NEED SERIOUS HELP

PLEASE HELP
5 OMITTEDIG HOUR 5 OMITTEDING HOURS WORKING ON THIS SHIT CODE AND IT IS NOT WORKING

[php]<?php
include("connect.php");
session_start();

if (isset($_POST['login'])) {
    $username = $_POST["username"];
    $password = $_POST["password"];

    // $username is interpolated straight into the SQL string here
    $query = mysqli_query($conn, "SELECT * FROM admins WHERE username='$username'");
    $numrows = mysqli_num_rows($query);

    if ($numrows !== 0) {
        while ($row = mysqli_fetch_assoc($query)) {
            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }
        // plain string comparison of the submitted password against the stored one
        if ($username == $dbusername && $password == $dbpassword) {
            $_SESSION['username'] = $_POST['username'];
            header("Location: admin-home.php");
            exit; // stop the script after the redirect so nothing below it runs
        }
    }
}
?>[/php]

WHEN I TRY TO LOGIN WITH PASSWORD ADMIN ADMIN IT LOGS IN. WHEN I ADD ANOTHER USER LIKE A A IT DOESN'T LOGIN. FOR OMITTED SAKE, I AM USING THIS CODE ON OTHER WEBSITES AND IT ALWAYS WORKS, BUT NOW

IT IS MOTHER FUCKING WORKING WHEN I TYPE ADMIN ADMIN AND LOGIN, BUT THERE IS NO FUCKING USERNAME ADMIN OR PASSWORD ADMIN IN THE MYSQL DATABASE
AND NO, I DIDN'T MAKE ANY FUNCTIONS LIKE IF USERNAME = ADMIN AND PASSWORD = ADMIN THEN IT DOES LOGIN

OMFG NOW IT'S WORKING. I CHANGED THE CODE FOR 5 FUKEN HOURS AND NOW I MADE IT BACK LIKE IT IS NOW AND IT IS WORKING?? WTF, JUST FORGET ABOUT IT, I'M FUCKING NOT HUMAN ANYMORE
FORGET ABOUT THIS, DELETE
I'M SO MAD I COULD KILL MYSELF

NO IT IS NOT WORKING AGAIN
THERE IS NO GOD

IF I ADD ADMIN FROM MY WEBSITE TO THE MYSQL DATABASE I CAN'T LOGIN TO THAT ACCOUNT. IF I DO IT FROM PHPMYADMIN I CAN LOGIN TO THAT ACCOUNT. WTFF WTFFF WTFF IS WITH THIS WORLD, WHY CAN'T IT BE SIMPLE

WHAT'S THE DIFFERENCE FOR FUCK'S SAKE IF I ADD IT FROM PHPMYADMIN OR FROM THE WEBSITE? IT IS THERE SO IT HAS TO WORK, BUT NO, IT DOESN'T

REALLY, WHAT'S THE FUCKING DIFFERENCE IF I ADD USERNAME=A AND PASSWORD=A FROM PHPMYADMIN
OR I ADD USERNAME=A AND PASSWORD=A FROM THE WEBSITE
IT IS IN THE FUCKING TABLE, IT HAS TO WORK. MAYBE SOME BAD SPIRITS IN MY COMPUTER OR WHAT
ASDASD

OK, let's start out with: typing in all caps is shouting. I totally understand that you are frustrated, but many people will be less inclined to assist if you are so overwhelmed and frustrated.

Now, I pulled the code and looked it over… I don't have all of the information to totally diagnose what is going on… But let's start with some basics so we can get a starting point.

after the:

[php]$username = $_POST["username"];
$password = $_POST["password"];[/php]

Add this:

[php]echo "Username :" . $username . "<br>";
echo "Password :" . $password . "<br>";[/php]

Let’s also look at a couple of other things as well:

After:
[php]$numrows = mysqli_num_rows($query);[/php]

Add:
[php]echo "Number of rows :" . $numrows;[/php]

Make sure it has the output you're expecting.

Here's something that might help that I threw together. It obviously does NOT work, but there shouldn't be any syntax errors. I can't say there aren't logical errors, for there might be, and the scripts need to be put in appropriate pages (files) with modifications.

[php]<?php

/*
 * This is just defining constants and this portion would normally go in a separate file off the root directory of
 * your project. I use an if statement to determine local and remote server that way I don't have to keep changing
 * the constants when I make modifications to the file and I finally move it to the remote server (production server).
 */
if (filter_input(INPUT_SERVER, 'SERVER_NAME', FILTER_SANITIZE_URL) == "localhost") {
    define('DATABASE_HOST', 'localhost'); // usually localhost
    define('DATABASE_NAME', 'cms');
    define('DATABASE_USERNAME', 'username');
    define('DATABASE_PASSWORD', 'password');
    define('DATABASE_TABLE', 'users');
} else {
    define('DATABASE_HOST', 'remote_database_host');
    define('DATABASE_NAME', 'remote_db_name');
    define('DATABASE_USERNAME', 'remote_username');
    define('DATABASE_PASSWORD', 'remote_password');
    define('DATABASE_TABLE', 'users');
}
/*
 * End of Defining Constants
 */

function read($username, $password) {
    /*
     * I use PDO and I recommend it over mysqli for I find it easier to work with, gives you more database options
     * other than MySQL and you can use named prepared statements.
     */
    $db_options = array(
        /* important! use actual prepared statements (default: emulate prepared statements) */
        PDO::ATTR_EMULATE_PREPARES => false,
        /* throw exceptions on errors (default: stay silent) */
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        /* fetch associative arrays (default: mixed arrays) */
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
    );
    $pdo = new PDO('mysql:host=' . DATABASE_HOST . ';dbname=' . DATABASE_NAME . ';charset=utf8', DATABASE_USERNAME, DATABASE_PASSWORD, $db_options);

    /* Setup the Query for reading in login data from database table */
    $query = 'SELECT id, username, password, full_name, email, security_level, private FROM users WHERE username=:username';

    $stmt = $pdo->prepare($query); // Prepare the query:
    $stmt->execute([':username' => $username]); // Execute the query with the supplied user's parameter(s):

    $stmt->setFetchMode(PDO::FETCH_OBJ); // If you want to use an array then use FETCH_ASSOC:
    $user = $stmt->fetch(); // Fetch the appropriate record:

    /*
     * If username isn't in the database table return false.
     */
    if (!$user) {
        return FALSE;
    }
    /*
     * If password matches database table match send back true otherwise send back false.
     * Check out http://php.net/manual/en/function.password-hash.php
     * and
     * http://php.net/manual/en/function.password-verify.php for better password management.
     */
    if (password_verify($password, $user->password)) {
        return TRUE;
    } else {
        return FALSE;
    }
}

/*
 * This is just an example of how you might grab the user's input.
 */
$submit = filter_input(INPUT_POST, 'login', FILTER_SANITIZE_FULL_SPECIAL_CHARS); // the submit button's value
if (isset($submit) && $submit === 'login') {
    $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    // Don't sanitize the password: password_verify() needs exactly the characters the user typed.
    $password = filter_input(INPUT_POST, 'password', FILTER_UNSAFE_RAW);

    $result = read($username, $password);
    if ($result) {
        after_successful_login(); // your own function: set the session and redirect
    }
}[/php]

You also need to relax for coding can be challenging and I have spent long hours of debugging a script to get it to work. I found myself doing more earlier on when I was just learning PHP, but I occasionally hit a snag now. I even have written a fairly lengthy script only to be told by someone with more programming experience to scrap it for it wasn’t secure. Talk about frustration! Anyways we all have been there when it comes to coding. Syntax errors are easy to debug, it’s the logical errors that are the tough ones.

HTH John

P.S. One good way to debug is to have error reporting turned on (local server only) ->
[php]/* Turn on error reporting */
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
if (filter_input(INPUT_SERVER, 'SERVER_NAME', FILTER_SANITIZE_URL) == "localhost") {
    error_reporting(-1); // -1 = on || 0 = off
} else {
    error_reporting(0); // -1 = on || 0 = off
}[/php]

Thank you for answering me, I found my problem.
When I was adding admins from the website I made a mistake:

$sql = "INSERT INTO admins (username,password)
VALUES ('$username','$password ')";
After $password there was a space xd
Well, I'm stupid

I would recommend adding a trim and security to the input and the data being retrieved…

Change this:
[php]
if (isset($_POST['login'])) {
    $username = $_POST["username"];
    $password = $_POST["password"];
    $query = mysqli_query($conn, "SELECT * FROM admins WHERE username='$username'");
[/php]

To this:

[php]
if (isset($_POST['login'])) {
    array_walk($_POST, 'trim_value'); // array_walk passes each value by reference, so trim_value() can change it in place
    $postfilter = array(
        'username' => array('filter' => FILTER_SANITIZE_ENCODED, 'flags' => FILTER_FLAG_STRIP_LOW),
        'password' => array('filter' => FILTER_SANITIZE_ENCODED, 'flags' => FILTER_FLAG_STRIP_LOW)
    );
    $revised_post_array = filter_var_array($_POST, $postfilter);

    $username = $revised_post_array['username'];
    $password = $revised_post_array["password"];
    $query = mysqli_query($conn, "SELECT * FROM admins WHERE username='$username'");
[/php]

Now somewhere in your code, add this function:

[php]
function trim_value(&$value) {
$value = trim($value); // this removes whitespace and related characters from the beginning and end of the string
}
[/php]

This will trim all POST and sanitize the values so code cannot be executed.

Just my opinion, as of your code right now, I would be able to inject XSS into your form and take control of the server.

Thanks!

Welcome to the forum, Jessica.

As to your reply / OP's code:

Don't create variables for nothing.
Never put variables in a query. Use prepared statements.
Do not SELECT *. Specify each column name you want.

OP, you should start using PDO. Here is a tutorial to get you going. https://phpdelusions.net/pdo
And don't run your operators and variables into each other; put a space between them.
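Pulling the thread's advice together, here is an added example (not code from any of the posters) of a register and login pair built on PDO prepared statements, an explicit column list, trim() on the username, and password_hash()/password_verify(). The admins table layout, the function names and the SQLite in-memory DSN are assumptions so the script runs on its own; for MySQL you would swap in the DSN and credentials from connect.php.

```php
<?php
// Added example, not from the thread. Table name and columns are assumed;
// SQLite in memory is used so the script runs stand-alone.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password TEXT NOT NULL)');

// Registration: the values are bound, so there is no hand-written
// '$password ' literal for a stray space to creep into, and only a
// password hash is ever stored.
function register_admin(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO admins (username, password) VALUES (:username, :password)');
    $stmt->execute([
        ':username' => trim($username),
        ':password' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Login: select only the columns needed, look the user up through a bound
// parameter, and let password_verify() compare against the stored hash.
function login_admin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password FROM admins WHERE username = :username');
    $stmt->execute([':username' => trim($username)]);
    $row = $stmt->fetch();
    if ($row === false) {
        return false; // unknown username
    }
    return password_verify($password, $row['password']);
}

register_admin($pdo, ' a ', 'a');                  // stored with username 'a'
var_dump(login_admin($pdo, 'a', 'a'));             // correct credentials
var_dump(login_admin($pdo, 'a', 'a '));            // a trailing space makes it a different password
var_dump(login_admin($pdo, "a' OR '1'='1", 'a'));  // bound parameter: just an unknown username, not SQL
```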
