Posting comments into a Mysql database?

[Html]

Hi,

I have some pages setup, that create an account, I would like to post a comment to the accounts index page, there isn't an account index page, just a page that has a logout link.

I know I need a comment box so the logout page can have that, but posting a comment in a comment box, would require an Id I guess, I used a tutorial to help me, and the creator of the tutorial helped me getting the whole login working as he configured his differently as it was done on a local system, and not a free web host.

Thanks.

[Gabrielphp]

So what's your idea of coding a comment section? Before we can help you and eventually give you some code examples you need to show us some code too, we can't just give you the code without you doing something first because this way you won't learn to do it by yourself.

[Html]

Honestly, I don't know.

I have a database called site, so html code for the box and a submit button, and then what next?

 

[justsomeguy]

Design the database tables to hold the data you want, process the submitted form, and insert the data into the database.  You can display the data from the database on another page.

[Html]

The site database has the table called users, and then listed is a username and password.

So for comments on an accounts index page, I'm not sure how this is suppose to work.

I can't even get the registration page to get to the logout link page, I don't know what happened there. Once registered it would load a link on the same page and it would take me to the logout link. So there I want a comment box, which isn't really the problem, but getting it to post, as you stated "justsomeguy", I need to post the details to the site db.

 

<h3>Login</h3>
<form action="dashboard.php" method="POST">
<input type="text" name="uname" placeholder="username"><br>
<input type="password" name="pwd" placeholder="password"><br>
<input type="submit" name="Login" value="Login">

 

Edited September 29, 2017 by Html
Added login code

[justsomeguy]

You should also include a column in the users table for ID, make it an auto-increment integer column and the primary key in the table.  Use that ID to link up other things to the users.  So the comments table would also have an ID column, plus columns for whatever you want to save like the text, date/time, etc, plus a column for the user ID.  So all of the comments that have a certain ID in the user ID column were posted by that user.  That's how you handle those kinds of relationships, that's a one-to-many relationship.  One user can have many comments, and each comment is only posted by one user.  You should be able to look up several of the terms I'm using for more information.

[Html]

I had followed a youtube video tutorial, and got help from the creator of the video, as for a comment box I searched for that, so i returned here.

So for this ID row in the users table, how would that work with rich1 login details?

uname, fname, lname is an example of what is in the users table in site db.

Well yes text, date and time.

 

As for a login section on the registration.php page, how does that work? Or what could be the problem there?

Edited September 29, 2017 by Html

[justsomeguy]

So for this ID row in the users table, how would that work with rich1 login details?

I'm not sure what that means, but you're going to need a unique column in your users table which you can use as a foreign key in other tables to refer to a specific user.  In order to do that I use an auto-increment primary key for the unique ID.  You could use the username, but that means that if they want to change their username you have to change it in every table unless you have foreign key constraint which will cascade the changes.  It also means you need the extra space to store the duplicate username in multiple tables, which is going to require more storage space than storing an integer.  So I use integers as the primary keys for all of my tables unless there's a specific reason why I need something else.  You can still make the username field a unique index to ensure that there aren't duplicate usernames, but I think it makes more sense to use an integer ID that will never change.

As for a login section on the registration.php page, how does that work? Or what could be the problem there?

If you have questions about code then you'll need to post all of the relevant code.  Each form should be a standalone thing, if you want a page that has both a registration form and also a login form (which seems a little weird to put a login form on a page for someone to make a new account), you can do whatever you want to do as long as each form is separate.  There aren't any rules on how many forms you can have on a page or whatever, it's up to you to design it.

[Html]

The person who helped correct the php code he had made in his video, made it so that if I created rich1, it can't be created again. As for, the table so okay lets just keep really basic, one user has a comment box that posts to the accounts index, which I don't have one for the username, first I can't even get into the dashboard. He did leave some comments, but I'm still rusty with all of this, it was only a week or ago he corrected and made it work with a free host. He had created his own account and based the example files off it, and recorded some clips explaining a little of he did.

 

<?php
require 'connect.inc.php';

if (isset($_POST['fname']) and isset($_POST['lname']) and isset($_POST['uname']) and isset($_POST['pwd']) and isset($_POST['pwd2'])
	and !empty($_POST['fname']) and !empty($_POST['lname']) and !empty($_POST['uname']) and !empty($_POST['pwd']) and !empty($_POST['pwd2'])) {

$fname = mysqli_real_escape_string($conn, $_POST['fname']);
$lname = mysqli_real_escape_string($conn, $_POST['lname']);
$uname = mysqli_real_escape_string($conn, $_POST['uname']);
$pwd = $_POST['pwd'];
$pwd2 = $_POST['pwd2'];

//The mysqli_real_escape_string prevents sql injection... We are hashing the passwords, so we don't need to do it on those lines.

/*This line checks to make sure the passwords match*/if ($pwd != $pwd2) {

	echo 'The passwords you entered didn\'t match';
} else {

	$check = "SELECT * FROM users WHERE uname = '$uname'";
	$res = mysqli_query($conn, $check);
	/*This line checks to make sure the user exists*/if (mysqli_num_rows($res)>0) {
		echo 'That username is taken.';
	} else {

		$pwd = PASSWORD_HASH($pwd, PASSWORD_BCRYPT, array('cost' =>12));

$sql = "INSERT INTO users (fname, lname, uname, pwd) VALUES ('$fname', '$lname', '$uname', '$pwd')";
if (!mysqli_query($conn, $sql)) {

echo 'Error!';

} else {
echo 'Account created! <br> Click <a href="index.php">Here</a> to login';
				
			}
		}
	}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Register Account</title>
</head>
<body>
<h3>Login</h3>
<form action="dashboard.php" method="POST">
<input type="text" name="uname" placeholder="username"><br>
<input type="password" name="pwd" placeholder="password"><br>
<input type="submit" name="Login" value="Login">
<br>
<h2>Create Account</h2>
<form action="registration.php" method="POST"> <!-- This line should have been set to the current page were editing -->
<input type="text" name="fname" placeholder="first name"><br>
<input type="text" name="lname" placeholder="last name"><br>
<input type="text" name="uname" placeholder="username"><br>
<input type="password" name="pwd" placeholder="password"><br>
<input type="password" name="pwd2" placeholder="confirm password"><br>
<input type="submit" name="submit" value="Register">
</form>
</body>
</html>

<?php
session_start();

if (!isset($_SESSION['id'])) {

	header("Location: index.php");
//The above bit of code checks to make sure the user is logged in... If they're not, it will kick them back to the login page...
}

require 'connect.inc.php';

/*Dont change this line */$id = $_SESSION['id'];
/*This line tells PHP to get the user information from mysql*/$getuser = "SELECT * FROM users WHERE id = '$id'";
$res = mysqli_query($conn, $getuser);
/*This line will let you use $row['something here']' to pull information from the database*/$row = mysqli_fetch_assoc($res);

echo 'Welcome, '. $row['fname']. '<br><a href="logout.php">Logout</a>';

//As you can see, we don't have a var in here called fname, so that's a good example of the mysqli_fetch_assoc function pulling the information 'fname' from the database.


?>

<?php
session_start();
require 'connect.inc.php';

if (isset($_POST['uname']) and isset($_POST['pwd']) and !empty($_POST['uname']) and !empty($_POST['pwd'])) {

	$uname = mysqli_real_escape_string($conn, $_POST['uname']);
	$pwd = $_POST['pwd'];

	$check = "SELECT * FROM users WHERE uname = '$uname'";
	$res = mysqli_query($conn, $check);
	$row = mysqli_fetch_assoc($res);

	if (mysqli_num_rows($res)<1) {
		echo 'That user wasn\'t found';
	} else {

		$pwd = PASSWORD_VERIFY($pwd, $row['pwd']);

		$dbuser = $row['uname'];
		$dbpwd = $row['pwd'];

		if ($uname == $dbuser and $pwd == $dbpwd) {

			$id = $row['id'];
			$_SESSION['id'] = $id;
			
			header("Location: dashboard.php");
			exit();

		} else {
			echo 'That username and password didn\'t match';
		}

	}

}


?>


<!DOCTYPE html>
<html>
<head>
	<title>Login</title>
</head>
<body>

<h3>Login</h3>
<form action="index.php" method="POST"> <!-- This line should have been set to the current page were editing -->
<input type="text" name="uname" placeholder="Username"><br>
<input type="password" name="pwd" placeholder="Password"><br>
<input type="submit">
</form>
<p>Click <a href="registration.php">HERE</a> to register</p>

</body>
</html>

 

Edited September 30, 2017 by Html

[justsomeguy]

Checking whether a username already exists isn't affected by what I was describing.  I'm just describing a little more elegant way to do what you're trying to do.  If you want to duplicate the username across several tables that's fine, but it's now how I do it.

I would recommend learning how to use a database yourself rather than having someone else write your code.  That code would have felt right at home in 2004, but 13 years later it's vulnerable and out of date.  You should learn and use prepared statements, you can use them with either mysqli or PDO.  There's no reason to be writing new code in 2017 that is vulnerable to SQL injection attacks, that problem has been solved for over a decade.  Whoever wrote that code might be able to create something that works most of the time, but the code isn't correct.  Research and use prepared statements, never just put variables inside a SQL query like that.

And, no, using mysqli_real_escape_string isn't a good solution when prepared statements are an option.  If you're relying on trying to escape all of the data yourself then you're going to forget to do that at some point.  Prepared statements don't rely on whether or not you remembered to escape all of the data.

Some of those if statements are longer than they need to be too, you don't need to use both isset and empty.  Empty will check whether it's set, that's all you need to use.

[Html]

Oh, well I didn't know any of this.  I assumed it was okay, other clips show similar stuff.

I was glad this guy helped me out, It is a start.

Hmm, well could you create a simple post email and pwd with up to date code for me? I can then try get some kind of a login link for it.

Edited October 2, 2017 by Html

[justsomeguy]

And rob you of the experience of learning how to do everything?  I wouldn't want to do that.  The section on prepared statements is here:

https://www.w3schools.com/php/php_mysql_prepared_statements.asp

If you look in the menu on the left, you can go back as far as you need to to learn the other things you need.  There's a whole section on forms.

[Html]

Unfortunately, after having tried months ago using some random videos, and they turned out not to be useful when I tried here to get some help with them, but how it was setup the connected wasn't there.

So now with the other tutorial I saw last month, the code is now out of date from what you've stated. So I'm now stuck.

Hmm, okay to break it down, I want to send some details to the Mysql db, so include email and password, I have the login there.

Is it enough to use index.php, and then another page for the posting of the details to the mysql? Because from that to the registration where that is even more, I find that all confusing. And once I register, the dashboard doesn't load. So logining doesn't work once registered. I don't know what I could of done, all I did was add a login html code above the registration, unless the code was designed to fail after a few tries, I don't know.

Thanks.

[justsomeguy]

You need a form and code to process the form, there's no rules about whether those need to be on the same page or different pages.  You can do either.  You need to process the form wherever it gets submitted though, if you send a location header to redirect a user then the form data is gone, it doesn't go with the redirect.  You can redirect them after you've processed the form though.

That's the general idea though.  You can have a login form, and code to process it, and a register form, and code to process that, etc.  You can combine all of that in more than one way.  Logging in would probably set some variables in the session, and then you can redirect the user after login to the dashboard page or wherever else you want them to go.  The dashboard can look up the user from the session and get whatever information from the database you want to show.

[Html]

Hmm, okay, seems informative enough.

As for the code which is the obvious problem, the database was created using the control panel setting and the rows added, so that wasn't a problem. It is the code and posting to the database which does work on my example register, but to login into a dashboard, that doesn't work.

What could I have done to stop that from working?

I found some php files on a storage disk, that somebody had made for me in 2007, but a year after I gave up on the web design interest. The difference between then and now is the video site with narrated tutorials, so a book isn't a must, but a book is helpful for reference. Like I stated I viewed a clip, and I was lucky enough to get the help of that man who narrated a couple of clips explaining why I couldn't get the code all above to work, so he created an account on the free web host and tested it out. I haven't got a reply from him. He may be busy, or doesn't care much to help me beyond what he did help me with.

[justsomeguy]

What exactly happens when you try to login?  Does it redirect to dashboard.php or show an error message at the top of the page?

[Html]

Nope, the login link then loads after registering, and once clicked type in the username and password, and it goes nowhere.

Edited October 3, 2017 by Html

[justsomeguy]

You have to be specific, saying things like "it doesn't work" or "it goes nowhere" doesn't help.  What is the URL after you submit the login form?  You can use your browser's developer tools to help with that too, the network tab will show you if there are any redirections.  You have 2 login forms there with 2 different actions, one of them goes to index.php and one of them goes to dashboard.php.  Why are those going to different places, and which one processes the login form?  You should have the login form processing code in one file, if you want to send a separate variable to tell it where to redirect after login that's fine, but you shouldn't duplicate code.

[justsomeguy]

Also, you're not using the password_verify function correctly, that returns a boolean value.  It looks like you're expecting it to return a string that you're later comparing against the password from the database.  That's not how to do it, you pass the entered password and the database hash to password_verify and it returns true or false if they match.

http://php.net/manual/en/function.password-verify.php

[Html]

This below is what loads the index.php page, so after registration of the registration.php page, it loads again, with a link to go to the index to login. There is a comment which states account registered.

<?php
session_start();
require 'connect.inc.php';

if (isset($_POST['uname']) and isset($_POST['pwd']) and !empty($_POST['uname']) and !empty($_POST['pwd'])) {

	$uname = mysqli_real_escape_string($conn, $_POST['uname']);
	$pwd = $_POST['pwd'];

	$check = "SELECT * FROM users WHERE uname = '$uname'";
	$res = mysqli_query($conn, $check);
	$row = mysqli_fetch_assoc($res);

	if (mysqli_num_rows($res)<1) {
		echo 'That user wasn\'t found';
	} else {

		$pwd = PASSWORD_VERIFY($pwd, $row['pwd']);

		$dbuser = $row['uname'];
		$dbpwd = $row['pwd'];

		if ($uname == $dbuser and $pwd == $dbpwd) {

			$id = $row['id'];
			$_SESSION['id'] = $id;
			
			header("Location: dashboard.php");
			exit();

		} else {
			echo 'That username and password didn\'t match';
		}

	}

}


?>

<!DOCTYPE html>
<html>
<head>
	<title>Login</title>
</head>
<body>

<h3>Login</h3>
<form action="dashboard.php" method="POST"> <!-- This line should have been set to the current page were editing -->
<input type="text" name="uname" placeholder="Username"><br>
<input type="password" name="pwd" placeholder="Password"><br>
<input type="submit">
</form>
<p>Click <a href="registration.php">HERE</a> to register</p>

As for the code, this or that, I didn't create any of it, all based off that man's video tutorial on youtube, I lucky enough to get this working thanks to him. You clearly know much better at Pre hyper text processor language, that is something I do remember about the acronym php.

Edited October 4, 2017 by Html
Not forgetting the php above the html

[justsomeguy]

As for the code, this or that, I didn't create any of it, all based off that man's video tutorial on youtube

I know, that's the problem.  You can't expect to be able to build this stuff by copying and pasting without understanding the code.  If you want to build a site using PHP you can either learn how to use PHP, find someone to do the work for free (which you seem to have found, but the code is wrong and you can't get in touch with him, so you get what you pay for), or hire someone to create it for you.  If you want to take the first option, this is the right place.

[Html]

Hmm, I watched the video which he explained what to do, and so on and then he made those custom clips of how to get the pages to work with the free web host since what I tried just didn't work, so i was lucky to stumble on his videos and the fact that he could respond, which I mentioned in the above posts.

So what he did, was correct, could you not copy what is there and may be try on your host? I imagine you have a host free or paid.

I don't know what to do, what exactly do suggest I do to get this login to work, I want to able to post to the user rich's index page, that is my goal here. I think using what is there I feel is the correct step for now, it isn't a public site, so I'm not concerned about security. The hash he provided removed or remains isn't that good at all? I remember reading about Yahoo via Yahoo news and the UK's the Guardian newspaper about not having various data encrypted well.

[justsomeguy]

Yeah hashing a password is great, but he's not using the password_verify function correctly to check the password.  It might be possible that it works by virtue of PHP's loose comparison, but I wouldn't count on it.

I don't know what to do, what exactly do suggest I do to get this login to work

Your options are to learn how to do it, find someone to do it for free, or hire someone to do it.  Whichever one of those you pick is up to you.

[Html]

Sure, but how do I learn without the knowledge, I watched the video because that was the way I could learn, and so far I have got somewhere with this, I'm stuck with this error, as well beyond once logging in, text box post text to an index page linked with the user created on the database.

I need examples to continue with this.

[justsomeguy]

Sure, but how do I learn without the knowledge

No one has the knowledge when they start learning.  That's what learning is, getting the knowledge.

I watched the video because that was the way I could learn

What did you learn by watching the video?  You don't know how to fix the code, and you don't know how to make it do something else you want.  What exactly do you think you learned?