Solve : Re: php mysql issues?

1.	Solve : Re: php mysql issues?
Answer» We are going to need a lot more information than that including how the site is built, exactly what goes wrong and any relevant code snippets.I agree with camerongray. What type of webserver are you using. what type of data is required to be entered in to the form. Have you checked to make sure that the fields in the database are correctly formatted. I mean by this if it's numerical and character data then have you set it to be varchar. If you have set any fields to be unique and are trying to enter the same data for test purposes this won't allow you to enter the same entry twice. What is the error message you are getting. If you have an example of what has worked and what hasn't can you post them here. Also as camerongray has said could you post your code here. So, that would be what you have in the html and the php page please.okay cam and base10... these are the codes... the data that is being filled by the user is not reflecting in the dbase on submission... i use xampp... if( isset($_GET['surname']) && isset($_GET['firstname']) && isset($_GET['Date_of_birth']) && isset($_GET['department']) && isset($_GET['username']) && isset($_GET['password']) && isset($_GET['Confirm_Password']) ) { echo "all is set"; $sname=$_GET['surname']; $fname=$_GET['firstname']; $dob=$_GET['Date_of_birth']; $department=$_GET['department']; $username=$_GET['username']; //$password=$_GET['password']; $pass2=$_GET['Confirm_Password']; echo "all is set"; } else { echo "some fields are not filled"; } //db conxn require_once 'login.php'; $db_server= new mysqli($db_hostname, $db_username, $db_password, $db_name); if ($db_server->connect_error)die($db_server->connect_error); echo "DB connection successful"; //$sql= "INSERT INTO user VALUES ('null','$sname','$fname','$dob','$department','$username','$pass2')"; $sql = "INSERT INTO user VALUES('null','$sname','$fname','$dob','$department','$username','$pass2')"; $result= $db_server-> query($sql); if (!$result)die($db_server->error); ?> Register to login h2 {background-color:#90ccd4; width: 100%; height: 40px; color: #000; font-size: 100%; font-family: arial, tahoma; line-height: 2.0; text-align: center; margin-top: 4px; } form{ width: 50%; height: 100%; clear: both; line-height:80px; color: #000; margin: 2% 0 0 20%; } .form{ BORDER: 1px solid; border-width:80%; padding-left: 5%; padding-bottom: 10%; background-color:#90ccd4; text-align: center; clear: both; } Registration Form Surname: First name: Date of Birth: Department: Username: Password: Confirm Password: First things first, you really need to read up on this sort of thing before you start implementing it. The code you have listed has four serious issues that must be resolved: You are not escaping the user provided data that you are using in your SQL queries leaving the site totally open to an SQL injection attack. You are storing passwords in plain text which is a massive issue, passwords stored in a database should be salted and hashed You aren't validating any inputs, as it is currently I could submit a totally blank form and it would work fine. Data for such a form should be sent as POST data, not GET. And finally: Code: [Select]<form> <div class="form" action='form.php'>The action attribute should be on the tag, not the Is this website for work, school/college/uni, or just your own interest in putting together a website. Firstly looking at your code you haven't closed your php off with "?>" (don't use the inverted commas please). The site below gives you information on Salted password hashing. This is a function you can add so that data written to your db will be encrypted first before being written to the hard disk drive (hdd). https://crackstation.net/hashing-security.htm#phpsourcecode If this is for a school or college project you're lecturer may NOT require you to do the hashing as they might want to see the data reaching the database. But for commercial use this is better to do for security purposes. Reason being if the db is compromised then it will take a long long time before anyone can crack the HASH code... unless they are a Dalek lol As camerongray has said there is also no validation here and you will have to change your code to use POST instead of GET. To validate your site you can use something like below, although you will have to tailor it to name of your form. Code: [Select]<script type="text/JavaScript"> function validate() { if(document.formOne.Email.value == "" \|\| document.formOne.Password.value == "") { alert("Please fill in the boxes provided and try again "); return false; } else { parent.location="Login.php"; } } </script> Quote from: Base10 on October 25, 2014, 06:47:08 PM To validate your site you can use something like below, although you will have to tailor it to name of your form. While using Javascript is certainly a good idea to validate user input as it will minimize server calls but it's important to note that the user can do whatever they want with the Javascript therefore you cannot rely on it as total input validation. The backend in PHP will still have to validate all the inputs in the same way before it will finally allow the insert to take place.As camerongray has stated, quite rightly too as this is an important part to remember, that the PHP end will have to validate the inputs also before the insert takes place. Don't know why I never mentioned it lol. Thanks for pointing that out camerongray, much appreciated. This code is just an example and depending on the sql database you are using the syntax, again, will have to be tailored to suit... especially because my example is using MySQL. The code below should be on the .php page and not on the .html page. Code: [Select] // to check for the users details. mysql_select_db("the_name_of_your_database", $con); $Usercheck = $_POST['Email']; $Passcheck = $_POST['Password']; $checkUser = mysql_query("SELECT Email FROM yourtable WHERE Email = '$Usercheck'") or die(mysql_error()); $Check2 = mysql_num_rows($checkUser); //If the user isn't in your database this inserts the new user if ($Check2 == 0) mysql_query("INSERT INTO airusers (Email, Password) Values ('$Email','$Password')"); If the registered user is already registered and tries again you will need to code an alert to throw up; this is to tell them that they are using details that are already registered and a link to get them to a password page to reset their password for login. Quote i use xampp Are you going to be using Xampp on a live server that is on the web which could be targeted by hackers etc? Xampp is only really intended for testing of code on a staged sandbox of a server, and not really intended for a live server environment. If this is for school and just as a backbone to demonstrate your code etc its fine as long as offline mode of use, or used in a private network among trusted users etc, but if a system with xampp is placed out onto the DMZ or even a port forward to it from a private server environment, dont be surprised if a hacker gets in there and makes a mess of it all. There is info on the web on how to harden xampp installs for a live server connection, but its best to build it all up as secure as possible with the components that you will be using only ACTIVE etc, and each one manually installed and custom configured for security, vs using xampp with all features possible active to work no matter what someone is going to use xampp for and many points of entry or points of attack for hackers that would find it pretty quickly with probes and the first PLAN of attack would probably be to use the default authentication of xampp tested against it before moving on to other methods of attack.

Answer»

We are going to need a lot more information than that including how the site is built, exactly what goes wrong and any relevant code snippets.I agree with camerongray.

What type of webserver are you using.

what type of data is required to be entered in to the form. Have you checked to make sure that the fields in the database are correctly formatted. I mean by this if it's numerical and character data then have you set it to be varchar.

If you have set any fields to be unique and are trying to enter the same data for test purposes this won't allow you to enter the same entry twice.

What is the error message you are getting.

If you have an example of what has worked and what hasn't can you post them here. Also as camerongray has said could you post your code here. So, that would be what you have in the html and the php page please.okay cam and base10... these are the codes... the data that is being filled by the user is not reflecting in the dbase on submission... i use xampp...

if(
   isset($_GET['surname'])
   && isset($_GET['firstname'])
   && isset($_GET['Date_of_birth'])
   && isset($_GET['department'])
   && isset($_GET['username'])
   && isset($_GET['password'])
   && isset($_GET['Confirm_Password'])
   )
   {
      echo "all is set";
      $sname=$_GET['surname'];
      $fname=$_GET['firstname'];
      $dob=$_GET['Date_of_birth'];
      $department=$_GET['department'];
      $username=$_GET['username'];
      //$password=$_GET['password'];
      $pass2=$_GET['Confirm_Password'];
      echo "all is set";
   }
   else {
      echo "some fields are not filled";
   }
   //db conxn
require_once 'login.php';
$db_server= new mysqli($db_hostname, $db_username, $db_password, $db_name);
if ($db_server->connect_error)die($db_server->connect_error);
echo "DB connection successful";

//$sql= "INSERT INTO user VALUES ('null','$sname','$fname','$dob','$department','$username','$pass2')";
$sql = "INSERT INTO user VALUES('null','$sname','$fname','$dob','$department','$username','$pass2')";
$result= $db_server-> query($sql);
if (!$result)die($db_server->error);
?>

   Register to login

   h2 {background-color:#90ccd4;
      width: 100%;
      height: 40px;
       color: #000;
       font-size: 100%;
       font-family: arial, tahoma;
       line-height: 2.0;
       text-align: center;
       margin-top: 4px;
   }

form{
   width: 50%;
   height: 100%;
   clear: both;
   line-height:80px;
   color: #000;
   margin: 2% 0 0 20%;
}

.form{
BORDER: 1px solid;
border-width:80%;
padding-left: 5%;
padding-bottom: 10%;
background-color:#90ccd4;
text-align: center;
clear: both;

}


Registration Form


   Surname:


   First name:


   Date of Birth:


   Department:


   Username:


   Password:


   Confirm Password:







First things first, you really need to read up on this sort of thing before you start implementing it. The code you have listed has four serious issues that must be resolved:

You are not escaping the user provided data that you are using in your SQL queries leaving the site totally open to an SQL injection attack.
You are storing passwords in plain text which is a massive issue, passwords stored in a database should be salted and hashed
You aren't validating any inputs, as it is currently I could submit a totally blank form and it would work fine.
Data for such a form should be sent as POST data, not GET.

And finally:
Code: [Select]<form>
<div class="form" action='form.php'>The action attribute should be on the tag, not the Is this website for work, school/college/uni, or just your own interest in putting together a website.

Firstly looking at your code you haven't closed your php off with "?>" (don't use the inverted commas please).

The site below gives you information on Salted password hashing. This is a function you can add so that data written to your db will be encrypted first before being written to the hard disk drive (hdd).

https://crackstation.net/hashing-security.htm#phpsourcecode

If this is for a school or college project you're lecturer may NOT require you to do the hashing as they might want to see the data reaching the database. But for commercial use this is better to do for security purposes. Reason being if the db is compromised then it will take a long long time before anyone can crack the HASH code... unless they are a Dalek lol

As camerongray has said there is also no validation here and you will have to change your code to use POST instead of GET.

To validate your site you can use something like below, although you will have to tailor it to name of your form.

Code: [Select]<script type="text/JavaScript">

function validate()
{
if(document.formOne.Email.value == "" || document.formOne.Password.value == "")
{
alert("Please fill in the boxes provided and try again ");
return false;
}
else
{
parent.location="Login.php";
}
}
</script>
Quote from: Base10 on October 25, 2014, 06:47:08 PM

To validate your site you can use something like below, although you will have to tailor it to name of your form.

While using Javascript is certainly a good idea to validate user input as it will minimize server calls but it's important to note that the user can do whatever they want with the Javascript therefore you cannot rely on it as total input validation. The backend in PHP will still have to validate all the inputs in the same way before it will finally allow the insert to take place.As camerongray has stated, quite rightly too as this is an important part to remember, that the PHP end will have to validate the inputs also before the insert takes place. Don't know why I never mentioned it lol. Thanks for pointing that out camerongray, much appreciated.

This code is just an example and depending on the sql database you are using the syntax, again, will have to be tailored to suit... especially because my example is using MySQL.

The code below should be on the .php page and not on the .html page.

Code: [Select]
// to check for the users details.

mysql_select_db("the_name_of_your_database", $con);
$Usercheck = $_POST['Email'];
$Passcheck = $_POST['Password'];

$checkUser = mysql_query("SELECT Email FROM yourtable WHERE Email = '$Usercheck'")
or die(mysql_error());
$Check2 = mysql_num_rows($checkUser);

//If the user isn't in your database this inserts the new user

if ($Check2 == 0)
mysql_query("INSERT INTO airusers (Email, Password) Values ('$Email','$Password')");

If the registered user is already registered and tries again you will need to code an alert to throw up; this is to tell them that they are using details that are already registered and a link to get them to a password page to reset their password for login. Quote

i use xampp

Are you going to be using Xampp on a live server that is on the web which could be targeted by hackers etc?

Xampp is only really intended for testing of code on a staged sandbox of a server, and not really intended for a live server environment.

If this is for school and just as a backbone to demonstrate your code etc its fine as long as offline mode of use, or used in a private network among trusted users etc, but if a system with xampp is placed out onto the DMZ or even a port forward to it from a private server environment, dont be surprised if a hacker gets in there and makes a mess of it all.

There is info on the web on how to harden xampp installs for a live server connection, but its best to build it all up as secure as possible with the components that you will be using only ACTIVE etc, and each one manually installed and custom configured for security, vs using xampp with all features possible active to work no matter what someone is going to use xampp for and many points of entry or points of attack for hackers that would find it pretty quickly with probes and the first PLAN of attack would probably be to use the default authentication of xampp tested against it before moving on to other methods of attack.

Solve : Re: php mysql issues?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment