PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
Hi, I'm having some difficulties in getting a basic php login system to work. I'm new to php but have read tutorials and books on the topic. I'm sure the code i have is close, just down to one error now that's really bugging me!
<?php
include('db_login.php');
$con = mysql_connect($db_host, $db_username, $db_password);
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("ccn", $con);
if (isset($_GET["op"])) {
if ($_GET["op"] == "login")
{
if (!$_POST["username"] || !$_POST["password"])
{
die("You need to provide a username and password.");
}
// Create query
$q = "SELECT * FROM `user` "
."WHERE `username`='".$_POST["username"]."' "
."AND `password`=PASSWORD('".$_POST["password"]."') "
."LIMIT 1";
// Run query
echo $q."<br>";
$r = mysql_query($q);
if ( $obj = @mysql_fetch_object($r) )
{
// Login good, create session variables
$_SESSION["valid_id"] = $obj->id;
$_SESSION["valid_user"] = $_POST["username"];
$_SESSION["valid_time"] = time();
// Redirect to member page
Header("Location: http://localhost/members.php");
}
else
{
// Login not successful
die("Sorry, could not log you in. Wrong login information.");
}
} // op isn't login
} // op isn't set
else
{
//If all went right the Web form appears and users can log in
echo "<form action=\"?op=login\" method=\"POST\">";
echo "Username: <input name=\"username\" size=\"15\"><br />";
echo "Password: <input type=\"password\" name=\"password\" size=\"8\"><br />";
echo "<input type=\"submit\" value=\"Login\">";
echo "</form>";
}
?>
It's producing the "Sorry, could not log you in. Wrong login information." error when i enter a username and password that exist in the 'user' table of the database. It seems as if the query isn't returning anything....
Are your passwords encoded already with the MySQL password() function? Your select query is using it.
I would suggest that you print your query and then try it manually in phpMyAdmin or in the mysql client and see what's happening.
I have to also point out that your code is entirely open to SQL injection as you are performing no validation or input filtering on your username and password. At the very least I would suggest you mysql_escape_string() any user-generated input in your query (others would probably say you would want to do a whole lot more to sanitise for certain).
My passwords are using the PASSWORD() function, but certainly a good point, as i did miss that originally!
I have printed the query and tried it in phpMyAdmin, and it's running successfully, but returning an 'empty result set' (i have double and triple checked that the password and username are correct!).
Also, thanks for pointing out the fact that its open to SQL injection; I am not aware too much about these things, but on your recommendation its something i'll look into.
Looks like something is up with the username/password. Are you sure the passwords were encoded with the same very of MySQL, I've had problems before where an upgrade changes the way PASSWORD() works.
What I'd suggest as a trial is to try a user with a plaintext password and then try the query without using the PASSWORD() function.
If that works then encode using PASSWORD(), update your query and try again.
No prob with the injection pointer - it's something we've all done at some point in the past I'm sure.
Well worth sorting out from the off though as not only don't you want to get hacked but it's a pain to update a massive application after the fact.
Hi, thanks again for the suggestions, as i'm new to php i'm taking them all on board for future troubleshooting!
I've tried the plain text password with the appropriate query to match, and this just appeared to reload the login page. Noticeably, it did not show the 'wrong login information' error though...
My guess is you've had some output before the header() call. Often this is whitespace in included files.
Try just echoing "Login successful" or something and see if it comes up - if it does then that is most likely your problem (it does normally show a warning if you try and set headers after some output has been sent but you may have those turned off).
If that is the problem then I'd suggest using output buffering (link) to buffer then flush the output. You should also do an exit() call after the header to avoid anything else being sent.
I notice you pass in the link identified when you call the select_db, but you don't when you run your query. Now, I know that MySQL is supposed to use the most recent connection, but perhaps your change to the database is getting lost in the wash, so I would recommend you pass in the link identifier to the query:
While I'm at it though, you might want to look into using the mysqli extension and have your code be OO rather then functional. It helps you out because that way you don't need to worry about passing around the link identifier, and if you ever want to use transactions it'll give you that ability.
It turns out that my password field in the user table of the database wasn't long enough to contain every character of the 41bit 'code' of the PASSWORD() function!
Also i hadn't started the session in the login page!
thanks a lot for your help! Hopefully i wont be making those mistakes again.