You to the rescue again. Thank you very much sir.
First off, I am using a hash.
$pass = md5($pass);
I did not paste it as part of my initial code.
Second, I created this custom script that I thought helps keep my code safe from SQL injection attacks:
<pre lang="PHP">
// Strips non-displayable characters and doubles single quotes before the value
// is concatenated into a T-SQL string.
function ms_escape_string($data) {
    if ( !isset($data) or empty($data) ) return '';
    if ( is_numeric($data) ) return $data;
    // URL-encoded and raw control characters that should never reach the query
    $non_displayables = array(
        '/%0[0-8bcef]/',
        '/%1[0-9a-f]/',
        '/[\x00-\x08]/',
        '/\x0b/',
        '/\x0c/',
        '/[\x0e-\x1f]/'
    );
    foreach ( $non_displayables as $regex )
        $data = preg_replace( $regex, '', $data );
    // T-SQL escapes a single quote inside a string literal by doubling it
    $data = str_replace("'", "''", $data );
    return $data;
}
</pre>
However, I can change it to use a parameterized query:
<pre lang="PHP">
$strSQL = "SELECT u.empl_first, u.username, u.empl_first +' '+ empl_last as fullname, e.Department, e.UnitName, e.empnum
           FROM users u
           inner join Employee e on u.Employee_Id = e.EmpNum
           inner join tblTBA t on u.Employee_Id = t.Employee_Id
           WHERE USERNAME = ? and PASSWORD = ? ";
$params = array($_POST["user"], $_POST["pass"]);
$sqll = sqlsrv_query($con, $strSQL, $params);
</pre>
Now, if I am on the right track on those two, could you please be kind enough to help with the last part, where I am trying to check whether the username and/or password is correct and redirect to the appropriate page as described?
Thanks again for your help.
samflex wrote: First off, I am using a hash.
$pass = md5($pass);
An unsalted MD5 hash doesn't offer much protection:
Troy Hunt: Our password hashing has no clothes
samflex wrote: check whether username and / or password is correct and redirecting to appropriate page
As I said, use two steps:
1) Validate the username and password:
<pre lang="SQL">
SELECT
    u.empl_first,
    u.username,
    u.empl_first +' '+ u.empl_last as fullname,
    e.Department,
    e.UnitName,
    e.empnum
FROM
    users u
    INNER JOIN Employee e
    ON u.Employee_Id = e.EmpNum
WHERE
    u.USERNAME = ?
AND
    u.PASSWORD = ?
</pre>
If no data is returned, then the username or password is invalid.
2) Check whether the user has completed the test:
<pre lang="SQL">
SELECT Employee_Id FROM tblTBA WHERE Employee_Id = ?
</pre>
If no data is returned, then the user has not taken the test.
NB: If the Employee record doesn't get created until the user has taken the test, then you'll need to move that part of the query from step 1 to step 2.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
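The two-step flow described above, written out as an added example (not samflex's or Richard's code): both queries are parameterized through sqlsrv_query, and the unsalted MD5 is swapped for PHP's password_hash()/password_verify(). It assumes an open sqlsrv connection in $con, a users.PASSWORD column that stores password_hash() output, and the page names used in the thread.

```php
<?php
// Added example (not the thread's own code). Assumes an open sqlsrv
// connection in $con and a users.PASSWORD column that stores
// password_hash($plain, PASSWORD_DEFAULT) output instead of unsalted MD5.
session_start();

// Step 1: fetch the account by username only (bound parameter, never
// concatenated) and compare the password against the stored hash in PHP.
function authenticate($con, $username, $password) {
    $sql = "SELECT u.Employee_Id, u.empl_first, u.username, u.PASSWORD
            FROM users u WHERE u.USERNAME = ?";
    $stmt = sqlsrv_query($con, $sql, array($username));
    if ($stmt === false) {
        return null;                      // query error: treat as failure
    }
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    sqlsrv_free_stmt($stmt);
    // Unknown user and wrong password take the same path, so the response
    // does not reveal which half of the credentials was wrong.
    if (!$row || !password_verify($password, $row['PASSWORD'])) {
        return null;
    }
    return $row;
}

// Step 2: a row in tblTBA means the employee has completed the test.
function hasCompletedTest($con, $employeeId) {
    $stmt = sqlsrv_query($con, "SELECT 1 FROM tblTBA WHERE Employee_Id = ?",
                         array($employeeId));
    if ($stmt === false) {
        return false;
    }
    $done = (bool) sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    sqlsrv_free_stmt($stmt);
    return $done;
}

$user = isset($_POST['user']) ? trim($_POST['user']) : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
$account = authenticate($con, $user, $pass);
if ($account === null) {
    header('Location: login.php?msg=1');
    exit;                                 // no else needed after exit
}
// Carry identity in the session; nothing secret goes in the query string.
$_SESSION['username'] = $account['username'];
header('Location: ' . (hasCompletedTest($con, $account['Employee_Id'])
                       ? 'donetba.php' : 'registered.php'));
exit;
```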
Ahhh, got it!
I am slow.
Thanks so much. I learn so much when I am fortunate to get your help.
I would not have thought of doing it this way.
Thanks a lot Richard.
Sorry Richard,
I tried doing it separately like you spec'ed it out and it is just not working.
The first part which validates username/password works but when I added the second part, then it doesn't matter whether I have correct username and password, it just takes me to login page.
The code you see here shows I am doing them together again with if...else but that's just what I am trying since separating them isn't working.
<pre lang="PHP">
$user = trim($_POST["user"]);
$pass = trim($_POST["pass"]);
// Step 1: parameterized username/password check
$tsql = "SELECT u.empl_first, u.username, u.empl_first +' '+ empl_last as fullname FROM users u WHERE u.USERNAME = ? and u.PASSWORD = ? ";
$params = array($user, $pass);
$result = sqlsrv_query( $con, $tsql, $params, array(), array( "Scrollable" => 'static' ));
$row_count = sqlsrv_num_rows($result);
if ($row_count == 0){
    header('location:login.php?msg=1');
    exit;
}
else
{
    // Step 2: does the user have a tblTBA row? (still string-concatenated here)
    $tSQL = "SELECT u.empl_first, u.username FROM users u inner join tblTBA t on u.Employee_Id = t.Employee_ID WHERE USERNAME = '".ms_escape_string($user)."'
             and PASSWORD = '".ms_escape_string($pass)."' ";
    echo $strSQL;   // debug leftover: $strSQL is not defined on this page
    $sqll = sqlsrv_query($con, $tSQL);
}
if ($objResult = sqlsrv_fetch_array($sqll, SQLSRV_FETCH_ASSOC)) {
    $firstname = $objResult["empl_first"];
    $_SESSION["username"] = $objResult["username"];
    header('location:donetba.php?user=' . urlencode($firstname));
}
else
    header("location:registered.php?user='".ms_escape_string($user)."'&pass='".ms_escape_string($pass)."' ");
sqlsrv_close($con);
?>
</pre>
Nothing obvious in the code, although you still need to parameterize the second query in the same way as the first, and you're still passing the password in the query-string to the registered.php page.
You could probably remove the else , since you've got an exit; in the if block.
Are you sure it's this page that's redirecting the user to the login page? Try tracing the network requests in your browser's developer tools, to see if either registered.php or donetba.php is doing the redirection instead.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
That was it!!!
Removing the else since I have exit seems to have fixed it.
I have fixed the parameterized query stuff.
Thanks so much Richard.
I really, really am grateful for your help.
I'm not sure what I'm doing wrong, but for some reason my page works fine only after hitting the submit button twice.
Below is the code. Any help or a point in the right direction would be greatly appreciated.
The removejob.php is a small page that just makes a connection and updates a single field based on the jobid.
<pre lang="PHP">
<html>
<head>
<title>Phoenix Metals Job Interface</title>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
<script type="text/javascript">
// Posts the job id to RemoveJob.php, then reloads the page
function like(Job)
{
    $.ajax({
        url: "RemoveJob.php",
        type: "POST",
        data: { 'JobID': Job },
        success: function()
        {
            window.location.reload();
        }
    });
}
</script>
<style>
body
{
    font-size: 200%;
}
table
{
    width: 900px;
    font-size:40px;
    font-weight: bold;
}
td
{
    text-align: center;
    vertical-align: center;
    border: 1px solid black;
    padding: 10px;
}
.button
{
    background-color: #ff3386;
    color: white;
    width: 175px;
    height: 65px;
    text-align: center;
    vertical-align: middle;
    font-size: 20px;
    font-weight: bold;
}
</style>
</head>
<body>
<?php
$con=mysqli_connect('localhost', 'xxxxxxx', 'xxxxxxx','xxxxxxx');
if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$JobResults = mysqli_query($con,"SELECT * FROM JobInterface WHERE Completed is null ORDER BY JobNumber");
echo"<table>";
// title row first, then the header row (the two <tr> were nested before)
echo"<tr><td colspan='3'>Phoenix Metals Job Interface</td></tr>";
echo"<tr>";
echo"<td>";
echo"Job Number";
echo"</td>";
echo"<td>";
echo"Project Name";
echo"</td>";
echo"<td>";
echo"Account";
echo"</td>";
echo"<td>";
echo"Edit";
echo"</td>";
echo"<td>";
echo"Remove";
echo"</td>";
echo"</tr>";
$JobRow = array();
while($JobRow = mysqli_fetch_array($JobResults))
{
    $back = 'white';
    $message = 'Not Finished';
    // no production step flagged: highlight the row as possibly done
    if(($JobRow['Sheets'] != 1) && ($JobRow['Burned'] != 1) && ($JobRow['FormUp'] != 1) && ($JobRow['CoilLine'] != 1) && ($JobRow['Liner'] != 1) && ($JobRow['Vanes'] != 1) && ($JobRow['Assembled'] != 1) && ($JobRow['Wrapped'] != 1) && ($JobRow['HandFab'] != 1) && ($JobRow['Welded'] != 1) && ($JobRow['Supplies'] != 1) && ($JobRow['WardFrames'] != 1) && ($JobRow['Special'] != 1))
    {
        $back = 'aqua';
        $message = 'Possibly Done';
    }
    echo"<tr>";
    echo"<td>";
    echo $JobRow['JobNumber'];
    echo"</td>";
    echo"<td>";
    echo $JobRow['ProjectName'];
    echo"</td>";
    echo"<td>";
    echo $JobRow['AccountName'];
    echo"</td>";
    if ($JobRow['RTS'] == 0)
    {
        echo"<td style='background-color:".$back.";'>";
        echo"<form style='margin-bottom:0; align:center;' name='EditJob' action='JobEdit.php' method='POST'><input type='hidden' name='JobID' value='".$JobRow['IDJob']."'/><input class='button' type='submit' name='submit-btn' value='Details'/></form>";
        echo"</td>";
        echo"<td>".$message."</td>";
    }
    if ($JobRow['RTS'] == 1)
    {
        echo"<td style='background-color:aqua;'>";
        echo"RTS";
        echo"</td>";
        echo"<td bgcolor='#FF0000'>";
        // the submit button both posts this form and fires the ajax call
        echo"<form style='margin-bottom:0; align:center;' name='ReloadJob' action='JobInterfaceMain.php' method='POST'>";
        echo"<input class='button' type='submit' name='submit-btn' onclick='like(".$JobRow['IDJob'].")' value='Gone'/>";
        echo"</form>";
        echo"</td>";
    }
    echo"</tr>";
}
echo"</table>";
?>
</body>
</html>
</pre>
What do you see in console?
I am working on a PHP project which needs to pass parameters to the next page, but using only the values, not the variable names:
index.php/1+2
On the next page, I want to get the values into different variables.
Santhosh Kumar
I don't know if PHP has something different, but the easy way to do this in any web language is to use the query string: index.php?var1=1&var2=2. Then on the next page you can read them from the query string.
There are only 10 types of people in the world, those who understand binary and those who don't.
Hello there. I am trying to get data from 3 different tables based on a simple join. One of the tables can have multiple values against one primary key. Here are the table designs:
Table 1 - EmployeeDetails
EmployeeId INT, FirstName VARCHAR, SurName VARCHAR, SexId INT
Table 2 - EmployeeSex
SexId INT, Sex VARCHAR
Table 3 - EmployeeContacts
EmployeeId INT, Contact VARCHAR
I am using the following query:
<pre lang="SQL">
SELECT ED.EmployeeId, ED.FirstName, ED.SurName, GROUP_CONCAT(EC.Contact)
FROM EmployeeDetails ED, EmployeeSex ES, EmployeeContacts EC
WHERE ED.SexId = ES.SexId AND ED.EmployeeId = EC.EmployeeId AND ED.EmployeeId = 'emp_password';
</pre>
Now this query works fine if we have at least one contact number. But if there are no contacts, then this results in an empty set. What is wrong with this query? How can I improve it so that it works in all scenarios (regardless of the number of contacts in the EmployeeContacts table)? Thanks for any input.
modified 19-Aug-16 7:10am.
This question would probably be better posted in the DataBase forum.
Well, I am using MySQL as my database, that is why I posted here. I can copy it there as well.
I appreciate that, but most of the DB experts don't visit this forum that often.
Can anyone help me with the following two PHP scripts on a machine running CentOS 7? The scripts are written in a command-line editor.
1) a PHP script that will connect to the database, create the tables and populate default data; this script will be executed from the command line using php -f createdatabase.php
2) the database name will be the same as your username
3) a PHP script that will load from a browser and use HTML and CSS to display the populated information; the script will be loaded as http://localhost/myname/showme.php. You will get extra points for having fewer lines of code, fewer SQL queries, and for commenting and indenting your code nicely.
The database contains the following tables with attributes:
Class, Students, and Marks
Sorry, no. This site does not provide code to order, as you would see if you had read the forum guidelines.
Quote:
I want to add a Google Translate facility to my PHP application.
How? Can you give me the source code? Please...
Thank you for your attention.
Member 12643825 wrote: Can you give me the source code? Sorry, no. This site does not provide code to order. Go to Google Translate and check there how to do it.
Hi friends, one of my friends has been searching for a vacancy as a fresher Linux admin for the last year and a half. Until now he has not got any job as a trainee. He completed his B.Tech in 2014 and he has done all the courses for it. Kindly please help me... if anyone knows about such a vacancy, please tell me. We are in Bangalore...
~abi~
Sorry, this forum is for technical questions, not job searches. If you live in Bangalore then you should know that there are many IT companies there.
How do I get (echo) the PayPal amount from a particular PayPal account using PHP?
I have read a lot that PHP 7 outperforms the previous versions of PHP. I am thinking of moving all my websites to PHP 7 so that my sites enjoy better loading speeds.
Cloud / Dedicated or Shared?
With Cloud Hosting, you are your own boss with your own mind and can go with anyone like Amazon, DigitalOcean, Google Compute etc. So any Cloud hosting company would be suitable for PHP 7. In my opinion, I'm personally using PHP 7 on Cloudways, they have 100% uptime and also have 24/7 awesome Customer Support.
If you need PHP 7 on shared hosting, then I would suggest WebHostingHub, InMotion Hosting, and HostPapa. Usually, shared hosting providers are a step behind the current software versions, but those companies must have the most recent software on the shared image sooner than everyone else.