Menu
Community /Pin to ProfileBookmark
@NogDogSep 29.2009 — #
Also, you'll need to either remove the quotes around "user", or wrap the variable in curly braces, or else use concatenation, e.g.:
The above assumes that $_POST['user'] is a string. If it's an integer, then you do not need a quote around the value in the SQL. [b]However[/b], you [i]do[/i] need to sanitize the $_POST['user'] value to ensure that you are safe from SQL injection (see the mysql_real_escape_string() function.) or cast it to an integer, if that's the case.
Also, you left out the ";" at the end of:
SQL "where" from post method
what is wrong with my code? this is just suppose to be a simple log in
[code]<?php session_start();?>
<html xmlns=”http://www.w3.org/1999/xhtml”>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=iso-8859-1″ />
<title>Untitled Document</title>
</head>
<body>
<p><strong>This is a test run for Php login </strong></p>
<table width=”200″ border=”0″>
<form method=”post” action=”login1.php”>
<input type=”hidden” name=”recipient” value=”sample” />
<tr>
<td width=”73″>Username:</td>
<td width=”111″> <input type=”text” name=”user” /></td>
</tr>
<tr>
<td>Password</td>
<td> <input type=”password” name=”pass” /></td>
</tr>
<tr>
<td>
<label>
<input type=”submit” name=”Submit” value=”Log in”>
</label> </td>
<td> </td>
</tr>
</form>
</table>
<p>start creating you new account here!</p>
<table width=”236″ border=”0″>
<form method=”post” action=”login2.php”>
<tr>
<td width=”64″>Username:</td>
<td width=”156″>
<label>
<input type=”text” name=”newuser”>
</label>
</td>
</tr>
<tr>
<td>Pasword</td>
<td><label>
<input type=”text” name=”newpass”>
</label></td>
</tr>
<tr>
<td>
<label>
<input type=”submit” name=”Submit2″ value=”Submit”>
</label>
</form>
</table>
<p> </p>
<p>
Here are some of the acconts that you can try
<?php
$con = mysql_connect(“***,”***”,”***”);
if (!$con)
{
die(‘Could not connect: ‘ . mysql_error());
}
mysql_select_db(“fees0_4187690_ictproj”, $con);
$result = mysql_query(“SELECT * FROM account”);
echo “<table border=’0′ width=’323′ >
<tr>
<th align=’left’>Username</th>
<th align=’left’>Password</th>
</tr>”;
$nCtr=0;
$ctr=0;
while($row = mysql_fetch_array($result))
{
if ($nCtr == 1)
{
echo “<tr>”;
echo “<td>” . $row[‘volid’] .”</td>”;
echo “<td>” . $row[‘pass’] . “</td>”;
echo “</tr>”;
$nCtr = 0;
$ctr++;
}
else if ($nCtr == 0)
{
echo “<tr>”;
echo “<td bgcolor=’#CCCCCC’>” . $row[‘volid’] .”</td>”;
echo “<td bgcolor=’#CCCCCC’>”. $row[‘pass’] . “</td>”;
echo “</tr>”;
$nCtr = 1;
$ctr++;
}
}
echo “</table>”;
//<INPUT TYPE=”hidden” NAME=”recipient” VALUE=”hello”>
mysql_close($con);
?>
</p>
<p> </p>
<p><em>brought to you by:sher_amf </em></p>
<p> </p>
<p> </p>
</body>
</html>
[code]<?php session_start();?>
<html xmlns=”http://www.w3.org/1999/xhtml”>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=iso-8859-1″ />
<title>Untitled Document</title>
<style type=”text/css”>
<!–
.style1 {
font-family: Calibri;
font-weight: bold;
}
–>
</style>
</head>
<body>
<p>
<?php
$con = mysql_connect(“***”,”***”,”****”);
if (!$con)
{
‘n’;
‘<n>’;
‘<n>’;
‘<n>’;
die(‘Could not connect: ‘ . mysql_error());
}
else
{
echo “SQl server is now connect to sql209.byetcluster.com” ;
echo “<br />”;
mysql_select_db(“fees0_4187690_ictproj”, $con);
$result = mysql_query(“SELECT * FROM account WHERE volid= $_POST[“user”] “);
$nCtr = 1;
$a =0;
$dbctr=0;
$checker = true;
while($row = mysql_fetch_array($result))
{
if ($row[‘volid’] == $_POST[“user”] && $row[‘pass’] == $_POST[“pass”])
{
echo “<br/>”;
echo “Hello”.”rn”.$_POST[“user”] ;
$a++;
$checker = false;
}
else
{
$a++;
echo $a;
echo “wrong password”
echo “<br />”;
}
}
}
?>
</p>
<p class=”style1″>Thank you for using my Php test run!</p>
<p> </p>
<p><em>This is brought to you by sher_amf </em></p>
</body>
</html>
Sign in
to post a comment2 Comments(s) ↴
0
@NogDogSep 29.2009 — #I see a couple things here.
Try putting quotes around the User ID: WHERE volid=' $_POST["user"] '");
unless the User Id is numerical....
[/quote]
Also, you'll need to either remove the quotes around "user", or wrap the variable in curly braces, or else use concatenation, e.g.:
[code=php]
$result = mysql_query("SELECT * FROM account WHERE volid='{$_POST["user"]}'");
// or
$result = mysql_query("SELECT * FROM account WHERE volid='$_POST[user]'");
// or
$result = mysql_query("SELECT * FROM account WHERE volid='".$_POST["user"]."'");
[/code]The above assumes that $_POST['user'] is a string. If it's an integer, then you do not need a quote around the value in the SQL. [b]However[/b], you [i]do[/i] need to sanitize the $_POST['user'] value to ensure that you are safe from SQL injection (see the mysql_real_escape_string() function.) or cast it to an integer, if that's the case.
Also, you left out the ";" at the end of:
[code=php]
echo "wrong password"
[/code]