[SOLVED] How do I get this database to return a valid id#?

Get help using Construct 2

Post » Tue Apr 21, 2015 9:53 pm

I was following a tutorial on this site on how to make a login using AJAX, PHP and MySQL.
I got stuck, however (obviously).
My question is near the end of this post in bold text.
Thanks for reading..

1
I have made a database named 'barnoldswickinbloom'..
Made a table in there called 'members'..
In the table are 4 columns: id (int) , username (varchar), email (varchar) and password (varchar).

2
Now obviously I am not going to paste the password although there is nothing on there anyway but here is the php script..

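<?php
// Allow cross-origin requests from any site.
header('Access-Control-Allow-Origin: *');

// Credentials arrive as query-string parameters.
$username = $_GET['fname'];
$password = $_GET['fpass'];

$con = mysqli_connect('theipadress', 'theusername', 'thepassword', 'barnoldswickinbloom');
// Check connection
if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
    exit; // stop here: the query below cannot run without a connection
}

// The request values are placed directly into the SQL string.
$qz = "SELECT id FROM members WHERE username='$username' AND password='$password'";
$qz = str_replace("\'", "", $qz);
$result = mysqli_query($con, $qz);

// Echo the id of every matching row; nothing is printed when no row matches.
while ($row = mysqli_fetch_array($result))
{
    echo $row['id'];
}
mysqli_close($con);
?>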

3
And here is a screenshot of the eventsheet:
[Image: screenshot of the event sheet]


Now my QUESTION!!!!
I would expect at least to see a return value in my Text field. The Text field does change from the initial "..." to blank, so the AJAX is getting to completion.
But nothing at all. It does not give me any error, which I have had before due to using localhost instead of an IP address in the PHP script. I had a NaN and a Can't connect to server error before, but those are both fixed. Now I simply get nothing.


If you want to see how it currently works and that the text field does indeed change in its current state, here it is online: http://barnoldswickinbloom.co.uk/
As username use: Guest
As password use: 1234
Even if it fails from what I understand it should return a 0 instead of a positive number.

Here is a link to both the capx and the PHP script. I did of course change the login information in the PHP script.
https://dl.dropboxusercontent.com/u/175 ... truct.capx
https://dl.dropboxusercontent.com/u/1750576/login.php
Last edited by UberDark on Wed Apr 22, 2015 1:51 pm, edited 1 time in total.

Post » Wed Apr 22, 2015 12:10 pm

Get ready to kick yourself. You have the username and password mixed up - you're sending the username as the password and vice versa.

Post » Wed Apr 22, 2015 1:52 pm

Oh Dear..
Thank you so much Ramones. I thought it would be in the php or mysql cause those were new to me. That is just so silly I cannot believe it. Really appreciate it!

Post » Wed Apr 22, 2015 3:53 pm

@UberDark

It is very easy to hack by SQL injection if you don't use mysql_real_escape_string.

Look at this page for more information, and use the POST method: http://php.net/manual/en/function.mysql-real-escape-string.php

Let me know if you have any questions :D

Post » Wed Apr 22, 2015 4:24 pm

I think that should be mysqli_real_escape_string instead? The link you placed says that one is deprecated.
I was actually aware of the risks but first wanted to learn how to do that bit since this was my first database effort. Funny how I got stuck on something I have done many times before. The construct2 bit. Thanks for the heads up though and I will make sure to ask if I can't figure it out :)

Oh a question right away!!
It says the character set has to be set server-side.
I am assuming that setting it in the MySQL database would work then? Doesn't Construct 2 set it as well and wouldn't that make it unsafe?

And is this what you mean?
$qz = "SELECT id FROM members WHERE username='$username' AND password='$password'", mysql_real_escape_string($username), mysql_real_escape_string($password);

Or should I do this at the very beginning of the script?
$username = $_GET['fname'], mysql_real_escape_string($username);
$password = $_GET['fpass'], mysql_real_escape_string($password);

Post » Wed Apr 22, 2015 10:26 pm

UberDark wrote: It says the character set has to be set server-side.
I am assuming that setting it in the MySQL database would work then? Doesn't Construct 2 set it as well and wouldn't that make it unsafe?


I don't have my old project right now (I have it on another computer). If I remember, you have to set:

$username = mysql_real_escape_string($_POST['username']);

And when you call the query, it should be the same (if I remember well). You can try this method anyway, and see if there are any errors in your FTP folder.

Another thing: you should use the POST method...

The GET method can be shown very easily from the browser (you can see what data you are sending); with the POST method, you can't see that data... So, as an easy example, if you are making a game and you want to send 100 gold to an account, the user can see the variable where you are sending the gold, like: mywebsite.com/file.php?user=myname&gold=100, and if someone wants to hack the game, it is very easy to do...

And with the GET method you have a limit of 2083 characters to send... So, if you want to send an array, it can be a problem; with POST, you don't have any limit...

A perfect example is this: http://www.w3schools.com/php/func_mysqli_real_escape_string.asp

Try to edit this example and see if it works.

A lot of websites have these problems... SQL injection is very easy to do.
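
The fix discussed in this thread, written out as an added example (not code from any of the posters): the same login.php using a mysqli prepared statement, so the request values never become part of the SQL text, with the connection character set fixed server-side and the credentials read from POST. Assumptions: the function name login_member_id is hypothetical, the connection values are the placeholders from the original post, and the password column is assumed to hold password_hash() output rather than the plain text the original query compares.

```php
<?php
// Added example. Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Returns the member id on a successful login, or 0 otherwise.
function login_member_id(mysqli $con, string $username, string $password): int
{
    // The ? placeholder is bound as data; quotes in $username cannot
    // change the structure of the statement.
    $stmt = $con->prepare('SELECT id, password FROM members WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();          // true when a row was read, null when none
    $stmt->close();

    // Assumption: members.password stores password_hash() output.
    if ($found === true && is_string($hash) && password_verify($password, $hash)) {
        return (int) $id;
    }
    return 0;
}

// Credentials belong in the request body, not in the URL.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// Same parameter names as the original script; reject arrays such as fname[]=x.
$username = $_POST['fname'] ?? '';
$password = $_POST['fpass'] ?? '';
if (!is_string($username) || !is_string($password)) {
    http_response_code(400);
    exit;
}

try {
    // Placeholder connection values, as in the original post.
    $con = new mysqli('theipadress', 'theusername', 'thepassword', 'barnoldswickinbloom');
    $con->set_charset('utf8mb4');     // character set chosen by the server-side script
    echo login_member_id($con, $username, $password);
    $con->close();
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());      // details go to the server log, not the client
    http_response_code(500);
    echo 0;
}
```

The client has to send fname and fpass in a POST body for this script to answer; a failed login prints 0, matching what the original poster expected to receive.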

