PHP UPDATE AGAIN

Status
Not open for further replies.

Berk

berkibap#4233
Developer
Oct 17, 2015
863
190
Hi.
So basically,
when your login succeeds, it should add some values to the database (for online users). The values are username, ip, habbo.com/habbo-imaging/avatarimage?user=USERNAMEHERE&direction=3, etc.
But when I post the variables, I get this error:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '::1, ' at line 1
The SQL:
Code:
$sql1 = "INSERT INTO `shop_online` (`name`, `ip`, `avatarurl`) VALUES ($username, $ip, https://www.habbo.com.tr/habbo-imaging/avatarimage?user=$username&direction=3&head_direction=2&gesture=sml&action=wav&size=l&headonly=true')";
 

Markshall

Русский Стандарт
Contributor
Dec 18, 2010
2,638
2,393
You've got an ending quote, but no starting quote next to .............. etc
 

Markshall

Русский Стандарт
Contributor
Dec 18, 2010
2,638
2,393
DELETE FROM `shop_online` WHERE `username` = '$username'

You'll need to replace $username with your variable, and place it in your logout script
 

Berk

berkibap#4233
Developer
Oct 17, 2015
863
190
This is a bit confusing. On login.php I use the $_POST['username'] and what here?
My connection code below:
Code:
$username = $_POST['username'];
    $password = md5($_POST['password']);
$sql = "SELECT * from users WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1";
    $result = $mysqli->query($sql);
    if (!$result->num_rows == 1) {
        echo "<p style='color:white;'>Invalid username/password combination</p>";
    } else {
        echo "<p>Logged in successfully</p>";
        
        $mysqli->query($sql1);
        echo mysqli_error($mysqli);
        header("Location: index.php");
    }
}
 

Sledmore

Chaturbate Livestreamer
Staff member
FindRetros Moderator
Jul 24, 2010
5,199
3,934
You'll have to set a session with the username, in order to know what row to delete based on that key.
 

Weasel

👄 I'd intercept me
Nov 25, 2011
4,135
2,461
First, don't use LIKE in the SQL statement. Second, always escape user input, for example:
Code:
$username = mysqli_real_escape_string($mysqli, $_POST['username']); // procedural form takes the connection as its first argument

Otherwise, your code could be open to SQL injections. As for the question regarding the session, on every page where you need to access SESSION variables, include session_start(); at the top of the file. It's best to do this in one file, and require this file on every page. You can set session variables quite easily, for example: $_SESSION['username'] = $username. On every page where you have an initialized session, you can access this variable.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
You'd do something along the lines of:
PHP:
$_SESSION['username'] = $username;
And then on resources which require you to be authorized, check if this session key exists; although it is probably best to use the user's ID as this will never change and is seen to be more reliable than depending on a username.

Another few tips for improvement:
You're using "SELECT *", when you're not actually using any of these; for a num-row check you can simply do "SELECT null FROM users WHERE username = ? AND password = ? LIMIT 1..". For some reason you're using "LIKE", I'm not sure if this is how the system is intended to work but you shouldn't use LIKE for this sort of operation if you are authenticating a user, as it may match other user credentials and allow unauthorized access.

You're using MySQLi which is good but you're inserting raw data into the query without prior validation/escaping; if you use this in production you'd be vulnerable to SQL Injection. Look into input validation, and note that it's also good practice to use statements so that the actual input is separate from the query.

From what I can see you're also using md5 for your passwords, this is an extremely outdated practice and is no longer considered secure; instead look into using PHP's built-in & functions.
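
The advice in the replies above (no LIKE, prepared statements, PHP's password_hash()/password_verify() instead of md5, a session key set at login and read again at logout), put together as an added example; it is not code from any poster. The `id` column, a `password` column holding password_hash() output, and the function names `login`/`logout` are assumptions; `shop_online` and its columns come from the INSERT in the first post.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Assumed schema: users(id, username,
// password) with password holding password_hash() output, and
// shop_online(name, ip, avatarurl) as in the INSERT in the first post.

function login(mysqli $db, string $username, string $password, string $ip): bool
{
    // Placeholders keep user input out of the SQL text; "=" instead of LIKE,
    // so "%" or "_" in the submitted name cannot match another account.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();

    // password_verify() checks the submitted password against the stored hash.
    if (!$user || !password_verify($password, $user['password'])) {
        return false;
    }

    session_regenerate_id(true);              // fresh session id after login
    $_SESSION['user_id']  = (int) $user['id']; // the ID never changes
    $_SESSION['username'] = $username;

    $avatar = 'https://www.habbo.com.tr/habbo-imaging/avatarimage?user='
            . rawurlencode($username)
            . '&direction=3&head_direction=2&gesture=sml&action=wav&size=l&headonly=true';
    $ins = $db->prepare('INSERT INTO shop_online (name, ip, avatarurl) VALUES (?, ?, ?)');
    $ins->bind_param('sss', $username, $ip, $avatar);
    $ins->execute();
    return true;
}

function logout(mysqli $db): void
{
    if (isset($_SESSION['username'])) {
        $name = $_SESSION['username'];        // the key set in login()
        $del = $db->prepare('DELETE FROM shop_online WHERE name = ?');
        $del->bind_param('s', $name);
        $del->execute();
    }
    $_SESSION = [];
    session_destroy();
}

// login.php, after session_start() and creating $mysqli:
//   login($mysqli, $_POST['username'] ?? '', $_POST['password'] ?? '', $_SERVER['REMOTE_ADDR']);
// logout.php, after session_start() and creating $mysqli:
//   logout($mysqli);
```

Existing md5 rows will not verify against password_verify(); they need to be re-hashed with password_hash() when each user next sets or resets a password.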
 

Berk

berkibap#4233
Developer
Oct 17, 2015
863
190
Alright, I'm so fucking confused after those posts. Can somebody give me a logout.php code and some session code please?
 

JayC

Well-Known Member
Aug 8, 2013
5,505
1,401
Why not just store a global variable in PHP that controls your number of logged in sessions? Then when anyone logs out, subtract 1?
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
If that's what he's trying to achieve that'd be the wrong way to go about it since someone may not specifically end their session, but close the tab etc.

Instead you could use some sort of socket to continuously check for online users, or you could also give each session a key holding the time of their last action with the site; if it's past so long then regard them as being offline as they have not interacted in a while.
 

JayC

Well-Known Member
Aug 8, 2013
5,505
1,401
Here, I will make this really easy for you :) Forget these other posts.

Create a column in your users table called like lastActivity or something similar. This is going to keep track of how often someone does something / visits a new page.

Next, in your header put a statement that whenever the header gets loaded, it updates lastActivity with the current time. So here is how you would do this:

lastActivity = int with the length of 11
// uses the $mysqli connection from login.php; the mysql_* functions were removed in PHP 7
$mysqli->query("UPDATE users SET lastActivity = '".time()."' WHERE username = '".$mysqli->real_escape_string($_SESSION['user']['username'])."' LIMIT 1");

then when you need to figure out who is active on the site:
// rows touched within the last 5 minutes
$numberOfUsersActive = $mysqli->query("SELECT null FROM users WHERE lastActivity >= '".(time() - (5 * 60))."'")->num_rows;

echo $numberOfUsersActive;
 