Checking and logging user name in database tables...

[jbdesign]

I have most everything working on this script except one thing.

What I want to do is store that user's name and time they logged-in in a separate database table, so I can see who and when they logged in. The script I have thus far does everything perfectly fine up to the point where it tries to log the user's name in the database... which it doesn't. All I get is the auto generated time stamp, the "user_name" field is left blank in the database table.

The code is below, what am I doing wrong? Am I not setting a variable correctly? And this is for a non-secure project, so security isn't an issue.

PHP Code:

<?php 
ini_set("display_errors","on"); 
error_reporting(E_ALL | E_STRICT); 
ini_set("include_path","./includes");
include("reginfo.inc");
if(isset($_POST['submitted']) and $_POST['submitted'] == "yes") 
{ 
  foreach($_POST as $field => $value)         
  { 
    if(empty($value)) 
    { 
         $blank_array[] = $field; 
      } 
      $good_data[$field] = strip_tags(trim($value)); 
  }
  if(@sizeof($blank_array) > 0) 
  {
  /*Display error message if information is not entered*/ 
    $message = "<p style='color: red; margin-bottom: 0; 
                 font-weight: bold'> 
                 You didn't fill in one or more required fields. 
                 You must enter: 
                 <ul style='color: red; margin-top: 0; 
                 list-style: none' >";
    foreach($blank_array as $value) 
    { 
       $message .= "<li>$value</li>"; 
    } 
    $message .= "</ul>"; 
    echo $message; 
    extract($good_data); 
    include("logininfo.inc"); 
    exit();    
  } 
  foreach($_POST as $field => $value) 
{ 
  if(!empty($value)) 
  { 
    $user_patt = "/^[A-Za-z0-9_]{5,20}$/";
    $pass_patt = "/(?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a-zA-Z0-9]{4,8})$/";
    if(preg_match("/user/i",$field)) 
    { 
      if(!preg_match($user_patt,$value)) 
      { 
        $error_array[] = "$value is not a valid name"; 
      } //end of username check
    }
    if(!preg_match("/pass/i",$field)) 
    { 
      if(preg_match($pass_patt,$value)) 
      { 
        $error_array[] = "Please enter a password that is between 4 to 8 characters and contains at least an letter and number"; 
      } //end of password check
    }
  } 
  $clean_data[$field] = strip_tags(trim($value)); 
} 
if(@sizeof($error_array) > 0) 
{ 
  $message = "<ul style='color: red; list-style: none' >"; 
  foreach($error_array as $value) 
  { 
    $message .= "<li>$value</li>"; 
  } 
  $message .= "</ul>"; 
  echo $message; 
  extract($clean_data); 
  include("logininfo.inc"); 
  exit(); 
} 
else 
{
$user_nameFromForm =$_POST['user_name']; 
$passwordFromForm =$_POST['password'];
$cxn = mysqli_connect($host,$user,$passwd,$dbname)             /* This is where it starts to check to see if the user's name and password are in the database */
             or die("Couldn't connect to server"); 
foreach($clean_data as $field => $value) 
{ 
  $clean_data[$field] = mysqli_real_escape_string($cxn,$value); 
} 
$query = "SELECT * from Registration 
                   WHERE user_name='$user_nameFromForm' 
                   AND password = '$passwordFromForm'"; 
$result = mysqli_query($cxn,$query) or die("Can't Execute query"); 
$nrows = mysqli_num_rows($result); 
if($nrows > 0)                                                /* If user name and password match in the database, log user's name into a table */
{ 
$cxn = mysqli_connect($host,$user,$passwd,$dbname) 
             or die("Couldn't connect to server"); 
foreach($clean_data as $field => $value) 
{ 
  $clean_data[$field] = mysqli_real_escape_string($cxn,$value); 
}                                                             /* Area where the problem apparently happens since it isn't posting the user's name into the table */
$sql = "INSERT INTO Login (user_name)
        VALUE ('$clean_data[user_name]')";
$result = mysqli_query($cxn,$sql) 
            or die("Couldn't execute query"); 
include("loginsucess.inc");  
} 
else 
{ 
  include("loginunsucessful.inc"); 
}
} 
} 
else 
{ 
  include("logininfo.inc"); 
} 
?>

[fguy64]

can we assume that you have the ability or the know-how to store information into a database on a basic level?

Have you established that your html form is POSTing to the script properly? This can be established using the echo command on the variable.

I don't have an answer for you, but if it was my problem I'd work with a brand new script, first establishing the ability to write (INSERT) info to a database and work backwards from there, expanding the functionality of the script till it has all the features I wanted.

someone else who is more adept than I at reading scripts may spot your problem right off.

hope that helps.

[misson]

And this is for a non-secure project, so security isn't an issue.

Does such a thing exist? If it's not secure, why have password-protected user accounts?

It looks like $_POST['user_name'] should make it through the script to the INSERT statement. Make sure there isn't a typo in the login form. Examine $_POST in the wtmp (login recording) script print while debugging, either by examining it in a debugger (check out XDebug and Notepad++ w/ dbgp or Eclipse w/ PDT) or by printing $_POST. Also examine/print the SQL statements.

Other issues:

• The script makes a duplicate DB connection after testing that the username exists in the Registration table.
• passwords are stored as plaintext. I know you said this is a non-secure project, but I don't buy that. Store passwords as salted hashes.
• The various "extract()" calls can clobber existing variables. It looks like extraction only happens when there's an error, so there isn't too much danger (depending on the contents of logininfo.php), but it might be a good idea to call extract() with an extract type of EXTR_SKIP.

[xav0989]

Some coding guidlines:
*Always, always, always indent your code.
*Always, always, always make security an issue.
*Understand what you code is meant to do, and what it does. If you don't, then it's not your code.

[BombTrak]

When you compose the $clean_data structure the $field variable is a string right? So to properly reference the user_name of the $clean_data wouldn't you need to use:

Code:

$clean_data['user_name']

I would change this:

Code:

$sql = "INSERT INTO Login (user_name) VALUE ('$clean_data[user_name]')";

To this:

Code:

$sql = "INSERT INTO Login (user_name) VALUE ('".$clean_data['user_name']."')";

I don't know if that will actually help or not, but that is all that really stood out to me.