echo not working after login

bmccarthy · October 22, 2013, 8:28pm

Hello All.
Just yesterday, I’ve started to dabble in MySQL and PHP to help with a project at work. I’m (somewhat) familiar with php form handlers, but I only have limited experience. With the help of google, I’ve been able to get this far, but now I need some help.

I’ve created a database with a test user it it. I’ve created index.php (login page), checklogin.php (verifies user), login_success.php (redirects upon successful login to), main_login.php (homepage after login).

The problem is that I am trying to get some variables from the database to echo on the main_login.php page (like name, when account was created, etc), but the spot where the variables should be are just blank.

I don’t quite understand how ‘sessions’ work, so maybe that’s the problem and I have something wrong.

Index.php:
[php]

In order to locate your account, please provide the following information.
MID:
ZIP Code:

[/php]

checklogin.php:
[php]<?php

ob_start();
$host=“myhostname”; // Host name
$username=“myusername”; // Mysql username
$password=“mypassword”; // Mysql password
$db_name=“mydatabase”; // Database name
$tbl_name=“mydatabasetable”; // Table name

mysql_connect("$host", “$username”, “$password”)or die(“cannot connect”);
mysql_select_db("$db_name")or die(“cannot select DB”);

// Define $myusername and $mypassword
$mid=$_POST[‘mid’]; // acts as username
$zip=$_POST[‘zip’]; // acts as password

// To protect MySQL injection (more detail about MySQL injection)
$mid = stripslashes($mid);
$zip = stripslashes($zip);
$mid = mysql_real_escape_string($mid);
$zip = mysql_real_escape_string($zip);
$sql=“SELECT * FROM $tbl_name WHERE mid=’$mid’ and zip=’$zip’”;
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $mid and $zip, table row must be 1 row
if($count==1){

// Register $mid, $zipand redirect to file “login_success.php”
session_register(“mid”);
session_register(“zip”);
header(“location:login_success.php”);
}
else {
echo “Wrong Username or Password”;
}
ob_end_flush();
[/php]

login_successful.php:
[php]<?php
session_start();
if(!session_is_registered($mid)){
header(“location:main_login.php”);
}
?>
[/php]

main_login.php:
[php]

Welcome

Welcome <? echo "$contact" ?>!

Name:<? echo "$company" ?>

Date Started:<? echo "$start" ?>

Last Validation:<? echo "$last" ?>

[/php]

Can someone spot what I’m doing wrong?

JimL · October 22, 2013, 9:06pm

It doesn’t look like you actually fetch the data from the database. You should read up on how to do sql-queries
http://php.net/manual/en/function.mysql-query.php

please also read my Use PDO thread, and your days of sql injection worries are over.

bmccarthy · October 22, 2013, 9:42pm

Thanks JimL…like I said, it’s new to me.

So, would I insert something like below?..and in which file (the main_login.php page?)…and where in the document should it be placed (before or after a certain part)?
Sorry and thanks!

[php]$query = sprintf(“SELECT mid, company, contact, last, start FROM users
WHERE mid=’%s’ AND zip=’%s’”,
mysql_real_escape_string($mid),
mysql_real_escape_string($zip));

// Perform Query
$result = mysql_query($query);
[/php]

JimL · October 22, 2013, 9:47pm

The page I linked to has this example, it explains everything. Please be advised though that using the mysql_* library is not recommended, it is deprecated, a security risk and will be removed from PHP soon

[php]<?php
// This could be supplied by a user, for example
$firstname = ‘fred’;
$lastname = ‘fox’;

// Formulate Query
// This is the best way to perform an SQL query
// For more examples, see mysql_real_escape_string()
$query = sprintf(“SELECT firstname, lastname, address, age FROM friends
WHERE firstname=’%s’ AND lastname=’%s’”,
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname));

// Perform Query
$result = mysql_query($query);

// Check result
// This shows the actual query sent to MySQL, and the error. Useful for debugging.
if (!$result) {
$message = 'Invalid query: ’ . mysql_error() . “\n”;
$message .= 'Whole query: ’ . $query;
die($message);
}

// Use result
// Attempting to print $result won’t allow access to information in the resource
// One of the mysql result functions must be used
// See also mysql_result(), mysql_fetch_array(), mysql_fetch_row(), etc.
while ($row = mysql_fetch_assoc($result)) {
echo $row[‘firstname’];
echo $row[‘lastname’];
echo $row[‘address’];
echo $row[‘age’];
}

// Free the resources associated with the result set
// This is done automatically at the end of the script
mysql_free_result($result);[/php]

bmccarthy · October 22, 2013, 11:00pm

Oh boy… Not I’m just more confused then I was before.
I added the example and manipulated what I thought I should (to be applicable to my database variables), but now I get a bunch of errors.

Here’s the error(s):

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Can’t connect to local MySQL server through socket ‘/var/lib/mysql/mysql.sock’ (2) in /home/…/main_login.php on line 7

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/…/main_login.php on line 7

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Can’t connect to local MySQL server through socket ‘/var/lib/mysql/mysql.sock’ (2) in /home/…/main_login.php on line 8

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/…/main_login.php on line 8

Warning: mysql_query() [function.mysql-query]: Can’t connect to local MySQL server through socket ‘/var/lib/mysql/mysql.sock’ (2) in /home/…/main_login.phpon line 11

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/…/main_login.php on line 11
Invalid query: Can’t connect to local MySQL server through socket ‘/var/lib/mysql/mysql.sock’ (2) Whole query: SELECT mid, company, contact, zip, last, start FROM users WHERE mid=’’ AND zip=’’

Here’s my code:
[php]<?php
// Formulate Query
// This is the best way to perform an SQL query
// For more examples, see mysql_real_escape_string()
$query = sprintf(“SELECT mid, company, contact, zip, last, start FROM users
WHERE mid=’%s’ AND zip=’%s’”,
mysql_real_escape_string($mid),
mysql_real_escape_string($zip));

// Perform Query
$result = mysql_query($query);

// Check result
// This shows the actual query sent to MySQL, and the error. Useful for debugging.
if (!$result) {
$message = 'Invalid query: ’ . mysql_error() . “\n”;
$message .= 'Whole query: ’ . $query;
die($message);
}

// Use result
// Attempting to print $result won’t allow access to information in the resource
// One of the mysql result functions must be used
// See also mysql_result(), mysql_fetch_array(), mysql_fetch_row(), etc.
while ($row = mysql_fetch_assoc($result)) {
echo $row[‘mid’];
echo $row[‘zip’];
echo $row[‘last’];
echo $row[‘start’];
}

// Free the resources associated with the result set
// This is done automatically at the end of the script
mysql_free_result($result);
?>[/php]

Has it somehow lost the connection to the database…do I need to preface the page with something that relates to the session (login credentials that they provided to get to this page in the first place)?

I know you are trying to help, but I’m hoping you can try to walk me through it like I’m a 10-year-old or something. lol Thanks.

JimL · October 23, 2013, 4:39am

Then check out my tutorial. As I say in my signature I normally do not help people using mysql_*. I am not comfertable with helping people write insecure code