I would like to get some clear information or reply how to solve the next issue.
Currently i used MySQL connection, but now i want to move onto MySQLi. I dont want to use PDO, so please do not prefer it.
The new mysqli code is this, but its not working also i think i used a bit too much else, which is not needed.
<?php
include('includes/functions.php');
session_start();
if(isset($_POST['login'])) {
if(isset($_POST['username'])) {
if(isset($_POST['password'])) {
$username = $_POST['username'];
mysqli_query($query, "SELECT * FROM cm_users WHERE Username = '$username'") or die(mysql_error());
foreach ($query as $user)
if(sha3($_POST['password'],256) == $user['Password']) {
$_SESSION['user'] = $user['Username'];
if(isset($_POST['g-recaptcha-response'])){
$captcha=$_POST['g-recaptcha-response'];
}
if(!$captcha){
header("Location: login.php");
echo "<button class='btn btn-block btn-warning btn-sm'>Please check your login details.</button>";
exit;
}
$response=file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=******&response=".$captcha."&remoteip=".$_SERVER['REMOTE_ADDR']);
if($response.success==false)
{
echo '<h2>You are spammer ! Get the @$%K out</h2>';
} else {
echo '<h2>Thanks for posting comment.</h2>';
}
header("Location: redirect.php");
} else {
echo "<button class='btn btn-block btn-warning btn-sm'>Please check your login details.</button>";
include('login.php');
}
} else {
echo "<button class='btn btn-block btn-warning btn-sm'>Please check that you filled out the login form!</button>";
include('login.php');
}
}
}
?>
Any idea how to fix the issue to get work?
Making this as a wiki - I have nothing to gain from this, but more for the OP and future visitors to the question.
Pulled from comments and slightly modified:
Firstly, you're still mixing APIs using mysql_error() where it should read as mysqli_error($query) assuming that $query is your connection variable used in your connection codes.
Then this is failing you foreach ($query as $user) because there is nothing assigned to $query (for the query), as you are checking a foreach against your db connection's variable and that alone should have thrown you an error, had you used the right error function.
Being mysqli_error($query) where that function requires a database connection as a parameter.
- http://php.net/manual/en/mysqli.error.php
Your present code is open to SQL injection. Use mysqli_* with prepared statements, or PDO with prepared statements.
As suggested, use one of ircmaxell's answers and using a better hashing/query function.
Pulled from his answer:
Just use a library. Seriously. They exist for a reason.
- PHP 5.5+: use
password_hash()
- PHP 5.3.7+: use
password-compat (a compatibility pack for above)
- All others: use phpass
Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.
$dbh = new PDO(...);
$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$hash = password_hash($password, PASSWORD_DEFAULT);
$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);
And on login:
$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
$result = $stmt->execute([$_POST['username']]);
$users = $result->fetchAll();
if (isset($users[0]) {
if (password_verify($_POST['password'], $users[0]->password) {
// valid login
} else {
// invalid password
}
} else {
// invalid username
}
@Fred -ii- answered my question, so he helped a lot :)
and there you go ;-) assign a variable to the query other than your db connection. solved. $other_var = mysqli_query($connection, query)... and use that variable in your foreach. would you like my comments as an answer? ;-) – Fred -ii-
test = mysqli_query($query, "SELECT * FROM cm_users WHERE Username = '$username'") or die(mysqli_error($query)); foreach ($test as $user) like that?:D
you missed the $ --- $test = mysqli_query.... sure. then foreach($test..). – Fred -ii-
