Login script problem

John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

No matter what I input I am always getting authed...
To my understanding my query statement checks to see if there is a matching username and password in the same row, and if there isn't the script is exited... (stopped on that line)..

Am I incorrect?

Code:

<?php session_start();
   include('inc/connect.php');
?> <link href="inc/css.css" rel="stylesheet" type="text/css"> <?php

if ($_SESSION['auth'] != 'authed')
{
    $login='1';
    include ('form.php');
}
if (isset($_POST['submit']))
{
    $email = $_POST['email'];
    $password = $_POST['password'];
    //$_POST['email'] = $email;
    //$_POST['password'] = $password;

    $result = @mysql_query("SELECT * FROM user WHERE email='$email' && password='$password'") or die("Name and password not found or not matched".exit());

    $_SESSION['auth'] = 'authed';
}

//debugging
echo $_SESSION['auth'];
echo $_POST['email'];
echo $email;
echo $password;
echo $_POST['submit'];

?>
markl999
DevNet Resident
Posts: 1972
Joined: Thu Oct 16, 2003 5:49 pm
Location: Manchester (UK)

Post by markl999 »

mysql_query always returns a value, it doesn't return any results. So try:

$result = @mysql_query("SELECT * FROM user WHERE email='$email' && password='$password'") or die(mysql_error());
if(!mysql_num_rows($result)){
die('Invalid username and/or password');
}
tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

The mysql doesn't specify rows like you're wanting it to in your example (like you might expect/think it would).

Check out mysql_num_rows or break down the rows with mysql_fetch_array and compare and contrast the given username with the others in the table.

:/ edit, shooter beat me. add another to the list!

Post by John Cartwright »

Thanks mark.. that makes more sense :P

It's just they are still getting validated no matter what... if I enter an invalid email/pass or even if I leave it blank

Post by markl999 »

Can you post the updated code?

Post by John Cartwright »

Code:

<?php session_start();
   include('inc/connect.php');
?> <link href="inc/css.css" rel="stylesheet" type="text/css"> <?php

if ($_SESSION['auth'] != 'authed')
{
    $login='1';
    include ('form.php');
}
if (isset($_POST['submit']))
{
    $email = $_POST['email'];
    $password = $_POST['password'];
    //$_POST['email'] = $email;
    //$_POST['password'] = $password;

    $result = @mysql_query("SELECT * FROM user WHERE email='$email' && password='$password'") or die(mysql_error());
    if(!mysql_num_rows($result))
    {
        die('Invalid username and/or password');
    }else{
        $_SESSION['auth'] = 'authed';
    }
}

//debugging
echo $_SESSION['auth'];
echo $_POST['email'];
echo $email;
echo $password;
echo $_POST['submit'];

?>

*added* Does die terminate the script on that one?
If not, exit does that, right?

Post by markl999 »

Yeah, die() is just like exit() but you can specify a message.
Not sure why it's not working, but just to be sure it's not a stray authed session from a previous attempt you should close the browser and retry it.

Post by John Cartwright »

Yea I've done that.. I'm not THAT noob :)

EDIT - stupid me.. in my database I had a row with no username / pass :P That's why it was returning authed :P

thanks mark and tim

Post by markl999 »

"Yea I've done that.. I'm not THAT noob"

I know, I just don't like to assume ;)
"When you ASSUME you make an ASS out of U and ME."

Post by John Cartwright »

1 more problem... how do I send a header in the middle of a script without getting the header already sent error... :S

Post by markl999 »

Depends, a header can go anywhere before output is sent, that could be at the bottom of a script if you want.
If you're going to do a header("Location: foo.php"); then there's no reason to have output before it, so it can go anywhere (before output).

Post by John Cartwright »

Code:

<?php session_start();
   include('inc/connect.php');
?> <link href="inc/css.css" rel="stylesheet" type="text/css"> <?php

if ($_SESSION['userlvl']=='admin')
{
    header('Location: adminpanel.php');
}elseif ($_SESSION['userlvl']=='customer'){
    header('Location: userpanel.php');
}

if ($_SESSION['auth'] != 'authed')
{
    $login='1';
    include ('form.php');
}
if (isset($_POST['submit']))
{
    $email = $_POST['email'];
    $password = $_POST['password'];

    $result = @mysql_query("SELECT * FROM user WHERE email='$email' && password='$password'") or die(mysql_error());

    if(!mysql_num_rows($result))
    {
        die('Invalid username and/or password');
    }else{
        $row = mysql_fetch_array($result);
        $userlevel = $row['userlevel'];
        $_SESSION['auth'] = 'authed';
        $_SESSION['userlvl'] = $userlevel
    }
} // line 37

?>

This is what I'm ending up with, but I'm getting unexpected } on line 37, and even if I remove it, add another or anything, I'm always getting that error... I'm boggled.

Post by markl999 »

$_SESSION['userlvl'] = $userlevel <-- missing the ;

Also the <link href="inc/css.css" rel="stylesheet" type="text/css"> would be classed as output so the headers would fail. You should move that line down past the point where you no longer want to redirect.

Post by John Cartwright »

Wow, I am so blind... thanks mark

Everything seems to be working fine, but if I correctly put in the login info I have to manually refresh the page before it is redirected....

Post by markl999 »

Code:

if ($_SESSION['userlvl']=='admin')
{
    header('Location: adminpanel.php');
}elseif ($_SESSION['userlvl']=='customer'){
    header('Location: userpanel.php');
}

This code needs to come after you do the auth checking below it...or, put a header("Location: at the point when authentication is confirmed.
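
The checks this thread converges on (a query that runs is not a match, blank credentials must not match a blank row, and the redirect is chosen before any output), as an added example that is not part of the original thread or any poster's code. It goes slightly beyond the thread by using PDO bound parameters and password_hash()/password_verify() in place of the interpolated query and plain-text password column. Assumptions: the in-memory SQLite table, the password_hash column, the helper names authenticate() and panel_for(), and all sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database (assumption: the
// thread used MySQL through the old mysql_* functions; PDO covers both).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (email TEXT, password_hash TEXT, userlevel TEXT)');
$insert = $db->prepare('INSERT INTO user VALUES (?, ?, ?)');
$insert->execute(['admin@example.test', password_hash('constructed-pass-1', PASSWORD_DEFAULT), 'admin']);
$insert->execute(['', '', 'customer']); // the stray blank row from the thread

/** Hypothetical helper: returns the user's level on success, null on any failure. */
function authenticate(PDO $db, string $email, string $password): ?string
{
    // Reject blank input up front so an empty row can never match.
    if ($email === '' || $password === '') {
        return null;
    }
    // Bound parameter: the posted value is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT password_hash, userlevel FROM user WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // A successful query is not a match: require a row AND a verified hash.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['userlevel'];
}

/** Hypothetical helper: maps a user level to the panel pages named in the thread. */
function panel_for(?string $level): ?string
{
    $panels = ['admin' => 'adminpanel.php', 'customer' => 'userpanel.php'];
    return $panels[$level ?? ''] ?? null;
}

// Decide the target before any HTML is emitted; in a web request this is where
// session_regenerate_id(true), header('Location: ' . $target) and exit belong.
$attempts = [['admin@example.test', 'constructed-pass-1'], ['admin@example.test', 'wrong'], ['', '']];
foreach ($attempts as [$email, $password]) {
    $target = panel_for(authenticate($db, $email, $password));
    printf("%-20s -> %s\n", $email === '' ? '(blank)' : $email, $target ?? 'login rejected');
}
```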