
Need help how to properly call db_connect

Posted: Wed Sep 25, 2013 4:34 am
by hybris
This is my first post here so HI all ;),

I'm really new to mysql and php and I'm trying to learn it by using tutorials.

At the moment I'm trying to create a somewhat secure login system but I do not understand how to get the connect_db.php to work.

I have created a file in my root directory called connect_db.php with the following code (from http://www.wikihow.com/Create-a-Secure- ... -and-MySQL):

Code:

<?php
DEFINE('DB_HOST','localhost');
DEFINE('DB_USER','*****');
DEFINE('DB_PASSWORD','*****');
DEFINE('DB_NAME','******');
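$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
// "new mysqli(...) or die(...)" never fires because the constructor always yields an object,
// so check connect_error explicitly instead.
if ($mysqli->connect_error) {
    die('Grrrrrr');
}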
?>
Then I created a testpage called test.php

containing the following code:

Code:

<?php
require('connect_db.php');
//$mysqli
?>
<?php
$tbl_name='forum_question';
$sql="SELECT * FROM $tbl_name ORDER BY id DESC";
// ORDER BY id DESC orders the result in descending order

$result=mysql_query($sql);
?>

<table width="90%" border="0" align="center" cellpadding="3" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<td width="6%" align="center" bgcolor="#E6E6E6"><strong>#</strong></td>
<td width="53%" align="center" bgcolor="#E6E6E6"><strong>Topic</strong></td>
<td width="15%" align="center" bgcolor="#E6E6E6"><strong>Views</strong></td>
<td width="13%" align="center" bgcolor="#E6E6E6"><strong>Replies</strong></td>
<td width="13%" align="center" bgcolor="#E6E6E6"><strong>Date/Time</strong></td>
</tr>

<?php
 
// Start looping table row
while($rows=mysql_fetch_array($result)){
?>
<tr>
<td bgcolor="#FFFFFF"><? echo $rows['id']; ?></td>
<td bgcolor="#FFFFFF"><a href="view_topic.php?id=<? echo $rows['id']; ?>"><? echo $rows['topic']; ?></a><BR></td>
<td align="center" bgcolor="#FFFFFF"><? echo $rows['view']; ?></td>
<td align="center" bgcolor="#FFFFFF"><? echo $rows['reply']; ?></td>
<td align="center" bgcolor="#FFFFFF"><? echo $rows['datetime']; ?></td>
</tr>

<?php
// Exit looping and close connection 
}
$mysql_close();
?>

<tr>
<td colspan="5" align="right" bgcolor="#E6E6E6"><a href="create_topic.php"><strong>Create New Topic</strong> </a></td>
</tr>
</table>
(The testpage is a copy of a page from a forum I created using another tutorial. The forum is working (so I know I set up the databases and all that correctly) when I use the login info in the test.php file like this:

Code:

<?php

$host="localhost"; // Host name 
$username="*****"; // Mysql username 
$password="*******"; // Mysql password 
$db_name="********"; // Database name 
$tbl_name="forum_question"; // Table name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");
$sql="SELECT * FROM $tbl_name ORDER BY id DESC";
// ORDER BY id DESC orders the result in descending order

$result=mysql_query($sql);
?>
Why won't it work when I put the login info in db_connect? (I know in the forum script it says mysql but in db_connect mysqli, but I tried with mysql in the dbconnect too without success.)

I want to use mysqli (not mysql) and I think the code in db_connect.php is correct so if I want to call (require or include?) this from test.php to browse the table "forum_question" how do I do it? I'm getting crazy over this.

Thanks in advance :)

Re: Need help how to properly call db_connect

Posted: Wed Sep 25, 2013 5:34 am
by Celauran
It's not how you're calling db_connect.php that's the issue. It's being included fine, and then being summarily ignored. mysql_ and mysqli_ are not interchangeable. You need to go through your code and rewrite your mysql_ functions to use the correct mysqli_ functions. Better still, take a look at PDO.
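
The rewrite described in the reply above, as an added example that is not part of the original posts: the listing page using only mysqli calls on the `$mysqli` object from connect_db.php. It assumes that file, a reachable MySQL server and the forum_question columns shown in the first post; `fetch_topics()` and `h()` are hypothetical helper names.

```php
<?php
// Added example, not code from the thread. Assumes connect_db.php from the
// first post (which sets $mysqli) and the forum_question table it describes.
require 'connect_db.php';

// Run the query through the mysqli connection; mysql_* calls would ignore $mysqli.
function fetch_topics(mysqli $mysqli): array
{
    // The table name is a fixed literal, so no user input reaches the SQL text.
    $result = $mysqli->query(
        'SELECT id, topic, view, reply, datetime FROM forum_question ORDER BY id DESC'
    );
    if ($result === false) {
        throw new RuntimeException('Query failed: ' . $mysqli->error);
    }
    $rows = [];
    while ($row = $result->fetch_assoc()) {   // replaces mysql_fetch_array($result)
        $rows[] = $row;
    }
    $result->free();
    return $rows;
}

// Escape every value on output so stored text cannot inject markup into the page.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

foreach (fetch_topics($mysqli) as $row) {
    echo '<tr><td>' . h($row['id']) . '</td>'
       . '<td><a href="view_topic.php?id=' . h($row['id']) . '">' . h($row['topic']) . '</a></td>'
       . '<td>' . h($row['view']) . '</td><td>' . h($row['reply']) . '</td>'
       . '<td>' . h($row['datetime']) . "</td></tr>\n";
}
$mysqli->close();   // replaces the invalid $mysql_close();
```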

Re: Need help how to properly call db_connect

Posted: Wed Sep 25, 2013 5:46 am
by hybris
Yeah thanks I just noticed, managed to add stuff to the DB using

$mysqli->query("INSERT INTO tablename (user_id, time) VALUES ('xxx', 'yyy ')");

so I guess the connectpart finally works :)

So if I want to create a really safe login system is PDO better than mysqli ?

Re: Need help how to properly call db_connect

Posted: Wed Sep 25, 2013 6:22 am
by Celauran
It's not so much that it's better -- MySQLi is perfectly adequate -- I just find it less cumbersome to use. PDO allows you to use named placeholders when creating prepared statements, whose values can then be passed to execute as an array. MySQLi requires you use ? as placeholders and your bind parameters call can suffer from readability issues pretty quickly.

Re: Need help how to properly call db_connect

Posted: Wed Sep 25, 2013 6:24 am
by Celauran
hybris wrote:

Code:

$mysqli->query("INSERT INTO tablename (user_id, time) VALUES ('xxx', 'yyy ')");
Don't do that. If you're passing variables into your query, use prepared statements.

Re: Need help how to properly call db_connect

Posted: Wed Sep 25, 2013 7:10 am
by hybris
Yeah, I'm pretty new to this (started yesterday) so I'm just playing around learning so far.

The inserting was just to test if I could connect properly to the DB and add something into the table. Won't do like that in my final code :)

Thank You for Your help :) Now I will get back to coding :)

Re: Need help how to properly call db_connect

Posted: Wed Sep 25, 2013 9:44 am
by hybris
Hi so I have a new question :)

I made a register form that sends some variables to register.php that is supposed to check if the email + verify email and pw + ver pw are correct.

If they are then it should store the user into the user database.

So I got the checking of email and pw to work.. and I actually managed to store the result into the database

BUT

it only works to store in the database if I use all numbers, like user: 234234 email: 123 verify email: 123 pw: 222 ver pw: 222
If I try to type in some text, the check if the email and pw match works but it won't store into the DB

The form code below: (in like register_user.php)

Code:

<table width="600" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form id="form1" name="form1" method="post" action="register.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3" bgcolor="#E6E6E6"><strong>Register new user</strong> </td>
</tr>
<tr>
<td width="20%"><strong>User name</strong></td>
<td width="2%">:</td>
<td width="78%"><input name="username" type="text" id="username" size="50" /></td>
</tr>
<tr>
<td valign="top"><strong>Email</strong></td>
<td valign="top">:</td>
<td><input name="email" type="text" id="email" size="50" /></td>
</tr>
<tr>
<td><strong>Confirm Email</strong></td>
<td>:</td>
<td><input name="emailchk" type="text" id="emailchk" size="50" /></td>
</tr>
<tr>
<td><strong>Password</strong></td>
<td>:</td>
<td><input name="password" type="password" id="password" size="50" /></td>
</tr>
<tr>
<td><strong>Confirm Password</strong></td>
<td>:</td>
<td><input name="passwordchk" type="password" id="passwordchk" size="50" /></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Submit" /> <input type="reset" name="Submit2" value="Reset" /></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
and the code in register.php:

Code:

<?php
require('../db_connect.php');
   
// get the values sent from the form
$user_name=$_POST['username'];
$email=$_POST['email'];
$email_chk=$_POST['emailchk']; 
$password=$_POST['password'];
$password_chk=$_POST['passwordchk'];

    
//$datetime=date("d/m/y H:i:s"); // create date and time

echo $user_name;
echo $email;
echo $email_chk;
echo $password;
echo $password_chk;
//echo $datetime
echo "                          ";

//if ($email==$email_chk) {
//    echo 'mailen matchar';
//} else {
//    echo 'mailen matchar inte';
//}

//if ($password==$password_chk) {
//    echo 'Password passar';
//} else {
//    echo 'password matchar inte';
//}
// Alternative coding to check both at the same time
if (($email==$email_chk) && ($password==$password_chk)) {
    echo 'OKEJJJJJ Bade mail o passw stammmer'; // then we update the database
   
    $mysqli->query("INSERT INTO users (id, username, email, password, salt) VALUES ('', $user_name, $email, $password, 'SALT')");
} else {
    echo 'NAJJJJJ Email eller pw stammer inte';
    
}

?>
I suspect everything gets converted to integers somewhere but if so how do I get it back to text?

Thanks.

Re: Need help how to properly call db_connect

Posted: Wed Sep 25, 2013 11:20 am
by Celauran
You need to enclose strings in quotes in your SQL query.

Also, again, don't do this:

Code:

$mysqli->query("INSERT INTO users (id, username, email, password, salt) VALUES ('', $user_name, $email, $password, 'SALT')");
What happens if I set my username to '; DROP TABLE users ?
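
The prepared-statement form recommended in the replies above, as an added example that is not part of the original posts: the registration insert with PDO named placeholders, with the MySQLi `?` / `bind_param()` equivalent beside it. It assumes an in-memory SQLite database as a stand-in for MySQL and a simplified users table; `register_user()` and `register_user_mysqli()` are hypothetical names, and `password_hash()` replaces the literal 'SALT' column.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite database stands in
// for MySQL so the script runs offline; the users table layout is an assumption.

function register_user(PDO $pdo, string $username, string $email, string $password): int
{
    // Named placeholders: the values are sent separately from the SQL text, so
    // quotes or semicolons inside them are stored as data and never parsed as SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, email, password)
         VALUES (:username, :email, :password)'
    );
    $stmt->execute([
        ':username' => $username,
        ':email'    => $email,
        // password_hash() embeds its own random salt in the returned string.
        ':password' => password_hash($password, PASSWORD_DEFAULT),
    ]);
    return (int) $pdo->lastInsertId();
}

// The same insert with MySQLi: positional ? placeholders plus bind_param().
function register_user_mysqli(mysqli $mysqli, string $username, string $email, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $mysqli->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $username, $email, $hash);
    return $stmt->execute();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT, email TEXT, password TEXT)');

// Constructed input: the username from the reply above, stored as literal text.
$hostile = "'; DROP TABLE users";
$id = register_user($pdo, $hostile, 'user@example.com', 'constructed-password');

$check = $pdo->prepare('SELECT username, password FROM users WHERE id = :id');
$check->execute([':id' => $id]);
$row = $check->fetch(PDO::FETCH_ASSOC);

var_dump($row['username'] === $hostile);
var_dump(password_verify('constructed-password', $row['password']));
```

The two `var_dump()` calls report whether the username came back byte for byte and whether the stored hash verifies against the original password.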

Re: Need help how to properly call db_connect

Posted: Wed Sep 25, 2013 1:35 pm
by hybris
You will have a very strange username??? :)

Nah I see Your point and I will code better when I do the final version, right now I'm just trying to get a feeling for the language. I never used PHP before and I never programmed towards a DB before...did some HTML like 15 Years ago... So I'm totally new to this :) It's a lot of trial and error atm heh

Re: Need help how to properly call db_connect

Posted: Fri Oct 04, 2013 6:33 am
by igen121
I don't understand, can anyone please help me more?

Re: Need help how to properly call db_connect

Posted: Fri Oct 04, 2013 7:08 am
by hybris
igen121 wrote: I don't understand, can anyone please help me more?
Which part? About how to connect or the DROP TABLE thing?

About the connect: you make a .php file with the information on how to connect to the database. Then when you need to connect to the database you just call that file.

About the DROP TABLE thing: it's to protect the code from hackers, where you use prepared statements before inserting things into your database rather than inserting the user input directly.