Page 1 of 1

Problem with Login Page

Posted: Mon Mar 08, 2004 10:29 pm
by BigMC22
Hello,
I am having trouble creating a login page. I am just beginning with PHP and MySQL so I'm going straight from the book here. I have set up a database that has the user John Doe in it with a password (that has been hashed). the username is jdoe and pass is doepass. However when I put those in the login forms and hit submit it just goes to a blank page. I'm pretty sure I've typed everything in correctly (and by pretty sure I mean double checked it 5 times) so, is there anything I need to do with Apache, like the mod_auth_dbm to get this to work or do in fact have a syntax error that is causing it not work.

Here is the code for the login page:

Code: Select all

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>15.7 User Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<h1>Login Form</h1>
<form method="post" action="listing15.8.php">
<p><strong>Username:</strong><br>
<input type="text" name="username"></p>
<p><strong>Password:</strong><br>
<input type="password" name="password"></p>
<p></p><input type="submit" name="submit" value="Login"></p></form>
</body>
</html>
and here is the code for the script it is running:

Code: Select all

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<?
if ((!$_POST&#1111;username]) || (!$_POST&#1111;password])) &#123;
	header("Location: listing15.7.php");
	exit;
&#125;

$conn=mysql_connect("localhost", "****", "********")
	or die(mysql_error());
mysql_select_db("sample_db", $conn) or die(mysql_error());

$sql = "select f_name, l_name from auth_users where username =
	'$_POST&#1111;username]' AND password = password('$_POST&#1111;password]')";
$result = mysql_query($sql, $conn) or die(mysql_error());

if (mysql_num_rows($result) == 1) &#123;
	
	$f_name = mysql_result($result, 0, 'f_name');
	$l_name = mysql_result($result, 0, 'l_name');
	
	setcookie("auth", "1", 0, "/", "mysite.com", 0);
	
	$msg = "<p>$f_name $l_name is authorized!</p>";
	$msg .="<p>Authorized Users' Menu:";
	
	
&#125; else &#123;
	
	header("Location: listing15.7.php");
	exit;
&#125;
?>
<html>
<head>
<title>Listing 15.8 User Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<? print "$msg"; 
?>

</body>
</html>


Any advice would be greatly appreciated. Thanks.

BigMC

Posted: Mon Mar 08, 2004 10:42 pm
by PrObLeM
now is the php file called listing15.8.php (the page that prosesses the login)

Posted: Mon Mar 08, 2004 10:45 pm
by BigMC22
yes the PHP file that runs the login script is called listing15.8.php and the file that has the input boxes is listing15.7.php.

Posted: Mon Mar 08, 2004 10:52 pm
by PrObLeM
change this

Code: Select all

$sql = "select f_name, l_name from auth_users where username =
   '$_POST[username]' AND password = password('$_POST[password]')";
to

Code: Select all

$sql = "select f_name, l_name from auth_users where username='".$_POST[username]."' AND password='".$_POST[password]."'";

Posted: Mon Mar 08, 2004 11:11 pm
by BigMC22
OK that worked as long as I put the stored hash fingerprint for 'doepass' which turns out to be 2fae5c9d478ec4b1 (that is exactly how it appears in the database) as the password. What do I have to add to this:

$sql = "select f_name, l_name from auth_users where username='".$_POST[username]."' AND password='".$_POST[password]."'";

to allow the user to just type in doepass?

Thanks alot for the help!!

BigMC

Posted: Mon Mar 08, 2004 11:15 pm
by PrObLeM
doh

you need to change it to this

Code: Select all

$sql = "select $username, $password from auth_users where username='".$_POST[username]."' AND password='".$_POST[password]."'";
and if that dont work its

Code: Select all

$sql = "select ".$_GET['username'].", ". $_GET['password']." from auth_users where username='".$_POST[username]."' AND password='".$_POST[password]."'";

Posted: Tue Mar 09, 2004 3:20 am
by twigletmac
Slightly OT: Note the second link in my signature, $_POST[username] should be $_POST['username'].
PrObLeM wrote:doh

you need to change it to this

Code: Select all

$sql = "select $username, $password from auth_users where username='".$_POST[username]."' AND password='".$_POST[password]."'";
and if that dont work its

Code: Select all

$sql = "select ".$_GET['username'].", ". $_GET['password']." from auth_users where username='".$_POST[username]."' AND password='".$_POST[password]."'";
That aint going to work - you are specifying fields to return from the database that don't exist.
BigMC22 wrote: OK that worked as long as I put the stored hash fingerprint for 'doepass' which turns out to be 2fae5c9d478ec4b1 (that is exactly how it appears in the database) as the password. What do I have to add to this:

Code: Select all

$sql = "select f_name, l_name from auth_users where username='".$_POST[username]."' AND password='".$_POST[password]."'";
to allow the user to just type in doepass?
When the data is inserted into the database, how are you generating the hash? You need to do the same to the posted password before you compare it to the one in the database.

Mac

Posted: Tue Mar 09, 2004 8:59 am
by partiallynothing
I would recommend that you used MD5 hashing. To do that, just add the following line above your mySQL query.

Code: Select all

<?php
$enc_password = md5($_POST['password']);
$sql = "select f_name, l_name from auth_users where username='".$_POST[username]."' AND password='".$enc_password."'";
?>
The above code tells it to hash the variable $_POST['password'] and save it into the variable $enc_password. Then it caries out the mySQL query with the new variable.