Stumped

Posted: Wed Oct 29, 2003 9:39 pm
by bobthebobert
What I am trying to do is create a PHP/MySQL-based login and register system. So far, I have managed to make it so you can register, which will create a table with a name the user specifies in my database. I can log in fine after I create it; my problem is dealing with people who enter a login name that doesn't exist. Please tell me what I am doing wrong, or at least give me some type of clue :)

Login.php

Code:

<?php
$link = mysql_pconnect("localhost:3306","The master", "")
	or die ;
mysql_select_db(RPG);

$loginname = $_POST['loginname'];
$password = $_POST['password'];
$blank = "";
$result = mysql_query("SELECT password FROM $loginname WHERE (loginname = '$loginname')");
	
while ($row = mysql_fetch_array($result)) {
	$passcheck = ("$row[0]");
}

if ($password <> $passcheck)  {
	echo "Did you type the wrong password in?  Click" ?> <a href="http://localhost/login.html">here</a> to go back. 
<?php
} 
elseif ($passcheck == $blank)  {
	echo "That login name does not exist. Click" ?> <a href="http://localhost/login.html">here</a>to go back.
<?php } ?>
And yes, it does work if you enter a viable loginname; it's just that if you don't, it gives error messages.

Posted: Wed Oct 29, 2003 9:56 pm
by markl999
If you're only checking for one user, then you don't need to do a while on the result set.
I'd just do something like:

Code:

$row = mysql_fetch_array($result);
if ($password != $row['password']){
   //error message here
}
I also wouldn't do the "That login name does not exist" bit, as it tells someone that the password was correct but the username was bad. You should just generally say "Bad login" and not tell the user whether it was down to a bad username and/or password.

check

Posted: Wed Oct 29, 2003 11:15 pm
by itsmani1
Check the mysql_fetch_array function in the help.

Posted: Thu Oct 30, 2003 5:20 am
by volka
Why do you create a table for each user?
Is there a very special reason why you don't simply add a new record to an existing user table?
Never put user input untreated into a database query.

Code:

$loginname = mysql_escape_string($_POST['loginname']);
$password = mysql_escape_string($_POST['password']);
// both values are quoted in the query; escaping alone does not protect an unquoted value
$query = "SELECT count(*) FROM $usertable WHERE loginname='$loginname' AND password='$password'";
$result = mysql_query($query);
// <- if the database reports no error ->
$row = mysql_fetch_row($result);
$num = $row[0];

if ($num > 0)
{	// valid login
}

Posted: Thu Oct 30, 2003 3:55 pm
by bobthebobert
Thanks for your help :)

No volka, there isn't really, I just wanted to try it.
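
The replies above, pulled together as an added example (not code from any poster in this thread): one shared users table, a parameterized query, and a single "Bad login" result whether the name or the password was wrong. It goes beyond the thread by storing password hashes and by using PDO with an in-memory SQLite database in place of MySQL so it runs offline; the table, column and function names are assumptions.

```php
<?php
// Added example. SQLite in memory stands in for the thread's MySQL database;
// the users table and its columns are assumed names.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    loginname     TEXT PRIMARY KEY,
    password_hash TEXT NOT NULL
)');

// Registration adds one row to the shared table instead of creating a table per user.
function register_user(PDO $db, string $loginname, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (loginname, password_hash) VALUES (?, ?)');
    $stmt->execute([$loginname, password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns true only when the login name exists and the password matches.
function check_login(PDO $db, string $loginname, string $password): bool
{
    // Placeholders keep user input out of the SQL text, and the table name is fixed.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE loginname = ?');
    $stmt->execute([$loginname]);
    $hash = $stmt->fetchColumn();      // false when no row matches the login name

    if ($hash === false) {
        return false;                  // unknown name: same outcome as a wrong password
    }
    return password_verify($password, $hash);
}

register_user($db, 'bob', 'correct horse');   // constructed sample account

$attempts = [                                 // constructed sample input
    ['bob', 'correct horse'],                 // valid login
    ['bob', 'wrong'],                         // wrong password
    ['nobody', 'anything'],                   // login name that does not exist
    ["o'neil", 'x'],                          // a quote in the name is just data
];
foreach ($attempts as [$name, $pass]) {
    // One message for every failure, so the page does not reveal which names exist.
    echo str_pad($name, 10), check_login($db, $name, $pass) ? 'Login OK' : 'Bad login', "\n";
}
```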