Hey I just made this issue...so solve it maybe? - SOLVED

[Thunderbob]

?? How do I post that on the forum?
Screenshot?
(final sql code)
I have 12 fields

id_user
name
email
phone_number
username
password
confirmcode
user_picture
user_about
user_location
user_gender
user_inbox

id_user is int with 11 , it is not null, set to auto increment and is primary key.
From my understanding it should be storing a number since each user on my page has an assigned ID
which you can see by manually changing the "uid=" numerical ending.

[Temor]

the same way you post all code.

[syntax=php]$result = mysql_query("SELECT `user_id` FROM `users` WHERE `username` = '{$user}' AND `password` = '{$pass}'");[/syntax]

does it look like that? If not, then what does it look like?

[Thunderbob]

I have this

[syntax=php]function validate_credentials($user, $pass){
$user = mysql_real_escape_string($user);
$pass = sha1($pass);

$result = mysql_query("SELECT `user_id` FROM `users` WHERE `username` = '{$user}' AND `password` = '{$pass}'");

if (mysql_num_rows($result) != 1){
return false;
}[/syntax]

[Temor]

You forgot the last return line. What you have now is : if the information is invalid -> Return false ( Validation failed ). If the information is correct -> Do nothing. You want to return the users ID.
That is this line:
[syntax=php] return mysql_result($result, 0);[/syntax]

The entire function should look like this:
[syntax=php]
function validate_credentials($user, $pass){
$user = mysql_real_escape_string($user);
$pass = sha1($pass);

$result = mysql_query("SELECT `user_id` FROM `users` WHERE `username` = '{$user}' AND `password` = '{$pass}'");

if (mysql_num_rows($result) != 1){
return false;
}

return mysql_result($result, 0);
}[/syntax]

[Thunderbob]

sorry but it didn't change anything.

(also this is the session problem I mentioned having in the other forum topic I posted)

I made a discovery which may or may not be useful to you.

When I am logged in my account where the user id = 1.... I get

this is what shows http://www.yourtechview.com/source/profile.php?uid=id

when I am logged into my other account where the user id = 14.... I get

http://www.yourtechview.com/source/profile.php?uid=id

It seems you were right that if anyone is logged in it will return just 1 or id. (I assumed this was only for my account
and I made another account which proved to be false)

Would it be easier to change the method from profile.php?uid=# to profile.php?uid=username ?

I think this would be much easier than having their user id at the end.

[Temor]

The principle still remains the same.
[syntax=php]$result = mysql_query("SELECT `user_id` FROM `users` WHERE `username` = '{$user}' AND `password` = '{$pass}'");[/syntax]
The only difference is that you select username instead of user_id. And because this clearly fails to return the ID, it won't return a username either.
[syntax=php]$result = mysql_query("SELECT `username` FROM `users` WHERE `username` = '{$user}' AND `password` = '{$pass}'");[/syntax]

And by the way, I see your id field is called id_user, not user_id. You might want to change that.

[Thunderbob]

no dice.
I just get id at the end =(

updated code
[syntax=php]<?PHP
/*
Registration/Login script from HTML Form Guide
V1.0

This program is free software published under the
terms of the GNU Lesser General Public License.
http://www.gnu.org/copyleft/lesser.html


This program is distributed in the hope that it will
be useful - WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.

For updates, please visit:
http://www.html-form-guide.com/php-form ... -form.html
http://www.html-form-guide.com/php-form ... -form.html

*/
require_once("class.phpmailer.php");
require_once("formvalidator.php");

class FGMembersite
{
var $admin_email;
var $from_address;

var $username;
var $pwd;
var $database;
var $tablename;
var $connection;
var $rand_key;

var $error_message;

//-----Initialization -------
function FGMembersite()
{
$this->sitename = 'YourWebsiteName.com';
$this->rand_key = '0iQx5oBk66oVZep';
}

function InitDB($host,$uname,$pwd,$database,$tablename)
{
$this->db_host = $host;
$this->username = $uname;
$this->pwd = $pwd;
$this->database = $database;
$this->tablename = $tablename;

}

function fetch_users(){
$result = mysql_query("SELECT `id_user` AS `id`, `username` AS `username` FROM `fgusers3` ");
$users = array();
while (($row = mysql_fetch_assoc($result)) !== false){
$users[] = $row;
}echo mysql_error();
return $users;
}
function fetch_user_info($uid){
$uid = (int)$uid;
$sql = "SELECT
`username` AS `username`,
`user_about` AS `about`,
`user_location` AS `location`,
`user_gender` AS `gender`
FROM `fgusers3`
WHERE `id_user`= '{$uid}'" ;
$result = mysql_query($sql);
return mysql_fetch_assoc($result);
}


function SetAdminEmail($email)
{
$this->admin_email = $email;
}

function SetWebsiteName($sitename)
{
$this->sitename = $sitename;
}

function SetRandomKey($key)
{
$this->rand_key = $key;
}

//-------Main Operations ----------------------
function RegisterUser()
{
if(!isset($_POST['submitted']))
{
return false;
}

$formvars = array();

if(!$this->ValidateRegistrationSubmission())
{
return false;
}

$this->CollectRegistrationSubmission($formvars);

if(!$this->SaveToDatabase($formvars))
{
return false;
}

if(!$this->SendUserConfirmationEmail($formvars))
{
return false;
}

$this->SendAdminIntimationEmail($formvars);

return true;
}

function ConfirmUser()
{
if(empty($_GET['code'])||strlen($_GET['code'])<=10)
{
$this->HandleError("Please provide the confirm code");
return false;
}
$user_rec = array();
if(!$this->UpdateDBRecForConfirmation($user_rec))
{
return false;
}

$this->SendUserWelcomeEmail($user_rec);

$this->SendAdminIntimationOnRegComplete($user_rec);

return true;
}

function validate_credentials($user, $pass){
$user = mysql_real_escape_string($user);
$pass = sha1($pass);

$result = mysql_query("SELECT `id_user` FROM `fgusers3` WHERE `username` = '{$user}' AND `password` = '{$pass}'");

if (mysql_num_rows($result) != 1){
return false;
}

return mysql_result($result, 0);
}

function Login($user, $pass){
$user = mysql_real_escape_string($user);
$pass = sha1($pass);

$result = mysql_query("SELECT `id_user` FROM `fgusers3` WHERE `username` = '{$user}' AND `password` = '{$pass}'");

if (mysql_num_rows($result) != 1){
return false;
}

return mysql_result($result, 0);
}

function UserID()
{
return isset($_SESSION['id_of_user'])?$_SESSION['id_of_user']:'';
}

function CheckLogin()
{
if (($uid = validate_credentials($_POST['user'], $_POST['pass']) !== false){
$_SESSION['uid'] = $uid;
header('Location: somewhere.php');
die();
}
}

function UserFullName()
{
return isset($_SESSION['name_of_user'])?$_SESSION['name_of_user']:'';
}


function UserEmail()
{
return isset($_SESSION['email_of_user'])?$_SESSION['email_of_user']:'';
}

function LogOut()
{
session_start();

$sessionvar = $this->GetLoginSessionVar();

$_SESSION[$sessionvar]=NULL;

unset($_SESSION[$sessionvar]);
}

function EmailResetPasswordLink()
{
if(empty($_POST['email']))
{
$this->HandleError("Email is empty!");
return false;
}
$user_rec = array();
if(false === $this->GetUserFromEmail($_POST['email'], $user_rec))
{
return false;
}
if(false === $this->SendResetPasswordLink($user_rec))
{
return false;
}
return true;
}

function ResetPassword()
{
if(empty($_GET['email']))
{
$this->HandleError("Email is empty!");
return false;
}
if(empty($_GET['code']))
{
$this->HandleError("reset code is empty!");
return false;
}
$email = trim($_GET['email']);
$code = trim($_GET['code']);

if($this->GetResetPasswordCode($email) != $code)
{
$this->HandleError("Bad reset code!");
return false;
}

$user_rec = array();
if(!$this->GetUserFromEmail($email,$user_rec))
{
return false;
}

$new_password = $this->ResetUserPasswordInDB($user_rec);
if(false === $new_password || empty($new_password))
{
$this->HandleError("Error updating new password");
return false;
}

if(false == $this->SendNewPassword($user_rec,$new_password))
{
$this->HandleError("Error sending new password");
return false;
}
return true;
}

function ChangePassword()
{
if(!$this->CheckLogin())
{
$this->HandleError("Not logged in!");
return false;
}

if(empty($_POST['oldpwd']))
{
$this->HandleError("Old password is empty!");
return false;
}
if(empty($_POST['newpwd']))
{
$this->HandleError("New password is empty!");
return false;
}

$user_rec = array();
if(!$this->GetUserFromEmail($this->UserEmail(),$user_rec))
{
return false;
}

$pwd = trim($_POST['oldpwd']);

if($user_rec['password'] != md5($pwd))
{
$this->HandleError("The old password does not match!");
return false;
}
$newpwd = trim($_POST['newpwd']);

if(!$this->ChangePasswordInDB($user_rec, $newpwd))
{
return false;
}
return true;
}

//-------Public Helper functions -------------
function GetSelfScript()
{
return htmlentities($_SERVER['PHP_SELF']);
}

function SafeDisplay($value_name)
{
if(empty($_POST[$value_name]))
{
return'';
}
return htmlentities($_POST[$value_name]);
}

function RedirectToURL($url)
{
header("Location: $url");
exit;
}

function GetSpamTrapInputName()
{
return 'sp'.md5('KHGdnbvsgst'.$this->rand_key);
}

function GetErrorMessage()
{
if(empty($this->error_message))
{
return '';
}
$errormsg = nl2br(htmlentities($this->error_message));
return $errormsg;
}
//-------Private Helper functions-----------

function HandleError($err)
{
$this->error_message .= $err."\r\n";
}

function HandleDBError($err)
{
$this->HandleError($err."\r\n mysqlerror:".mysql_error());
}

function GetFromAddress()
{
if(!empty($this->from_address))
{
return $this->from_address;
}

$host = $_SERVER['SERVER_NAME'];

$from ="nobody@$host";
return $from;
}

function GetLoginSessionVar()
{
$retvar = md5($this->rand_key);
$retvar = 'usr_'.substr($retvar,0,10);
return $retvar;
}

function CheckLoginInDB($username,$password)
{
if(!$this->DBLogin())
{
$this->HandleError("Database login failed!");
return false;
}
$username = $this->SanitizeForSQL($username);
$pwdmd5 = md5($password);
$qry = "Select name, email from $this->tablename where username='$username' and password='$pwdmd5' and confirmcode='y'";

$result = mysql_query($qry,$this->connection);

if(!$result || mysql_num_rows($result) <= 0)
{
$this->HandleError("Error logging in. The username or password does not match");
return false;
}

$row = mysql_fetch_assoc($result);

$_SESSION['id_of_user'] = $row['id_user'];
$_SESSION['name_of_user'] = $row['name'];
$_SESSION['email_of_user'] = $row['email'];


return true;
}

function UpdateDBRecForConfirmation(&$user_rec)
{
if(!$this->DBLogin())
{
$this->HandleError("Database login failed!");
return false;
}
$confirmcode = $this->SanitizeForSQL($_GET['code']);

$result = mysql_query("Select name, email from $this->tablename where confirmcode='$confirmcode'",$this->connection);
if(!$result || mysql_num_rows($result) <= 0)
{
$this->HandleError("Wrong confirm code.");
return false;
}
$row = mysql_fetch_assoc($result);
$user_rec['name'] = $row['name'];
$user_rec['email']= $row['email'];

$qry = "Update $this->tablename Set confirmcode='y' Where confirmcode='$confirmcode'";

if(!mysql_query( $qry ,$this->connection))
{
$this->HandleDBError("Error inserting data to the table\nquery:$qry");
return false;
}
return true;
}

function ResetUserPasswordInDB($user_rec)
{
$new_password = substr(md5(uniqid()),0,10);

if(false == $this->ChangePasswordInDB($user_rec,$new_password))
{
return false;
}
return $new_password;
}

function ChangePasswordInDB($user_rec, $newpwd)
{
$newpwd = $this->SanitizeForSQL($newpwd);

$qry = "Update $this->tablename Set password='".md5($newpwd)."' Where id_user=".$user_rec['id_user']."";

if(!mysql_query( $qry ,$this->connection))
{
$this->HandleDBError("Error updating the password \nquery:$qry");
return false;
}
return true;
}

function GetUserFromEmail($email,&$user_rec)
{
if(!$this->DBLogin())
{
$this->HandleError("Database login failed!");
return false;
}
$email = $this->SanitizeForSQL($email);

$result = mysql_query("Select * from $this->tablename where email='$email'",$this->connection);

if(!$result || mysql_num_rows($result) <= 0)
{
$this->HandleError("There is no user with email: $email");
return false;
}
$user_rec = mysql_fetch_assoc($result);


return true;
}

function SendUserWelcomeEmail(&$user_rec)
{
$mailer = new PHPMailer();

$mailer->CharSet = 'utf-8';

$mailer->AddAddress($user_rec['email'],$user_rec['name']);

$mailer->Subject = "Welcome to ".$this->sitename;

$mailer->From = $this->GetFromAddress();

$mailer->Body ="Hello ".$user_rec['name']."\r\n\r\n".
"Welcome! Your registration with ".$this->sitename." is completed.\r\n".
"\r\n".
"Regards,\r\n".
"Webmaster\r\n".
$this->sitename;

if(!$mailer->Send())
{
$this->HandleError("Failed sending user welcome email.");
return false;
}
return true;
}

function SendAdminIntimationOnRegComplete(&$user_rec)
{
if(empty($this->admin_email))
{
return false;
}
$mailer = new PHPMailer();

$mailer->CharSet = 'utf-8';

$mailer->AddAddress($this->admin_email);

$mailer->Subject = "Registration Completed: ".$user_rec['name'];

$mailer->From = $this->GetFromAddress();

$mailer->Body ="A new user registered at ".$this->sitename."\r\n".
"Name: ".$user_rec['name']."\r\n".
"Email address: ".$user_rec['email']."\r\n";

if(!$mailer->Send())
{
return false;
}
return true;
}

function GetResetPasswordCode($email)
{
return substr(md5($email.$this->sitename.$this->rand_key),0,10);
}

function SendResetPasswordLink($user_rec)
{
$email = $user_rec['email'];

$mailer = new PHPMailer();

$mailer->CharSet = 'utf-8';

$mailer->AddAddress($email,$user_rec['name']);

$mailer->Subject = "Your reset password request at ".$this->sitename;

$mailer->From = $this->GetFromAddress();

$link = $this->GetAbsoluteURLFolder().
'/resetpwd.php?email='.
urlencode($email).'&code='.
urlencode($this->GetResetPasswordCode($email));

$mailer->Body ="Hello ".$user_rec['name']."\r\n\r\n".
"There was a request to reset your password at ".$this->sitename."\r\n".
"Please click the link below to complete the request: \r\n".$link."\r\n".
"Regards,\r\n".
"Webmaster\r\n".
$this->sitename;

if(!$mailer->Send())
{
return false;
}
return true;
}

function SendNewPassword($user_rec, $new_password)
{
$email = $user_rec['email'];

$mailer = new PHPMailer();

$mailer->CharSet = 'utf-8';

$mailer->AddAddress($email,$user_rec['name']);

$mailer->Subject = "Your new password for ".$this->sitename;

$mailer->From = $this->GetFromAddress();

$mailer->Body ="Hello ".$user_rec['name']."\r\n\r\n".
"Your password is reset successfully. ".
"Here is your updated login:\r\n".
"username:".$user_rec['username']."\r\n".
"password:$new_password\r\n".
"\r\n".
"Login here: ".$this->GetAbsoluteURLFolder()."/login.php\r\n".
"\r\n".
"Regards,\r\n".
"Webmaster\r\n".
$this->sitename;

if(!$mailer->Send())
{
return false;
}
return true;
}

function ValidateRegistrationSubmission()
{
//This is a hidden input field. Humans won't fill this field.
if(!empty($_POST[$this->GetSpamTrapInputName()]) )
{
//The proper error is not given intentionally
$this->HandleError("Automated submission prevention: case 2 failed");
return false;
}

$validator = new FormValidator();
$validator->addValidation("name","req","Please fill in Name");
$validator->addValidation("email","email","The input for Email should be a valid email value");
$validator->addValidation("email","req","Please fill in Email");
$validator->addValidation("username","req","Please fill in UserName");
$validator->addValidation("password","req","Please fill in Password");


if(!$validator->ValidateForm())
{
$error='';
$error_hash = $validator->GetErrors();
foreach($error_hash as $inpname => $inp_err)
{
$error .= $inpname.':'.$inp_err."\n";
}
$this->HandleError($error);
return false;
}
return true;
}

function CollectRegistrationSubmission(&$formvars)
{
$formvars['name'] = $this->Sanitize($_POST['name']);
$formvars['email'] = $this->Sanitize($_POST['email']);
$formvars['username'] = $this->Sanitize($_POST['username']);
$formvars['password'] = $this->Sanitize($_POST['password']);
}

function SendUserConfirmationEmail(&$formvars)
{
$mailer = new PHPMailer();

$mailer->CharSet = 'utf-8';

$mailer->AddAddress($formvars['email'],$formvars['name']);

$mailer->Subject = "Your registration with ".$this->sitename;

$mailer->From = $this->GetFromAddress();

$confirmcode = $formvars['confirmcode'];

$confirm_url = $this->GetAbsoluteURLFolder().'/confirmreg.php?code='.$confirmcode;

$mailer->Body ="Hello ".$formvars['name']."\r\n\r\n".
"Thanks for your registration with ".$this->sitename."\r\n".
"Please click the link below to confirm your registration.\r\n".
"$confirm_url\r\n".
"\r\n".
"Regards,\r\n".
"Webmaster\r\n".
$this->sitename;

if(!$mailer->Send())
{
$this->HandleError("Failed sending registration confirmation email.");
return false;
}
return true;
}
function GetAbsoluteURLFolder()
{
$scriptFolder = (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on')) ? 'https://' : 'http://';
$scriptFolder .= $_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI']);
return $scriptFolder;
}

function SendAdminIntimationEmail(&$formvars)
{
if(empty($this->admin_email))
{
return false;
}
$mailer = new PHPMailer();

$mailer->CharSet = 'utf-8';

$mailer->AddAddress($this->admin_email);

$mailer->Subject = "New registration: ".$formvars['name'];

$mailer->From = $this->GetFromAddress();

$mailer->Body ="A new user registered at ".$this->sitename."\r\n".
"Name: ".$formvars['name']."\r\n".
"Email address: ".$formvars['email']."\r\n".
"UserName: ".$formvars['username'];

if(!$mailer->Send())
{
return false;
}
return true;
}

function SaveToDatabase(&$formvars)
{
if(!$this->DBLogin())
{
$this->HandleError("Database login failed!");
return false;
}
if(!$this->Ensuretable())
{
return false;
}
if(!$this->IsFieldUnique($formvars,'email'))
{
$this->HandleError("This email is already registered");
return false;
}

if(!$this->IsFieldUnique($formvars,'username'))
{
$this->HandleError("This UserName is already used. Please try another username");
return false;
}
if(!$this->InsertIntoDB($formvars))
{
$this->HandleError("Inserting to Database failed!");
return false;
}
return true;
}

function IsFieldUnique($formvars,$fieldname)
{
$field_val = $this->SanitizeForSQL($formvars[$fieldname]);
$qry = "select username from $this->tablename where $fieldname='".$field_val."'";
$result = mysql_query($qry,$this->connection);
if($result && mysql_num_rows($result) > 0)
{
return false;
}
return true;
}

function DBLogin()
{

$this->connection = mysql_connect($this->db_host,$this->username,$this->pwd);

if(!$this->connection)
{
$this->HandleDBError("Database Login failed! Please make sure that the DB login credentials provided are correct");
return false;
}
if(!mysql_select_db($this->database, $this->connection))
{
$this->HandleDBError('Failed to select database: '.$this->database.' Please make sure that the database name provided is correct');
return false;
}
if(!mysql_query("SET NAMES 'UTF8'",$this->connection))
{
$this->HandleDBError('Error setting utf8 encoding');
return false;
}
return true;
}

function Ensuretable()
{
$result = mysql_query("SHOW COLUMNS FROM $this->tablename");
if(!$result || mysql_num_rows($result) <= 0)
{
return $this->CreateTable();
}
return true;
}

function CreateTable()
{
$qry = "Create Table $this->tablename (".
"id_user INT NOT NULL AUTO_INCREMENT ,".
"name VARCHAR( 128 ) NOT NULL ,".
"email VARCHAR( 64 ) NOT NULL ,".
"phone_number VARCHAR( 16 ) NOT NULL ,".
"username VARCHAR( 16 ) NOT NULL ,".
"password VARCHAR( 32 ) NOT NULL ,".
"confirmcode VARCHAR(32) ,".
"PRIMARY KEY ( id_user )".
")";

if(!mysql_query($qry,$this->connection))
{
$this->HandleDBError("Error creating the table \nquery was\n $qry");
return false;
}
return true;
}

function InsertIntoDB(&$formvars)
{

$confirmcode = $this->MakeConfirmationMd5($formvars['email']);

$formvars['confirmcode'] = $confirmcode;

$insert_query = 'insert into '.$this->tablename.'(
name,
email,
username,
password,
confirmcode
)
values
(
"' . $this->SanitizeForSQL($formvars['name']) . '",
"' . $this->SanitizeForSQL($formvars['email']) . '",
"' . $this->SanitizeForSQL($formvars['username']) . '",
"' . md5($formvars['password']) . '",
"' . $confirmcode . '"
)';
if(!mysql_query( $insert_query ,$this->connection))
{
$this->HandleDBError("Error inserting data to the table\nquery:$insert_query");
return false;
}
return true;
}
function MakeConfirmationMd5($email)
{
$randno1 = rand();
$randno2 = rand();
return md5($email.$this->rand_key.$randno1.''.$randno2);
}
function SanitizeForSQL($str)
{
if( function_exists( "mysql_real_escape_string" ) )
{
$ret_str = mysql_real_escape_string( $str );
}
else
{
$ret_str = addslashes( $str );
}
return $ret_str;
}

/*
Sanitize() function removes any potential threat from the
data submitted. Prevents email injections or any other hacker attempts.
if $remove_nl is true, newline chracters are removed from the input.
*/
function Sanitize($str,$remove_nl=true)
{
$str = $this->StripSlashes($str);

if($remove_nl)
{
$injections = array('/(\n+)/i',
'/(\r+)/i',
'/(\t+)/i',
'/(%0A+)/i',
'/(%0D+)/i',
'/(%08+)/i',
'/(%09+)/i'
);
$str = preg_replace($injections,'',$str);
}

return $str;
}
function StripSlashes($str)
{
if(get_magic_quotes_gpc())
{
$str = stripslashes($str);
}
return $str;
}
}
?>[/syntax]

[Temor]

Unless you're actually storing "id" as the id, this does not make sense. It should return the ID. The same exact code does what it's supposed to do on my system.

I have to admit I'm stumped.

My suggestion is to scrap that insanely clotted login script you've downloaded and instead try and follow along on some of Jacek's tutorials to create your own. You can do without the majority of the stuff in your script. It will be easier to read and understand as well as maintain and build upon. And you'll learn some in the process as well. Just downloading something someone else wrote wont teach you much.

Just my two cents.

[Thunderbob]

Thank you for your time.