Printable View
I have pretty much no experience with php, but is there a way to connect to a database in MMF to login to a game? Could someone direct me to a help file or tutorail? Also, is there a way to create directories on my site in MMF using vitalized extensions? (www.mysite.com/newdirectory)
If you can answer either of these questions, that would be very helpful. :D
Here's a tutorial:
http://www.clickteam.com/eng/resources/online_score/dxn-scoreboards.zip
(Though I recommend you use Live Receiver instead of Moosock, the theory is much the same - I promise I will update it to Live Receiver some day even though I've been saying that for the last year.)
Like I said, I do not know much php. So if you could explain how to code this, that would be much appreciated.
Even for people who have no PHP coding knowledge, the tutorial explains most of the PHP code and you really hardly need to understand very little of it, copy and paste will suffice.
How did I know you'd be posting a reply, Brandon? Are you following me around? ;) I bet you've caught on to my evil scheme already. :D
EDIT: I didn't even notice the files that came with the MMF file. I guess it may be smart to look at them.
I'm having trouble checking a user's name with its password for logging in. I know it's simple php, but I'm not sure how to do it. I created a new php file and called it "user_check.php" and I set it to get the username from the url, but how do I compare it to the password on the database?
OK. This is what I have in my php file that checks if the user's name and password match:
If the name and password match, there should be a "1" on the screen, but when I try it, the page is blank. What did I do wrong?Code:<html>
<head>
<title>User Check</title>
</head>
<?
$name = $_GET['name'];
$userpassword = $_GET['userpassword'];
$service = "localhost";
$username = "pauliuko";
$password = "sdfsfsf";
$database = "pauliuko_games";
mysql_connect($service, $username, $password);
@mysql_select_db($database) or die( "Unable to select database");
$get=mysql_query("SELECT (id) FROM users WHERE name=$user and password=$pass");
$result=mysql_query($query);
echo"$result"
?>
</body>
</html>
EDIT: My MySQL table has 4 columns: id, name, password, and datejoined.
your result line is wrong, you're asking another query here :
$result=mysql_query($query);
I don't remember very well but isn't it something like mysql_fetcharray ? or something like that ?
EDIT : found this :
$result = mysql_query("SELECT id, name FROM mytable");
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
printf("ID: %s Name: %s", $row[0], $row[1]);
}
I have no idea. This is my first time ever actually using php and MySQL. :D
What you found just returns the entire table. What I want is to check if 2 values are the same.Quote:
Originally Posted by Corentin
I DID IT! If you're curious as to what the code is.....
Code:<?php
$name = $_GET['name'];
$userpassword = $_GET['userpassword'];
$service = "localhost";
$username = "pauliuko";
$password = "sdfsfsf";
$database = "pauliuko_games";
mysql_connect($service, $username, $password);
@mysql_select_db($database) or die( "Unable to select database");
$result = mysql_query("SELECT * FROM users WHERE name='$name' and password='$userpassword'") or die(mysql_error());
$row = mysql_fetch_array( $result );
if($row=='') echo "0";
else echo "1";
?>
You shouldn't store passwords directly in the database, you should store a hash of the password, eg md5
I believe php has an md5() function for this.
You're also trusting user input without escaping it. What happens if someone uses a ' in their password in your code? How about "' or '1'='1" as the password?
Answer: You end up with this query:
"SELECT * FROM users WHERE name='hacker' and password='' or '1'='1'"
and the "or '1'='1'" is always true, so it will allow login, with whatever username they want, even an admin account (or even if that username's not in the database at all!)
EDIT: Also make sure that the username you're using to connect to the database from php only has permission to do what it needs to (Add records and read records, maybe modify records). Whatever you do don't log in to your database from php with an account that has "drop database" permissions, or a hacker will be able to destroy your entire database with ease.
Can you post the revised code with the MD5 hashing of the password.
$userpassword = md5($_GET['userpassword']);
Good to know you got the query worked out - PHP has many ways to do the same thing, and mysql_fetch_array() and mysql_query() both do roughly the same job.
The original problem when you were using mysql_query() as in my tutorial, as far as I can see, was that you were calling the query string "$get" when you were setting it up, and then running a query called "$query", which didn't exist.
Dynasoft, the reason that I didn't add the code in to check that the username and password are alphanumeric is because I want to do the least amount of php coding as possible. I literally just learned what I had to in order to do what I did and I don't want to have to learn any more. I have a perfectly working alphanumeric check in MMF2 that I programmed instead. :)
Are you saying that I should submit the password as a MD5 hash and then store it as the real password, or store it as a MD5 hash as well? I really don't think it's necessary. I don't expect my users to be saving anything really important.
Why not use?PHP Code:mysql_num_rows()
For example:
PHP Code:$myQuery = mysql_query("SELECT * FROM $table WHERE userName = '$userName' AND userPassword = '$userPassword'");
return mysql_num_rows($myQuery);
It's not hard, just call mysql_escape_string() on the variables to prevent the injection attack. It's one function :)Quote:
Originally Posted by pinacoladaxb
Store it as md5. It's bad security to store actual passwords, because users tend to use the same password for everything, and they don't take too kindly to someone knowing it. Again, it's not hard to do, php has an md5() function you can use :)Quote:
Originally Posted by pinacoladaxb
EDIT: Like this, I think:
Code:<?php
$name = $_GET['name'];
$userpassword = md5($_GET['userpassword']);
$service = "localhost";
$username = "pauliuko";
$password = "sdfsfsf";
$database = "pauliuko_games";
mysql_connect($service, $username, $password);
@mysql_select_db($database) or die( "Unable to select database");
$result = mysql_query("SELECT * FROM users WHERE name='".mysql_escape_string($name)."' and password='".mysql_escape_string($userpassword)."'") or die(mysql_error());
$row = mysql_fetch_array( $result );
if($row=='') echo "0";
else echo "1";
?>
OK. I'll take your advice.
I did it! It was easier than I thought. I'll use your advice for the injection attack thing as well. Thanks for your help! :D
EDIT: Oops. I didn't see that you gave me the code. I did it on my own. :blush:
It's fine, you always learn more by doing something yourself :)
Very true.