Username Password

Posted: Thu Apr 01, 2004 8:26 am
by eoinmick
Wondering can anyone tell me what I could do with the code below... I have a login page programmed in HTML, where the user enters their username and password, then I have an adminlogin page which checks the input. The problem is that by the time the user presses the submit button it goes right to the adminlogin page regardless of what they entered. Could I put all the code in one form; if what they submit is correct, it goes to another page; if incorrect, it stays on that form... Hope this makes sense!!!
Code!
LOGIN.PHP
<html>
<head><title>Admin Login</title></head>

<body text="blue" BGCOLOR="FFFFCC">

<center><img src="http://www.webcom.com/graphics/formt.gif"
width=150 height=100></center>

<center>
<font size="3"><p align=center>
<h1>Admin Login</h1>
</center>
<p>

<form action="adminlogin.php" method="post">
Enter user name: <input type="text" name="username"><p>
Enter password: <input type="password" name="password"><p>
<input type='submit' value='submit'>
</form>

</body>

</html>

ADMINLOGIN
<html>

<head><title>Admin Login</title></head>

<body text="blue" BGCOLOR="FFFFCC">

<h1><center>Admin Login</center></h1>

<center>

Code: Select all

<?php

// Database connection settings
$user = "";
$host = "";
$password = "";
$database = "";

$connection = mysql_connect($host, $user, $password)
    or die("couldn't connect to server");

$db = mysql_select_db($database, $connection)
    or die("Couldn't select database");

$password = $HTTP_POST_VARS['password'];
$username = $HTTP_POST_VARS['username'];
$query = "SELECT password FROM users WHERE username= '$username'";
$result = mysql_query($query)
    or die("couldn't execute query.");
$row = mysql_fetch_array($result, MYSQL_ASSOC);

if ($username == $row['password'])
{
    /*  this only outputs the password as it is the only thing called in the query*/

    echo "<h1>$username:</h1>";
    echo "<h1>valid password!</h1>";

    $query1 = "SELECT * FROM users WHERE username= '$username'";
    $result1 = mysql_query($query1)
        or die("couldn't execute query.");

    while ($row1 = mysql_fetch_array($result1))
    {
        extract($row1);
        echo " <table border = 2 width=70%>";
    }

    echo "</table>";
}
else
{
    echo "<h1>invalid User name or password</h1>";
    echo "<h2>Please retype!!</h2>";
}

?>

</center>
<p>

<center><img src="http://www.webcom.com/graphics/formt.gif"
width=150 height=100></center>

<br>
<p align="center"><a href="http://~u2ell/flightsinput.php"><font size="3" color="red">Enter Flight Details</font></a></p>
<br>
<p align="center"><a href="http://~u2ell/flightpricesinput.php"><font size="3" color="red">Enter Flight Prices</font></a></p>

</body>

</html>

Thanks.

Posted: Thu Apr 01, 2004 8:30 am
by markl999
if ($username == $row['password'])

The password is the same as the username ?

Posted: Thu Apr 01, 2004 8:38 am
by eoinmick
Just changed that, thanks.

Posted: Thu Apr 01, 2004 8:44 am
by magicrobotmonkey
You could combine your pages or build one control php like this pseudo code:
if (nothing posted or incorrect username or password)
    include(login form)
else if (correct username password)
    include(admin page)

Posted: Thu Apr 01, 2004 9:07 am
by eoinmick
When you say combine, do you mean like this??
_________
<html>
<head><title>Admin Login</title></head>

<body text="blue" BGCOLOR="FFFFCC">

<center><img src="http://www.webcom.com/graphics/formt.gif"
width=150 height=100></center>

<center>
<font size="3"><p align=center>
<h1>Admin Login</h1>
</center>
<p>

<form method="post" action="<?php echo $PHP_SELF?>">
Enter user name: <input type="text" name="username"><p>
Enter password: <input type="password" name="password"><p>
<input type='submit' value='submit'>
</form>

Code: Select all

<?php

// Database connection settings
$user = "u2ell";
$host = "mysql";
$password = "";
$database = "u2ell";

$connection = mysql_connect($host, $user, $password)
    or die("couldn't connect to server");

$db = mysql_select_db($database, $connection)
    or die("Couldn't select database");

$password = $HTTP_POST_VARS['password'];
$username = $HTTP_POST_VARS['username'];
$query = "SELECT password FROM users WHERE username= '$username'";
$result = mysql_query($query)
    or die("couldn't execute query.");
$row = mysql_fetch_array($result, MYSQL_ASSOC);

if ($password == $row['password'])
{
    /*  this only outputs the password as it is the only thing called in the query*/

    echo "<h1>$username:</h1>";
    echo "<h1>valid password!</h1>";

    $query1 = "SELECT * FROM users WHERE username= '$username'";
    $result1 = mysql_query($query1)
        or die("couldn't execute query.");

    while ($row1 = mysql_fetch_array($result1))
    {
        extract($row1);
        echo " <table border = 2 width=70%>";
    }

    echo "</table>";
}
else
{
    echo "<h1>invalid User name or password</h1>";
    echo "<h2>Please retype!!</h2>";
}

?>





</center>
<p>

<center><img src="http://www.webcom.com/graphics/formt.gif"
width=150 height=100></center>

<br>
<p align="center"><a href="http://~u2ell/flightsinput.php"><font size="3" color="red">Enter Flight Details</font></a></p>
<br>
<p align="center"><a href="http://~u2ell/flightpricesinput.php"><font size="3" color="red">Enter Flight Prices</font></a></p>

</body>

</html>

Posted: Thu Apr 01, 2004 9:14 am
by magicrobotmonkey
Yes, with a kind of.

The way you have it right now you are going to see the login screen every time. You know that you can use PHP to output HTML, right? So do that. Or just include different files depending on what comes through in the $_POST vars, like:

Code: Select all

<?php
if (!isset($_POST['username']) || $_POST['password'] != $password)
    include "login.inc";
else
    include "dostuff.inc";
?>
Or you may want to check to see if isset $_POST first, before you hit the dbase, to avoid extraneous hits. But do you see what I mean? You can even put this code in the middle of a "template" page with headers and footers, and the inc files will only contain the forms you want. Note that this is only pseudo code and you will have to check for a lot of other stuff before deciding what to do, like make sure the username is in the dbase and such.

Then, within login.inc you can discover what the problem was and let the user know what they did wrong to help them do it right.

Posted: Thu Apr 01, 2004 9:18 am
by eoinmick
Really only new to PHP and do not completely understand... sorry.

Posted: Thu Apr 01, 2004 9:30 am
by Pozor
hello,

only two things:

Don't do it the unsafe way and name your files .inc -> they could be read by everyone if you have them in the web folder!
Solution: naming them .inc.php is way better.


You save the password in clear text in the DB -> dangerous solution.
You should design every system so that an evil admin doesn't have the chance to figure out passwords -> this is good programming style.
Save it as an md5 hash.
Forgot the password -> create a new one.

Code: Select all

<?php
//function: 
$md5hash =  md5($string);
?>

Code: Select all

<?php
// $password holds the stored md5 hash for this user
if (!isset($_POST['username']) or (md5($_POST['password']) != $password))
{
    include_once('login.inc.php');
}
else
{
    include_once('dostuff.inc.php');
}
?>

greez Pozor
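
Added example, not part of any post in this thread: the single control page suggested earlier combined with the hashed password storage advised in the post above. It assumes PDO with an in-memory SQLite table (constructed data) in place of the thread's mysql_* calls and PHP's password_hash()/password_verify() in place of a bare md5(); the `users` columns and the helpers `authenticate()` and `choose_view()` are hypothetical names.

```php
<?php
// Added example: one entry point that picks the view after checking credentials.
// Table layout, helper names and the sample account are assumptions for illustration.

function authenticate(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the username is bound as data, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matched; fail closed.
    if ($hash === false) {
        return false;
    }
    // password_verify() re-derives the salted hash and compares it safely.
    return password_verify($password, $hash);
}

function choose_view(PDO $db, array $post): string
{
    // Nothing (or something malformed) posted: show the form without touching the database.
    if (!isset($post['username'], $post['password'])
        || !is_string($post['username']) || !is_string($post['password'])) {
        return 'login.inc.php';
    }
    return authenticate($db, $post['username'], $post['password'])
        ? 'dostuff.inc.php'
        : 'login.inc.php';
}

// Constructed demo data: in-memory SQLite stands in for the thread's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

$cases = [
    'nothing posted'  => [],
    'wrong password'  => ['username' => 'admin', 'password' => 'guess'],
    'quote in name'   => ['username' => "o'brien", 'password' => 'x'],
    'valid login'     => ['username' => 'admin', 'password' => 'correct horse'],
];
foreach ($cases as $label => $post) {
    printf("%-15s -> %s\n", $label, choose_view($db, $post));
}
```

On a real page the demo loop would be replaced by `include choose_view($db, $_POST);`, with both view files given a .php ending as the post above advises.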

Posted: Thu Apr 01, 2004 9:44 am
by magicrobotmonkey
Oh, yeah, true about the file endings. I'm so used to hosting my own, where I can customize Apache so I don't allow anything but my driver file to be accessed, so everything else I can just name whatever.

Re: Username Password

Posted: Thu Apr 01, 2004 12:23 pm
by malcolmboston
Just a quick note: you should update your syntax, as some of the syntax you are using is old and won't be guaranteed to work in the future.

Code: Select all

// old posted data $HTTP_POST_VARS['data']
// new posted data $_POST['data']
// GET is exactly the same and should be $_GET['data']