No it doesn't. This one professional guy told me to do it because that's how you should code it so it looks professionally done... I don't know.

Tenaciousmug Junior Poster in Training

Ok, I have my username set as 1 under admin and this other account set as 0 under admin. But it's not showing the page to any of the accounts and only showing the else statement. Does anyone know what the problem is? I'm so confused and I have been staring at this code for a while now.

[CODE]<?php
include("haha.php");
$cxn = mysqli_connect($dbhost,$dbuser,$dbpassword,$dbdatabase) or die("Couldn't connect to server");
$sql = "SELECT admin FROM Member WHERE username='{$_SESSION['username']}'";
$result = mysqli_query($cxn,$query) or die(mysqli_error($cxn));
$row = mysqli_fetch_array($result);
if($row['admin'] == 1)
{
// There is code here that shows the page, but that works fine and I already tested it, so I won't hog up the space with it. xD
}else{
echo "You aren't allowed to view this page because you are not admin. Click here to go back to the site!";
}
?>[/CODE]

I'm not sure on making it 20 times daily yet, but I'm creating a database for the game and... never mind. I already know how to make it 20 times daily.

EverWebby, you are the best!!!! IT'S WORKING NOW (:

This isn't working either. I don't get it... it's probably something so simple.

[QUOTE=chrishea;1251803]You don't have a loop so it makes sense that it would only execute once when $dice is equal to 6. If your intent is to keep generating random values and showing what was rolled, you need a While loop and you will need to change your code to put any one-time actions (like the mysqli) before you start the loop.[/QUOTE]

No, I don't want them to roll until they roll a six. It's like a random game. They play 20 times a day. They roll 20 times to see if they can roll a six, and every time they do, they get 500 rp. The other times they just don't get anything.

And it's still only generating once. Does anyone get what I'm saying?? D:

Tenaciousmug Junior Poster in Training

Ok, I don't understand why the update statement only works once... and after it rolls another 6, it won't add another 500 to the RP amount.

[CODE]<?php
session_start();
include("logincheck.php");
?>
<?php include_once("header.php"); ?>

Tenaciousmug Junior Poster in Training

Wow, I have no clue what I'm doing... I'm trying to make a random game and if you roll a 6, you will win 500 rp, and I'm trying to insert the 500 rp into the user who is logged in ($_SESSION['username']). But I... just don't know where to begin.

Here is my crappy coding that I just... am stumped on:

[CODE]
<?php
$dice = rand(1,6);
if($dice == 1){
echo "You rolled a 1";
}if($dice == 2){
echo "You rolled a 2";
}if($dice == 3){
echo "You rolled a 3";
}if($dice == 4){
echo "You rolled a 4";
}if($dice == 5){
echo "You rolled a 5";
}if($dice == 6){
echo "You rolled a 6";
}

$winner = "500";
if($dice == 6) // no ';' here, or the block below runs on every roll
{
include("haha.php");
$cxn = mysqli_connect($dbhost,$dbuser,$dbpassword,$dbdatabase);
$sql = "INSERT INTO Member (rp) VALUES ('$winner')";
mysqli_query($cxn,$sql);
}
?>[/CODE]
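As an added example (not code from this thread), here is one roll that credits the logged-in member on a six, using an UPDATE with bound parameters instead of the INSERT above and enforcing the 20-rolls-a-day cap inside the same statement, which also covers the "update only works once" post. It assumes haha.php defines $host, $user, $password and $database as shown later in the thread, that Member has integer columns rp and rolls_today (rolls_today is assumed, and resetting it each day happens elsewhere), and that $_SESSION['username'] is already set.

```php
<?php
// Added example, not code from the thread. Assumes: haha.php defines $host,
// $user, $password, $database; Member has integer columns rp and rolls_today
// (rolls_today is assumed; resetting it daily is done elsewhere); and
// $_SESSION['username'] is set by the login page.
declare(strict_types=1);

const ROLLS_PER_DAY = 20;
const PRIZE_RP = 500;

function roll_once(mysqli $cxn, string $username): array
{
    $dice  = random_int(1, 6);
    $prize = ($dice === 6) ? PRIZE_RP : 0;   // no ';' after the condition
    $limit = ROLLS_PER_DAY;

    // UPDATE adds to the member's existing rp; an INSERT would create a new
    // row instead. The daily cap sits in the WHERE clause, so a member who
    // has used 20 rolls matches no row, even if two requests arrive at once.
    $stmt = $cxn->prepare(
        'UPDATE Member SET rp = rp + ?, rolls_today = rolls_today + 1
          WHERE username = ? AND rolls_today < ?'
    );
    $stmt->bind_param('isi', $prize, $username, $limit);
    $stmt->execute();
    $counted = ($stmt->affected_rows === 1);
    $stmt->close();

    return [
        'dice'    => $dice,
        'won'     => $counted ? $prize : 0,
        'counted' => $counted,   // false once today's rolls are used up
    ];
}

session_start();
include 'haha.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
$cxn = mysqli_connect($host, $user, $password, $database);

$outcome = roll_once($cxn, $_SESSION['username']);
if (!$outcome['counted']) {
    echo 'You have used all ' . ROLLS_PER_DAY . ' rolls for today.';
} elseif ($outcome['won'] > 0) {
    echo "You rolled a 6 and won {$outcome['won']} rp!";
} else {
    echo "You rolled a {$outcome['dice']}. No prize this time.";
}
```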

Any help yet?...

Uhh, don't you just hit the enter button?
And if you want them lined down on the actual web page that you are creating, you can just put
before the beginning of each line.


Ok, it's not letting me edit the post. But here is the whole entire new code I have:

[CODE]<?php
session_start();
switch (@$_POST['Button'])
{
case "Log in":
include("haha.php");
$cxn = mysqli_connect($host,$user,$password,$database);
$fusername = $cxn->real_escape_string($_POST['fusername']);
$sql = "SELECT username FROM Member WHERE username='$fusername'";
$result = mysqli_query($cxn,$sql) or die("Query died: fusername");
$num = mysqli_num_rows($result);
if($num > 0)
//username was found
{
$fpassword = $cxn->real_escape_string($_POST['fpassword']);
$sql = "SELECT username FROM Member WHERE username='$fusername' AND password=md5('$fpassword')";
$result2 = mysqli_query($cxn,$sql) or die("Query died: fpassword");
$num = mysqli_num_rows($result2);
if($num > 0) //password matches
{
$_SESSION['auth']="yes";
$_SESSION['username'] = $fusername;
$sql = "INSERT INTO Login (username,loginTime) VALUES ('$fusername',NOW())";
$result = mysqli_query($cxn,$sql) or die("Query died: insert");
header("Location: testing.php");
}
else
{
$message_1="The username, '$fusername' exists. However you have not entered the correct password! Please try again.";
$fusername=strip_tags(trim($fusername));
include("login_form2.php");
}
}
else // username was not found
{
$message_1 = "The username you entered does not exist! Please try again.";
include("login_form2.php");
}
break;

case "Register":
/* Check for blanks */
foreach($_POST as $field => $value)
{
    if(empty($value))
    {
        $blanks[] = $field;
    }
    else
    {
        $good_data[$field] = strip_tags(trim($value));
    }
}
if(isset($blanks))
{
    $message_2 = "The following fields are blank. Please enter the required information: ";
    foreach($blanks as $value)
    {
    $message_2 .="$value, ";
    }
    extract($good_data);
    include("login_form2.php");
    exit();
}
/* validate data */
foreach($_POST as $field => $value)
{
    if(!empty($value))
    {
        if(preg_match("/name/i",$field) and !preg_match("/user/i",$field) and !preg_match("/log/i",$field))
        {
            if(!preg_match("/^[A-Za-z' -]{1,15}$/",$value))
            {
                $errors[] = "$value is not a valid name. ";
            }
        }
        if(preg_match("/email/i",$field))
        {
            if(!preg_match("/^.+@.+\\..+$/",$value))
            {
                $errors[]="$value is not a valid email address.";
            }
        } ...
Tenaciousmug Junior Poster in Training

Ok, I have all my functions working along with the real_escape_string(). Now I just need to find out WHY the password check isn't working properly. Whenever I try to log in with the username Dyl and the password it was signed up with, it says "Dyl is an existing username, but it's not the right password" when it is... Can anyone see what I'm doing wrong?

[CODE]<?php
session_start();
switch (@$_POST['Button'])
{
case "Log in";
include("haha.php");
$cxn = mysqli_connect($host,$user,$password,$database);
$fusername = $cxn->real_escape_string($_POST['fusername']);
$sql = "SELECT username FROM Member WHERE username='$fusername'";
$result = mysqli_query($cxn,$sql) or die("Query died: fusername");
$num = mysqli_num_rows($result);
if($num > 0)
//username was found
{
include("haha.php");
$cxn = mysqli_connect($host,$user,$password,$database);
$fpassword = $cxn->real_escape_string($_POST['fpassword']);
$sql = "SELECT username FROM Member WHERE username='$fusername' AND password=md5('$fpassword')";
$result2 = mysqli_query($cxn,$sql) or die("Query died: fpassword");
$num = mysqli_num_rows($result2);
if($num > 0) //password matches
{
include("haha.php");
$cxn = mysqli_connect($host,$user,$password,$database);
$_SESSION['auth']="yes";
$_SESSION['username'] = $fusername;
$sql = "INSERT INTO Login (username,loginTime) VALUES ('$fusername',NOW())";
$result = mysqli_query($cxn,$sql) or die("Query died: insert");
header("Location: testing.php");
}

// there is more code, but it doesn't deal with the password confirmation[/CODE]

Ok, so can anyone see anything that is wrong? I've checked and looked 5 million times and I really can't find anything...
And I KNOW I don't have to include haha.php and do the $cxn every time. I'm just making sure it follows everything because I was trying to find the error. After I find it, I will delete it because there is no point having that many includes and connections when one ...

Oh, ok. A friend just told me it's my login in general.
I was able to log in as Username: Dyl
Password: abc123

I can use any password and it will let me log in under any username in the database.

This is my login.php:

[CODE]<?php
session_start();
switch (@$_POST['Button'])
{
case "Log in";
include("haha.php");
$cxn = mysqli_connect($host,$user,$password,$database);
$fusername = $cxn->real_escape_string($_POST['fusername']);
$sql = "SELECT username FROM Member WHERE username='$fusername'";
$result = mysqli_query($cxn,$sql) or die("Query died: fusername");
$num = mysqli_num_rows($result);
if($num > 0)
//username was found
{
$fpassword = $cxn->real_escape_string($_POST['fpassword']);
$sql2 = "SELECT username FROM Member WHERE username='$fusername' AND password=md5('$fpassword')";
$result2 = mysqli_query($cxn,$sql2) or die("Query died: fpassword");
$num2 = mysqli_num_rows($result2);
if($num > 0) //password matches
{
$_SESSION['auth']="yes";
$_SESSION['username'] = $fusername;
$sql = "INSERT INTO Login (username,loginTime) VALUES ('$fusername',NOW())";
$result = mysqli_query($cxn,$sql) or die("Query died: insert");
header("Location: testing.php");
}
else
{
$message_1="The username, '$fusername' exists. However you have not entered the correct password! Please try again.";
$fusername=strip_tags(trim($fusername));
include("login_form2.php");
}
}
else // username was not found
{
$message_1 = "The username you entered does not exist! Please try again.";
include("login_form2.php");
}
break;

case "Register":
/* Check for blanks */
foreach($_POST as $field => $value)
{
    if(empty($value))
    {
        $blanks[] = $field;
    }
    else
    {
        $good_data[$field] = strip_tags(trim($value));
    }
}
if(isset($blanks))
{
    $message_2 = "The following fields are blank. Please enter the required information: ";
    foreach($blanks as $value)
    {
    $message_2 .="$value, ";
    }
    extract($good_data);
    include("login_form2.php");
    exit();
}
/* validate data */
foreach($_POST as $field => $value)
{
    if(!empty($value))
    {
        if(preg_match("/name/i",$field) and !preg_match("/user/i",$field) and !preg_match("/log/i",$field))
        {
            if(!preg_match("/^[A-Za-z' -]{1,15}$/",$value)) ...

So is there any way to fix this?... I tried everything and it just doesn't want to work. I don't get it.

[QUOTE=JRM;1250568]see this:
[URL="http://us.php.net/manual/en/mysqli.real-escape-string.php"]mysqli.real-escape-string[/URL]

You might want to use the object version[/QUOTE]

I replaced it with that one and it's still letting me log in with x=x as the password :(

[CODE]<?php
session_start();
switch (@$_POST['Button'])
{
case "Log in";
include("haha.php");
$cxn = mysqli_connect($host,$user,$password,$database);
$fusername = $cxn->real_escape_string($_POST['fusername']);
$sql = "SELECT username FROM Member WHERE username='$fusername'";
$result = mysqli_query($cxn,$sql) or die("Query died: fusername");
$num = mysqli_num_rows($result);
if($num > 0)
//username was found
{
$fpassword = $cxn->real_escape_string($_POST['fpassword']);
$sql = "SELECT username FROM Member WHERE username='$fusername' AND password=md5('$fpassword')";
$result2 = mysqli_query($cxn,$sql) or die("Query died: fpassword");
$num2 = mysqli_num_rows($result2);
if($num > 0) //password matches
{
$_SESSION['auth']="yes";
$_SESSION['username'] = $fusername;
$sql = "INSERT INTO Login (username,loginTime) VALUES ('$fusername',NOW())";
$result = mysqli_query($cxn,$sql) or die("Query died: insert");
header("Location: testing.php");
}
else
{
$message_1="The username, '$fusername' exists. However you have not entered the correct password! Please try again.";
$fusername=strip_tags(trim($fusername));
include("login_form.php");
}
}
else // username was not found
{
$message_1 = "The username you entered does not exist! Please try again.";
include("login_form.php");
}
break;

case "Register":
/* Check for blanks */
foreach($_POST as $field => $value)
{
    if(empty($value))
    {
        $blanks[] = $field;
    }
    else
    {
        $good_data[$field] = strip_tags(trim($value));
    }
}
if(isset($blanks))
{
    $message_2 = "The following fields are blank. Please enter the required information: ";
    foreach($blanks as $value)
    {
    $message_2 .="$value, ";
    }
    extract($good_data);
    include("login_form.php");
    exit();
}
/* validate data */
foreach($_POST as $field => $value)
{
    if(!empty($value))
    {
        if(preg_match("/name/i",$field) and !preg_match("/user/i",$field) and !preg_match("/log/i",$field))
        {
            if(!preg_match("/^[A-Za-z' -]{1,50}$/",$value))
            {
                $errors[] = "$value is not a valid name. ";
            }
        }
        if(preg_match("/email/i",$field)) ...

[QUOTE=CFROG;1250556]Your first parameter is your connection, the second parameter is the string you are trying to escape:

[code]

mysqli_real_escape_string($connection, $fusername);

[/code]

I'm not 100% on what your connection needs to be; try $cxn, I believe that may do the trick.[/QUOTE]

Well, it's working perfectly, but I can still sign in with x=x as my password... I thought that was supposed to fix it...

[QUOTE=JRM;1250218]Mysqli has its own special PHP methods. I think you are getting an error because you are out of scope.
[URL="http://us3.php.net/manual/en/book.mysqli.php"]mysqli[/URL]

The fix may be as simple as:
[CODE]$fusername = mysqli_real_escape_string($_POST['fusername']);[/CODE]
Add the i onto all instances of mysql_real_escape_string

Hope that was it.[/QUOTE]

It got my connection to work. xD But here is the error message it is showing now:
[QUOTE]Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home2/asterock/public_html/login.php on line 8[/QUOTE]

Here is line 8:

[CODE]$fusername = mysqli_real_escape_string($_POST['fusername']);[/CODE]

I know it only has one parameter, but what do I put for the second?... It doesn't need a second. xD

Oh, and this is how haha.php looks:

[CODE]<?php
$host="**";
$user="****";
$password="**";
$database="****";
?>[/CODE]

Am I doing that right, since it says my connection isn't there?...

[QUOTE=rajarajan07;1250047]What's the error shown?[/QUOTE]

[QUOTE]Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'asterock'@'localhost' (using password: NO) in /home2/asterock/public_html/login.php on line 8

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home2/asterock/public_html/login.php on line 8[/QUOTE]

I know. It's not establishing that connection, but before I use mysql_real_escape_string, my connection is fine and I can log in. But I want to fix the SQL injection problem.

Here is my whole PHP code if anyone knows how to help:
[CODE]<?php
session_start();
switch (@$_POST['Button'])
{
case "Log in";
include("haha.php");
$cxn = mysqli_connect($host,$user,$password,$database) or die("Query died: connect");
$fusername = mysql_real_escape_string($_POST['fusername']);
$sql = "SELECT username FROM Member WHERE username='$fusername'";
$result = mysqli_query($cxn,$sql) or die("Query died: fusername");
$num = mysqli_num_rows($result);
if($num > 0)
//username was found
{
$fpassword = mysql_real_escape_string($_POST['fpassword']);
$sql = "SELECT username FROM Member WHERE username='$fusername' AND password=md5('$fpassword')";
$result2 = mysqli_query($cxn,$sql) or die("Query died: fpassword");
$num2 = mysqli_num_rows($result2);
if($num > 0) //password matches
{
$_SESSION['auth']="yes";
$_SESSION['username'] = $_POST['fusername'];
$sql = "INSERT INTO Login (username,loginTime) VALUES ('$_SESSION[username]',NOW())";
$result = mysqli_query($cxn,$sql) or die("Query died: insert");
header("Location: testing.php");
}
else
{
$message_1="The username, '$_POST[fusername]' exists. However you have not entered the correct password! Please try again.";
$fusername=strip_tags(trim($_POST['fusername']));
include("login_form.php");
}
}
else // username was not found
{
$message_1 = "The username you entered does not exist! Please try again.";
include("login_form.php");
}
break;

case "Register":
/* Check for blanks */
foreach($_POST as $field => $value)
{
    if(empty($value))
    {
        $blanks[] = $field;
    }
    else
    {
        $good_data[$field] = strip_tags(trim($value));
    }
}
if(isset($blanks))
{
    $message_2 = "The following ...

[QUOTE=rajarajan07;1249991]You should make the connection before using mysql_real_escape_string, otherwise it utilizes the last connection link.[/QUOTE]

Yes, I know. I did mention that I posted the $fusername variable after every line to see if it made a difference. It didn't. I put it after the $cxn, then after the $sql, then after the $result, and then after the $num, and still... the same error.

[QUOTE=CFROG;1249598]I need to ask just to be sure ... are you calling your include for the db connection BEFORE the escape_string function? Put your include at the very top of the page if it's not already.
[code]
<?PHP

include("dbc.php");
[/code][/QUOTE]

Yes.

[CODE]<?php
session_start();
switch (@$_POST['Button'])
{
case "Log in";
include("haha.php");
$fusername = mysql_real_escape_string($_POST['fusername']);
$cxn = mysqli_connect($host,$user,$password,$database) or die("Query died: connect");
$sql = "SELECT username FROM Member WHERE username='$fusername'";
$result = mysqli_query($cxn,$sql) or die("Query died: fusername");
$num = mysqli_num_rows($result);
if($num > 0)
//username was found[/CODE]

Just a little top preview of my code. After that case "Log in";
it includes haha.php, which is my connection to the database.
And then the $cxn variable starts it up.
But I even tried putting the fusername variable underneath the $cxn and it still won't work.

[QUOTE=CFROG;1249591]The mysql_real_escape_string function is dependent on SQL, therefore a connection to your SQL server is needed. It's not the string that is throwing the error, it's your connection to the database. Make sure a connection is established before invoking the function.[/QUOTE]

But I include the document that gives the connection. Before I mess with those mysql_real_escape_string functions, my connection is fine and I am able to log in... but I am also able to log in with the password x=x... so I'm trying to fix that, but... that shouldn't make my connection fail.
How do I establish that connection, then, if it is already working?

Yeah, that's what I was doing, but whenever I do this, this error pops up:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'asterock'@'localhost' (using password: NO) in /home2/asterock/public_html/login.php on line 7

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home2/asterock/public_html/login.php on line 7

And this is line 7:
$fusername = mysql_real_escape_string($_POST['fusername']);

This is how the whole first case looks now:
[CODE]<?php
session_start();
switch (@$_POST['Button'])
{
case "Log in";
include("haha.php");
$fusername = mysql_real_escape_string($_POST['fusername']);
$cxn = mysqli_connect($host,$user,$password,$database) or die("Query died: connect");
$sql = "SELECT username FROM Member WHERE username='$fusername'";
$result = mysqli_query($cxn,$sql) or die("Query died: fusername");
$num = mysqli_num_rows($result);
if($num > 0)
//username was found
{
$fpassword = mysql_real_escape_string($_POST['fpassword']);
$sql = "SELECT username FROM Member WHERE username='$fusername' AND password=md5('$fpassword')";
$result2 = mysqli_query($cxn,$sql) or die("Query died: fpassword");
$num2 = mysqli_num_rows($result2);
if($num > 0) //password matches
{
$_SESSION['auth']="yes";
$_SESSION['username'] = $_POST['fusername'];
$sql = "INSERT INTO Login (username,loginTime) VALUES ('$_SESSION[username]',NOW())";
$result = mysqli_query($cxn,$sql) or die("Query died: insert");
header("Location: testing.php");
}
else
{
$message_1="The username, '$_POST[fusername]' exists. However you have not entered the correct password! Please try again.";
$fusername=strip_tags(trim($_POST['fusername']));
include("login_form.php");
}
}
else // username was not found
{
$message_1 = "The username you entered does not exist! Please try again.";
include("login_form.php");
}
break;[/CODE]

Tenaciousmug Junior Poster in Training

I am having huge trouble with this mysql_real_escape_string to prevent SQL injection. I have tried everywhere possible to input it in my code. My code looks a lot different than most people's. I mean my login/registration system works PERFECT... besides that it's not protected from SQL injection yet, which is why I'm trying to secure it.

[CODE=PHP]$cxn = mysqli_connect($host,$user,$password,$database) or die("Query died: connect");
$sql = "SELECT username FROM Member WHERE username='$_POST[fusername]'";
$result = mysqli_query($cxn,$sql) or die("Query died: fusername");
$num = mysqli_num_rows($result);[/CODE]

Okay, now I know you input it in username=... after that. But I tried everything with the stupid quotation and single marks and I just can't seem to get it right. I hope some genius can come along and help me. xD

Also, how do you prevent SQL injection from the URL? How can they delete your whole Member database by putting something in the URL after .php?id= something? How do you prevent that?

Thanks for all this information. After this, I will be completely satisfied and can start moving on further with my site. Thank you!
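As an added example (not code from this thread or its posters), this is the "Log in" case and the ?id= lookup written with mysqli prepared statements, which answers the escaping question here and also the any-password problem from the later login.php posts, where the row count of the username-only query ($num) was checked instead of the one from the password query ($num2). It assumes haha.php defines $host, $user, $password and $database as in the thread, that Member.password holds a password_hash() hash rather than md5(), and that Member has an integer id column (assumed) for the ?id= case; PHP 7+ with mysqli.

```php
<?php
// Added example, not code from the thread. Assumes: haha.php defines $host,
// $user, $password, $database; Member.password stores a password_hash()
// hash instead of md5(); Member has an integer id column (assumed).
declare(strict_types=1);

function check_login(mysqli $cxn, string $username, string $plaintext): bool
{
    // The username is a bound parameter, never part of the SQL text, so a
    // value such as x' OR 'x'='x is compared literally as a username.
    $stmt = $cxn->prepare('SELECT password FROM Member WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    // One decision made by the hash check, not by counting rows; checking
    // the wrong row count ($num instead of $num2) is what accepted any password.
    return $found && password_verify($plaintext, $hash);
}

function record_login(mysqli $cxn, string $username): void
{
    $stmt = $cxn->prepare('INSERT INTO Login (username, loginTime) VALUES (?, NOW())');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->close();
}

// The ?id= case: an integer parameter cannot carry a second statement or a
// tautology, whatever the query string contains.
function member_by_id(mysqli $cxn, int $id): ?array
{
    $stmt = $cxn->prepare('SELECT username, rp FROM Member WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($username, $rp);
    $row = $stmt->fetch() ? ['username' => $username, 'rp' => $rp] : null;
    $stmt->close();
    return $row;
}

session_start();
include 'haha.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
$cxn = mysqli_connect($host, $user, $password, $database);

if (($_POST['Button'] ?? '') === 'Log in') {
    $fusername = trim((string) ($_POST['fusername'] ?? ''));
    $fpassword = (string) ($_POST['fpassword'] ?? '');
    if (check_login($cxn, $fusername, $fpassword)) {
        session_regenerate_id(true);   // fresh session id once authenticated
        $_SESSION['auth'] = 'yes';
        $_SESSION['username'] = $fusername;
        record_login($cxn, $fusername);
        header('Location: testing.php');
        exit;
    }
    // Same message whether the username or the password was wrong.
    $message_1 = 'Incorrect username or password. Please try again.';
    include 'login_form.php';
}
```

For the id lookup, read the parameter with filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT) and call member_by_id() only when it returns an integer.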