Login script problem
Posted: Thu Apr 15, 2004 5:40 pm
by John Cartwright
No matter what I input I am always getting authed...
To my understanding my query statement checks to see if there is a matching username and password in the same row and if there isn't the script is exited... (stopped on that line)..
am I incorrect?
Code:
<?php
session_start();
include('inc/connect.php');
?>
<link href="inc/css.css" rel="stylesheet" type="text/css">
<?php
if ($_SESSION['auth'] != 'authed')
{
    $login='1';
    include ('form.php');
}
if (isset($_POST['submit']))
{
    $email = $_POST['email'];
    $password = $_POST['password'];
    //$_POST['email'] = $email;
    //$_POST['password'] = $password;
    $result = @mysql_query("SELECT * FROM user WHERE email='$email' && password='$password'") or die("Name and password not found or not matched".exit());
    $_SESSION['auth'] = 'authed';
}
//debugging
echo $_SESSION['auth'];
echo $_POST['email'];
echo $email;
echo $password;
echo $_POST['submit'];
?>
Posted: Thu Apr 15, 2004 5:43 pm
by markl999
mysql_query always returns a value, it doesn't return any results. So try:
$result = @mysql_query("SELECT * FROM user WHERE email='$email' && password='$password'") or die(mysql_error());
if(!mysql_num_rows($result)){
    die('Invalid username and/or password');
}
Posted: Thu Apr 15, 2004 5:44 pm
by tim
the mysql doesn't specify rows like you're wanting it to in your example (like you might expect/think it would)
check out mysql_num_rows or break down the rows with mysql_fetch_array and compare n contrast the given username with the others in the table
:/ edit, shooter beat me. add another to the list!
Posted: Thu Apr 15, 2004 5:46 pm
by John Cartwright
Thanks mark.. that makes more sense
It's just they are still getting validated no matter what... if I enter an invalid email/pass or even if I leave it blank
Posted: Thu Apr 15, 2004 5:48 pm
by markl999
Can you post the updated code?
Posted: Thu Apr 15, 2004 5:50 pm
by John Cartwright
Code:
<?php
session_start();
include('inc/connect.php');
?>
<link href="inc/css.css" rel="stylesheet" type="text/css">
<?php
if ($_SESSION['auth'] != 'authed')
{
    $login='1';
    include ('form.php');
}
if (isset($_POST['submit']))
{
    $email = $_POST['email'];
    $password = $_POST['password'];
    //$_POST['email'] = $email;
    //$_POST['password'] = $password;
    $result = @mysql_query("SELECT * FROM user WHERE email='$email' && password='$password'") or die(mysql_error());
    if(!mysql_num_rows($result))
    {
        die('Invalid username and/or password');
    }else{
        $_SESSION['auth'] = 'authed';
    }
}
//debugging
echo $_SESSION['auth'];
echo $_POST['email'];
echo $email;
echo $password;
echo $_POST['submit'];
?>
*added* does die terminate the script on that one?
if not exit does that right?
Posted: Thu Apr 15, 2004 5:55 pm
by markl999
Yeah, die() is just like exit() but you can specify a message.
Not sure why it's not working, but just to be sure it's not a stray authed session from a previous attempt you should close the browser and retry it.
Posted: Thu Apr 15, 2004 5:57 pm
by John Cartwright
Yea I've done that.. I'm not THAT noob
EDIT - stupid me.. in my database I had a row with no username / pass

That's why it was returning authed
thanks mark and tim
Posted: Thu Apr 15, 2004 6:02 pm
by markl999
"Yea I've done that.. I'm not THAT noob"
I know, I just don't like to assume

"When you ASSUME you make an ASS out of U and ME."
Posted: Thu Apr 15, 2004 6:10 pm
by John Cartwright
1 more problem... how do I send a header in the middle of a script without getting the header already sent error... :S
Posted: Thu Apr 15, 2004 6:12 pm
by markl999
Depends, a header can go anywhere before output is sent, that could be at the bottom of a script if you want.
If you're going to do a header("Location: foo.php"); then there's no reason to have output before it, so it can go anywhere (before output).
Posted: Thu Apr 15, 2004 6:34 pm
by John Cartwright
Code:
<?php
session_start();
include('inc/connect.php');
?>
<link href="inc/css.css" rel="stylesheet" type="text/css">
<?php
if ($_SESSION['userlvl']=='admin')
{
    header('Location: adminpanel.php');
}elseif ($_SESSION['userlvl']=='customer'){
    header('Location: userpanel.php');
}
if ($_SESSION['auth'] != 'authed')
{
    $login='1';
    include ('form.php');
}
if (isset($_POST['submit']))
{
    $email = $_POST['email'];
    $password = $_POST['password'];
    $result = @mysql_query("SELECT * FROM user WHERE email='$email' && password='$password'") or die(mysql_error());
    if(!mysql_num_rows($result))
    {
        die('Invalid username and/or password');
    }else{
        $row = mysql_fetch_array($result);
        $userlevel = $row['userlevel'];
        $_SESSION['auth'] = 'authed';
        $_SESSION['userlvl'] = $userlevel
    }
} // line 37
?>
This is what I'm ending up with but I'm getting unexpected } on line 37 but even if I remove it, add another or anything always getting that error... I'm boggled.
Posted: Thu Apr 15, 2004 6:41 pm
by markl999
$_SESSION['userlvl'] = $userlevel <-- missing the ;
Also the <link href="inc/css.css" rel="stylesheet" type="text/css"> would be classed as output so the headers would fail. You should move that line down past the point where you no longer want to redirect.
Posted: Thu Apr 15, 2004 6:42 pm
by John Cartwright
Wow, I am so blind... thanks mark
Everything seems to be working fine but if I correctly put in the login info I have to manually refresh the page before it is redirected....
Posted: Thu Apr 15, 2004 6:54 pm
by markl999
Code:
if ($_SESSION['userlvl']=='admin')
{
    header('Location: adminpanel.php');
}elseif ($_SESSION['userlvl']=='customer'){
    header('Location: userpanel.php');
}
This code needs to come after you do the auth checking below it...or, put a header("Location: at the point when authentication is confirmed.
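A hardened form of the login check this thread works toward, as an added example that is not code from any poster: it refuses blank input (so a stray empty row cannot authenticate anyone), binds the submitted values as parameters instead of interpolating them into the SQL string, compares against a password hash, and maps the user level to the panel to redirect to. The in-memory SQLite database (requires pdo_sqlite), the table layout, the sample rows and the function names are assumptions made so the example runs stand-alone; the mysql_* functions used in the thread were removed in PHP 7.

```php
<?php
// Added example, not code from the thread. Table layout, sample rows and
// function names are constructed; an in-memory SQLite database stands in
// for the MySQL connection opened by inc/connect.php.
declare(strict_types=1);

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (email TEXT, password_hash TEXT, userlevel TEXT)');
    $ins = $db->prepare('INSERT INTO user VALUES (?, ?, ?)');
    $ins->execute(['admin@example.test', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);
    $ins->execute(["o'brien@example.test", password_hash('s3cret', PASSWORD_DEFAULT), 'customer']);
    $ins->execute(['', '', 'customer']); // stray blank row, as in the thread
    return $db;
}

// Returns the user's level on success, null on any failure.
function authenticate(PDO $db, string $email, string $password): ?string
{
    if ($email === '' || $password === '') {
        return null; // blank input never authenticates, whatever the table holds
    }
    // Values are bound as parameters, so a quote in the input stays data.
    $stmt = $db->prepare('SELECT password_hash, userlevel FROM user WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['userlevel'];
}

// Maps a user level to its panel; file names are the ones used in the thread.
function panel_for(?string $level): ?string
{
    $panels = ['admin' => 'adminpanel.php', 'customer' => 'userpanel.php'];
    return $panels[$level ?? ''] ?? null;
}

$db = make_demo_db();
var_dump(authenticate($db, '', ''));                            // blank form
var_dump(authenticate($db, 'admin@example.test', 'wrong'));     // bad password
var_dump(authenticate($db, "o'brien@example.test", 's3cret'));  // apostrophe in e-mail
var_dump(panel_for(authenticate($db, 'admin@example.test', 'correct horse')));
// In the login page, right after authenticate() succeeds and before any output:
//   session_regenerate_id(true); $_SESSION['userlvl'] = $level;
//   header('Location: ' . panel_for($level)); exit;
```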