FocuZst

Posts posted by FocuZst

  1. I'm trying to restrict users from accessing a page if their rank isn't manager or admin. I made a variable called $rank which is the rank that is fetched from the users table in my database. When I echo the rank on the page, the rank does equal manager or admin, but it redirects me to the index page because it somehow doesn't equal manager or admin. When I try using this code:

    if(!isset($_SESSION['userID'])) {
        header("Location: index.php");
    }
    else if ($rank == "manager" OR $rank == "admin") {
    }
    else {
        header("Location: index.php");
    }

    it does work but I feel like that's the wrong way of doing it. This is the code that I'm using now and isn't working:

    $tUsers_Select = "SELECT users.rank, ranks.rank_name FROM users LEFT JOIN ranks ON users.rank = ranks.rank_name WHERE user_id = ".$_SESSION['userID'];
    $tUsers_Select_Query = mysqli_query($dbConnect, $tUsers_Select);
    $fetch = mysqli_fetch_array($tUsers_Select_Query);
    $rank = $fetch['rank'];
    if(!isset($_SESSION['userID'])) {
        header("Location: index.php");
    } else if ($rank !== "manager" OR $rank !== "admin") {
        header("Location: index.php");
    }

    Hopefully you understood. Please comment if you have any questions.
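    An added example (not the poster's code) of how this rank gate can be written so that it fails closed. It assumes the same $dbConnect mysqli handle and the users table from the thread; the helper names are made up for this example.

```php
<?php
// Added example, not the poster's code. Assumes $dbConnect (mysqli) and the
// users table from the thread; session_start() must run before any output.
session_start();

function fetchRank(mysqli $db, int $userId): ?string
{
    // Prepared statement: the id is bound, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT rank FROM users WHERE user_id = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row['rank'] ?? null;   // null when no row came back
}

function requireRank(array $allowed, ?string $rank): void
{
    // `$rank !== "manager" OR $rank !== "admin"` is always true: a value
    // cannot equal both strings at once, so one of the two inequalities
    // always holds. An allow-list check states what was meant: redirect
    // unless $rank is one of the permitted values (strict comparison, so
    // null or a numeric rank never slips through).
    if (!in_array($rank, $allowed, true)) {
        header('Location: index.php');
        exit;   // header() alone does not stop the script; without exit the
                // protected page body is still sent to the client
    }
}

if (!isset($_SESSION['userID'])) {
    header('Location: index.php');
    exit;
}
$rank = fetchRank($dbConnect, (int) $_SESSION['userID']);
requireRank(['manager', 'admin'], $rank);
```

    mysqli_stmt::get_result() needs the mysqlnd driver; with another driver bind the column with bind_result() and fetch() instead.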

  2. You're not doing any error checking either; you're assuming that your queries are returning data when they might not be. Add this to the top of your code while you're debugging:

    ini_set('display_errors', 1);
    error_reporting(E_ALL);

    The major problem I see with your logic is that you try to select the new ID before you insert the record, and showing all error messages would help point that out (since you're assuming that query is returning a record). Instead of selecting a record after insert, you can use this: http://php.net/manual/en/mysqli.insert-id.php


    Thanks man! All I had to do was

    if(mysqli_query($dbConnect, $registerUser)) {
        $_SESSION['userID'] = mysqli_insert_id($dbConnect); // <<-- Add this
        header("Location: home.php");
    }
    else {
        echo "<script>alert('error while registering you...');</script>";
    }

  3. First, you need to call session_start() before any HTML tags (or even whitespace) are printed out.

    <!DOCTYPE html>
    <?php
        session_start();

    ...needs to look like...

    <?php
        session_start();
        // ... other code here ...
    ?>
    <!DOCTYPE html>

    Very important: You're storing your password in plaintext. Don't do that. See password_hash() and password_verify().


    I see that you're using mysqli_real_escape_string(). This is a mistake. The proper way to prevent SQL injection is to use prepared statements, not to escape input.


    Reference: https://secure.php.net/manual/en/mysqli.prepare.php


    I haven't learned about SQL injections yet. That's why I'm not worried about security now. This login and registration system is just for learning purposes.
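    An added example (not the poster's code) of the registration step written the way the two replies above recommend: session_start() before any output, prepared statements instead of mysqli_real_escape_string(), password_hash() instead of plaintext, and mysqli's insert_id instead of a SELECT before the INSERT. It assumes a mysqli handle $dbConnect created elsewhere and the users table from the thread; registerUser() is a name made up here.

```php
<?php
// Added example, not the poster's code. Assumes $dbConnect (mysqli) and the
// users table from the thread; the password column must be wide enough for
// a password_hash() result (255 characters is the usual advice).
session_start();   // before any output, so before <!DOCTYPE html>

function registerUser(mysqli $db, string $first, string $last,
                      string $username, string $email, string $password): ?int
{
    // Bound parameters: nothing from the form is spliced into the SQL text,
    // so quoting inside a name or e-mail cannot change the query.
    $check = $db->prepare('SELECT 1 FROM users WHERE username = ? OR email = ?');
    $check->bind_param('ss', $username, $email);
    $check->execute();
    if ($check->get_result()->num_rows > 0) {
        return null;   // username or e-mail already taken
    }

    // Store a salted hash, never the password itself. password_hash() chooses
    // a safe default algorithm and generates the salt for you.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $insert = $db->prepare('INSERT INTO users (first_name, last_name, username, email, password)
                            VALUES (?, ?, ?, ?, ?)');
    $insert->bind_param('sssss', $first, $last, $username, $email, $hash);
    if (!$insert->execute()) {
        return null;
    }
    // The new row's id comes back from the INSERT itself, so there is no
    // follow-up SELECT and no moment where the row does not exist yet.
    return $db->insert_id;
}

if (isset($_POST['register'])) {
    $userId = registerUser($dbConnect,
        $_POST['firstName'] ?? '', $_POST['lastName'] ?? '',
        $_POST['username'] ?? '', $_POST['email'] ?? '', $_POST['password'] ?? '');
    if ($userId === null) {
        echo "<script>alert('error while registering you...');</script>";
    } else {
        session_regenerate_id(true);   // new session id once the user is logged in
        $_SESSION['userID'] = $userId;
        header('Location: home.php');
        exit;   // stop here; header() alone does not end the script
    }
}
// At login, compare with password_verify($_POST['password'], $row['password']).
?>
```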

  4. I'm creating a simple login and registration form. What I'm trying to do is when a user registers, it should log them in. In order to get logged in, the user's ID that gets registered needs to be sent to the home page so the username can be displayed. I'm not sure what is wrong with my code.


    Register:

    <!DOCTYPE html>
    <?php
        session_start();
        if(isset($_SESSION['userID']) AND !empty($_SESSION['userID'])) {
            header("Location: home.php");
        }
        if(isset($_POST['register'])) {
            $firstName = mysqli_real_escape_string($dbConnect, $_POST['firstName']);
            $lastName = mysqli_real_escape_string($dbConnect, $_POST['lastName']);
            $username = mysqli_real_escape_string($dbConnect, $_POST['username']);
            $email = mysqli_real_escape_string($dbConnect, $_POST['email']);
            $password = mysqli_real_escape_string($dbConnect, $_POST['password']);
            {
                // Check if data exists already in the database
                $exists = mysqli_query($dbConnect, "SELECT user_id, username, email FROM users WHERE username = '$username' AND email = '$email'");
                $row = mysqli_fetch_array($exists);
                $dbusername = $row['username'];
                $dbemail = $row['email'];
                if ($username == $dbusername) {
                    die("Username already taken.");
                }   else if ($email == $dbemail) {
                    die("Email already registered.");
                }
            }
            $registerUser = "INSERT INTO users (first_name, last_name, username, email, password) VALUES('$firstName', '$lastName', '$username', '$email', '$password')";
            {
                // Select ID from registered user
                $selectID = "SELECT user_id FROM users WHERE username = '$username'";
                $selectID_Query = mysqli_query($dbConnect, $selectID);
                $fetch = mysqli_fetch_array($selectID_Query);
                $userID = $fetch['user_id'];
                $_SESSION['userID'] = $userID;
            }
            if(mysqli_query($dbConnect, $registerUser)) {
                header("Location: home.php");
            }   else {
                echo "<script>alert('error while registering you...');</script>";
            }
        }
        include "includes/head.php";
        include "includes/nav.php";
    ?>
        <div id="main-content">
            <div class="welcome-msg">
                <h1 class="huge">Registration form</h1>
                <h3 class="medium">Please fill in all the inputs</h3>
                <form id="login-form" method="post">
                    <label for="firstName">First Name</label>
                    <input type="text" name="firstName" id="firstName" required>
                    <label for="lastName">Last Name</label>
                    <input type="text" name="lastName" id="lastName" required>
                    <label for="username">Username</label>
                    <input type="text" name="username" id="username" required>
                    <label for="email">Email</label>
                    <input type="email" name="email" id="email" required>
                    <label for="password">Password</label>
                    <input type="password" name="password" id="password" required>
                    <button type="submit" name="register">Register</button>
                </form>
            </div>
        </div>
    </body>

    Home:

    <!DOCTYPE html>
    <html>
    <?php
    session_start();
    if(!isset($_SESSION['userID'])) {
        header("Location: index.php");
    }
    $tUsers_Select_Query = mysqli_query($dbConnect, "SELECT * FROM users WHERE user_id=".$_SESSION['userID']);
    $row = mysqli_fetch_array($tUsers_Select_Query);
    include "includes/head.php";
    include "includes/nav.php";
    ?>
        <div id="main-content">
            <h1 class="huge">Welcome back, <?php echo $row['username'] ?>!</h1>
            <a href="/lr/logout.php?logout">Logout</a>
        </div>
    </body>

    If you need any more details, please comment.
