Page 1 of 2

Check with me

Posted: Mon May 31, 2004 1:12 pm
by mr-punkstar
OKay basically this is the processing page for a user login script. The information will be past from a 'post' form by the names 'username' and 'password'.

Whenever I test this script out, it tells me Im accepted! Even if my crudentials are completely wrong!

Code: Select all

<html>
<?php
//getting the information from the form and saving them as variables

$username = $_POST&#1111;'username'];
$password = $_POST&#1111;'password'];

//servername
$server = '******';

//username
$user = '*****';

//connect to mysql
$connect = mysql_connect($server, $user, *******) or die("FATAL ERROR - Could not connect - Please contact the webmaster");

//database name
$database = 'theclubdatabase';

//select the database
mysql_select_db($database) or die("FATAL ERROR - Could not select database - Please contact the webmaster");

//the query
$query = "Select * from userinfo where '$username'=username and '$password'=password";

//carrying out the query
$result = mysql_query($query, $connect);

//questioning wether login is accepted
if(!$result)
&#123;
echo "<head><title>Login not accepted</title></head><body>Login not accepted. Please check your username and/or password</body>";
&#125;
else
&#123;
echo ""; 
&#125;

?>
</html>
Could you please tell me where I am going wrong, and wether this way is secure enough?

Cheers,

Nick

Posted: Mon May 31, 2004 1:19 pm
by andre_c
Instead of doing "if (!$result)" do something like "if (mysql_num_rows($result))"

mysql_query only returns a handle to the result.

Posted: Mon May 31, 2004 1:22 pm
by Paddy
Your query is around the wrong way. You have

Code: Select all

<?php
$query = "Select * from userinfo where '$username'=username and '$password'=password"; 
?>
and you want

Code: Select all

<?php
$query = "Select * from userinfo where username='".$username."' and password='".$password."'"; 
?>
And as for safety. Read this. I think you will truly find it invaluable.

viewtopic.php?t=6521&start=0

Posted: Mon May 31, 2004 1:23 pm
by mr-punkstar
mysql_num_rows?

How does that work?

What does it do

Ive read up about it, but could you give me an example?

Cheers

Posted: Mon May 31, 2004 1:24 pm
by mr-punkstar
I actually read that as soon as I posted this!

lol

Very handy!

Sessions only exists for aslong as the browser is open yeah?
Paddy wrote:Your query is around the wrong way. You have

Code: Select all

<?php
$query = "Select * from userinfo where '$username'=username and '$password'=password"; 
?>
and you want

Code: Select all

<?php
$query = "Select * from userinfo where username='".$username."' and password='".$password."'"; 
?>
And as for safety. Read this. I think you will truly find it invaluable.

viewtopic.php?t=6521&start=0

Posted: Mon May 31, 2004 1:25 pm
by Paddy
Yep.

Posted: Mon May 31, 2004 1:26 pm
by mr-punkstar
so can you see anything else that is wrong with my code?

Posted: Mon May 31, 2004 1:29 pm
by Paddy
Wrong as in security wise or wrong as in it doesn't work I need more of a hand?

Posted: Mon May 31, 2004 1:33 pm
by mr-punkstar
the latter

lol

Posted: Mon May 31, 2004 1:40 pm
by Paddy
What is the result you are getting?

Posted: Mon May 31, 2004 1:48 pm
by mr-punkstar
now I am getting a totally blank page!

Ahh!

Posted: Mon May 31, 2004 1:52 pm
by Paddy
*lol* Isn't that what you expected? Try changing this

Code: Select all

<?php
if(!$result) 
{ 
echo "<head><title>Login not accepted</title></head><body>Login not accepted. Please check your username and/or password</body>"; 
} 
else 
{ 
echo ""; 
} 

?>
to this

Code: Select all

<?php
if(!$result) 
{ 
echo "<head><title>Login not accepted</title></head><body>Login not accepted. Please check your username and/or password</body>"; 
} 
else 
{ 
echo "I am logged in now. Paddy is such a legend."; 
} 

?>

Posted: Mon May 31, 2004 2:06 pm
by mr-punkstar
yrah but the point is, that i am giving the wrong info to get logged in!

Posted: Mon May 31, 2004 2:08 pm
by mr-punkstar
$query = "Select memberid from userinfo where username='".$username."' and password='".$password."'";

is the query correct

they supply the username and password, the it checks it, gives meback a member id, the I can take them on to their own screen using that id, but if there is no id, they dont get in yeah?

Posted: Mon May 31, 2004 2:13 pm
by Paddy
Try changing this

Code: Select all

<?php
$result = mysql_query($query, $connect); 
?>
to this

Code: Select all

<?php
$result = mysql_query($query); 
?>
I have never seen an example with a connect. Too damn early to be thinking. :P