OK, here is the full code. If someone can spot the error, then bravo; I have tried to find it for like an hour.
index.php (main file):
<html>
<head>
<title>Title comes later</title>
<link rel='stylesheet' href='index-layout.css'>
<?php
//login box code
session_start();
if(isset($_SESSION)){
    session_unset();
}
include('data/SQL_Connect.php'); //all SQL database handling
include('data/basics.php'); //some basic functions used
//Connects to the server MySQL database 'users'
$con = connectToServer();
if($con){
    $dat = connectToDatabase('users');
    if(!$dat){
        print('Could not connect to database');
    }
} else {
    print('Could not connect to server');
}
//Global Variables
$username = '';
$password = '';
/* NOT DONE needs SQL database */
$ipAddress = $_SERVER['REMOTE_ADDR']; //gets the user's IP address
/*
if( ipAddress is on banlist ){
    header('Location: data/banned.html');
}*/
/*
This code will only be executed if the user clicks the submit button in index.html
The information in the form's username and password fields will be sent here.
*/
if(isset($_POST['submit1']))
{
    //strip tags to remove harmful scripting input from the boxes
    $username = strip_tags($_POST['username1']);
    $password = strip_tags($_POST['password1']);
    $file_handle = query("SELECT * FROM tb_users WHERE username = '$username' AND password = '$password'"); //get tb_users
    //if the username and password match
    if($file_handle){
        $userInfo = query("SELECT * FROM tb_users WHERE username = '$username'");
        foreach(getElements($userInfo) as $field => $value){
            if(isset($_SESSION[$field])){
                unset($_SESSION[$field]);
            }
            $_SESSION[$field] = $value;
        }
        closeDatabase(); //close database
        header('Location: data/main.php'); //go to the main page
    }
    print 'Username or password are incorrect <br>';
}
?>
</head>
<body>
<div id='login'>
    <form class='log' name='form1' method='POST' action='index.php'>
        <p>Username</p>
        <input class='field' name='username1' type='text'><br>
        <p>Password</p>
        <input class='field' name='password1' type='password'><br><br>
        <input class='button' name='submit1' type='submit' value='Login'>
        <p><a href='signup.php'>Create an Account</a></p>
    </form>
</div>
</body>
</html>
SQL_Connect.php:
<?php
/*
Class Name: SQL_Connect.php
This file contains most of the SQL database handling.
To use these functions in a website, use the include()
function at the head of the desired web page, e.g.
    include('SQL_Connect.php');
Please make sure this file is hidden on the server:
it contains the server root username and password.
Include calls to this file should also be hidden
in the source code.
*/
//Global Variables
$server_handle; //resource id of database
$db_name; //current database name
//returns true if connected to MySQL
if (!function_exists('connectToServer')) {
    function connectToServer(){
        global $server_handle;
        $server_handle = mysql_connect('127.0.0.1', 'root', '') or die(mysql_error());
        if($server_handle){
            return true;
        } else {
            return false;
        }
    }
} else {
    print('connectToServer() already exists');
}
//returns true if connected to a database in MySQL
if (!function_exists('connectToDatabase')) {
    function connectToDatabase($name){
        global $db_name, $server_handle;
        if($server_handle == null){
            return false; //if you haven't connected to the server yet
        } else {
            $db_name = $name;
            $result = mysql_select_db($db_name, $server_handle) or die(mysql_error());
            if($result){
                return true;
            } else {
                return false;
            }
        }
    }
} else {
    print('connectToDatabase() already exists');
}
//returns a query
//each query can only be used once
if (!function_exists('query')) {
    function query($query){
        return mysql_query($query) or die(mysql_error());
    }
} else {
    print('query() already exists');
}
//returns the first row of a result as an associative array (field => value)
if (!function_exists('getElements')) {
    function getElements($file_handle){
        $db_field = mysql_fetch_assoc($file_handle);
        foreach ($db_field as $element => $value) {
            if(!isset($arr)){
                $arr = array();
            }
            $arr[$element] = $value;
        }
        return $arr;
    }
} else {
    print('getElements() already exists');
}
//closes the current database and resets the global variables
if (!function_exists('closeDatabase')) {
    function closeDatabase(){
        global $server_handle, $db_name;
        mysql_close($server_handle) or die(mysql_error()); //close
        //reset
        $server_handle = null;
        $db_name = '';
    }
} else {
    print('closeDatabase() already exists');
}
?>
The error is that when the user tries to log in with the wrong password, he is rejected, which is good; but if he uses the right username, then the password can be anything. It doesn't matter; the program will pass him along to the next page.
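An added example, not the poster's code, of the login check written so that it decides on whether a row actually matched: query() above returns the boolean result of `mysql_query(...) or die(...)`, and even a bare mysql_query() result is truthy for a SELECT that matches no rows, so if($file_handle) never tests the password. This version uses a mysqli prepared statement and a hashed password column; the column name password_hash, the connection credentials and the table layout are assumptions.

```php
<?php
// Added example: authenticate() returns true only when exactly one row
// matches the username AND the submitted password verifies against the
// stored hash. Assumes a tb_users table with columns username and
// password_hash (the hash column is an assumption; the poster's table
// stores the plain password).
function authenticate(mysqli $db, string $username, string $password): bool
{
    // Prepared statement: user input is bound as data, never spliced into
    // the SQL text, so quoting in the input cannot change the query.
    $stmt = $db->prepare('SELECT password_hash FROM tb_users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true when a row was returned, null when none
    $stmt->close();

    // A SELECT that matches nothing still "succeeds", so the decision must
    // rest on the fetched row, not on the query result being truthy.
    if ($found !== true) {
        return false;
    }
    // Constant-time comparison against the stored password_hash() value
    // instead of comparing plain text inside the SQL WHERE clause.
    return password_verify($password, $hash);
}

session_start();
if (isset($_POST['submit1'])) {
    // Placeholder credentials; a dedicated low-privilege account, not root.
    $db = new mysqli('127.0.0.1', 'APP_DB_USER', 'APP_DB_PASSWORD', 'users');
    if ($db->connect_error) {
        die('Could not connect to database');
    }
    if (authenticate($db, $_POST['username1'] ?? '', $_POST['password1'] ?? '')) {
        session_regenerate_id(true);           // fresh session id after login
        $_SESSION['username'] = $_POST['username1'];
        header('Location: data/main.php');
        exit;                                  // nothing after a redirect runs
    }
    echo 'Username or password are incorrect<br>';
}
```

This has to run before any HTML is sent, because header() cannot redirect once the page body has started; in the poster's index.php the `<html>` and `<head>` lines are output before the PHP block.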