Linux, Apache, MySQL, PHP

Re: Only Home page opening after going live

26-Sep-16 2:07

Member 12758039 wrote:
000webhosting

I hope you used a unique password for that account that you haven't re-used anywhere else:
000webhost hacked, 13 million customers exposed | ZDNet[^]
Troy Hunt: Breaches, traders, plain text passwords, ethical disclosure and 000webhost[^]

The hack was last year, but given their response at the time, I wouldn't trust their current implementation to be any more secure.

"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer

Richard MacCutchan26-Sep-16 2:48

Re: Only Home page opening after going live

26-Sep-16 2:48

you already posted this question at http://www.codeproject.com/Questions/1131620/Other-pages-not-showing-after-moving-wordpress-sit[^]. Please use one forum only.

ZurdoDev26-Sep-16 3:18

ZurdoDev

26-Sep-16 3:18

We can't see anything at all so I would suggest contacting your hoster first.

There are only 10 types of people in the world, those who understand binary and those who don't.

I am really stumped on how to check if user exists and redirects.

samflex15-Sep-16 7:08

Re: I am really stumped on how to check if user exists and redirects.

15-Sep-16 7:08

Greetings experts.

I think I made this more complicated than it needs to be.

Users are required to log in to take a test.

If a user tries logging in, the system checks to see if the user has taken the test or not.

If the user has taken the test, s/he is redirected to a page called registered.php which displays benefits of membership.

If no record exists for this user, the user is taken to the called register.php so s/he can take the test.

The scenarios described above works fine.

However, we are running into a problem where if a user mistakenly enters incorrect username/password, the system assumes the user has logged in correctly but has not taken the test and redirects her to register.php.

We would like to modify the code to perform three checks.

If username/password is not correct, display a message to user that either username or password is incorrect.

If username/password is correct and the user has not taken the test, redirect to register.php.

If username/password is correct and the user has taken the test, redirect user to registered.php.

Any ideas how to modify the code below?

I have spent so much time trying to fix this but it is not working for me.

Thanks a lot in advance for your help.

PHP

   $strSQL = "SELECT u.empl_first, u.username, u.empl_first +' '+ empl_last as fullname, e.Department, e.UnitName, e.empnum FROM users u inner join Employee e on u.Employee_Id = e.EmpNum inner join tblTBA t on u.Employee_Id = t.Employee_Id WHERE USERNAME = '".ms_escape_string($_POST['user'])."'
	and PASSWORD = '".ms_escape_string($pass)."' ";
//	echo $strSQL;
	$sqll = sqlsrv_query($con, $strSQL);

if ($objResult = sqlsrv_fetch_array($sqll, SQLSRV_FETCH_ASSOC)) {
    $firstname = $objResult["empl_first"];
 	$_SESSION["username"] = $objResult["username"];
	header('location:registered.php?user=' . urlencode($firstname));
  }
  If ($user == $_SESSION["username"]) {
    header("location:register.php?user='".ms_escape_string($user)."'&pass='".ms_escape_string($pass)."' ");
  }
  else
  {
  echo "Username and Password Incorrect!";
  }

Richard Deeming15-Sep-16 7:27

Re: I am really stumped on how to check if user exists and redirects.

15-Sep-16 7:27

First off, your urgently need to fix the SQL Injection[^] vulnerabilities in your code.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]

Next, fix your password storage. You're currently storing password in plain text, which is an extremely bad idea. You should only ever store a salted hash of the user's password, using a unique salt per record.

Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

Also, NEVER put the user's password in the URL. The browser retains a history of every URL visited, making it trivial for someone with access to the user's history to discover their password.

Finally, to fix your problem, you need to split your validation into two steps:

Is the username and password valid?
Has the user completed the test?

Currently, you're trying to do both at once, which is why you're getting confused.

"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer

samflex15-Sep-16 7:41

Re: I am really stumped on how to check if user exists and redirects.

15-Sep-16 7:41

You to the rescue again. Thank you very much sir.

First off, I am using a hash.

$pass = md5($pass);

I did not paste it as part of my initial code.

Second, I created this custom script that I thought helps keep my code from sql injection attack:

</<pre lang="PHP">// this function is used to sanitize code against sql injection attack.
function ms_escape_string($data) {
        if ( !isset($data) or empty($data) ) return '';
        if ( is_numeric($data) ) return $data;

        $non_displayables = array(
            '/%0[0-8bcef]/',            // url encoded 00-08, 11, 12, 14, 15
            '/%1[0-9a-f]/',             // url encoded 16-31
            '/[\x00-\x08]/',            // 00-08
            '/\x0b/',                   // 11
            '/\x0c/',                   // 12
            '/[\x0e-\x1f]/'             // 14-31
        );
        foreach ( $non_displayables as $regex )
            $data = preg_replace( $regex, '', $data );
        $data = str_replace("'", "''", $data );
        return $data;
    }

pre>

However, I can change it to use parameterized query:

PHP

$strSQL = "SELECT u.empl_first, u.username, u.empl_first +' '+ empl_last as fullname, e.Department, e.UnitName, e.empnum FROM users u inner join Employee e on u.Employee_Id = e.EmpNum inner join tblTBA t on u.Employee_Id = t.Employee_Id WHERE USERNAME = ?
 and PASSWORD = ? ";
 $params = array($_POST["user"], $_POST["pass"]);
 $sqll = sqlsrv_query($con, $strSQL, $params);

Now, if I am on the right track on those two, could please be kind to help with the last part where I am trying to check whether username and / or password is correct and redirecting to appropriate page as described?

Thanks again for your help.

Richard Deeming15-Sep-16 7:52

Re: I am really stumped on how to check if user exists and redirects.

15-Sep-16 7:52

samflex wrote:
First off, I am using a hash.
$pass = md5($pass);

An unsalted MD5 hash doesn't offer much protection:
Troy Hunt: Our password hashing has no clothes[^]

samflex wrote:
check whether username and / or password is correct and redirecting to appropriate page

As I said, use two steps:

1) Validate the username and password:

SQL

SELECT 
    u.empl_first, 
    u.username, 
    u.empl_first +' '+ u.empl_last as fullname, 
    e.Department, 
    e.UnitName, 
    e.empnum 
FROM 
    users u 
    INNER JOIN Employee e 
    ON u.Employee_Id = e.EmpNum 
WHERE 
    u.USERNAME = ? 
And 
    u.PASSWORD = ?

If no data is returned, then the username or password is invalid.

2) Check whether the user has completed the test:

SQL

SELECT Employee_Id FROM tblTBA WHERE Employee_Id = ?

If no data is returned, then the user has not taken the test.

NB: If the Employee record doesn't get created until the user has taken the test, then you'll need to move that part of the query from step 1 to step 2.

"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer

samflex15-Sep-16 9:10

Re: I am really stumped on how to check if user exists and redirects.

15-Sep-16 9:10

ahhh got!

I am slow.

Thanks so much. I learn so much when I am fortunate to get your help.

I would not have thought of doing it this way.

Thanks a lot Richard.

samflex15-Sep-16 10:30

Re: I am really stumped on how to check if user exists and redirects.

15-Sep-16 10:30

Sorry Richard,

I tried doing it separately like you spec'ed it out and it is just not working.

The first part which validates username/password works but when I added the second part, then it doesn't matter whether I have correct username and password, it just takes me to login page.

The code you see here shows I am doing them together again with if...else but that's just what I am trying since separating them isn't working.

PHP

 $user = trim($_POST["user"]);
 $pass = trim($_POST["pass"]);

     // hash to sanitize the input further

//	$tsql = md5($pass);

   $tsql = "SELECT u.empl_first, u.username, u.empl_first +' '+ empl_last as fullname FROM users u WHERE u.USERNAME = ? and u.PASSWORD = ? ";
	//echo $strSQL;
	$params = array($user, $pass);
    $result = sqlsrv_query( $con, $tsql, $params, array(), array( "Scrollable" => 'static' ));

    $row_count = sqlsrv_num_rows($result);
    //echo $row_count;

    if ($row_count == 0){
       header('location:login.php?msg=1');
       exit;

}

else
{
   $tSQL = "SELECT u.empl_first, u.username FROM users u inner join tblTBA t on u.Employee_Id = t.Employee_ID WHERE USERNAME = '".ms_escape_string($user)."'
	and PASSWORD = '".ms_escape_string($pass)."' ";
	echo $strSQL;
    //$params = array($user, $pass);
	$sqll = sqlsrv_query($con, $tSQL);
}
if ($objResult = sqlsrv_fetch_array($sqll, SQLSRV_FETCH_ASSOC)) {
    $firstname = $objResult["empl_first"];
 	$_SESSION["username"] = $objResult["username"];
	header('location:donetba.php?user=' . urlencode($firstname));
  }
  else
    header("location:registered.php?user='".ms_escape_string($user)."'&pass='".ms_escape_string($pass)."' ");
   // header("location:register.php?user=. urlencode($user)&pass=. urlencode($pass)");

sqlsrv_close($con);

?>

Richard Deeming15-Sep-16 10:50

Re: I am really stumped on how to check if user exists and redirects.

15-Sep-16 10:50

Nothing obvious in the code, although you still need to parameterize the second query in the same way as the first, and you're still passing the password in the query-string to the registered.php page.

You could probably remove the else, since you've got an exit; in the if block.

Are you sure it's this page that's redirecting the user to the login page? Try tracing the network requests in your browser's developer tools, to see if either registered.php or dotnetba.php is doing the redirection instead.

"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer

samflex15-Sep-16 11:14

Button working on second click and not first.

15-Sep-16 11:14

That was it!!!

Removing the else since I have exit seems to have fixed it.

I have fixed the parameterized query stuff.

Thanks so much Richard.

I really, really am grateful for your help.

Member 1189879629-Aug-16 4:51

Member 11898796

29-Aug-16 4:51

I'm not sure what I'm doing wrong, but for some reason my page works fine only after hitting the submit button twice.

Below is the code. Any help or a point in the right direction would be greatly appreciated.

The removejob.php is a small page that just makes a connection and updates a single field based on the jobid.

HTML

<html>
	<head>
		<title>Phoenix Metals Job Interface</title>
		<script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
		<script type="text/javascript">

		function like(Job) 
	    {
	
	        $.ajax({
	            url: "RemoveJob.php",
	            type: "POST",
	            data: { 'JobID': Job },                   
	            success: function()
	                        {
									    window.location.reload();                          
	                        }
	        });
	    }
	    </script>
		<style>
			body 
			{
			    font-size: 200%;
			} 
			table 
			{
				width: 900px;			    
			   font-size:40px;  
			   font-weight: bold; 
			}
			td 
			{
    			text-align: center;
    			vertical-align: center;
    			border: 1px solid black;
    			padding: 10px;
			}
			.button 
			{
				 background-color: #ff3386;
			    color: white;
			    width: 175px;
			    height: 65px;
			    text-align: center;
			    vertical-align: middle;
			    font-size: 20px;
			    font-weight: bold; 
			}
		</style>
	</head>
	<body>

		<?php
		$con=mysqli_connect('localhost', 'xxxxxxx', 'xxxxxxx','xxxxxxx');

			if (mysqli_connect_errno())
			  {
			  echo "Failed to connect to MySQL: " . mysqli_connect_error();
			  }

		$JobResults = mysqli_query($con,"SELECT * FROM JobInterface WHERE Completed is null ORDER BY JobNumber"); 
			  	
		echo"<table>";
			echo"<tr>";
				echo"<tr><td colspan='3'>Phoenix Metals Job Interface</td></tr>";
				echo"<td>";
				echo"Job Number";
				echo"</td>";
				echo"<td>";
				echo"Project Name";
				echo"</td>";
				echo"<td>";
				echo"Account";
				echo"</td>";
				echo"<td>";
				echo"Edit";
				echo"</td>";
				echo"<td>";
				echo"Remove";
				echo"</td>";		
			echo"</tr>";	
			$JobRow = array();
			while($JobRow = mysqli_fetch_array($JobResults))		
				{
					$back = 'white';
					$message = 'Not Finished';
					if(($JobRow['Sheets'] != 1) && ($JobRow['Burned'] != 1) && ($JobRow['FormUp'] != 1) && ($JobRow['CoilLine'] != 1) && ($JobRow['Liner'] != 1) && ($JobRow['Vanes'] != 1) && ($JobRow['Assembled'] != 1) && ($JobRow['Wrapped'] != 1) && ($JobRow['HandFab'] != 1) && ($JobRow['Welded'] != 1) && ($JobRow['Supplies'] != 1) && ($JobRow['WardFrames'] != 1) && ($JobRow['Special'] != 1))
					{
						$back = 'aqua';
						$message = 'Possibly Done';
					}
					echo"<tr>";
						echo"<td>";
						echo $JobRow['JobNumber'];
						echo"</td>";
						echo"<td>";
						echo $JobRow['ProjectName'];
						echo"</td>";
						echo"<td>";
						echo $JobRow['AccountName'];
						echo"</td>";												
						if ($JobRow['RTS'] == 0)
							{
								echo"<td style='background-color:".$back.";'>";
								echo"<form style='margin-bottom:0; align:center;' name='EditJob' action='JobEdit.php' method='POST'><input type='hidden' name='JobID' value='".$JobRow['IDJob']."'/><input class='button' type='submit' name='submit-btn' value='Details'/></form>";
								echo"</td>";
								echo"<td>".$message."</td>";
							}
						if ($JobRow['RTS'] == 1)
							{
								echo"<td style='background-color:aqua;'>";
								echo"RTS";
								echo"</td>";
								echo"<td bgcolor='#FF0000'>";
								echo"<form style='margin-bottom:0; align:center;' name='ReloadJob' action='JobInterfaceMain.php' method='POST'>";	
								echo"<input class='button' type='submit' name='submit-btn' onclick='like(".$JobRow['IDJob'].")' value='Gone'/>";
								echo"</form>";
								echo"</td>";
							}	

					echo"</tr>";				
				}
		echo"</table>";
		?>
	</body>
</html>

Re: Button working on second click and not first.

Planet Thomas4-Jul-17 1:22

Planet Thomas

4-Jul-17 1:22

What do you see in console?

Passing Values to the next Page in PHP

Androoidhotspot Hotspot19-Aug-16 2:28

Androoidhotspot Hotspot

19-Aug-16 2:28

I am in a PHP project, which is needs to pass the parameter to the next page. But only using the values, not with the variable name.

PHP

index.php/1+2

And in the next page, i want to get the values in different variable.

Santhosh Kumar

Re: Passing Values to the next Page in PHP

ZurdoDev19-Aug-16 3:26

ZurdoDev

19-Aug-16 3:26

I don't know if php has something different but the easy way to do this in any web language is to use the querystring. index.php?var1=1&var2=2. Then on the next page you can read then from the querystring.

There are only 10 types of people in the world, those who understand binary and those who don't.

Basic Join Not Working

Django_Untaken19-Aug-16 0:43

Django_Untaken

19-Aug-16 0:43

Hello there. I am trying to get data from 3 different tables based on simple join. One of the tables can have multiple values against one primary key. Here are the table designs

Table 1 - EmployeeDetails

SQL

EmployeeId INT, FirstName VARCHAR, SurName VARCHAR, SexId INT

Table 2 - EmployeeSex

SQL

SexId INT, Sex VARCHAR
-- Values inserted
-- 1, Male
-- 2, Female

Table 3 - EmployeeContacts

SQL

EmployeeId INT, Contact VARCHAR -- may or may not be null AND can contain multiple values

I am using following query

SQL

SELECT ED.EmployeeId, ED.FirstName, ED.SurName, GROUP_CONCAT(EC.Contact) 
FROM EmployeeDetails ED, EmployeeSex ES, EmployeeContacts EC
WHERE ED.SexId = ES.SexId AND ED.EmployeeId = EC.EmployeeId AND ED.EmployeeId = 'emp_password';

Now this query works fine if we have at least one contact number. But if there are not contacts, then this results in empty set. What is wrong with this query ? How can I improve so that it works in all scenarios (regardless of number of contacts in EmployeeContacts table). Thanks for any input.

modified 19-Aug-16 7:10am.

Richard MacCutchan19-Aug-16 2:00

19-Aug-16 2:00

This question would probably be better posted in the DataBase forum.

Django_Untaken19-Aug-16 2:17

Django_Untaken

19-Aug-16 2:17

Well I am using MySQL as my database, that is why posted here). Can copy there as well.

Richard MacCutchan19-Aug-16 3:14

19-Aug-16 3:14

I appreciate that, but most of the DB experts don't visit this forum that often.

johnjonny10-Oct-16 8:18

johnjonny

10-Oct-16 8:18

whats whappen on log?

assignment

Eto'o3-Aug-16 12:15

Eto'o

3-Aug-16 12:15

Can anyone help me with the following two PHP scripts on the machine running Centos 7. Scripts written on a command line editor

1) a PHP script that will connect to the database and create the tables and populate default data, this script will be executed from command line using PHP -f createdatabase.php

2) the databasename will be the same as your username

3) a PHP script that will load from a browser and use HTML and CSS to display the populated information, the script will be loaded as http://localhost/myname/showme.php, you will get extra points for having fewer lines code, less SQL queries, and for commenting and indenting your code nicely.

The database contains the following tables with attributes:

Class, Students, and Marks

Re: assignment

Richard MacCutchan3-Aug-16 22:02