Check with me


mr-punkstar
Forum Newbie
Posts: 19
Joined: Mon May 31, 2004 1:12 pm

Post by mr-punkstar »

Okay, basically this is the processing page for a user login script. The information will be passed from a 'post' form by the names 'username' and 'password'.

Whenever I test this script out, it tells me I'm accepted! Even if my credentials are completely wrong!

<html>
<?php
//getting the information from the form and saving them as variables

$username = $_POST['username'];
$password = $_POST['password'];

//servername
$server = '******';

//username
$user = '*****';

//connect to mysql
$connect = mysql_connect($server, $user, '*******') or die("FATAL ERROR - Could not connect - Please contact the webmaster");

//database name
$database = 'theclubdatabase';

//select the database
mysql_select_db($database) or die("FATAL ERROR - Could not select database - Please contact the webmaster");

//the query
$query = "Select * from userinfo where '$username'=username and '$password'=password";

//carrying out the query
$result = mysql_query($query, $connect);

//questioning whether login is accepted
if(!$result)
{
echo "<head><title>Login not accepted</title></head><body>Login not accepted. Please check your username and/or password</body>";
}
else
{
echo "";
}

?>
</html>
Could you please tell me where I am going wrong, and whether this way is secure enough?

Cheers,

Nick
andre_c
Forum Contributor
Posts: 412
Joined: Sun Feb 29, 2004 6:49 pm
Location: Salt Lake City, Utah

Post by andre_c »

Instead of doing "if (!$result)" do something like "if (mysql_num_rows($result))"

mysql_query only returns a handle to the result.
Paddy
Forum Contributor
Posts: 244
Joined: Wed Jun 11, 2003 8:16 pm
Location: Hobart, Tas, Aussie

Post by Paddy »

Your query is around the wrong way. You have

<?php
$query = "Select * from userinfo where '$username'=username and '$password'=password"; 
?>
and you want

<?php
$query = "Select * from userinfo where username='".$username."' and password='".$password."'"; 
?>
And as for safety. Read this. I think you will truly find it invaluable.

viewtopic.php?t=6521&start=0
mr-punkstar
Forum Newbie
Posts: 19
Joined: Mon May 31, 2004 1:12 pm

Post by mr-punkstar »

mysql_num_rows?

How does that work?

What does it do?

I've read up about it, but could you give me an example?

Cheers
mr-punkstar
Forum Newbie
Posts: 19
Joined: Mon May 31, 2004 1:12 pm

Post by mr-punkstar »

I actually read that as soon as I posted this!

lol

Very handy!

Sessions only exist for as long as the browser is open, yeah?
Paddy wrote: Your query is around the wrong way. You have

<?php
$query = "Select * from userinfo where '$username'=username and '$password'=password"; 
?>
and you want

<?php
$query = "Select * from userinfo where username='".$username."' and password='".$password."'"; 
?>
And as for safety. Read this. I think you will truly find it invaluable.

viewtopic.php?t=6521&start=0
Paddy
Forum Contributor
Posts: 244
Joined: Wed Jun 11, 2003 8:16 pm
Location: Hobart, Tas, Aussie

Post by Paddy »

Yep.
mr-punkstar
Forum Newbie
Posts: 19
Joined: Mon May 31, 2004 1:12 pm

Post by mr-punkstar »

So can you see anything else that is wrong with my code?
Paddy
Forum Contributor
Posts: 244
Joined: Wed Jun 11, 2003 8:16 pm
Location: Hobart, Tas, Aussie

Post by Paddy »

Wrong as in security-wise, or wrong as in "it doesn't work, I need more of a hand"?
mr-punkstar
Forum Newbie
Posts: 19
Joined: Mon May 31, 2004 1:12 pm

Post by mr-punkstar »

The latter

lol
Paddy
Forum Contributor
Posts: 244
Joined: Wed Jun 11, 2003 8:16 pm
Location: Hobart, Tas, Aussie

Post by Paddy »

What is the result you are getting?
mr-punkstar
Forum Newbie
Posts: 19
Joined: Mon May 31, 2004 1:12 pm

Post by mr-punkstar »

Now I am getting a totally blank page!

Ahh!
Paddy
Forum Contributor
Posts: 244
Joined: Wed Jun 11, 2003 8:16 pm
Location: Hobart, Tas, Aussie

Post by Paddy »

*lol* Isn't that what you expected? Try changing this

<?php
if(!$result) 
{ 
echo "<head><title>Login not accepted</title></head><body>Login not accepted. Please check your username and/or password</body>"; 
} 
else 
{ 
echo ""; 
} 

?>
to this

<?php
if(!$result) 
{ 
echo "<head><title>Login not accepted</title></head><body>Login not accepted. Please check your username and/or password</body>"; 
} 
else 
{ 
echo "I am logged in now. Paddy is such a legend."; 
} 

?>
mr-punkstar
Forum Newbie
Posts: 19
Joined: Mon May 31, 2004 1:12 pm

Post by mr-punkstar »

Yeah, but the point is that I am giving the wrong info to get logged in!
mr-punkstar
Forum Newbie
Posts: 19
Joined: Mon May 31, 2004 1:12 pm

Post by mr-punkstar »

$query = "Select memberid from userinfo where username='".$username."' and password='".$password."'";

Is the query correct?

They supply the username and password, then it checks it and gives me back a member id, then I can take them on to their own screen using that id, but if there is no id, they don't get in, yeah?
Paddy
Forum Contributor
Posts: 244
Joined: Wed Jun 11, 2003 8:16 pm
Location: Hobart, Tas, Aussie

Post by Paddy »

Try changing this

<?php
$result = mysql_query($query, $connect); 
?>
to this

<?php
$result = mysql_query($query); 
?>
I have never seen an example with a connect. Too damn early to be thinking. :P
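
Added example, not part of any post in this thread: a login check for the `userinfo` table that decides on the fetched row rather than on the query handle (andre_c's point) and returns the member id as mr-punkstar describes. It assumes PDO with the SQLite driver so it runs offline, and assumes the `password` column holds a `password_hash()` value; `check_login` and the sample rows are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PDO with the SQLite driver
// so it runs offline; the `password` column is assumed to hold a
// password_hash() value rather than plain text.

function check_login(PDO $db, string $username, string $password): ?int
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT memberid, password FROM userinfo WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // A query that matches zero rows still succeeds at the SQL level,
    // which is why if(!$result) accepted everyone. Decide on the row itself.
    if ($row === false) {
        return null;
    }
    return password_verify($password, $row['password']) ? (int) $row['memberid'] : null;
}

// Constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userinfo (memberid INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $db->prepare('INSERT INTO userinfo (username, password) VALUES (?, ?)');
$ins->execute(['nick', password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ['nick', 'correct horse'],   // valid credentials
    ['nick', 'wrong'],           // known user, bad password
    ['nobody', 'anything'],      // unknown user: query succeeds, zero rows
    ["nick' OR '1'='1", 'x'],    // quotes are bound as data, not parsed as SQL
];
foreach ($attempts as [$u, $p]) {
    $id = check_login($db, $u, $p);
    printf("%-18s => %s\n", $u, $id === null ? 'Login not accepted' : "member id $id");
}
```

The `mysql_*` functions used in the thread were removed in PHP 7, so the same pattern applies with PDO or mysqli against MySQL by changing only the DSN.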