Login script problem

Posted: Thu Apr 15, 2004 5:40 pm
by John Cartwright
No matter what I input I am always getting authed...
To my understanding my query statement checks to see if there is a matching username and password in the same row and if there isn't the script is exited... (stopped on that line)..

Am I incorrect?

Code:

<? session_start();
   include('inc/connect.php');
?> <link href="inc/css.css" rel="stylesheet" type="text/css"> <?

			if ($_SESSION['auth'] != 'authed') 
			{ 
			$login='1';
			include ('form.php');
			}
			if (isset($_POST['submit']))
			{
			
			$email = $_POST['email'];
			$password = $_POST['password'];
			//$_POST['email'] = $email;
			//$_POST['password'] = $password;
			
			$result = @mysql_query("SELECT * FROM user WHERE email='$email' && password='$password'") or die("Name and password not found or not matched".exit());

			$_SESSION['auth'] = 'authed';
			
			}

//debugging
			echo $_SESSION['auth'];
			echo $_POST['email'];
			echo $email;
			echo $password;
			echo $_POST['submit'];

?>

Posted: Thu Apr 15, 2004 5:43 pm
by markl999
mysql_query always returns a value, it doesn't return any results. So try:

$result = @mysql_query("SELECT * FROM user WHERE email='$email' && password='$password'") or die(mysql_error());
if(!mysql_num_rows($result)){
die('Invalid username and/or password');
}

Posted: Thu Apr 15, 2004 5:44 pm
by tim
The mysql doesn't specify rows like you're wanting it to in your example (like you might expect/think it would).

Check out mysql_num_rows or break down the rows with mysql_fetch_array and compare and contrast the given username with the others in the table.

:/ edit, shooter beat me. add another to the list!

Posted: Thu Apr 15, 2004 5:46 pm
by John Cartwright
Thanks mark.. that makes more sense :P

It's just they are still getting validated no matter what... if I enter an invalid email/pass or even if I leave it blank

Posted: Thu Apr 15, 2004 5:48 pm
by markl999
Can you post the updated code?

Posted: Thu Apr 15, 2004 5:50 pm
by John Cartwright

Code:

<? session_start();
   include('inc/connect.php');
?> <link href="inc/css.css" rel="stylesheet" type="text/css"> <?

			if ($_SESSION['auth'] != 'authed') 
			{ 
			$login='1';
			include ('form.php');
			}
			if (isset($_POST['submit']))
			{
			
			$email = $_POST['email'];
			$password = $_POST['password'];
			//$_POST['email'] = $email;
			//$_POST['password'] = $password;
			
			$result = @mysql_query("SELECT * FROM user WHERE email='$email' && password='$password'") or die(mysql_error()); 
			if(!mysql_num_rows($result))
			{ 
			die('Invalid username and/or password'); 
			}else{
			$_SESSION['auth'] = 'authed';
			}
			}

//debugging
			echo $_SESSION['auth'];
			echo $_POST['email'];
			echo $email;
			echo $password;
			echo $_POST['submit'];

?>

*added* does die terminate the script on that one?
if not exit does that right?

Posted: Thu Apr 15, 2004 5:55 pm
by markl999
Yeah, die() is just like exit() but you can specify a message.
Not sure why it's not working, but just to be sure it's not a stray authed session from a previous attempt you should close the browser and retry it.

Posted: Thu Apr 15, 2004 5:57 pm
by John Cartwright
Yea I've done that.. I'm not THAT noob :)

EDIT - stupid me.. in my database I had a row with no username / pass :P That's why it was returning authed :P

thanks mark and tim

Posted: Thu Apr 15, 2004 6:02 pm
by markl999
"Yea I've done that.. I'm not THAT noob :)"
I know, I just don't like to assume ;)
"When you ASSUME you make an ASS out of U and ME."

Posted: Thu Apr 15, 2004 6:10 pm
by John Cartwright
1 more problem... how do I send a header in the middle of a script without getting the header already sent error... :S

Posted: Thu Apr 15, 2004 6:12 pm
by markl999
Depends, a header can go anywhere before output is sent, that could be at the bottom of a script if you want.
If you're going to do a header("Location: foo.php"); then there's no reason to have output before it, so it can go anywhere (before output).

Posted: Thu Apr 15, 2004 6:34 pm
by John Cartwright

Code:

<? session_start();
   include('inc/connect.php');
?> <link href="inc/css.css" rel="stylesheet" type="text/css"> <?
			
			if ($_SESSION['userlvl']=='admin')
			{
			header('Location: adminpanel.php');
			}elseif ($_SESSION['userlvl']=='customer'){
			header('Location: userpanel.php');
			}

			if ($_SESSION['auth'] != 'authed') 
			{ 
			$login='1';
			include ('form.php');
			}
			if (isset($_POST['submit']))
			{
			$email = $_POST['email'];
			$password = $_POST['password'];

			$result = @mysql_query("SELECT * FROM user WHERE email='$email' && password='$password'") or die(mysql_error()); 
			
			if(!mysql_num_rows($result))
			{ 
			die('Invalid username and/or password'); 
			}else{
			$row = mysql_fetch_array($result);
			$userlevel = $row['userlevel'];
			$_SESSION['auth'] = 'authed';
			$_SESSION['userlvl'] = $userlevel
			}
			} // line 37


?>

This is what I'm ending up with but I'm getting unexpected } on line 37 but even if I remove it, add another or anything always getting that error... I'm boggled.

Posted: Thu Apr 15, 2004 6:41 pm
by markl999
$_SESSION['userlvl'] = $userlevel <-- missing the ;

Also the <link href="inc/css.css" rel="stylesheet" type="text/css"> would be classed as output so the headers would fail. You should move that line down past the point where you no longer want to redirect.

Posted: Thu Apr 15, 2004 6:42 pm
by John Cartwright
Wow, I am so blind... thanks mark

Everything seems to be working fine but if I correctly put in the login info I have to manually refresh the page before it is redirected....

Posted: Thu Apr 15, 2004 6:54 pm
by markl999

Code:

if ($_SESSION['userlvl']=='admin')
         {
         header('Location: adminpanel.php');
         }elseif ($_SESSION['userlvl']=='customer'){
         header('Location: userpanel.php');
         }
This code needs to come after you do the auth checking below it...or, put a header("Location: at the point when authentication is confirmed.
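
A hardened form of the login check and redirect discussed in this thread, as an added example that is not any poster's code: it binds the email as a query parameter instead of placing $_POST values inside the SQL string, rejects blank credentials so a stray empty row cannot authenticate, and picks the redirect target before anything is output. The PDO/SQLite in-memory database, the password_hash column, the sample accounts and the function names are assumptions made so the example runs on its own.

```php
<?php
// Added example, not the thread's code. Assumes PDO with the SQLite driver;
// the table mirrors the thread's `user` table but stores a password hash.
declare(strict_types=1);

function authenticate(PDO $db, string $email, string $password): ?string
{
    // Blank input never reaches the database, so an empty row cannot match.
    if ($email === '' || $password === '') {
        return null;
    }
    // Bound parameter: the input is treated as data, never as SQL text.
    $stmt = $db->prepare('SELECT password_hash, userlevel FROM user WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row['userlevel'];
}

function panelFor(?string $level): ?string
{
    // Fixed mapping; unknown or missing levels get no redirect target.
    $panels = ['admin' => 'adminpanel.php', 'customer' => 'userpanel.php'];
    return $panels[$level ?? ''] ?? null;
}

// Constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (email TEXT, password_hash TEXT, userlevel TEXT)');
$ins = $db->prepare('INSERT INTO user VALUES (?, ?, ?)');
$ins->execute(['admin@example.test', password_hash('s3cret-sample', PASSWORD_DEFAULT), 'admin']);
$ins->execute(['', password_hash('', PASSWORD_DEFAULT), 'customer']); // stray blank row

$attempts = [['admin@example.test', 's3cret-sample'], ['admin@example.test', 'wrong'], ['', '']];
foreach ($attempts as [$email, $password]) {
    $level  = authenticate($db, $email, $password);
    $target = panelFor($level);
    // In the web script, with no output sent yet, a non-null $target is followed by:
    //   session_regenerate_id(true); $_SESSION['userlvl'] = $level;
    //   header("Location: $target"); exit;
    printf("%-20s -> %s\n", $email === '' ? '(blank)' : $email, $target ?? 'rejected');
}
```

Calling exit right after header() keeps the rest of the script from running for a request that is being redirected.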