Login Session Problem....

Posted: Thu Apr 20, 2006 12:25 pm
by Scholes
feyd | Please use code and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


I've been trying to make logging in on my website possible with php. I've made 2 files: inloggen.php (just with a simple form where you can login) and test2.php (where it's supposed to check if the given username (gebruikersnaam) and password (wachtwoord) match).
My problem is that it checks whether the textfields are filled in or not, but it doesn't check any of the other if statements. Whatever I fill in, it always redirects to the link it's supposed to redirect to when the username and password match.....

Here's my code:
test2.php:

Code: Select all

<?php
$username = $_GET['gebruikersnaam'];
$password = $_GET['wachtwoord'];

if ( empty($username) && (empty($password)) ) {    // Check if username and password fields were empty		
    echo "Voer uw gegevens in";
    exit();

} else {

    mysql_connect("localhost", "root");
    mysql_select_db("test1");

    // Define a query to check if the submitted username is found in the database
    $check_user = "SELECT gebruikersnaam, wachtwoord FROM inloggen WHERE gebruikersnaam ='" . $gebruikersnaam . "' AND wachtwoord = '" . $wachtwoord . "'";
    $r = mysql_query($check_user);

    if (!$r) {    // If query unsuccessful, username not found, redirect to login form
        header ('Location: ../mario/error.php');
        exit();

    } else {    // username found, check password

    // Define a query to check if the password is correct for the username
    $check_pass = "SELECT gebruikersnaam, wachtwoord FROM inloggen WHERE gebruikersnaam = '" . $gebruikernaam . "' && wachtwoord = '" . $password . "'";
    $r = mysql_query($check_pass);

    if (!$r) {    // If query unsuccessful, password is not correct for username, redirect to login form
        //header ('Location: ../mario/error.php');
        echo "MISLUKT";
        exit();
    } else {
        session_start();
        $_SESSION['gebruikersnaam'] = $_GET['gebruikersnaam'];
        $_SESSION['loggedin'] = time();
        header ('Location: ../mario/test.php');
        exit();
    }
} 
}
mysql_close();
?>
inloggen.php:

Code: Select all

<html>
<body>		
<form name="inloggen" action="test2.php" method="GET">
	<table>
		<tr>
	<td>Gebruikersnaam:</td> <td><input type="text" size="10" maxlength="50" name="gebruikersnaam"></td></tr>
	<tr>
<td>Wachtwoord:</td> <td><input type="password" size="10" maxlength="50" name="wachtwoord"></td></tr>
<tr><td colspan="2" align="right"><input type="submit" name="submit" value="Inloggen"></td></tr></table>
</form>

</body>
</html>
thx in advance


Posted: Thu Apr 20, 2006 12:27 pm
by Scholes
oh damn I should have used php tags. Sorry about that :lol:

Posted: Thu Apr 20, 2006 12:44 pm
by n00b Saibot
you can always edit your post to change it ;)

replace your query with following

Code: Select all

// Define a query to check if the password is correct for the username
$check_pass = "SELECT COUNT(*) FROM inloggen WHERE gebruikersnaam = '" . $username . "' AND wachtwoord = '" . $password . "'";
you used && instead of AND and were checking only for mysql query errors not the uname/pass mismatch.

Re: Login Session Problem....

Posted: Thu Apr 20, 2006 12:58 pm
by timvw
Scholes wrote:

Code: Select all

$username = $_GET['gebruikersnaam'];
$password = $_GET['wachtwoord'];
You're assigning values that might not exist...

Code: Select all

if (isset($_GET['gebruikersnaam']) && isset($_GET['wachtwoord'])) {
 $username = $_GET['gebruikersnaam'];
 $password = $_GET['wachtwoord'];
} else {
 echo 'Voer uw gegevens in';
 exit();
}
Scholes wrote:

Code: Select all

    // Define a query to check if the submitted username is found in the database
    $check_user = "SELECT gebruikersnaam, wachtwoord FROM inloggen WHERE gebruikersnaam ='" . $gebruikersnaam . "' AND wachtwoord = '" . $wachtwoord . "'";
You're not making sure you can use the username and password in a query... First clean up:

Code: Select all

$sql = array();
$sql['username'] = mysql_real_escape_string($username);
$sql['password'] = mysql_real_escape_string($password);

$check_user = "SELECT COUNT(gebruikersnaam) AS count FROM inloggen WHERE gebruikersnaam='{$sql['username']}' AND wachtwoord = '{$sql['password']}'";
Scholes wrote:

Code: Select all

header ('Location: ../mario/error.php');

There are browsers that can't handle relative redirects.. Use an absolute URL instead.

Code: Select all

header('Location: http://example.com/mario/error.php');
Scholes wrote:

Code: Select all

// Define a query to check if the password is correct for the username
    $check_pass = "SELECT gebruikersnaam, wachtwoord FROM inloggen WHERE gebruikersnaam = '" . $gebruikernaam . "' && wachtwoord = '" . $password . "'";
    $r = mysql_query($check_pass);

    if (!$r) {    // If query unsuccessful, password is not correct for username, redirect to login form
I really don't understand the logic in here (btw, SQL uses AND instead of &&)
If you select count(col) you know how many rows that had the same username/password combo...

Code: Select all

// Run the COUNT query built above, then read its single result row
$rs = mysql_query($check_user);
$row = mysql_fetch_assoc($rs);
if ($row['count'] > 0) {
 // success
} else {
 // tough luck
}
Btw, if I were a user I wouldn't appreciate it if my username/password were visible in the URL, so use POST instead of GET as the method in the form... (and don't forget to use $_POST instead of $_GET in your code)
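
The check timvw describes, pulled together as an added example that is not part of the original thread: it fetches the row instead of testing only whether the query ran, and binds the username as a parameter. Assumptions: PDO with an in-memory SQLite table stands in for the MySQL `inloggen` table, `check_login` is a hypothetical helper, and the `wachtwoord` column holds a `password_hash()` value rather than the plaintext the thread compares, which goes beyond what the posts cover.

```php
<?php
// Added example, not code from the thread. Constructed sample data; an
// in-memory SQLite database stands in for the thread's MySQL `inloggen` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE inloggen (gebruikersnaam TEXT PRIMARY KEY, wachtwoord TEXT)');
$insert = $db->prepare('INSERT INTO inloggen VALUES (?, ?)');
// Assumption: wachtwoord stores a password_hash() value, not plaintext.
$insert->execute(['mario', password_hash('geheim123', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: true only when the user exists AND the password matches.
 */
function check_login(PDO $db, string $username, string $password): bool
{
    // Placeholder binding keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT wachtwoord FROM inloggen WHERE gebruikersnaam = ?');
    $stmt->execute([$username]);

    // A query that matches zero rows still "succeeds"; only the fetched
    // row says whether the user exists. fetch() returns false if there is none.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['wachtwoord']);
}

// Constructed inputs: valid login, wrong password, unknown user, and a
// username containing a quote, which is handled as plain data.
$attempts = [
    ['mario', 'geheim123'],
    ['mario', 'fout'],
    ['luigi', 'geheim123'],
    ["o'brien", 'geheim123'],
];
foreach ($attempts as [$user, $pass]) {
    printf("%-10s => %s\n", $user, check_login($db, $user, $pass) ? 'ok' : 'denied');
}

// In test2.php the success branch would then follow the thread's advice:
// session_start(), set $_SESSION, session_write_close(), and redirect
// with an absolute URL before exit().
```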

Posted: Thu Apr 20, 2006 1:55 pm
by Scholes
oh I see I've made some pretty newb mistakes. Thx a lot. I'll give it a try!

Posted: Thu Apr 20, 2006 2:44 pm
by Scholes
hmm I changed most things like you guys said but it's still not working :?

my code looks like this at the moment:

Code: Select all

<?php

if (isset($_POST['gebruikersnaam']) && isset($_POST['wachtwoord'])) { 
 $username = $_POST['gebruikersnaam']; 
 $password = $_POST['wachtwoord']; 
} else { 
 echo "Voer uw gegevens in!"; 
 exit(); 
} 

if ( empty($username) && (empty($password)) ) {	
    echo "Voer uw gegevens in!";
    exit();

} else {

    mysql_connect("localhost", "root");
    mysql_select_db("test1");
    	
    $sql = array();
    $sql['username'] = mysql_real_escape_string($username);
    $sql['password'] = mysql_real_escape_string($password);

    $check_user = "SELECT COUNT(gebruikersnaam) AS count FROM inloggen WHERE gebruikersnaam='{$sql['username']}' AND wachtwoord = '{$sql['password']}'";

    $r = mysql_query($check_user);

    if (!$r) {
        echo "MISLUKT!";
        exit();

    } else {
    	 
    $check_pass = "SELECT gebruikersnaam, wachtwoord FROM inloggen WHERE gebruikersnaam = '" . $gebruikernaam . "' AND wachtwoord = '" . $password . "'";
    $r = mysql_query($check_pass);

    if (!$r) {
        echo "MISLUKT";
        exit();

    } else {

        session_start();
        $_SESSION['gebruikersnaam'] = $_POST['gebruikersnaam'];
        $_SESSION['loggedin'] = time();
        echo "Gelukt! ";
        exit();

    }

} 
}
mysql_close();
?>
oh and I don't really understand how to use the row and fetch thingy....

Posted: Thu Apr 20, 2006 5:03 pm
by timvw
Where have you copied the code from?? Since it appears you have no clue what is going on in your code...

Posted: Fri Apr 21, 2006 12:27 am
by Scholes
Of course I know what's goin on in my code....the only thing I don't understand is the session stuff at the end...

Posted: Fri Apr 21, 2006 6:20 am
by timvw
Apart from your fuzzy logic, the only thing you might want to do is call http://www.php.net/session_write_close before you redirect to location and exit.

Posted: Fri Apr 21, 2006 11:46 am
by n00b Saibot
timvw wrote:Apart from your fuzzy logic
it's not fuzzy logic, it's dizzy logic :lol: