First time PHP Login

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • biondizzle
    New Member
    • Jan 2012
    • 1

    First time PHP Login

    Hey guys, I'm brand new to PHP (have been coding for about 2 days).

    I made a simple form that pulls from a MySQL database, it worked fine and dandy. I tried to password protect it and it just keeps giving me the error message that I defined for a wrong password.

    #1 Here's my code:
    Code:
    <?php
    
    include 'dbc.php';
    
    $passfromhtml = $_POST["passhtml"];
    $emailfromhtml = $_POST["emailhtml"];
    
    $password_select = mysql_query("SELECT pwd FROM client WHERE client_email = '$emailfromhtml'");
    
    if($passfromhtml == $password_select) 
    {
    
    $q=$_GET["q"];
    
    $data_array = mysql_query("SELECT * FROM client WHERE client_email = '".$q."'");
    while($row = mysql_fetch_array($data_array))
    {
    $id = $row['id'];
    $full_name = $row['full_name'];
    $company_name = $row['company_name'];
    $client_email = $row['client_email'];
    $designer_email = $row['designer_email'];
    $user_level = $row['user_level'];
    $pwd = $row['pwd'];
    $address = $row['address'];
    $country = $row['country'];
    $tel = $row['tel'];
    $fax = $row['fax'];
    $website = $row['website'];
    $temp_website = $row['temp_website'];
    $price = $row['price'];
    $price_per_hour = $row['price_per_hour'];
    $percent_done = $row['percent_done'];
    $hours_worked = $row['hours_worked'];
    $services = $row['services'];
    $additional = $row['additional'];
    $status = $row['status'];
    }
    
    $total_cost = $price_per_hour * $hours_worked ;
    
    echo <<<HTML
    
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Admin Panel</title>
    <link href="css/admin.css" rel="stylesheet" type="text/css">
    <script type="text/javascript">
    function showUser(str)
    {
    if (str=="")
      {
      document.getElementById("panel").innerHTML="";
      return;
      } 
    if (window.XMLHttpRequest)
      {// code for IE7+, Firefox, Chrome, Opera, Safari
      xmlhttp=new XMLHttpRequest();
      }
    else
      {// code for IE6, IE5
      xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
      }
    xmlhttp.onreadystatechange=function()
      {
      if (xmlhttp.readyState==4 && xmlhttp.status==200)
        {
        document.getElementById("panel").innerHTML=xmlhttp.responseText;
        }
      }
    xmlhttp.open("GET","admin_cp.php?q="+str,true);
    xmlhttp.send();
    }
    </script>
    </head>
    <body>
    <div id="panel">
    <p>&nbsp;</p>
    <p>
    <form>
    <select name="users" onchange="showUser(this.value)">
    <option value="">Select a person:</option>
    <option value="biondizzle@gmail.com">Michael Biondi</option>
    <option value="saltolve@gmail.com">Salvatore Tolve</option>
    <option value="3">Glenn Quagmire</option>
    <option value="4">Joseph Swanson</option>
    </select>
    </form>
    $company_name | <a href=http://$temp_website target=_blank>My Websites progress</a> | Send Message to my designer |</p>
    <hr />
    
    <ol>
      
    <li>
    <div class="left">
    <p>
    <b>Client ID:</b> $id <br />
    <b>Company Name:</b> $company_name <br />
    <b>Email:</b> $client_email <br />
    <b>Website Price:</b> $price <br />
    <b>Price Per Hour:</b> $price_per_hour <br />
    <b>Percentage Done:</b> $percent_done <br />
    <b>Services:</b><br />
    $services<br />
    <b>Additional Comments:</b><br />
    $additional<br />
    <b>Hours Worked:</b> $hours_worked <b>Total Cost:</b> $total_cost
    </p>
    </div>
    </li>
    
    <li>
    <div class="middle">
    <p>
    <h2>Status Update to Client:<h2><br />
    <textarea name="textarea" id="textarea" cols="25" rows="5"></textarea>
    </p>
    </div>
    </li>
    
    <li>
    <div class="right">
    <p>
    <h2>Status:<h2><br />
    $status
    </p>
    </div>
    </li>
    
    </ol>
    </div>
    </body>
    </html>
    
    
    HTML;
    }
    else
    {
    echo "Wrong password dipshit";
    }
    ?>

    and #2:
    here's the link for you guys to see what I mean:

    Between the Dimensions is a content production house that focuses on interactive projection mapping and experiential marketing.

    Try to log in as me:
    <removed for your safety>

    Like I said, I'm pretty new to PHP, so take it easy on me :) Thanks a bunch guys!
    Last edited by Dormilich; Jan 5 '12, 11:35 AM. Reason: removed login data so bad things don’t happen
  • Rabbit
    Recognized Expert MVP
    • Jan 2007
    • 12517

    #2
    You may want to take down your login info... Someone can do bad things with it.

    Comment

    • Dormilich
      Recognized Expert Expert
      • Aug 2008
      • 8694

      #3
      I tried to password protect it and it just keeps giving me the error message that I defined for a wrong password.
      that’s because you compare apples with pears. while $passfromhtml is indeed the password (a string) $password_selec t is a resource (a different data type). you either need to fetch the data from the mysql resource or (better) test inside mysql for a match.

      ex. (this code may look like overkill, but this is necessary to prevent SQL Injection attacks. besides that is allows a graceful degadation, should your database fail (and you don’t give out system details in case of an error))
      Code:
      try
      {
        // connect
        $pdo = new PDO("mysql:host=localhost;dbname=my_database", $login, $pass);
        // enable error handling
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // create a safe query
        $ps = $pdo->prepare("SELECT COUNT(*) FROM client WHERE client_email = :mail AND pwd = :pass");
        // submit user data
        $ps->bindValue("mail", $_POST["emailhtml"], PDO::PARAM_STR);
        $ps->bindValue("pass", $_POST["passhtml"], PDO::PARAM_STR);
        // get result
        $ps->execute();
        $logged_in = (bool) $ps->fetchColumn();
      }
      catch (Exception $e)
      {
        // apologise to users
        echo "<p>Sorry, an error occurred</p>";
        // send details to you
        mail("admin@example.com", "error", $e->getMessage(), "From: noreply@example.com");
      }
      
      // proceed
      if ($logged_in)
      {
        // …
      }

      Comment

      Working...