{
/**
* This is the page with the sign-up form, the names
* of the input fields are important and should not
* be changed.
*/
?>

<html>
<title>Registration Page</title>
<body>
<h1>Register</h1>
<form action="<?php echo $HTTP_SERVER_VARS['PHP_SELF']; ?>" method="post">
<table align="left" border="0" cellspacing="0" cellpadding="3">
<tr><td>Username:</td><td><input type="text" name="user" maxlength="30"></td></tr>
<tr><td>Password:</td><td><input type="password" name="pass" maxlength="30"></td></tr>
<tr><td colspan="2" align="right"><input type="submit" name="subjoin" value="Join!"></td></tr>
</table>
</form>
</body>
</html>


<?php
}
?>

Hi,

iam pretty new and have made a forum style page for intern project display. ATM i use a standard php loginscript, just so i can add the author of the text.

But as you can imagine thats pretty inconvinient.

Is their a way to get the username from my roaming profil or from the current AD user (dont need to auth, just so i can add my nameunder post, like i login on windows with username "Heinz", and write a post on my side, so he can take the username "Heinz" and display it beneth the post?

iam pretty clueless where to start looking, would you be so nice and provide me some topic/hints to give me a push in the right direction.

 

Sry if my english is..... a bit rubbish.

i greatfull for all your time

sincerly

Nasten

Hello,

After searching for some hours I don't get an answer for my question .

I have a login index with session_start and register the user information with :


Code: [Select]
$_SESSION['user'] = $r['username'];
$_SESSION['loggedin'] = true;
In that index file, it echo the right username that's logged in.

On the other files, it echo always "root".

My other files are combined with

- Header.php ( Start of validation of session )
- Page.php ( Validate again )
- Footer.php ( End the validation of footer )

All files have a session start and if not logged in redirects to index file to login again.


The problem, somewhere I have an error that I can't discover..

Could you please help me ?

Header.php

Code: [Select]
<?php
session_start();
include("connect.php");
include("../inc/config.php");
if( isset($_SESSION['user']) and $_SESSION['loggedin'] == true){
    
?>

MY OWN CODE
  <?php
}
else{
    
Header("Location:index.php");
}

?>
PAGE.PHP




Code: [Select]
<?php
session_start();
if( isset($_SESSION['user']) and $_SESSION['loggedin'] == true){
    
?>
<?php include("header.php"); 
$session = session_decode(session_id());
$result = mysql_query("SELECT * FROM admutilizador WHERE id='$session'") or die(mysql_error());
$row = mysql_fetch_array($result);

?>

MY OWN CODE

<?php include("footer.php"); ?>
<?php

}
else{
    
Header("Location:index.php");
}


FOOTER.PHP
Code: [Select]
<?php
session_start();
if( isset($_SESSION['user']) and $_SESSION['loggedin'] == true){
    
?>

MY OWN CODE
<?php
}
else{
    
Header("Location:index.php");
}


Can someone help me ? thanks in advance.


P.S.

I used a test session var

$_SESSION['test'] = "TEST";
and it keeps the records in other pages.

Using the $_SESSION['user'] = $r['username'];   ( info from DB that returns the right username in the same page, echoing it in other pages always output root.

Hope this test could help anyone too.

I don't know anything about php and I'm trying to fix these two links. 

One of which will bring the user to view's his/her profile to view it and the other will bring the user to his/her profile to edit.

I'm sure it's just a matter of deleting a space or adding some sort of variable but I just don't know.

<br><a href="http://mysailingconnection.com/using-this-website"><Font color="#000033"><b>Using This Website</b></font></a><br><br><a href="/members/<?php global $current_user; echo $current_user->user_login;?>/profile/">Click here to visit your profile.</a> </p><a href="/members/<?php echo $current_user->user_login;?>/profile/edit/">Click here to edit your personal profile.</a><br />