PHP Basic Login Problems

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
aarongunner
Forum Newbie
Posts: 4
Joined: Fri Mar 05, 2010 9:29 am

PHP Basic Login Problems

Post by aarongunner »

Hi, I'm having some difficulties in getting a basic php login system to work. I'm new to php but have read tutorials and books on the topic. I'm sure the code i have is close, just down to one error now that's really bugging me!

Code: Select all

<?php
    include('db_login.php');
$con = mysql_connect($db_host, $db_username, $db_password);
 
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
 
mysql_select_db("ccn", $con);
  if (isset($_GET["op"])) {
    if ($_GET["op"] == "login")
    {
       if (!$_POST["username"] || !$_POST["password"])
       {
          die("You need to provide a username and password.");
       }
 
 // Create query
 $q = "SELECT * FROM `user` "
  ."WHERE `username`='".$_POST["username"]."' "
  ."AND `password`=PASSWORD('".$_POST["password"]."') "
  ."LIMIT 1";
 // Run query
 
 echo $q."<br>";
 
 $r = mysql_query($q);
 
 if ( $obj = @mysql_fetch_object($r) )
  {
  // Login good, create session variables
  $_SESSION["valid_id"] = $obj->id;
  $_SESSION["valid_user"] = $_POST["username"];
  $_SESSION["valid_time"] = time();
 
  // Redirect to member page
  Header("Location: http://localhost/members.php");
  }
 else
  {
  // Login not successful
  die("Sorry, could not log you in. Wrong login information.");
  }
 } // op isn't login
 } // op isn't set
else
 {
//If all went right the Web form appears and users can log in
 echo "<form action=\"?op=login\" method=\"POST\">";
 echo "Username: <input name=\"username\" size=\"15\"><br />";
 echo "Password: <input type=\"password\" name=\"password\" size=\"8\"><br />";
 echo "<input type=\"submit\" value=\"Login\">";
 echo "</form>";
 }
?>
It's producing the "Sorry, could not log you in. Wrong login information." error when i enter a username and password that exist in the 'user' table of the database. It seems as if the query isn't returning anything....

Any suggestions appreciated
thanks :)
davex
Forum Contributor
Posts: 101
Joined: Sat Feb 27, 2010 4:10 pm
Location: Namibia

Re: PHP Basic Login Problems

Post by davex »

Hi,

Are your passwords encoded already with the MySQL password() function? Your select query is using it.

I would suggest that you print your query and then try it manually in phpMyAdmin or in the mysql client and see what's happening.

I have to also point out that your code is entirely open to SQL injection as you are performing no validation or input filtering on your username and password. At the very least I would suggest you mysql_escape_string() any user-generated input in your query (others would probably say you would want to do a whole lot more to sanitise for certain).

Regards,

Dave.
aarongunner
Forum Newbie
Posts: 4
Joined: Fri Mar 05, 2010 9:29 am

Re: PHP Basic Login Problems

Post by aarongunner »

Hi,

My passwords are using the PASSWORD() function, but certainly a good point, as i did miss that originally!

I have printed the query and tried it in phpMyAdmin, and it's running successfully, but returning an 'empty result set' (i have double and triple checked that the password and username are correct!).

Also, thanks for pointing out the fact that its open to SQL injection; I am not aware too much about these things, but on your recommendation its something i'll look into.
davex
Forum Contributor
Posts: 101
Joined: Sat Feb 27, 2010 4:10 pm
Location: Namibia

Re: PHP Basic Login Problems

Post by davex »

Hi,

Looks like something is up with the username/password. Are you sure the passwords were encoded with the same very of MySQL, I've had problems before where an upgrade changes the way PASSWORD() works.

What I'd suggest as a trial is to try a user with a plaintext password and then try the query without using the PASSWORD() function.

If that works then encode using PASSWORD(), update your query and try again.

No prob with the injection pointer - it's something we've all done at some point in the past I'm sure.

Well worth sorting out from the off though as not only don't you want to get hacked but it's a pain to update a massive application after the fact.

Cheers,

Dave.
aarongunner
Forum Newbie
Posts: 4
Joined: Fri Mar 05, 2010 9:29 am

Re: PHP Basic Login Problems

Post by aarongunner »

Hi, thanks again for the suggestions, as i'm new to php i'm taking them all on board for future troubleshooting!

I've tried the plain text password with the appropriate query to match, and this just appeared to reload the login page. Noticeably, it did not show the 'wrong login information' error though...
davex
Forum Contributor
Posts: 101
Joined: Sat Feb 27, 2010 4:10 pm
Location: Namibia

Re: PHP Basic Login Problems

Post by davex »

Hi,

My guess is you've had some output before the header() call. Often this is whitespace in included files.

Try just echoing "Login successful" or something and see if it comes up - if it does then that is most likely your problem (it does normally show a warning if you try and set headers after some output has been sent but you may have those turned off).

If that is the problem then I'd suggest using output buffering (link) to buffer then flush the output. You should also do an exit() call after the header to avoid anything else being sent.

Cheers,

Dave.
ell0bo
Forum Commoner
Posts: 79
Joined: Wed Aug 13, 2008 4:15 pm

Re: PHP Basic Login Problems

Post by ell0bo »

Here's my 2c.

I notice you pass in the link identified when you call the select_db, but you don't when you run your query. Now, I know that MySQL is supposed to use the most recent connection, but perhaps your change to the database is getting lost in the wash, so I would recommend you pass in the link identifier to the query:

if ( ($r = mysql_query($q, $con)) == false )
echo mysql_error($con);

While I'm at it though, you might want to look into using the mysqli extension and have your code be OO rather then functional. It helps you out because that way you don't need to worry about passing around the link identifier, and if you ever want to use transactions it'll give you that ability.
aarongunner
Forum Newbie
Posts: 4
Joined: Fri Mar 05, 2010 9:29 am

Re: PHP Basic Login Problems

Post by aarongunner »

Ok, its finally running properly.

It turns out that my password field in the user table of the database wasn't long enough to contain every character of the 41bit 'code' of the PASSWORD() function!

Also i hadn't started the session in the login page!

thanks a lot for your help! Hopefully i wont be making those mistakes again.

Thanks again.
Post Reply