Echo $website, just like $username

Question

I have this login code. When I write on a page to request someones username, I enter <?php echo $username; ?> but that's not the only thing I want to echo on the page. I also want to echo $website but that doesn't work. What am I doing wrong in the code? Is there a way to also add $website to the code so it echo's the

require('connect.php');
session_start();

if (isset($_POST['username']) and isset($_POST['password'])){

$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM `user` WHERE username='$username' and password='$password'";

$result = mysql_query($query) or die(mysql_error());
$count = mysql_num_rows($result);

if ($count == 1){
$_SESSION['username'] = $username;
}else{
echo "";
}
}

if (isset($_SESSION['username'])){
$username = $_SESSION['username'];
echo "Your username is " . $username;
echo "Your domain is " . $website;
} else {
?>
<!--loginpage follows here -->

EDIT

I mean when a customer registers their account, they need to fill out a form and they need to enter their site. How can I, by using the above script, echo the $website so they see their own website printed?

as it stands, `$website` is unassigned. So, assign something to it ;-) — Funk Forty Niner, May 12 '15 at 16:12
sidenote: hoping you're not intending to use this as a live site, not without hashing passwords. *hacker's heaven awaits* — Funk Forty Niner, May 12 '15 at 16:13
sql injection, plain-text passwords, deprecated `mysql_*` functions; you should probably start over using something like PDO with prepared statements and salted & hashed passwords: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 and http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords?rq=1 — jeroen, May 12 '15 at 16:14
*"Is there a way to also add $website to the code so it echo's the"* - that's an unfinished sentence. — Funk Forty Niner, May 12 '15 at 16:14
By $website do you mean $_SERVER['SERVER_NAME']? http://stackoverflow.com/questions/10717249/get-current-domain — littleibex, May 12 '15 at 16:14
Define $website as you defined your `$username = $_POST['username'];`. — Steven Tomko, May 12 '15 at 16:15
Well that [code is just copied from whereever](http://stackoverflow.com/questions/22570797/simple-logout-script), so chances are there isn't a per-user website even from the database query. (And given the guessed answers so far, this question may remain unanswered without further details.) — mario, May 12 '15 at 16:17
^ totally right on the "guess" part. Edit: @mario answers given below, but "unanswered" meaning "we're all guessing here too". — Funk Forty Niner, May 12 '15 at 16:18
@Fred-ii- I am using it as a live site, how can I make it so it hash passwords? You mean hashing passwords when they register? — derpydoran, May 12 '15 at 16:21
@derpydoran *Yepper!* For password storage, use [**CRYPT_BLOWFISH**](http://security.stackexchange.com/q/36471) or PHP 5.5's [`password_hash()`](http://www.php.net/manual/en/function.password-hash.php) function. For PHP < 5.5 use the [`password_hash() compatibility pack`](https://github.com/ircmaxell/password_compat). Plus, use [**`mysqli` with prepared statements**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php), or [**PDO with prepared statements**](http://php.net/pdo.prepared-statements), *they're much safer*. — Funk Forty Niner, May 12 '15 at 16:21
@Fred-ii- Okay I will try the hashing passwords function, but I need to rebuild the whole system if I'm going to use MySQLi if it currently runs at mysql? — derpydoran, May 12 '15 at 16:24
That is correct. Best to do this now rather than work twice as hard later ;-) — Funk Forty Niner, May 12 '15 at 16:24
@Fred-ii- I'll take this serious. Do you have found any good SQLi logins, which are simple to setup? Dont want my customers to get hacked — derpydoran, May 12 '15 at 16:31
@Fred-ii- It may work but if this system isn't safe at all, I'm not taking any risks to bring my customers' data in danger. Then I'm just going to install a mysqli login — derpydoran, May 12 '15 at 16:38
it answered the original question. Accepting it would close the question properly and marking/showing it as solved to the community. — Funk Forty Niner, May 12 '15 at 16:40
@Fred-ii- It's marked as solved now, I have downloaded a login script using mysqli. Do you think this is worth the install or just a don't? http://sourceforge.net/projects/fastloginscript/files/latest/download — derpydoran, May 12 '15 at 16:47
Great. As for the link, I couldn't say. I'd have to download it and test it. If it doesn't use prepared statements along with `password_hash()`, it's not worth it. — Funk Forty Niner, May 12 '15 at 16:50
@Fred-ii- I've done a search through register.php and there's no word matching "hash".. should I download some other script? — derpydoran, May 12 '15 at 16:56
This answer on Stack that I gave you earlier http://stackoverflow.com/a/29778421/ uses PDO with prepared statements and `password_hash()`. You can't have any better than that ;-) you just need to fill in your own stuff. — Funk Forty Niner, May 12 '15 at 16:59
You're probably better off looking for something more modern. (As additional note, you may want to apply `htmlspecialchars()` when outputting any variables. But fix the outdated database API and querying first.) — mario, May 12 '15 at 16:59

score 1 · Accepted Answer · edited May 12 '15 at 16:28

1

~~I think you want:~~

$website = $_SERVER['HTTP_REFERER'];

You can check out all of the possible information at the PHP man page at http://php.net/manual/en/reserved.variables.server.php.

EDIT - as per your edited question.

You simple need to check the $_POST for whatever they entered in a "webpage" field.

Such as and using a ternary operator:

$webpage = (isset($_POST['webpage'])) ? $_POST['webpage'] : "No webpage entered";

edited May 12 '15 at 16:28

Funk Forty Niner

73,764
15
63
131

answered May 12 '15 at 16:16

Sablefoste

3,680
3
35
52

@Fred-ii-, true but if security were an issue, than SQL injection would be very much a bigger risk. – Sablefoste May 12 '15 at 16:20
made a slight edit; hope you don't mind since it now addresses the real issue ;-) – Funk Forty Niner May 12 '15 at 16:27

Always Sunny · Answer 2 · 2015-05-12T16:36:51.957

0

if i didn't misunderstood your question,try to set $website variable like this way

if(isset($_POST['website'])){
  $website=$_POST['website']; //from your form
 }else{
  $website="user didn't provide website name";
}

edited May 12 '15 at 16:36

answered May 12 '15 at 16:15

Always Sunny

29,081
6
43
74

score 0 · Answer 3 · answered May 12 '15 at 16:19

0

To get the name if the website use the php $_SERVER global variable

$website=$_SERVER['SERVER_NAME'];

answered May 12 '15 at 16:19

Michael Presečan

112
1
2
12

That is very high assumption, you don't know whether he wants website of the user or the current website address. – Khan Shahrukh May 12 '15 at 16:20
You r right. First I thought he wants echo entire website (HTML code) – Michael Presečan May 12 '15 at 16:21

Echo $website, just like $username

3 Answers3