Login Session Problem....

Scholes
Forum Newbie
Posts: 5
Joined: Thu Apr 20, 2006 12:20 pm

Login Session Problem....

Post by Scholes »

feyd | Please use [code], [php] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


I've been trying to make logging in on my website possible with PHP. I've made 2 files: inloggen.php (just a simple form where you can log in) and
test2.php (where it's supposed to check if the given username (gebruikersnaam) and password (wachtwoord) match).
My problem is that it checks whether the text fields are filled in or not, but it doesn't check any of the other if statements. Whatever I fill in, it always redirects to the link it's supposed to redirect to when the username and password match.....

Here's my code:
test2.php:

Code: Select all

<?php
$username = $_GET['gebruikersnaam'];
$password = $_GET['wachtwoord'];

if ( empty($username) && (empty($password)) ) {    // Check if username and password fields were empty		
    echo "Voer uw gegevens in";
    exit();

} else {

    mysql_connect("localhost", "root");
    mysql_select_db("test1");

    // Define a query to check if the submitted username is found in the database
    $check_user = "SELECT gebruikersnaam, wachtwoord FROM inloggen WHERE gebruikersnaam ='" . $gebruikersnaam . "' AND wachtwoord = '" . $wachtwoord . "'";
    $r = mysql_query($check_user);

    if (!$r) {    // If query unsuccessful, username not found, redirect to login form
        header ('Location: ../mario/error.php');
        exit();

    } else {    // username found, check password

    // Define a query to check if the password is correct for the username
    $check_pass = "SELECT gebruikersnaam, wachtwoord FROM inloggen WHERE gebruikersnaam = '" . $gebruikernaam . "' && wachtwoord = '" . $password . "'";
    $r = mysql_query($check_pass);

    if (!$r) {    // If query unsuccessful, password is not correct for username, redirect to login form
        //header ('Location: ../mario/error.php');
        echo "MISLUKT";
        exit();
    } else {
        session_start();
        $_SESSION['gebruikersnaam'] = $_GET['gebruikersnaam'];
        $_SESSION['loggedin'] = time();
        header ('Location: ../mario/test.php');
        exit();
    }
} 
}
mysql_close();
?>

inloggen.php:

Code: Select all

<html>
<body>		
<form name="inloggen" action="test2.php" method="GET">
	<table>
		<tr>
	<td>Gebruikersnaam:</td> <td><input type="text" size="10" maxlength="50" name="gebruikersnaam"></td></tr>
	<tr>
<td>Wachtwoord:</td> <td><input type="password" size="10" maxlength="50" name="wachtwoord"></td></tr>
<tr><td colspan="2" align="right"><input type="submit" name="submit" value="Inloggen"></td></tr></table>
</form>

</body>
</html>

thx in advance


Scholes
Forum Newbie
Posts: 5
Joined: Thu Apr 20, 2006 12:20 pm

Post by Scholes »

oh damn I should have used php tags. Sorry about that :lol:
n00b Saibot
DevNet Resident
Posts: 1452
Joined: Fri Dec 24, 2004 2:59 am
Location: Lucknow, UP, India

Post by n00b Saibot »

you can always edit your post to change it ;)

replace your query with following

Code: Select all

// Define a query to check if the password is correct for the username
// ($username and $password are the variables test2.php assigns from the request)
$check_pass = "SELECT COUNT(*) FROM inloggen WHERE gebruikersnaam = '" . $username . "' AND wachtwoord = '" . $password . "'";

you used && instead of AND and were checking only for mysql query errors not the uname/pass mismatch.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Re: Login Session Problem....

Post by timvw »

Scholes wrote:

Code: Select all

$username = $_GET['gebruikersnaam'];
$password = $_GET['wachtwoord'];
You're assigning values that might not exist...

Code: Select all

if (isset($_GET['gebruikersnaam']) && isset($_GET['wachtwoord'])) {
 $username = $_GET['gebruikersnaam'];
 $password = $_GET['wachtwoord'];
} else {
 echo 'Voer uw gegevens in';
 exit();
}
Scholes wrote:

Code: Select all

    // Define a query to check if the submitted username is found in the database
    $check_user = "SELECT gebruikersnaam, wachtwoord FROM inloggen WHERE gebruikersnaam ='" . $gebruikersnaam . "' AND wachtwoord = '" . $wachtwoord . "'";
You're not making sure you can use the username and password in a query... First clean up:

Code: Select all

$sql = array();
$sql['username'] = mysql_real_escape_string($username);
$sql['password'] = mysql_real_escape_string($password);

$check_user = "SELECT COUNT(gebruikersnaam) AS count FROM inloggen WHERE gebruikersnaam='{$sql['username']}' AND wachtwoord = '{$sql['password']}'";
Scholes wrote:

Code: Select all

header ('Location: ../mario/error.php');

There are browsers that can't handle relative redirects.. Use an absolute URL instead.

Code: Select all

header('Location: http://example.com/mario/error.php');
Scholes wrote:

Code: Select all

// Define a query to check if the password is correct for the username
    $check_pass = "SELECT gebruikersnaam, wachtwoord FROM inloggen WHERE gebruikersnaam = '" . $gebruikernaam . "' && wachtwoord = '" . $password . "'";
    $r = mysql_query($check_pass);

    if (!$r) {    // If query unsuccessful, password is not correct for username, redirect to login form
I really don't understand the logic in here (btw, SQL uses AND instead of &&)
If you select count(col) you know how many rows that had the same username/password combo...

Code: Select all

$rs = mysql_query($check_user);   // run the COUNT query built above
$row = mysql_fetch_assoc($rs);    // one row holding the 'count' column
if ($row['count'] > 0) {
 // success
} else {
 // tough luck
}

Btw, if I were a user I wouldn't appreciate it if my username/password were visible in the URL, so use POST instead of GET as the method in the form... (and don't forget to use $_POST instead of $_GET in your code)
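
The checks timvw describes above, pulled together as an added example that is not code from the thread: it goes a step beyond the replies by using a PDO prepared statement in place of mysql_real_escape_string() and password_verify() against a stored hash in place of a plain-text comparison. The in-memory SQLite database, the sample account and the check_login() helper are assumptions made for the illustration (PHP 7.1+ with pdo_sqlite); the table and column names are the ones from the original post.

```php
<?php
// Added example, not code from the thread. The in-memory SQLite database and
// its single account are constructed sample data standing in for the
// thread's MySQL table "inloggen".

function check_login(PDO $db, string $username, string $password): bool
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare(
        'SELECT wachtwoord FROM inloggen WHERE gebruikersnaam = :naam'
    );
    $stmt->execute([':naam' => $username]);

    // A query that ran without error can still match zero rows: fetch() then
    // returns false. This is the check the original test2.php never made.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    // Assumption: wachtwoord holds a password_hash() value, not plain text.
    return password_verify($password, $row['wachtwoord']);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE inloggen (gebruikersnaam TEXT PRIMARY KEY, wachtwoord TEXT)');
$insert = $db->prepare('INSERT INTO inloggen VALUES (?, ?)');
$insert->execute(['mario', password_hash('geheim123', PASSWORD_DEFAULT)]);

// Constructed inputs. The last username contains a quote, which would break
// a concatenated query but is ordinary data to the prepared statement.
$attempts = [
    ['mario', 'geheim123'],
    ['mario', 'fout'],
    ['luigi', 'geheim123'],
    ["o'brien", 'x'],
];
foreach ($attempts as [$naam, $pass]) {
    if (check_login($db, $naam, $pass)) {
        // In a real handler: session_start(); session_regenerate_id(true);
        // $_SESSION['gebruikersnaam'] = $naam; then redirect.
        echo "$naam: Gelukt\n";
    } else {
        echo "$naam: Mislukt\n";
    }
}
```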
Scholes
Forum Newbie
Posts: 5
Joined: Thu Apr 20, 2006 12:20 pm

Post by Scholes »

oh I see I've made some pretty newb mistakes. Thx a lot. I'll give it a try!
Scholes
Forum Newbie
Posts: 5
Joined: Thu Apr 20, 2006 12:20 pm

Post by Scholes »

hmm I changed most things like you guys said but it's still not working :?

my code looks like this at the moment:

Code: Select all

<?php

if (isset($_POST['gebruikersnaam']) && isset($_POST['wachtwoord'])) { 
 $username = $_POST['gebruikersnaam']; 
 $password = $_POST['wachtwoord']; 
} else { 
 echo "Voer uw gegevens in!"; 
 exit(); 
} 

if ( empty($username) && (empty($password)) ) {	
    echo "Voer uw gegevens in!";
    exit();

} else {

    mysql_connect("localhost", "root");
    mysql_select_db("test1");
    	
    	$sql = array(); 
			$sql['username'] = mysql_real_escape_string($username); 
			$sql['password'] = mysql_real_escape_string($password); 

			$check_user = "SELECT COUNT(gebruikersnaam) AS count FROM inloggen WHERE gebruikersnaam='{$sql['username']}' AND wachtwoord = '{$sql['password']}'"; 

    $r = mysql_query($check_user);

    if (!$r) {
        echo "MISLUKT!";
        exit();

    } else {
    	 
    $check_pass = "SELECT gebruikersnaam, wachtwoord FROM inloggen WHERE gebruikersnaam = '" . $gebruikernaam . "' AND wachtwoord = '" . $password . "'";
    $r = mysql_query($check_pass);

    if (!$r) {
        echo "MISLUKT";
        exit();

    } else {

        session_start();
        $_SESSION['gebruikersnaam'] = $_POST['gebruikersnaam'];
        $_SESSION['loggedin'] = time();
        echo "Gelukt! ";
        exit();

    }

} 
}
mysql_close();
?>
oh and I don't really understand how to use the row and fetch thingy....
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Where have you copied the code from?? Since it appears you have no clue what is going on in your code...
Scholes
Forum Newbie
Posts: 5
Joined: Thu Apr 20, 2006 12:20 pm

Post by Scholes »

Of course I know what's goin on in my code....the only thing I don't understand is the session stuff at the end...
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Apart from your fuzzy logic, the only thing you might want to do is call http://www.php.net/session_write_close before you redirect to location and exit.
n00b Saibot
DevNet Resident
Posts: 1452
Joined: Fri Dec 24, 2004 2:59 am
Location: Lucknow, UP, India

Post by n00b Saibot »

timvw wrote: Apart from your fuzzy logic

it's not fuzzy logic, it's dizzy logic :lol: