Problem with Login Page

BigMC22
Forum Newbie
Posts: 5
Joined: Sun Mar 07, 2004 1:33 pm


Post by BigMC22 »

Hello,
I am having trouble creating a login page. I am just beginning with PHP and MySQL so I'm going straight from the book here. I have set up a database that has the user John Doe in it with a password (that has been hashed). The username is jdoe and pass is doepass. However, when I put those in the login forms and hit submit it just goes to a blank page. I'm pretty sure I've typed everything in correctly (and by pretty sure I mean double checked it 5 times) so, is there anything I need to do with Apache, like the mod_auth_dbm, to get this to work, or do I in fact have a syntax error that is causing it not to work?

Here is the code for the login page:

Code: Select all

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>15.7 User Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<h1>Login Form</h1>
<form method="post" action="listing15.8.php">
<p><strong>Username:</strong><br>
<input type="text" name="username"></p>
<p><strong>Password:</strong><br>
<input type="password" name="password"></p>
<p><input type="submit" name="submit" value="Login"></p></form>
</body>
</html>
and here is the code for the script it is running:

Code: Select all

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<?
if ((!$_POST[username]) || (!$_POST[password])) {
	header("Location: listing15.7.php");
	exit;
}

$conn=mysql_connect("localhost", "****", "********")
	or die(mysql_error());
mysql_select_db("sample_db", $conn) or die(mysql_error());

$sql = "select f_name, l_name from auth_users where username =
	'$_POST[username]' AND password = password('$_POST[password]')";
$result = mysql_query($sql, $conn) or die(mysql_error());

if (mysql_num_rows($result) == 1) {
	
	$f_name = mysql_result($result, 0, 'f_name');
	$l_name = mysql_result($result, 0, 'l_name');
	
	setcookie("auth", "1", 0, "/", "mysite.com", 0);
	
	$msg = "<p>$f_name $l_name is authorized!</p>";
	$msg .="<p>Authorized Users' Menu:";
	
	
} else {
	
	header("Location: listing15.7.php");
	exit;
}
?>
<html>
<head>
<title>Listing 15.8 User Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<? print "$msg"; 
?>

</body>
</html>


Any advice would be greatly appreciated. Thanks.

BigMC
PrObLeM
Forum Contributor
Posts: 418
Joined: Sun Mar 07, 2004 2:30 pm
Location: Mesa, AZ

Post by PrObLeM »

Now, is the PHP file called listing15.8.php (the page that processes the login)?
BigMC22
Forum Newbie
Posts: 5
Joined: Sun Mar 07, 2004 1:33 pm

Post by BigMC22 »

Yes, the PHP file that runs the login script is called listing15.8.php and the file that has the input boxes is listing15.7.php.
PrObLeM
Forum Contributor
Posts: 418
Joined: Sun Mar 07, 2004 2:30 pm
Location: Mesa, AZ

Post by PrObLeM »

change this

Code: Select all

$sql = "select f_name, l_name from auth_users where username =
   '$_POST[username]' AND password = password('$_POST[password]')";
to

Code: Select all

$sql = "select f_name, l_name from auth_users where username='".$_POST[username]."' AND password='".$_POST[password]."'";
BigMC22
Forum Newbie
Posts: 5
Joined: Sun Mar 07, 2004 1:33 pm

Post by BigMC22 »

OK that worked as long as I put the stored hash fingerprint for 'doepass' which turns out to be 2fae5c9d478ec4b1 (that is exactly how it appears in the database) as the password. What do I have to add to this:

$sql = "select f_name, l_name from auth_users where username='".$_POST[username]."' AND password='".$_POST[password]."'";

to allow the user to just type in doepass?

Thanks a lot for the help!!

BigMC
PrObLeM
Forum Contributor
Posts: 418
Joined: Sun Mar 07, 2004 2:30 pm
Location: Mesa, AZ

Post by PrObLeM »

doh

you need to change it to this

Code: Select all

$sql = "select $username, $password from auth_users where username='".$_POST[username]."' AND password='".$_POST[password]."'";
and if that don't work it's

Code: Select all

$sql = "select ".$_GET['username'].", ". $_GET['password']." from auth_users where username='".$_POST[username]."' AND password='".$_POST[password]."'";
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

Slightly OT: Note the second link in my signature, $_POST[username] should be $_POST['username'].

PrObLeM wrote: doh

you need to change it to this

Code: Select all

$sql = "select $username, $password from auth_users where username='".$_POST[username]."' AND password='".$_POST[password]."'";
and if that don't work it's

Code: Select all

$sql = "select ".$_GET['username'].", ". $_GET['password']." from auth_users where username='".$_POST[username]."' AND password='".$_POST[password]."'";

That ain't going to work - you are specifying fields to return from the database that don't exist.

BigMC22 wrote: OK that worked as long as I put the stored hash fingerprint for 'doepass' which turns out to be 2fae5c9d478ec4b1 (that is exactly how it appears in the database) as the password. What do I have to add to this:

Code: Select all

$sql = "select f_name, l_name from auth_users where username='".$_POST[username]."' AND password='".$_POST[password]."'";
to allow the user to just type in doepass?

When the data is inserted into the database, how are you generating the hash? You need to do the same to the posted password before you compare it to the one in the database.

Mac
partiallynothing
Forum Commoner
Posts: 61
Joined: Fri Nov 21, 2003 5:02 pm
Location: connecticut, usa

Post by partiallynothing »

I would recommend that you use MD5 hashing. To do that, just add the following line above your MySQL query.

Code: Select all

<?php
$enc_password = md5($_POST['password']);
$sql = "select f_name, l_name from auth_users where username='".$_POST['username']."' AND password='".$enc_password."'";
?>
The above code tells it to hash the variable $_POST['password'] and save it into the variable $enc_password. Then it carries out the MySQL query with the new variable.
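
Added example (not posted by anyone in this thread): the login check from listing15.8.php with the username passed as a bound parameter instead of being concatenated into the query, and the password checked with PHP's password_hash()/password_verify() in place of MySQL's password() or md5(). It follows twigletmac's point that the submitted password has to go through the same hashing as the stored one. Assumptions: PHP 7.1+ with the PDO SQLite driver; the in-memory table reuses the thread's auth_users columns, and the sample row and the check_login() helper are constructed for illustration.

```php
<?php
// Added example. Table and column names follow the thread; the SQLite
// in-memory database and the sample row are constructed so this runs offline.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE auth_users (
    username TEXT PRIMARY KEY, password TEXT NOT NULL,
    f_name TEXT, l_name TEXT)');

// Registration side: hash once, store only the hash (salt and cost are
// embedded in the string that password_hash() returns).
$ins = $pdo->prepare('INSERT INTO auth_users VALUES (?, ?, ?, ?)');
$ins->execute(['jdoe', password_hash('doepass', PASSWORD_DEFAULT), 'John', 'Doe']);

/** Returns the user's row (without the hash) on success, null otherwise. */
function check_login(PDO $pdo, string $username, string $password): ?array
{
    // Bound parameter: the submitted value never becomes part of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT f_name, l_name, password FROM auth_users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() re-hashes the candidate using the parameters stored
    // in the hash, so login always hashes "the same way" as registration.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Stand-ins for $_POST['username'] / $_POST['password'] (constructed input).
foreach ([['jdoe', 'doepass'], ['jdoe', 'wrong'], ['nobody', 'doepass']] as [$u, $p]) {
    $user = check_login($pdo, $u, $p);
    // Encode database values before they go into the HTML message.
    echo $u, ' / ', $p, ' => ',
        $user ? htmlspecialchars("{$user['f_name']} {$user['l_name']} is authorized!") : 'rejected',
        PHP_EOL;
}
```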