Board index   FAQ   Search  
Register  Login
Board index php forum :: php coding PHP coding => General

How to display data from database after login

Ask about general coding issues or problems here.

Moderators: macek, egami, gesf

How to display data from database after login

Postby syquek » Wed Oct 31, 2012 12:00 am

This is my code which i edited from my lecturer. I have tried several times but it couldn't relieve the results from the database. Is there anything wrong with the coding? I am able to connect to the database not not able to display the datas.

<html>
<head>
<title>User interface</title>
</head>
<body>
<h1>user interface</h1>
<?php
// create short variable names
$user=$_POST['user'];
$pwd=trim($_POST['pwd']);

if (!$user || !$pwd) {
echo 'You have not entered search details. Please go back and try again.';
exit;
}

if (!get_magic_quotes_gpc()){
$user = addslashes($user);
$pwd = addslashes($pwd);
}

@ $db = new mysqli('localhost', '', '', 'EE4717G39');

if (mysqli_connect_errno()) {
echo 'Error: Could not connect to database. Please try again later.';
exit;
}

$query = "select * from newsignup where ".$user." like '%".$pwd."%'";
$result = $db->query($query);

$num_results = $result->num_rows;

echo "<p>Number of books found: ".$num_results."</p>";

for ($i=0; $i <$num_results; $i++) {
$row = $result->fetch_assoc();
echo "<p><strong>".($i+1).". Title: ";
echo htmlspecialchars(stripslashes($row['Username']));
echo "</strong><br />Author: ";
echo "</p>";
}

$result->free();
$db->close();

?>
</body>
</html>
syquek
New php-forum User
New php-forum User
 
Posts: 1
Joined: Tue Oct 30, 2012 11:55 pm

Re: How to display data from database after login

Postby egami » Fri Nov 02, 2012 9:27 am

You're not off to a very good start with your PHP scripting, and I'm not trying to be rude.
So, I'll give you my $0.02 worth, and you can take it from there.


First, never take user input as valid data. Ever.

$user = $_POST['user'];

This is very, very bad.

$user = mysql_real_escape_string(strip_tags(trim($_POST['user'])));
$pass = mysql_real_escape_string(strip_tags(trim($_POST['pass'])));

php.net/mysql_real_escape_string == Removes SQL injection from variables
php.net/strip_tags == removes possible tags for injection (html, body, div, etc.)
php.net/trim = remove any white spaces before and after the string.

This eliminates any SQL injection probabilities. VERY IMPORTANT TO REMEMBER.


This..
Code: Select all

if 
(!$user || !$pwd) {
 echo 'You have not entered search details. Please go back and try again.';
 exit;
 }
 


Is all kinds of wrong. If the $_POST vars exist, but are empty, your variables will exist, but be empty. Thus the literal saying:

if NOT $user OR NOT $pwd

There are two things wrong here.
The first being the variable does exist.
The second you're saying if the user OR the password doesn't exist... throw the error. It really should be both.

So it should be written more like this..

Code: Select all

if 
($_POST['user'] != NULL || $_POST['user'] != '') { 
  $user 
= mysql_real_escape_string(strip_tags(trim($_POST['user'])));
}
 else { 
  $error
[] = "Username cannot be empty.";
}

if ($_POST['pwd'] != NULL || $_POST['pwd'] != '') { 
  $pwd 
= mysql_real_escape_string(strip_tags(trim($_POST['pwd'])));
  // However, you should *NEVER* store passwords in clear text. 
  // $pwd = md5(mysql_real_escape_string(strip_tags(trim($_POST['pwd']))));
} else { 
  $error
[] = "Password cannot be empty or blank.";
}

if (!isset($error)) { 
  do
..the...rest...
}
 



But really, now that's out of the way..
Your SQL problem is this..


$query = "select * from newsignup where ".$user." like '%".$pwd."%'";
This means..
SELECT EVERYTHING FROM newsignup WHERE whatever-user-name-was-put-in-the-form LOOKS LIKE whatever-password-was-put-in-the-form. (But even then, the syntax is all kinds of wrong.)

It should probably look a bit more like..

$query = "SELECT * FROM newsignup WHERE user = '$user' AND pwd = '$pwd'";
This means..
SELECT EVERYTHING FROM newsignup WHERE the field 'user' is exactly what-ever-username-was-entered AND the pwd field is exactly what-ever-password-was-entered-by-the-user.

This is a correctly formatted SQL query. And it's also the query you SHOULD be using as it is looking for exact matches, and not "any-thing-like". Searching for LIKE in a username/pass combo is a bad idea.
User avatar
egami
php-forum GURU
php-forum GURU
 
Posts: 2197
Joined: Wed Oct 06, 2010 11:19 am
Location: Happy Valley, UT

Re: How to display data from database after login

Postby seandisanti » Fri Nov 02, 2012 2:22 pm

You can also use helper functions to consolidate some of your code too. for example
Code: Select all
<?php
function clean($s)
{
   return mysql_real_escape_string(strip_tags(trim($s)));
}


Then you can just do
Code: Select all
$user = clean($_POST['user']);
seandisanti
php-forum Fan User
php-forum Fan User
 
Posts: 838
Joined: Mon Oct 01, 2012 12:32 pm


Return to PHP coding => General

Who is online

Users browsing this forum: Google [Bot] and 3 guests

Sponsored by Sitebuilder Web hosting and Traduzioni Italiano Rumeno and antispam for cPanel.

cron