First, thanks go out to both Nancy O. & osgood_ for helping me figure out how PHP and MySQLi work, but I still have a long way to go. As of now I'm working on a simple PHP script I attained through Nancy O. at http://stackoverflow.com/questions/24397969/simple-but-secure-user-registration-with-php-and-mysqli
So far it is working well and I made a few changes to give it the type of look I want....
However, one little problem arises: WHERE exactly do I insert my ('localhost', 'username', 'password', 'database_name') at? I tried to find a "$con = mysqli_connect" followed by but couldn't find exactly that anywhere. Well, below I put a copy of the beginning of the script where I assume it will go, and if anyone knows where I should put that I would love to know. Thanks.
<html>
<head>
<meta charset="utf-8">
<title>Login & Registration System Page</title>
</head>
<?php
include('config.php'); // Database connection and settings
error_reporting(E_ALL);
ini_set('display_errors', 1);
if(isset($_POST['register'])){
    $name = trim(mysqli_escape_string($conn,$_POST['username'])); // <-here?
    $first_name = trim(mysqli_escape_string($conn,$_POST['first_name'])); // <-here?
    $last_name = trim(mysqli_escape_string($conn,$_POST['last_name'])); // <-here?
    $display_name = trim(mysqli_escape_string($conn,$_POST['display_name'])); // <-here?
    $email = trim(mysqli_escape_string($conn,$_POST['email'])); // <-here?
    $passwords = trim(mysqli_escape_string($conn,$_POST['password'])); // <-here?
    $password = md5($passwords);
    $query_verify_email = "SELECT * FROM users WHERE email ='$email'";
    $verified_email = mysqli_query($conn,$query_verify_email) or die("Error: ".mysqli_error($conn)); // <-here?
    if (!$verified_email) {
        echo ' System Error';
    }
    if (mysqli_num_rows($verified_email) == 0) { // <-here?
        // Generate a unique code:
        $hash = md5(uniqid(rand(), true));
        $query_create_user = "INSERT INTO users (username, email, password, hash,first_name,last_name,display_name,pic,gender,isactive)
            VALUES ( '$name', '$email', '$password', '$hash','$first_name','$last_name','$display_name','','',0)"; // <-here
        $created_user = mysqli_query($conn,$query_create_user) or die("Error: ".mysqli_error($conn)); // <-here
        if (!$created_user) {
            echo 'Query Failed ';
        }
        if (mysqli_affected_rows($conn) == 1) { // If the Insert Query was successful.
            $subject = 'Activate Your Email';
            $headers = "From: admin@infotuts.com \r\n";
            $headers .= "MIME-Version: 1.0\r\n";
            $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
            $url= 'verify.php?email=' . urlencode($email) . "&key=$hash";
            $message ='<p>To activate your account please click on Activate button</p>';
            $message.='<table cellspacing="0" cellpadding="0"> <tr>';
            $message .= '<td align="center" width="300" height="40" bgcolor="#000091" style="-webkit-border-radius: 5px; -moz-border-radius: 5px; border-radius: 5px; color: #ffffff; display: block;">';
            $message .= '<a href="'.$url.'" style="color: #ffffff; font-size:16px; font-weight: bold; font-family: Helvetica, Arial, sans-serif; text-decoration: none; line-height:40px; width:100%; display:inline-block">Click to Activate</a>';
            $message .= '</td> </tr> </table>';
            mail($email, $subject, $message, $headers);
            // htmlspecialchars() keeps a submitted address from being rendered as HTML in the page.
            echo '<div class="alert alert-success">A confirmation email has been sent to <b>'. htmlspecialchars($email).' </b> Please click on the Activate Button to Activate your account </div>';
        } else { // If it did not run OK.
            echo '<div class="alert alert-info">You could not be registered due to a system error. We apologize for any inconvenience.</div>';
            die(mysqli_error($conn));
        }
    }
    else{
        echo '<div class="alert alert-danger">Email already registered</div>';
    }
}
?>
(the rest of the script would be below and if anyone wants to see the rest of it feel free to let me know)
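A hardened version of the registration logic in the post above, added here as an example and not part of the original thread or of the Stack Overflow script: it binds values through prepared statements instead of escaping them, stores the password with password_hash() instead of md5(), and draws the activation key from random_bytes(). The function name register_user and its return format are hypothetical; the users table columns are the ones in the posted query, and the password column is assumed to be wide enough (255 characters) for the new hash.

```php
<?php
// Added example (not from the thread). register_user() is a hypothetical helper;
// $conn is the mysqli connection that config.php is expected to create.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw exceptions instead of die()

function register_user(mysqli $conn, array $post): array
{
    // Take the raw values: bound parameters need no escaping.
    $fields = [];
    foreach (['username', 'first_name', 'last_name', 'display_name', 'email'] as $field) {
        $fields[$field] = trim((string)($post[$field] ?? ''));
    }
    $password = (string)($post['password'] ?? ''); // never trim or escape a password

    if (!filter_var($fields['email'], FILTER_VALIDATE_EMAIL)) {
        return ['ok' => false, 'error' => 'Invalid email address'];
    }
    if ($fields['username'] === '' || strlen($password) < 8) { // length floor is an assumption
        return ['ok' => false, 'error' => 'Username and a password of 8+ characters are required'];
    }

    // Same duplicate check as the original, with the value bound rather than interpolated.
    $check = $conn->prepare('SELECT 1 FROM users WHERE email = ?');
    $check->bind_param('s', $fields['email']);
    $check->execute();
    $check->store_result();
    $exists = $check->num_rows > 0;
    $check->close();
    if ($exists) {
        return ['ok' => false, 'error' => 'Email already registered'];
    }

    $pwHash = password_hash($password, PASSWORD_DEFAULT); // salted, slow hash; replaces md5()
    $key    = bin2hex(random_bytes(16));                  // 32 hex chars, same length as the md5 key

    $insert = $conn->prepare(
        "INSERT INTO users (username, email, password, hash, first_name, last_name,
                            display_name, pic, gender, isactive)
         VALUES (?, ?, ?, ?, ?, ?, ?, '', '', 0)"
    );
    $insert->bind_param('sssssss', $fields['username'], $fields['email'], $pwHash, $key,
        $fields['first_name'], $fields['last_name'], $fields['display_name']);
    $insert->execute();
    $insert->close();

    return ['ok' => true, 'email' => $fields['email'], 'key' => $key];
}
```

The login page then has to check the submitted password with password_verify() against the stored value rather than comparing md5() results. A UNIQUE index on users.email closes the gap between the duplicate check and the insert.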
The first line of your php script has the following. As the comment for that line implies, config.php is most likely where you'd enter the database connection and settings.
include('config.php'); // Database connection and settings
best,
Shocker
What the_shocker said.
config.php is a separate file that connects to your MySQL database.
For security reasons, I like to put my db connection files inside an obscurely named folder that has .htaccess protection from would-be hackers with Deny from all.
Nancy O.
Hi Nancy O.
I did create an "obscurely named folder" for all the information that will be collected but can you link me to exactly how to apply .htaccess protection from would-be hackers along with how to "Deny from all"? I completely understand how that will be very, very important due to the information that will be collected through the site.
I understand it's a great way to allow just me (i.e. just my IP address) to access all the data collected but want to figure out exactly where and how it is applied to the script in order to protect it.
Thanks,
John
obscurely_named_folder
    config.php (your db connect file)
    .htaccess
Apache directives inside your .htaccess file:
    order deny,allow
    deny from all
Nancy O.
Re: new php file named config.php
I made it and got Failed to connect to MySQL: Failed to connect to MySQL: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
Here's a jpeg of it:
Re: .htaccess protection
Where exactly in my php script should I place that (i.e. the entire second message I assume), and is "your db connect file" the same folder you told me to make with a generic name which would be difficult for hackers to track?
Are you trying to connect to a local testing server database from DW?
.htaccess = a separate plain text file. It's not PHP.
Note the dot prefix.
Hi the_shocker. So I would be turning this (original first line directly below php script):
include('config.php'); // Database connection and settings
into this (my personal php lead):
$con = mysqli_connect("localhost","John","mypassword","database1");
as the second line applies the terms which relate to the folder name, password, etc. Does that look right?
You never want to put your database connection string inside the log-in script.
Always put db connections into a separate php file. It's one more layer of security.
Create a new php file with code below and name it config.php.
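<?php
// The registration script reads the connection from $conn, so use that name here.
$conn = mysqli_connect("localhost","your_user","your_password","your_db");
// Check connection
if (mysqli_connect_errno())
{
    // Stop here: nothing after this point can work without a connection.
    exit("Failed to connect to MySQL: " . mysqli_connect_error());
}
?>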
Nancy O.
Hi Nancy O.
I'm not 100% sure what you're referring to in reference to a local testing server database but the database I've created is through my host, FatCow's MySQL (see pictures). I have no reason to do any testing and didn't know DW had that...but it's interesting lol. Below are the pics. of the database I made through FatCow:
I'm simply trying to make php web pages for regular traffic and/or web "members" to have the option to create an account/login/logout/hello & goodbye pages. That's why I created a database along with a separate folder with a generic name to store the data as you suggested for privacy...although nothing is on it yet because the site hasn't been promoted yet.
As for the .htaccess privacy....is this all I need, at the bottom and OUTSIDE of the PHP scripts:
obscurely_named_folder
    config.php (here being my db connect folder you told me to make with oblivious name)
    .htaccess
Apache directives inside your .htaccess file:
    order deny,allow
    deny from all
I'd be surprised because with the reading I did I thought my own IP address was needed to allow just me to have access to the data...but my "research" source could be outdated of course.
I don't add my IP address to my .htaccess files. I see no need for it. In fact, adding an IP might make you more vulnerable to IP copycats.
Nancy O.
Hi Nancy,
Ok, obviously you can see I haven't been working on the site 24-7 but I'm looking to start working on it more lol
OK, here are the login/open account pages I created with the general script "plan" you provided for me. I like them a lot and if you want to see any of the actual code I'd be more than happy to share with you (or anybody else who's interested). In order it's:
Create account page ----> Login & Registration System Page
Basic Sign in page -------> Login Page
Password Wrong Page --> Login Page - Another Attempt
Previous Use Page -------> Login & Registration System Page Again because of Email or Name Repeat
So now that the pages are made and look ok for me, is the next step connecting the incoming data to the MySQL account I made (pictured above in previous message) at my host? I "assume" 1.) folders will need to be opened for the MySQL account I made at my host and 2.) some more adjustments are going to have to be made to the PHP pages to "link" the two of them together (?). I know I could be wrong though and I may have trouble doing both, so if you know where videos are showing/explaining how, I'm all eyes and ears.
I added a Thank You for Registration page to open right AFTER the Login & Registration page so that once all of a visitor's name, email, etc. is collected/inserted they can log in with it. The only thing I would need is directions on how to get all the data directly submitted to my host account (a MySQL I opened?) but I'll continue to wait for that...