
I have a PHP + AS3 user login & register module. I want to check whether a user is registered by username, but I can't do it because I'm new at PHP. If you can help it will be helpful, thx. (The result_message part is my AS3 info text box.)

<?php
include_once("connect.php");

// values come straight from the POST body
$username = $_POST['username'];
$password = $_POST['password'];
$userbio = $_POST['userbio'];

// values are interpolated directly into the SQL string
$sql = "INSERT INTO users (username, password, user_bio) VALUES ('$username', '$password', '$userbio')";

mysql_query($sql) or exit("result_message=Error");

exit("result_message=success.");
?>
  • You are wide open to SQL injection attacks, and you will be hacked if you haven't been already. Use prepared/parameterized queries with PDO or similar to avoid this problem entirely, by fundamentally separating the data from the command. Commented Mar 1, 2014 at 20:07
  • Nothing in this code appears to be attempting to validate the user, so I'm not sure why you have pasted it here. This site isn't really the right place to ask for people to write your code from scratch, you need to show us what you have written so far, and where you are stuck. Commented Mar 1, 2014 at 20:24
  • Refrain from using mysql_* in NEW code, it's officially deprecated as of PHP 5.5.0. Instead, you should be using mysqli_* or PDO. See a comparison of said APIs here. Commented Mar 1, 2014 at 22:18

2 Answers


Use MySQLi as your PHP function. Start there, it's safer.

Connect your DB -

$host = "////";
$user = "////";
$pass = "////";
$dbName = "////";

$db = new mysqli($host, $user, $pass, $dbName);
if($db->connect_errno){
    echo "Failed to connect to MySQL: " . 
          $db->connect_errno . "<br>";
}

If you are getting the information from the form -

$username = $_POST['username'];
$password = $_POST['password'];
$userbio = $_POST['userbio'];

you can query the DB and check the username and password -

$query = "SELECT * FROM users WHERE username = '$username'";
$result = $db->query($query); 

If you get something back -

// a mysqli_result object is truthy even with zero rows, so check num_rows
if($result && $result->num_rows > 0) {
    //CHECK PASSWORD TO VERIFY
} else {
    echo "No user found.";
}

then verify the password. You could also attempt to verify the username and password at the same time in your MySQL query like so -

$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";

@Brad is right, though. You should take a little more precaution when writing this as it is easily susceptible to hacks. This is a pretty good starter guide - http://codular.com/php-mysqli


1 Comment

I think there is still a security hole if charset is not declared.

Using PDO is a good start, your connect.php should include something like the following:

try {
    // the database name belongs in the DSN; the remaining arguments are user and password
    $db = new PDO('mysql:host=host;dbname=name', 'mysql_username', 'mysql_password');
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}

Your insert would go something like:

$username = $_POST['username'];
$password = $_POST['password'];
$userbio = $_POST['userbio'];

$sql = "INSERT INTO users (username, password, user_bio) VALUES (?, ?, ?)";

$std = $db->prepare($sql);

// execute() is a method of the prepared statement; values are bound, not interpolated
$std->execute(array($username, $password, $userbio));

To find a user you could query similarly, setting your $username manually or from $_POST:

$query = "SELECT * FROM users WHERE username = ?";

$std = $db->prepare($query);

$std->execute(array($username));

$result = $std->fetchAll();

if($result) {
    foreach ($result as $user) { print_r($user); }
} else { echo "No Users found."; }

It is important to bind your values, yet another guide for reference, since I do not have enough rep yet to link for each PDO command directly from the manual, this guide and website has helped me out a lot with PHP and PDO.

2 Comments

I can't add a new user this way, and my post adds the same user again and again. (It is my main problem.)
What is your http form's action? If your insert continually adds the same user repeatedly you could try unsetting $_POST after you have already used the user's input.
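Putting the two answers together (the username look-up from the first, the PDO prepared statements from the second), here is an added example that is not code from either answer or the asker. It assumes PHP 7 or later; DB_NAME, DB_USER, DB_PASS and the 'action' POST field are placeholders, and the password column is assumed wide enough to hold a password_hash() digest.

```php
<?php
// Added example (not from either answer): register, look up and verify a user with
// PDO prepared statements. DB_NAME/DB_USER/DB_PASS and the 'action' field are placeholders.
$db = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares: data never meets the SQL text
]);

// Is this username already registered?
function usernameExists(PDO $db, string $username): bool {
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    return $stmt->fetchColumn() !== false;
}

// Insert a new user; the password column holds a password_hash() digest, never plaintext.
// Returns false instead of inserting a duplicate when the name is already taken.
function registerUser(PDO $db, string $username, string $password, string $bio): bool {
    if (usernameExists($db, $username)) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO users (username, password, user_bio) VALUES (?, ?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $bio]);
    return true;
}

// Login check: fetch the stored hash by username and compare with password_verify().
function verifyLogin(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Reply in the key=value form the asker's AS3 result_message text box reads.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
$userbio  = $_POST['userbio']  ?? '';
if ($username === '' || $password === '') {
    exit('result_message=Error');
}
if (($_POST['action'] ?? 'register') === 'login') {
    exit(verifyLogin($db, $username, $password) ? 'result_message=success.' : 'result_message=Error');
}
exit(registerUser($db, $username, $password, $userbio) ? 'result_message=success.' : 'result_message=user exists');
```

The charset in the DSN plus real server-side prepares also covers the charset concern raised in the comment on the first answer; a UNIQUE index on users.username is still worth adding so two concurrent registrations cannot both pass the existence check.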
