Problem with user profiles

21 Replies - 343 Views - Last Post: 10 July 2013 - 10:04 AM

#1 mathiaskruse

Posted 10 July 2013 - 08:21 AM

Hello everyone.

I'm working on a game, and I have some problems with the user profiles.

$query = "SELECT * FROM users WHERE name='".mysql_real_escape_string($_POST['$name'])."'";


That's the line I'm using to get my user information, but the problem is that it doesn't work.

I tried using:

$query = "SELECT * FROM users WHERE id='".mysql_real_escape_string($_SESSION['user_id'])."'";


But obviously this only showed me for the user currently logged on (the user himself)...


Anyhow, I have some different tables in MySQL, one being name.

Thanks in advance


Replies To: Problem with user profiles

#2 modi123_1

Posted 10 July 2013 - 08:29 AM

Quote

That's the line I'm using to get my user information, but the problem is that it doesn't work.

Step number 1 - tell us _how_ it doesn't work. Is it giving you an error? If so what is the error text? Is it not working as expected? If so what is it doing and what *SHOULD* it be doing?

Remember - we are not there with you so the more information you provide to us the more we can help you!

#3 mathiaskruse

Posted 10 July 2013 - 08:54 AM

Well yea ofc, sorry :P

Here are some details.

I'm trying to achieve so that we can see a user's profile by going to:

http://localhost/Vie...me=mathiaskruse

In this case my username is mathiaskruse.

I know how to make it show all users, the only problem is that I only want that page to show the user that they are searching for.

So in this case, I only want all information about mathiaskruse.

Name: mathiaskruse
Money: 2500
Health: 100
Points: 0
E-mail: mathiaskruse@cdnet.dk
Rank: 0
Exp: 0
Last Active: 2013-07-10 17:53:00



Possibly like that :)

Thanks in advance!

Oh and btw, if I try to use this line:

$query = "SELECT * FROM users WHERE name='".mysql_real_escape_string($_POST['$name'])."'";


It tells me:

Quote

Notice: Undefined index: name in C:\xampp\htdocs\view_profile.php on line 4


#4 modi123_1

Posted 10 July 2013 - 08:57 AM

$query = "SELECT * FROM users WHERE name='".mysql_real_escape_string($_POST['$name'])."'";

Does this line work if you hardcode your user id in it?

Side note - you should be using parameterized queries and not appending lines like this.. the biggest problem is if I could just modify a post variable - and there is no buffer or cleansing - I could inject SQL attacks to take over the DB, erase the DB, or modify the DB. All are bad, right?

#5 mathiaskruse

Posted 10 July 2013 - 09:10 AM

<?php
include_once 'connect.php';

$query = "SELECT * FROM users WHERE name='".mysql_real_escape_string($_POST['name'])."'";

$result = mysql_query($query);

$num=mysql_numrows($result);


$i=0;

while ($i < $num) {


$name = mysql_result($result,$i,"name");
$id = mysql_result($result,$i,"id");
$money = mysql_result($result,$i,"money");
$health = mysql_result($result,$i,"health");
$points = mysql_result($result,$i,"points");
$mail = mysql_result($result,$i,"mail");
$rank = mysql_result($result,$i,"rank");
$exp = mysql_result($result,$i,"exp");
$lastactive = mysql_result($result,$i,"lastactive");

$i++;


echo "<br>Name: " . $name . "<br>  Money: " . $money . "<br>  Health: " . $health . "<br> Points: " . $points . "<br> E-mail: " . $mail . "<br> Rank: " . $rank . "<br> Exp: " . $exp . "<br> Last Active: " . $lastactive . "";



}

echo "<br><br><a href='game.php'>Go Back</a><br>";


?>


That's my entire view_profile.php page..

#6 modi123_1

Posted 10 July 2013 - 09:12 AM

Okay dokey.. but, for the sake of humoring me, if you hard code a user name in that line 04 what is the result? Let's walk through some debugging here and see if we can shed light on the problem and explain what things are going on there.

#7 mathiaskruse

Posted 10 July 2013 - 09:12 AM

modi123_1, on 10 July 2013 - 08:57 AM, said:

$query = "SELECT * FROM users WHERE name='".mysql_real_escape_string($_POST['$name'])."'";

Does this line work if you hardcode your user id in it?

Side note - you should be using parameterized queries and not appending lines like this.. the biggest problem is if I could just modify a post variable - and there is no buffer or cleansing - I could inject SQL attacks to take over the DB, erase the DB, or modify the DB. All are bad, right?


Sorry if I sound stupid here, but I'm all new with this PHP and MySQL, just learning...

Ain't sure what u mean with hardcoding?
And I haven't got a clue about what you are saying about hacking my DB xD but sounds pretty bad :D

#8 modi123_1

Posted 10 July 2013 - 09:20 AM

Quote

Ain't sure what u mean with hardcoding?


04	$query = "SELECT * FROM users WHERE name='".mysql_real_escape_string($_POST['name'])."'";

Instead of using ".mysql_real_escape_string($_POST['name'])." just put your user name string in there. That makes it 'hardcoded' versus, say, dynamic which you would be trying to do with the ".mysql_real_escape_string($_POST['name']).".

Quote

And I haven't got a clue about what you are saying about hacking my DB xD but sounds pretty bad :D

It's called SQL injection and, yes, it is very bad. Go flip through the tutorials and look at how to use parameterized queries, parameters, etc. If you don't understand it just know it is bad enough that justifies you to *LEARN* how to use parameters.
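
The parameterized query recommended above, applied to the profile lookup from view_profile.php (an added example, not code from the thread). It assumes PDO with an in-memory SQLite database and constructed rows so it runs stand-alone; find_profile and render_profile are hypothetical names.

```php
<?php
// Added example, not code from the thread. Assumes PDO with the SQLite driver so
// it runs stand-alone; against the poster's MySQL database only the DSN changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows using a subset of the columns from view_profile.php.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, money INTEGER, health INTEGER)');
$db->exec("INSERT INTO users (name, money, health) VALUES ('mathiaskruse', 2500, 100), ('d''artagnan', 10, 90)");

/**
 * Look up one profile by name. The value is bound as a parameter, so it is
 * handled as a value and cannot change the structure of the query.
 */
function find_profile(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT name, money, health FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Render a profile row, HTML-escaping every value before it reaches the page. */
function render_profile(array $row): string
{
    $out = '';
    foreach ($row as $field => $value) {
        $out .= '<br>' . htmlspecialchars(ucfirst($field), ENT_QUOTES, 'UTF-8')
              . ': ' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return $out;
}

// Constructed inputs standing in for the request value: an ordinary name, a name
// containing a quote character, and a name that is not in the table.
foreach (['mathiaskruse', "d'artagnan", 'nobody'] as $input) {
    $profile = find_profile($db, $input);
    echo $profile === null ? "No such user\n" : render_profile($profile) . "\n";
}
```

The name with the quote character is found by the bound query as-is and printed with the quote HTML-escaped; the unknown name returns no row.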

#9 mathiaskruse

Posted 10 July 2013 - 09:23 AM

Ah I see, well yea. It works with:

$query = "SELECT * FROM users WHERE name='mathiaskruse'";


Output:

Name: mathiaskruse
Money: 2500
Health: 100
Points: 0
E-mail: mathiaskruse@cdnet.dk
Rank: 0
Exp: 0
Last Active: 2013-07-10 17:53:00


#10 modi123_1

Posted 10 July 2013 - 09:32 AM

Rad! So we totally know it's an issue with that line then.

If the error is saying "Notice: Undefined index:" ... and the only index you are using is "$_POST['$name']" then me thinks there is something wrong with '$name'. We know in PHP variables like to start with $name, but not so much POST variables. How about dropping the $ off the $name and see what happens.

#11 mathiaskruse

Posted 10 July 2013 - 09:34 AM

You know what :D ? I figured it out!

I had to use

$query = "SELECT * FROM users WHERE name='".mysql_real_escape_string($_GET['name'])."'";


with $_GET instead, lol. Obvious now that I see it :P thanks for helping me tho, +1!

But since I see that you're a mod, if I have a quadrillion more questions about some problems I currently have, can I ask them here, or do I have to make new topics every time? :)

Cuz I have like 3-4 problems atm.. xD

#12 modi123_1

Posted 10 July 2013 - 09:36 AM

Are they along the same vein or project? Might as well put 'em here.

#13 mathiaskruse

Posted 10 July 2013 - 09:41 AM

Well yea same project and kinda same things..

I have a register page, called register.php

Here is the PHP & HTML part of it:

<?php 
if (isset($_POST['Register'])) {


if(strlen($_POST['Username'])<3 || strlen($_POST['Username'])>32)
	{ // This check the characters of the username and it makes sure if it is longer that 3 letters.
		echo 'Your name must be between 3 and 32 characters!';
	
	}else{
	
	if(empty($_POST['Password'])){ // This checks the password field to see if it is empty
		echo 'You need to select a password!';
	}else{
	
	if(preg_match('/[^a-z0-9\-\_\.]+/i',$_POST['Username']))
	{// this checks the user for any symbols space etc .You can remove this is you choose
		echo 'Your name contains invalid characters!';
	}else{
	
	if(!checkEmail($_POST['Email']))
	{ // this is one of the functions we added on the function page. for this to work make sure the function is required on this page
		echo 'Your email is not valid!';
	}else{
	

if(empty($_POST['Agree'])){ // Check if the Checkbox is checked to agree with the terms of services
echo "You need to accept the Terms & conditions  in order to sign up.!";
}else{


// this check and makes sure that their are no duplication with the email
$sql = "SELECT id FROM users WHERE mail='".mysql_real_escape_string($_POST['Email'])."'";
$query = mysql_query($sql) or die(mysql_error());
$m_count = mysql_num_rows($query);
	  
if($m_count >= "1"){
echo 'This email has already been used.!';
}else{


// this makes sure that all the uses that sign up have their own names
$sql = "SELECT id FROM users WHERE name='".mysql_real_escape_string($_POST['Username'])."'";
$query = mysql_query($sql) or die(mysql_error());
$m_count = mysql_num_rows($query);
	  
if($m_count >= "1"){
echo 'This name has already been used.!';
}else{

$password = md5($_POST['Password']); // this is a md5 hash. its encrypt your password so it isn't easily hackable



// The id is blank because it is an auto_increment  which mean it will auto add a value to every user and the are all different. this is mainly so we dont have dupilcate. 
													
$sql = "INSERT INTO users SET id = '', name = '".$_POST['Username']."' , password= '$password', mail= '".$_POST["Email"]."'";
$res = mysql_query($sql);

$to = $_POST['Email'];
    $from = "no-reply@Game.co.uk";
    $subject = "Registration - Your Registration Details";

    $message = "<html>
   <body background=\"#4B4B4B\">
   <h1>Game Registration Details</h1>
   Dear ".$_POST['Username'].", <br>
    <center>
Your Username: ".$_POST['Username']."<p>

Your Password: ".$_POST['Password']."<p>

	  <p>
	  <font size=3> You recived this mail because someone used this mail to sign up to a game</font>
  </body>
</html>";
   
    $headers  = "From: Game Registration Details <no-reply@Game.co.uk>\r\n";
    $headers .= "Content-type: text/html\r\n";

	mail($to, $subject, $message, $headers);             

echo "".$_POST['Username'].", Welcome to the game.";
}}}
						}

					}
			}
	}
}

?>


<form method="post" >
  <center>
    <h1><strong>Register</strong></h1>
    <p>Username: 
      <input type="text" name="Username" id="Username">
    </p>
    <p>Password:
      <input type="password" name="Password" id="Password">
    </p>
    <p>E-mail:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
      <input type="text" name="Email" id="Email">
    </p>
    <p>
      <input type="checkbox" name="Agree" id="Agree">
      <br>
	<input type="submit" name="Register" id="Register" value="Register"/>
    </p> </br>
	<p><a href="Lost_pass.php">Forgot Password?</a></p>
	<p><a href="index.php">Already a member?</a></p>
  </center>
</form>



It was working 100% before, but suddenly it seems like it doesn't work at all.
When I press the "Register" button on my page after filling out everything, it doesn't react at all.
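
Bound parameters and password hashing applied to the INSERT in register.php, which concatenates the Username and Email values unescaped and stores an md5() of the password (an added example, not code from the thread). It assumes PDO with in-memory SQLite, UNIQUE constraints on name and mail, and filter_var in place of the poster's checkEmail, which the thread does not show; register_user is a hypothetical name.

```php
<?php
// Added example, not code from the thread. Assumes PDO with the SQLite driver
// so it runs stand-alone; table and column names follow register.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,
           name TEXT UNIQUE, password TEXT, mail TEXT UNIQUE)');

/** Returns an error message, or null when the account was created. */
function register_user(PDO $db, string $name, string $mail, string $password): ?string
{
    if (!preg_match('/^[a-z0-9\-_.]{3,32}$/i', $name)) {
        return 'Your name must be 3 to 32 characters of a-z, 0-9, "-", "_" or "."';
    }
    if (filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        return 'Your email is not valid!';
    }
    if ($password === '') {
        return 'You need to select a password!';
    }
    // Salted, deliberately slow hash selected by PHP, in place of md5().
    $hash = password_hash($password, PASSWORD_DEFAULT);
    try {
        // All three values are bound; none is concatenated into the SQL text.
        $stmt = $db->prepare('INSERT INTO users (name, password, mail) VALUES (?, ?, ?)');
        $stmt->execute([$name, $hash, $mail]);
    } catch (PDOException $e) {
        // The UNIQUE constraints reject duplicates atomically; SQLSTATE class 23
        // is an integrity constraint violation.
        if (strpos((string) $e->getCode(), '23') === 0) {
            return 'This name or email has already been used.';
        }
        throw $e;
    }
    return null;
}

// Constructed sample input: a new account, then a second attempt on the same name.
var_dump(register_user($db, 'mathiaskruse', 'player@example.test', 'correct horse'));
var_dump(register_user($db, 'mathiaskruse', 'other@example.test', 'x'));
$stored = $db->query("SELECT password FROM users WHERE name = 'mathiaskruse'")->fetchColumn();
var_dump(password_verify('correct horse', $stored));
```

At login, the submitted password is checked with password_verify against the stored hash, so the plaintext never needs to be stored or mailed.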

#14 modi123_1

Posted 10 July 2013 - 09:43 AM

As in the button push does nothing, or it transfers to this page and it is blank?

#15 mathiaskruse

Posted 10 July 2013 - 09:43 AM

Furthermore, the email function in that PHP never worked. Even when I made the account I use for testing (mathiaskruse), I didn't receive any emails. And I did change the SMTP settings in the php.ini file. (I'm using localhost & XAMPP)

modi123_1, on 10 July 2013 - 09:43 AM, said:

As in the button push does nothing, or it transfers to this page and it is blank?


As in does nothing :P