log in system

Posted: Sat Feb 07, 2004 4:30 pm
by Trevor_needs_help
I am trying to create a page where a user name and password have to be typed in so the user has to log in. I have a script but I don't know why it keeps on coming up with an error message. It keeps on saying that the user is not on record when they are. Can anyone help? I'm going mad.

<?php

if (isset($_POST['submit'])) { // Handle the form.

require_once ('../mysql_connect.php'); // Connect to the db.

$message = NULL; // Create an empty new variable.

// Check for a username.
if (empty($_POST['username'])) {
$u = FALSE;
$message .= '<p>You forgot to enter your username!</p>';
} else {
$u = escape_data($_POST['username']);
}

// Check for a password.
if (empty($_POST['password'])) {
$p = FALSE;
$message .= '<p>You forgot to enter your password!</p>';
} else {
$p = escape_data($_POST['password']);
}

if ($u && $p) { // If everything's OK.

// Retrieve the user_id and first_name for that username/
$query = "SELECT user_id,first_name FROM users WHERE (username='$u' AND password=PASSWORD('$p'))";


$result = @mysql_query ($query); // Run the query.
$row = mysql_fetch_array ($result, MYSQL_NUM); // Return a record, if applicable.

if ($row) { // A record was pulled from the database.

// Set the cookies & redirect.
//setcookie ('first_name', $row[1]);
//setcookie ('user_id', $row[0]);
header ("Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/loggedin.php");
exit(); // Quit the script.

} else { // No record matched the query.
$message = '<p>The username and password entered do not match those on file.</p>';
}

mysql_close(); // Close the database connection.

} else {
$message .= '<p>Please try again.</p>';
}

} // End of the main Submit conditional.

// Set the page title and include the HTML header.


// Print the error message if there is one.
if (isset($message)) {
echo '<font color="red">', $message, '</font>';
}
?>

<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>" method="post">
<fieldset><legend>Enter your information in the form below:</legend>

<p><b>User Name:</b> <input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo htmlspecialchars($_POST['username'], ENT_QUOTES); ?>" /></p>

<p><b>Password:</b> <input type="password" name="password" size="20" maxlength="20" /></p>

<div align="center"><input type="submit" name="submit" value="Login" /></div>

</fieldset>

</form><!-- End of Form -->
<?php
// Include the HTML footer.
?>

Use the Built in PHP Syntax Highlighter!

Posted: Sat Feb 07, 2004 5:44 pm
by partiallynothing
Now that it is easier to read, I'll take a look at it...

<?php

if (isset($_POST['submit'])) { // Handle the form.

require_once ('../mysql_connect.php'); // Connect to the db.

$message = NULL; // Create an empty new variable.

// Check for a username.
if (empty($_POST['username'])) {
$u = FALSE;
$message .= '<p>You forgot to enter your username!</p>';
} else {
$u = escape_data($_POST['username']);
}

// Check for a password.
if (empty($_POST['password'])) {
$p = FALSE;
$message .= '<p>You forgot to enter your password!</p>';
} else {
$p = escape_data($_POST['password']);
}

if ($u && $p) { // If everything's OK.

// Retrieve the user_id and first_name for that username/
$query = "SELECT user_id,first_name FROM users WHERE (username='$u' AND password=PASSWORD('$p'))";
$result = @mysql_query ($query); // Run the query.
$row = mysql_fetch_array ($result, MYSQL_NUM); // Return a record, if applicable.

if ($row) { // A record was pulled from the database.

// Set the cookies & redirect.
//setcookie ('first_name', $row[1]);
//setcookie ('user_id', $row[0]);
header ("Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/loggedin.php");
exit(); // Quit the script.

} else { // No record matched the query.
$message = '<p>The username and password entered do not match those on file.</p>';
}

mysql_close(); // Close the database connection.

} else {
$message .= '<p>Please try again.</p>';
}

} // End of the main Submit conditional.

// Set the page title and include the HTML header.


// Print the error message if there is one.
if (isset($message)) {
echo '<font color="red">', $message, '</font>';
}
?>

<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>" method="post">
<fieldset><legend>Enter your information in the form below:</legend>

<p><b>User Name:</b> <input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo htmlspecialchars($_POST['username'], ENT_QUOTES); ?>" /></p>

<p><b>Password:</b> <input type="password" name="password" size="20" maxlength="20" /></p>

<div align="center"><input type="submit" name="submit" value="Login" /></div>

</fieldset>

</form><!-- End of Form -->
<?php
// Include the HTML footer. 
?>

Posted: Sat Feb 07, 2004 5:48 pm
by partiallynothing
First of all, I have no clue what the function escape_data() does. I could not find it at php.net... Can anyone explain what that does?

Posted: Sat Feb 07, 2004 6:46 pm
by DuFF
The MySQL query is probably what's causing the problem. I would suggest using an alternate method of encryption rather than PASSWORD().
MySQL.COM wrote:
Note: The PASSWORD() function is used by the authentication system in MySQL Server, you should NOT use it in your own applications. For that purpose, use MD5() or SHA1() instead. Also see RFC-2195 for more information about handling passwords and authentication securely in your application.
I would suggest using MD5 personally.
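
The login check discussed in this thread, as an added example that is not part of any post above: it hashes and compares in PHP with password_hash()/password_verify() (a swapped-in technique, not the MD5() suggested in the thread) and binds the username as a parameter instead of relying on escape_data(). The table and column names follow the posted query; the find_user() helper, the in-memory SQLite database (needs the pdo_sqlite extension) and the sample accounts are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// posted query; find_user() and the sample data are hypothetical.

function find_user(PDO $db, string $username, string $password): ?array
{
    // Bound parameter instead of escape_data() plus string interpolation.
    $stmt = $db->prepare(
        'SELECT user_id, first_name, password FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare in PHP against the stored hash. The check only succeeds when the
    // stored value was produced by the matching function at registration time.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same result for unknown user and wrong password
    }
    unset($row['password']); // never hand the hash back to the caller
    return $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    user_id INTEGER PRIMARY KEY, username TEXT UNIQUE,
    first_name TEXT, password TEXT)');

// Registration side: store the hash, never the plain password.
$insert = $db->prepare(
    'INSERT INTO users (username, first_name, password) VALUES (?, ?, ?)'
);
$insert->execute(['trevor', 'Trevor', password_hash('correct horse', PASSWORD_DEFAULT)]);

// A row whose password column holds something other than a password_hash()
// value (here: plain text) can never match, which the login page reports
// exactly like a user who is "not on record".
$insert->execute(['legacy', 'Legacy', 'correct horse']);

var_dump(find_user($db, 'trevor', 'correct horse') !== null); // stored hash, right password
var_dump(find_user($db, 'trevor', 'wrong') !== null);         // stored hash, wrong password
var_dump(find_user($db, 'legacy', 'correct horse') !== null); // stored value is not a hash
```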