
#1 ycpc55

adding mysql_fetch_array to code

Posted 30 July 2012 - 06:46 AM

Hi everyone,
I have been updating my site, trying to make it a little more secure, and am having a problem adding my new code. Does anyone have any tips or info on how to do this? I already have the code done but am having a hard time adding it in the right place. Also, I see that my login script already has mysql_fetch_array — should I add the code under that, like I have below? Sorry guys, I'm lost, lol; I have no clue on this one. Thank you.

My login code:
session_start();   // resume/create the session before anything is written to the response
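/**
 * Redirect the browser to $location and stop the script.
 *
 * header() returns nothing, so the value the original stored and returned
 * was always null. More importantly, a redirect without a following exit
 * lets the rest of the page keep executing (and emitting output) after the
 * Location header has been sent; terminating here closes that gap.
 *
 * @param string $location  target path; the call site passes a literal
 *                          ("users.php"). Keep it that way — passing request
 *                          data here would make it an open redirect.
 * @return void  never returns; the script exits after sending the header
 */
function returnheader($location){
    header("location: $location");
    exit;
}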
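include_once("dbc.php");   // presumably provides the DB link and the $required_fields / $incorrectLogin messages
$errors = array();
if(isset($_POST["iebugaround"])){
    // The username is entity-encoded before the lookup; the stored value must
    // have been encoded the same way at registration for the match to work —
    // cannot be confirmed from this listing.
    $uname = trim(htmlentities($_POST['username']));
    $passw = trim(htmlentities($_POST['password']));
    // The original first copied $_POST['lastlogin'] into $datetime and then
    // immediately overwrote it; the dead read of request data is dropped.
    // This packing is day-major (d, m, Y, G, i), so it does not order
    // chronologically across a month boundary and "$datetime - 5" is only
    // "five minutes ago" within the same hour. time() would be the robust
    // choice; kept because the throttling code later in this thread expects it.
    $datetime = date("d")*10000000000 + date("m")*100000000 + date("Y")*10000 + date("G")*100 + date("i");
    if(empty($uname) || empty($passw)){
        $errors[] = "$required_fields";
    }
    if(!$errors){
        // The raw submitted password is hashed (not the entity-encoded $passw),
        // since the stored hashes were produced from the raw value.
        // NOTE(review): an unsalted sha512 compared inside the WHERE clause is
        // weak; a per-user salt or a dedicated password-hashing function is the
        // upgrade path, but it needs a schema/migration change, so it is only
        // flagged here.
        $passencrypt = hash('sha512', $_POST['password']);
        $query = "SELECT * FROM memberlist WHERE username='".mysql_real_escape_string($uname)."' AND password='".mysql_real_escape_string($passencrypt)."'";
        $result = mysql_query($query);
        if($result === false){
            // Log the driver error server-side instead of echoing it to the
            // visitor; the original's die(mysql_error()) disclosed the failing
            // SQL/driver message in the response.
            error_log("login query failed: " . mysql_error());
            die("Login is temporarily unavailable.");
        }
        $result_num = mysql_num_rows($result);
        if($result_num > 0){
            // The first matching row wins; the original looped over every row
            // but redirected (without exiting) on the first one anyway.
            $row = mysql_fetch_array($result);
            $_SESSION["SESS_USERID"] = stripslashes($row["id"]);
            $_SESSION["SESS_USERFIRSTNAME"] = stripslashes($row["firstname"]);
            $_SESSION["SESS_USERNAME"] = stripslashes($row["username"]);
            // One cookie with a 12-hour lifetime. The original called setcookie
            // twice for the same name; the second call superseded the first.
            setcookie("userloggedin", $_SESSION["SESS_USERNAME"], time()+43200);
            returnheader("users.php");
            exit;   // never keep rendering after a redirect, whatever returnheader does
        } else {
            $errors[] = "$incorrectLogin";
        }
    }
} else {
    $uname = "";
}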

Code i'm trying to add to my login code:
// NOTE(review): this snippet does not parse as written — the `}else{` that
// follows the "$underAttackPleaseWait" branch comes after an else that has
// already been closed, which is the "unexpected T_ELSE" reported later in
// the thread. The intended nesting cannot be recovered from the snippet
// alone, so only the problems are marked here.
//
// mysql_fetch_array() returns ONE row as an array, so this foreach walks
// that row's columns (each $row is a single column value, and $row["actnum"]
// is meaningless); the login script above reads rows with
// while ($row = mysql_fetch_array($result)) { ... }.
//
// $datetime is the day-major packed value from the login script, so
// ($datetime - 5) and ($datetime - 30) only mean "minutes ago" inside the
// same hour and month. A time() timestamp would make these comparisons sound.
//
// {$uname} is interpolated into every UPDATE below unescaped, whereas the
// SELECT in the login script wraps it in mysql_real_escape_string(); the same
// escaping (or the prepared statements suggested in reply #2) belongs here.
// $conn is assumed to come from dbc.php; the login script's own mysql_query()
// call passes no link at all.
foreach(mysql_fetch_array($result) as $row){
        if ($row["actnum"] == "0" || $row["numloginfail"] <= 5){
            $sql = "UPDATE memberlist Set lastlogin = '{$datetime}', numloginfail = '5' WHERE username = '{$uname}'";
            mysql_query($sql, $conn) OR die(mysql_error());
        }
        if ($row["lastloginfail"] >= ($datetime-5)){
            $sql = "UPDATE memberlist Set numloginfail = numloginfail + 1, lastloginfail = '{$datetime}' WHERE username = '{$uname}'";
            mysql_query($sql, $conn) OR die(mysql_error());
            }else{
            $sql = "UPDATE memberlist Set lastloginfail = '{$datetime}' WHERE username = '{$uname}'";
            mysql_query($sql, $conn) OR die(mysql_error());
        }
        if ($row["lastloginfail"] <= ($datetime-30)){
            $sql = "UPDATE memberlist Set numloginfail = '0' WHERE username = '{$uname}'";
            mysql_query($sql, $conn) OR die(mysql_error());
            $errors[] = "$underAttackReLogin, $uname";
            }else{
            $errors[] = "$underAttackPleaseWait";
            }else{   // <-- second else on the same if: parse error
            $errors[] = "$accountNotActivated";
        }
    }

login code and Code i'm trying to add:
session_start();   // resume/create the session before anything is written to the response
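/**
 * Redirect the browser to $location and stop the script.
 *
 * header() returns nothing, so the value the original stored and returned
 * was always null. More importantly, a redirect without a following exit
 * lets the rest of the page keep executing (and emitting output) after the
 * Location header has been sent; terminating here closes that gap.
 *
 * @param string $location  target path; the call site passes a literal
 *                          ("users.php"). Keep it that way — passing request
 *                          data here would make it an open redirect.
 * @return void  never returns; the script exits after sending the header
 */
function returnheader($location){
    header("location: $location");
    exit;
}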
include_once("dbc.php");   // presumably provides the DB link ($conn) and the message variables
$errors = array();
if(isset($_POST["iebugaround"])){
    $uname = trim(htmlentities($_POST['username']));
    $passw = trim(htmlentities($_POST['password']));
    // Dead assignment: overwritten on the next line, so the POST value is never used.
    $datetime = trim(htmlentities($_POST['lastlogin']));
    // Day-major packing (d, m, Y, G, i): not chronological across a month
    // boundary, and "- 5" below only means five minutes inside the same hour.
    $datetime = date("d")*10000000000 + date("m")*100000000 + date("Y")*10000 + date("G")*100 + date("i");
    if(empty($uname) || empty($passw)){
        $errors[] = "$required_fields";
    }
    if(!$errors){
        // Hashes the raw password, not the entity-encoded $passw.
        $passencrypt = hash('sha512', $_POST['password']);
        $query = "SELECT * FROM memberlist WHERE username='".mysql_real_escape_string($uname)."' AND password='".mysql_real_escape_string($passencrypt)."'";
        $result = mysql_query($query) OR die(mysql_error());
        $result_num = mysql_num_rows($result);
        
        ////////////////////////New code
        // NOTE(review): nothing has been fetched from $result yet — $row is
        // first assigned in the while loop further down — so every $row[...]
        // read in this inserted section is an undefined variable and no
        // branch here can behave as intended. The section also interpolates
        // {$uname} into its UPDATEs unescaped, unlike the SELECT above.
        if ($row["actnum"] == "0" || $row["numloginfail"] <= 5){
        $sql = "UPDATE memberlist Set lastlogin = '{$datetime}', numloginfail = '5' WHERE username = '{$uname}'";
        mysql_query($sql, $conn) OR die(mysql_error());
    }
    if ($row["lastloginfail"] >= ($datetime-5)){
        $sql = "UPDATE memberlist Set numloginfail = numloginfail + 1, lastloginfail = '{$datetime}' WHERE username = '{$uname}'";
        mysql_query($sql, $conn) OR die(mysql_error());
        }else{
        $sql = "UPDATE memberlist Set lastloginfail = '{$datetime}' WHERE username = '{$uname}'";
        mysql_query($sql, $conn) OR die(mysql_error());
    }
    if ($row["lastloginfail"] <= ($datetime-30)){
        $sql = "UPDATE memberlist Set numloginfail = '0' WHERE username = '{$uname}'";
        mysql_query($sql, $conn) OR die(mysql_error());
        $errors[] = "$underAttackReLogin, $uname";
        }else{
        $errors[] = "$underAttackPleaseWait";
        }else{   // <-- second else on the same if: the "unexpected T_ELSE" parse error
        $errors[] = "$accountNotActivated";
    }

        /////////////////////////////////////////////////////////
        
        
        if($result_num > 0){
            while($row = mysql_fetch_array($result)){
                $idsess = stripslashes($row["id"]);
                $firstnamesess = stripslashes($row["firstname"]);
                $username = stripslashes($row["username"]);
                $_SESSION["SESS_USERID"] = $idsess;
                $_SESSION["SESS_USERFIRSTNAME"] = $firstnamesess;
                $_SESSION["SESS_USERNAME"] = $username;
                setcookie("userloggedin", $username);   // superseded by the call below
                setcookie("userloggedin", $username, time()+43200);
                returnheader("users.php");   // no exit: the loop and the rest of the page keep running
            }
            } else {
            $errors[] = "$incorrectLogin";
        }
    }
    } else {
    $uname = "";
}



Replies To: adding mysql_fetch_array to code

#2 Slice

Re: adding mysql_fetch_array to code

Posted 30 July 2012 - 06:59 AM

ycpc55, on 30 July 2012 - 02:46 PM, said:

Hi everyone,
I have been updating my site, trying to make it a little more secure, and am having a problem adding my new code.


Well, if you want to make your site more secure you should look at using prepared statements (PDO, MySQLi) instead of the outdated and deprecated mysql_ functions. They will protect your site from most SQL injection attacks*.

*Assumes you use prepared statements correctly. Raw user data NEVER goes in a query.

As for your code, are you getting a specific error message?

#3 ycpc55

Re: adding mysql_fetch_array to code

Posted 30 July 2012 - 07:18 AM

Hi,
Thanks for the reply. The error I'm getting is `Parse error: syntax error, unexpected T_ELSE` on line 40 of the "login code and Code i'm trying to add" script. As for PDO, I was thinking of going that way, but have no idea where to start. Do you know of any good sites that teach the right way to use PDO? Thanks.

#4 Slice

Re: adding mysql_fetch_array to code

Posted 30 July 2012 - 07:37 AM

We have an awesome tutorial on here by Dormilich: An introduction to PDO, which covers the basics and getting started.

You have an operator in there that I'm assuming is meant to be a less-than sign (it is the HTML entity instead).

&lt; should be <.

You are also missing a closing bracket on line 40.

	if ($row["lastloginfail"] <= ($datetime-30)){
		$sql = "UPDATE memberlist Set numloginfail = '0' WHERE username = '{$uname}'";
		mysql_query($sql, $conn) OR die(mysql_error());
		$errors[] = "$underAttackReLogin, $uname";
	}else{
		$errors[] = "$underAttackPleaseWait";
	}
}else{
	$errors[] = "$accountNotActivated";
}


