[PHP] Membership site
Hello, I am just starting out with PHP and I have just created a database named "Members" with a table named "Persons". There are 5 fields (id, firstname, lastname, username, password). The form I created is a sign up form and the values entered into the form are inserted into the table "Persons". Now my question is: how do I create a secure log in system with this new database? Thanks in advance! :)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Form Already Filled Out
Hello,

So I created a simple login system, and I am using sessions. Everything seems to work fine; however, when I upload my files to my server and type my domain name, my index.php page comes up and the form is automatically filled out with a username and password. How do I make it empty when I initially enter the site? And yes, I did create a logout.php file that destroys a session. Please help, it is hard to explain this when I can't show it in person. Thanks in advance!

Here is the login.php code, I didn't md5() the password yet:

    <?php
    if ($_SESSION['user']){
        header("Location: error.php");
        exit();
    }
    include('connect.php');
    if ($_POST['login']){
        $user=$_POST['user'];
        $pass=$_POST['pass'];
        $sql="SELECT * FROM members WHERE username='$_POST[user]' and password='$_POST[pass]'";
        $result=mysql_query($sql, $con);
        $count=mysql_num_rows($result);
        if ($count==1){
            $_SESSION['user'] = $user;
            header('location: home.php');
        }
        else
            echo "Wrong Username or Password";
    }
    ?>

Home Topix Mission Username: Password: Register?
[PHP] saving sessions
Hello,

I'm new to the whole storing sessions thing and I really don't know how to ask this question, but here it goes. So on my site when someone logs in, the login.php file checks for the username and password in the table I created, then if it finds a match it will store a $_SESSION[] variable. To be exact, the code is as follows:

    if ($count=='1'){
        session_start();
        $_SESSION['user']=$user; // $user is the $_POST['user'] from the login form
        header('location: login_success.php');
    }

Now what I would like to know is how do I make my website save new changes the user made while in their account? Thanks!
[PHP] Sending a message
Ok so I have tried to create a sort of messaging system on my website and I have run into some problems storing who the message is from. I'll try to take you through step by step what I am trying to do.

Step #1 (messages.php): <-- This is where the member will view the recent messages that have been posted

    <?php
    include 'connect.php';
    session_start();
    $_SESSION['user']=$user;
    //store sql queries
    $sql="SELECT * FROM entries";
    $result=mysql_query($sql, $con);
    $count=mysql_num_rows($result);
    if ($count<1){
        echo 'There are no messages yet!';
    }
    while ($row=mysql_fetch_array($result)){
        echo 'From: ' .$row['from'];
        echo '';
        echo 'Subject: ' .$row['subject'];
        echo '';
        echo 'Message: ' .$row['body'];
        echo '';
    }
    ?>

Step #2 (create_message.php): <-- This is where the user creates a new message

Create new message Subject Body

Step #3 (insert_message.php): <-- This is where my problem is (trying to insert $_SESSION['user'] into table ['from'])

    <?php
    include 'connect.php';
    session_start();
    $user=$_SESSION['user'];
    if ($_POST['new_message']){
        include 'connect.php';
        session_start();
        $_SESSION['user']=$user;
        $body=$_POST['body'];
        $subject=$_POST['subject'];
        $date=' ';
        $sql="INSERT INTO `entries` ( `id` , `from` , `subject` , `body` , `date` ) VALUES ( NULL , '$user', '$subject', '$body', '$date' )";
        if (mysql_query($sql,$con)){
            echo 'Inserted!';
            echo $user;
        }
        else
            echo 'Not Inserted';
    }
    ?>

Hope I don't piss anyone off with such a long message, I just really need help on this.

Thanks!
Re: [PHP] Sending a message
Well, my problem is when I click submit, the $_SESSION['user'] ('from' part of the table in my db) is blank, so I'm guessing the $_SESSION variable didn't pass through.

On Aug 04, 2011, at 10:11 PM, Negin Nickparsa wrote:

In previous pages you must have a login page, and in the login page you must store the username, and then in the next steps you have the username in $_SESSION['user']. Now if that is not your problem, then what is the problem?
Re: [PHP] Sending a message
This is the login.php which checks the form on the login page.

    <?php
    session_start();
    include('connect.php');
    $user=$_POST['user'];
    $pass=$_POST['pass'];
    $sql="SELECT * FROM members WHERE username='$_POST[user]' and password='$_POST[pass]'";
    $result=mysql_query($sql, $con);
    $count=mysql_num_rows($result);
    if ($count==1){
        session_start();
        $_SESSION['user'] = $user;
    }
    else{
        echo 'Wrong Username or Password';
    }
    ?>

On Aug 04, 2011, at 10:23 PM, Negin Nickparsa wrote:

You must check setting your session with this one:

    if(isset($_SESSION['user']))
    {
        // Identifying the user
        $user = $_SESSION['user'];
        // Information for the user.
    }

Tell me what you have done in the login page?
Re: [PHP] Sending a message
Woot! Got it! There was a page in between that stored $_SESSION['user']=$user rather than the other way around! Thank you! And yea, I will secure it!

On Aug 04, 2011, at 10:37 PM, David Holmes wrote:

Your code is full of security errors. You should use mysql escape string (google it) to protect your database from being hacked.

David Holmes
twitter @mrstanfan
owner of the exclusive StanFan.com
Whats Your StanFan?

-----Original Message-----
From: wil prim <wilp...@me.com>
Date: Sat, 06 Aug 2011 04:49:32
To: PHP MAILINGLIST<php-general@lists.php.net>; Philly Holbrook<pholbro...@gmail.com>
Subject: [PHP] Sending a message
Re: [PHP] Sending a message
I think I'll just use the better secured one, thanks!

On Aug 04, 2011, at 10:41 PM, Negin Nickparsa wrote:

Or if you want to do this risky and non-secure thing, try this:

    $query="select * from members where user='".$_POST['user']."'and pass=password('$pas')";

Well, first you must check errors in mysql, then storing in session. Also it is better to use:

    $user=mysql_real_escape_string($_POST['user']);

then write the query.
Re: [PHP] Sending a message
lol wow ok thanks, I'm very new to coding, started html about 2 months ago, so ty for letting me know the security of the language! Is there any place where I can read (other than the php manual) a tutorial on security?

On Aug 04, 2011, at 10:49 PM, Negin Nickparsa wrote:

It is better to use this one: http://www.php.net/mysql_real_escape_string

If you don't use this, by inputting just a quote or this input '--' a hacker can easily hack your syntax. In other steps your site will send a message like: error in mysql on this line lob lob .. In this part he will find that your server is MySQL :D he/she will try other syntaxes and by errors he/she finds your table names and ... :D you know how bad :D then obey the security rules
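
Added example, not part of any post in this thread: the login check from login.php written with bound parameters and password hashing, the current form of the escaping advice above (the mysql_* functions used in the thread were removed in PHP 7). It assumes PDO with the SQLite driver, a constructed in-memory `members` table and a constructed sample account; `register`, `check_login` and `start_user_session` are hypothetical helper names.

```php
<?php
// Added example. A constructed in-memory SQLite table stands in for the
// thread's MySQL "members" table so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// Sign-up side: store a salted hash, never the plain password or md5().
function register(PDO $pdo, string $user, string $pass): void {
    $stmt = $pdo->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

// Login side: the username is a bound parameter, so a quote or "--" inside it
// is treated as data and cannot change the query. The hash is checked with
// password_verify() instead of comparing passwords inside the SQL.
function check_login(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

// What login.php would do after check_login() succeeds (needs a web request,
// so it is defined here but not called from this command-line demo).
function start_user_session(string $user): void {
    session_start();
    session_regenerate_id(true);   // issue a fresh session id at login
    $_SESSION['user'] = $user;     // store the name, then read it on later pages
}

register($pdo, 'alice', 'correct horse');   // constructed sample account
register($pdo, "o'brien", 'tea-time');      // a legitimate name containing a quote

$attempts = [                        // constructed login attempts
    ['alice', 'correct horse'],      // valid
    ['alice', 'wrong'],              // wrong password
    ["o'brien", 'tea-time'],         // quote in the name still works
    ["alice' --", 'anything'],       // quote plus comment marker: no such user
];
foreach ($attempts as [$u, $p]) {
    printf("%-12s => %s\n", $u, check_login($pdo, $u, $p) ? 'login ok' : 'rejected');
}
```

Run with `php` on the command line; only the first and third attempts are accepted.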