I want to check if email already exists in the DB, starting at this and need some help. Here is the code:
<?php
require_once('includes/connects.php');
$username = $_POST['username'];
$nome = $_POST['nome'];
$password = sha1($_POST['password']);
$email = $_POST['email'];
$checkmail = mysql_query("SELECT email FROM utilizadores WHERE email = '$email'");
$result = $conn->query($checkmail);
if($result->num_rows == 0){
$querygo = "INSERT INTO utilizadores (username, nome, password, email) VALUES ('$username', '$nome', '$password', '$email'";
$result = $conn->query($querygo);
header('Location: index.php');
} else {
echo 'DONT WORK';
}
This is the error:
Fatal error: Call to a member function query() on a non-object in
C:\Sites\deca_13L4\deca_13L4_23\MiniProjeto\bussaco\registo.php on
line 12 Warning: Unknown: 1 result set(s) not freed. Use
mysql_free_result to free result sets which were requested using
mysql_query() in Unknown on line 0
Looking at your code, unsure what value this has in the mix of everything since that is exactly where the error occurs:
$result = $conn->query($checkmail);
So I would change your code to be like this:
<?php
require_once('includes/connects.php');
$username = $_POST['username'];
$nome = $_POST['nome'];
$password = sha1($_POST['password']);
$email = $_POST['email'];
$checkmail = mysql_query("SELECT email FROM utilizadores WHERE email = '$email'");
if(!$checkmail){
$querygo = "INSERT INTO utilizadores (username, nome, password, email) VALUES ('$username', '$nome', '$password', '$email'";
$result = $conn->query($querygo);
header('Location: index.php');
} else {
echo 'DONT WORK';
}
But that said, it’s unclear to me where the actual needed mysql_connect comes from. Is that in require_once('includes/connects.php');? I hope so. Otherwise mysql_query won’t work no matter what. To execute a query you need a connection.
just make your code as simple as you can. So here:
<?php
require_once('includes/connects.php');
$username = $_POST['username'];
$nome = $_POST['nome'];
$password = sha1($_POST['password']);
$email = $_POST['email'];
$checkmail = mysql_query("SELECT email FROM utilizadores WHERE email = '$email'");
$num_rows = mysql_num_rows($checkmail);
if($num_rows){
$querygo = "INSERT INTO utilizadores (username, nome, password, email) VALUES ('$username', '$nome', '$password', '$email'";
$result = mysql_query($querygo);
header('Location: index.php');
} else {
echo 'DONT WORK';
}
Related
I am get login errors when i test my script by logining under my own account. Do you think hashing passwords twice a bad practice?
I have hashed the users password twice in my website. Once, when they register and once, when they update their password in account update. Also i am using bcrypt method and cost of bcrypting is 10 on both hashings and i am on localhost server.
///// this is the code in register.php page
<?php
if(isset($_POST['registeruser'])) {
session_start();
$FName = $_POST['regfname'];
$LName = $_POST['reglname'];
$Email = mysqli_real_escape_string($conn, $_POST['regemail']);
$origignalpassword = preg_replace('#[^a-z0-9_]#i', '',
$_POST['regpassword']);
$Passwordw = $_POST['confirmedpassword'];
$infosql = "SELECT * FROM users WHERE useremail = '".$Email."'";
$result = mysqli_query($conn,$infosql);
if(mysqli_num_rows($result)>=1)
{
echo "Email already taken.";
}
else if(mysqli_num_rows($result) !=1 && $Passwordw ==
$origignalpassword) {
$Passwordhash = password_hash($Passwordw,
PASSWORD_BCRYPT, array('cost' => 10));
$sql = $conn->query("INSERT INTO users(firstname,
lastname, useremail, Passwordcell) Values('{$FName}',
'{$LName}','{$Email}','{$Psswordhash}')");
header('Location: login.php');
} else {
echo 'Please check your password:' . '<br>';
}
}
?>
//// Below code is the code in my update.php page
<?php session_start();
if(isset($_SESSION['user_id'])) {
} else {
header('Location: login.php');
}
$user = $_SESSION['userid'];
$myquery = "SELECT * FROM users WHERE `userid`='$user'";
$result = mysqli_query($conn, $myquery);
$row = mysqli_fetch_array($result, MYSQLI_BOTH);
$_SESSION['upd_fnames'] = $row['firstname'];
$_SESSION['upd_lnames'] = $row['Lastname'];
$_SESSION['upd_emails'] = $row['useremail'];
$_SESSION['upd_passwords'] = $row['Passwordcell'];
$_SESSION['upd_phone'] = $row['phonenum'];
$_SESSION['upd_bio'] = $row['biography'];
?>
<?php
if (isset($_POST['updateme'])) {
$updfname = $_POST['upd_fnames'];
$updlname = $_POST['upd_lnames'];
$updemail = $_POST['upd_emails'];
$updphone = $_POST['upd_phone'];
$upd_pswd = $_POST['upd_passwords'];
$biography = $_POST['update_biography'];
$Pswod = password_hash($upd_pswd, PASSWORD_BCRYPT,
array('cost' => 10));
$sql_input = $mysqli->query("UPDATE users SET firstname = '{$updfname}', Lastname = '{$updlname}', Phonenum = '{$updphone}', useremail = '{$updemail}', Passwordcell = '{$Pswod}', biography = '{$biography}' WHERE userid=$user");
header('Location: Account.php');
}
else
{
}
?>
Your problem could be just a typo, in your registration script, instead of $Passwordhash you wrote:
"INSERT INTO users(..., Passwordcell) Values(...,'{$Psswordhash}')"
Nevertheless there are other problems with your code, and since you asked for advise, i would like to share my thoughts.
Probably the biggest problem is, that your code is vulnerable to SQL-injection. Switch to prepared statements as soon as you can, writing code will become even easier than building the query as you did, and both MYSQLI and PDO are supporting it. This answer could give you a start.
Passwords should not be sanitized. Remove the line $origignalpassword = preg_replace('#[^a-z0-9_]#i', '', $_POST['regpassword']), and just pass the input directly to the hash function password_hash($_POST['regpassword'], PASSWORD_DEFAULT). The password_hash() function works with any type of input.
It is a good habit to place an exit after each redirection, otherwise the script will continue executing. header('Location: login.php', true, 303); exit;
Do you really have reason to put the user info into the session? Instead of $_SESSION['upd_fnames'] = $row['firstname']; i would fetch the information on demand from the database. With fetching it from the database you can be sure that the information is actually set (is not null) and is up to date, you can avoid a state and you get a bit more REST full.
Then last but not least i would recommend to follow some style rules, like starting variable names always with a small letter. You can avoid some silly typos and it makes your code more readable.
I have a simple contact form that works if I do not use smtp. I've tried to add smtp to use with mandrill, but it doesn't work. Emails aren't going through to mandrill.
I do not see any errors after sending either even if I enabled '$mail->SMTPDebug = 1;' I've tried on both local and live server environments.
<?php
require_once('../mail/class.phpmailer.php');
$emailaddress = "name#domain.com";
// Check for empty fields
if(empty($_POST['name']) ||
empty($_POST['email']) ||
empty($_POST['phone']) ||
empty($_POST['message']) ||
!filter_var($_POST['email'],FILTER_VALIDATE_EMAIL))
{
echo "No arguments Provided!";
return false;
}
$name = $_POST['name'];
$email_address = $_POST['email'];
$phone = $_POST['phone'];
$ip = $_SERVER['REMOTE_ADDR'];
$message = $_POST['message'];
$subject = "Contact Form: $name";
$body = "You have received a new message from website.\n\n"."Here are the details:\n\nName: $name\n\nEmail: $email_address\n\nPhone: $phone\n\nIP Address: $ip\n\nMessage:\n$message";
$mail = new PHPMailer();
$mail->IsSMTP();
$mail->Host = "smtp.mandrillapp.com";
//$mail->SMTPDebug = 1;
$mail->SMTPAuth = true;
$mail->Host = "smtp.mandrillapp.com";
$mail->Port = 587;
$mail->Username = "username";
$mail->Password = "password";
$mail->CharSet = 'UTF-8';
$mail->SetFrom($email_address);
$mail->AddReplyTo($email_address);
$mail->Subject = "Contact Form: ".$_POST['name']." ";
$mail->MsgHTML($body);
$mail->AddAddress($emailaddress);
$mail->Send();
?>
I figured it out. I needed to also include the 'class.stmp.php' file as well. It doesn't have to be call, but needs to in the same folder as 'class.phpmailer.php.'
I have a email form for my website but here is the issue: when i receive an email, the subject line in my inbox shows whatever the user inputted as subject in the form. id like to override that so that whenever an email comes in. the subject in the email header is always "an inquiry from your website". In the message body, sure i don't mind their specific subject they entered but when I receive an email, id like consistency in my inbox.
this is the current code:
<?php session_start();
if(isset($_POST['Submit'])) { if( $_SESSION['chapcha_code'] == $_POST['chapcha_code'] && !empty($_SESSION['chapcha_code'] ) ) {
$youremail = 'xxxxxxxxx';
$fromsubject = 'An inquiry from your website';
$title = $_POST['title'];
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$mail = $_POST['mail'];
$address = $_POST['address'];
$city = $_POST['city'];
$zip = $_POST['zip'];
$country = $_POST['country'];
$phone = $_POST['phone'];
$subject = $_POST['subject'];
$message = $_POST['message'];
$headers = "From: $nome <$mail>\r\n";
$to = $youremail;
$mailsubject = 'Message received from'.$fromsubject.' Contact Page';
$body = $fromsubject.'
The person that contacted you is '.$fname.' '.$lname.'
Address: '.$address.'
'.$city.', '.$zip.', '.$country.'
Phone Number: '.$phone.'
E-mail: '.$mail.'
Subject: '.$subject.'
Message:
'.$message.'
|---------END MESSAGE----------|';
echo "Thank you for inquiring. We will contact you shortly.<br/>You may return to our <a href='/index.html'>Home Page</a>";
mail($to, $subject, $body, $headers);
unset($_SESSION['chapcha_code']);
} else {
echo 'Sorry, you have provided an invalid security code';
}
} else {
echo "You must write a message. </br> Please visit our <a href='/contact.html'>Contact Page</a> and try again.";
}
?>
It appears as though you have set a variable called $subject elsewhere.
$subject = $_POST['subject'];
and then use that same variable to send your mail.
mail($to, $subject, $body, $headers);
Try creating another variable for the second use or changing it prior to suit your needs.
Hi I was wondering how I would migrate a mysqli php file to use PDO. Would anyone be able to take a look at my code and see if I'm on the right track?
This is my original (mysqli) code:
<?php
// connecting to database
$conn = new mysqli('xxxxxx', 'xxxxxx', 'password', 'xxxxxx');
$match_email = 'email';
$match_passhash = 'passhash';
if (isset($_POST['email'])) {
$clean_email = mysqli_real_escape_string($conn, $_POST['email']);
$match_email = $clean_email;
}
if (isset($_POST['passhash'])) {
$clean_passhash = mysqli_real_escape_string($conn, $_POST['passhash']);
$match_passhash = sha1($clean_passhash);
}
$userquery = "SELECT email, passhash, userlevel, confirmed, blocked FROM useraccounts
WHERE email = '$match_email' AND passhash = '$match_passhash'
AND userlevel='user' AND confirmed='true' AND blocked='false';";
$userresult = $conn->query($userquery);
if ($userresult->num_rows == 1) {
$_SESSION['authorisation'] = 'knownuser';
header("Location: userhome.php");
exit;
} else {
$_SESSION['authorisation'] = 'unknownuser';
header("Location: userlogin.php");
exit;
}
?>
And this is my attempt to migrate it to PDO:
<?php
// connecting to database
$dbh = new PDO("mysql:host=xxxxxx; dbname=xxxxxx", "xxxxxx", "password");
$match_email = 'email';
$match_passhash = 'passhash';
if (isset($_POST['email'])) {
$clean_email = mysqli_real_escape_string($conn, $_POST['email']);
$match_email = $clean_email;
}
if (isset($_POST['passhash'])) {
$clean_passhash = mysqli_real_escape_string($conn, $_POST['passhash']);
$match_passhash = sha1($clean_passhash);
}
$userquery = "SELECT email, passhash, userlevel, confirmed, blocked FROM useraccounts
WHERE email = ':match_email' AND passhash = ':match_passhash' AND
userlevel='user' AND confirmed='true' AND blocked='false';";
$stmt = $dbh->prepare($query);
$stmt->bindParam(":match_email", $match_email);
$stmt->bindParam(":match_passhash", $match_passhash);
$stmt->execute();
$userresult = $conn->query($userquery);
if ($userresult->num_rows == 1) {
$_SESSION['authorisation'] = 'knownuser';
header("Location: userhome.php");
exit;
} else {
$_SESSION['authorisation'] = 'unknownuser';
header("Location: userlogin.php");
exit;
}
?>
I'm also not sure how to count the number of rows returned in PDO.
If anyone would be able to help me out that wold be very great.
A million thanks in advance!
When using prepared statements and $stmt->bindValue() or $stmt->bindParam() you do not need to escape values with mysqli_real_escape_string(), PDO will do that for you.
Just remember to set a correct data type for the value. That is the third argument in the bind functions and it is a string by default so your code here is fine. I would only use bindValue() instead of bindParam() as you do not need references.
$stmt->execute() will run your prepared statement as a query. The other $conn->query() does not work with prepared statements. It is for raw queries, like you used to have with MySQLi.
When $stmt->execute() runs your response is saved in the $stmt object. For row count use $stmt->rowCount().
I'm trying to script an authentication and login script and am quiet there.. I have a password 'password' saved in my database... it works with the password 'password' however should not work with 'password1!' or prefix or suffix two characters more.... IT shouldn't accept it... but if I enter something different (different string, or a few more characters), it gives me a proper error...
That is the only row in my database table... there are no duplicate entries..
Following is the code
public function validate_login($valuethrown) {
$username = $valuethrown['username'];
$email = $valuethrown['email'];
$password = $valuethrown['password'];
echo "Values thrown to the model are : $username, $email, $password";
$authAdapter = $this->getAuthAdaptor();
$authAdapter->setIdentity($email)
->setCredential(md5($password));
$auth = Zend_Auth::getInstance();
$result = $auth->authenticate($authAdapter);
if ($result->isValid()) {
$data = $authAdapter->getResultRowObject(null,'password');
$auth->getStorage()->write($data);
$this->_redirect('home');
} else {
echo "</br>Wrong Password</br>";
}
//check login details
}
public function getAuthAdaptor() {
$authAdapter = new Zend_Auth_Adapter_DbTable(Zend_Db_Table::getDefaultAdapter());
$authAdapter->setTableName('users')
->setIdentityColumn('email')
->setCredentialColumn('password');
return $authAdapter;
}
HELP!!!!