[SOLVED] How do I get this database to return a valid id#?

  • I was following a tutorial on this site on how to make a login using ajax, php and MySQL.

    I got stuck however (obviously)

    My question is near the end of this post in bold text

    Thanks for reading..

    1

    I have made a database named 'barnoldswickinbloom'..

    Made a table in there called 'members'..

    In the table are 4 columns: id (int) , username (varchar), email (varchar) and password (varchar).

    2

    Now obviously I am not going to paste the password although there is nothing on there anyway but here is the php script..

    <?php
    header('Access-Control-Allow-Origin: *');

    $username = $_GET['fname'];
    $password = $_GET['fpass'];

    $con = mysqli_connect('theipadress','theusername','thepassword','barnoldswickinbloom');

    // Check connection
    if (mysqli_connect_errno())
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }

    $qz = "SELECT id FROM members WHERE username='$username' AND password='$password'";
    $qz = str_replace("\'","",$qz);

    $result = mysqli_query($con,$qz);

    while($row = mysqli_fetch_array($result))
    {
        echo $row['id'];
    }

    mysqli_close($con);
    ?>

    3

    And here is a screenshot of the eventsheet:

    Now my QUESTION!!!!

    I would expect at least to see a return value in my Text field. The Textfield does change from the initial "..." to blank so the AJAX is getting to completion.

    But nothing at all. It does not give me any error, which I have had before due to using localhost instead of an IP address in the php script. I had a NaN and a Can't connect to server error before, but those are both fixed. Now I simply get nothing.

    If you want to see how it currently works and that the text field does indeed change in its current state, here it is online: http://barnoldswickinbloom.co.uk/

    As username use: Guest

    As password use: 1234

    Even if it fails from what I understand it should return a 0 instead of a positive number.

    Here is a link to both the capx and the php script. I did of course change the login information in the php script.

    https://dl.dropboxusercontent.com/u/175 ... truct.capx

    https://dl.dropboxusercontent.com/u/1750576/login.php

  • Get ready to kick yourself. You have the username and password mixed up - you're sending the username as the password and vice versa.

  • Oh Dear..

    Thank you so much Ramones. I thought it would be in the php or mysql cause those were new to me. That is just so silly I cannot believe it. Really appreciate it!

  • UberDark

    It is very easy to hack by SQL injection if you don't use mysql_real_escape_string.

    Look at this page for more information, and use the POST method: http://php.net/manual/en/function.mysql-real-escape-string.php

    Let me know if you have any questions.

  • I think that should be mysqli_real_escape_string instead? The link you placed says that one is deprecated.

    I was actually aware of the risks but first wanted to learn how to do that bit, since this was my first database effort. Funny how I got stuck on something I have done many times before: the construct2 bit. Thanks for the heads up though, and I will make sure to ask if I can't figure it out.

    Oh a question right away!!

    It says the character set has to be set serverside.

    I am assuming that setting it in the mysql database would work then? Doesn't construct2 set it as well and wouldn't that make it unsafe?

    And is this what you mean?

    $qz = "SELECT id FROM members WHERE username='$username' AND password='$password'", mysql_real_escape_string($username), mysql_real_escape_string($password);

    Or should I do this at the very beginning of the script?

    $username = $_GET['fname'], mysql_real_escape_string($username);

    $password = $_GET['fpass'], mysql_real_escape_string($password);

  • It says the character set has to be set serverside.

    I am assuming that setting it in the mysql database would work then? Doesn't construct2 set it as well and wouldn't that make it unsafe?

    I don't have my old project right now (I have it on another computer). If I remember, you have to set:

    $username = mysql_real_escape_string($_POST['username']);

    And when you call the query, it should be the same (if I remember well). You can try this method anyway, and see if there are any errors in your FTP folder.

    Another thing, you should use the POST method...

    The GET method can be seen very easily from the browser (you can see what data you are sending); with the POST method, you can't see that data... So, just an easy example: if you are making a game and you want to send 100 gold to an account, the user can see the variable where you are sending the gold, like: mywebsite.com/file.php?user=myname&gold=100, and if someone wants to hack the game, it is very easy to do...

    And with the GET method you have a limit of 2083 characters to send... so if you want to send an array it can be a problem; with POST, you don't have any limit...

    A perfect example is this: http://www.w3schools.com/php/func_mysqli_real_escape_string.asp

    Try to edit this example and see if it works.

    A lot of websites have these problems... SQL injection is very easy to do.
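
An added example, not code from any poster in this thread: the login.php from the first post rewritten to read the POST fields, set the connection character set with mysqli_set_charset (the documented way to do it from the API, alongside the server-level setting asked about above), and use a prepared statement in place of the escaping discussed above. The function name find_member_id, the utf8mb4 charset and the assumption that the password column holds password_hash() output are not from the thread.

```php
<?php
// Added example, not the original poster's script.
header('Access-Control-Allow-Origin: *');   // kept from the script in the thread
header('Content-Type: text/plain; charset=utf-8');

// Hypothetical helper: returns the member's id, or 0 when the login fails.
function find_member_id(mysqli $con, string $username, string $password): int
{
    // The ? placeholder keeps user input out of the SQL text entirely,
    // so no manual escaping is needed.
    $stmt = mysqli_prepare($con, 'SELECT id, password FROM members WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $id, $hash);
    $found = mysqli_stmt_fetch($stmt);      // true = row, null = no row
    mysqli_stmt_close($stmt);

    // Assumption: the password column stores password_hash() output.
    if ($found === true && password_verify($password, (string) $hash)) {
        return (int) $id;
    }
    return 0;
}

// Read from the POST body; anything that is not a plain string becomes ''.
$username = is_string($_POST['fname'] ?? null) ? $_POST['fname'] : '';
$password = is_string($_POST['fpass'] ?? null) ? $_POST['fpass'] : '';

// Make mysqli throw exceptions so a failure is never silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    // Placeholder credentials, as in the thread.
    $con = mysqli_connect('theipadress', 'theusername', 'thepassword', 'barnoldswickinbloom');
    // Set the charset on the connection itself, not only in the database.
    mysqli_set_charset($con, 'utf8mb4');
    echo find_member_id($con, $username, $password);
    mysqli_close($con);
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; the client only ever sees 0.
    error_log('login.php: ' . $e->getMessage());
    echo 0;
}
```

The Construct 2 AJAX action would need to send fname and fpass as POST data instead of in the URL for this version to receive them.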
