Logging in doesn't work???

cturner
Forum Contributor
Posts: 153
Joined: Sun Jul 16, 2006 3:03 am
Location: My computer

Post by cturner »

After logging in the username displays 1 and not the real username. Can someone please tell me why and how I can fix it? Thanks in advance.

Here is the code for the login page:

Code: Select all

require "config2.php";
$arrErrors = array();
// login button has been pressed
if (isset($_POST['login'])) {
$username = mysql_real_escape_string($_POST['username']);
$password = md5(mysql_real_escape_string($_POST['password']));
if ($username == '') {
	$arrErrors['username'] = 'Please enter your username.';
}
if ($password == '') {
	$arrErrors['password'] = 'Please enter your password.';
}
$login_check = "SELECT * FROM users WHERE username= '$username'" or die ("Could not select database because: " . mysql_error());

$login_query = mysql_query ( $login_check ) or die ( 'Query failed because: ' . mysql_error () );

$login_result = mysql_result ( $login_query, 0, 0 );

if ($login_result == 1) {
	setcookie ("username", $login_result[username]);
	setcookie ("password", $login_result[password]);
	header('Location: add_a_comment.php');
	exit;	
} else {
	echo "<center>Sorry, you don't know who you are!</center>";
}
}
mysql_close();

And here is the code for the page after logging in:

Code: Select all

session_start();
if (isset($_COOKIE['username']) && ($_COOKIE['password'])) {
	print "You are logged in as: ".$_COOKIE['username'];
	print "<a href=logout.php>Logout</a>";
} else {
	print "You are not logged in. Please <a href=login.php>click here</a> to login.";
}
is_null
Forum Newbie
Posts: 6
Joined: Tue Oct 17, 2006 12:50 am

Post by is_null »

Please try this code :

Code: Select all

require "config2.php";
$arrErrors = array();
// login button has been pressed
if (isset($_POST['login'])) {
$username = mysql_real_escape_string($_POST['username']);
$password = md5(mysql_real_escape_string($_POST['password']));
if ($username == '') {
        $arrErrors['username'] = 'Please enter your username.';
}
if ($password == '') {
        $arrErrors['password'] = 'Please enter your password.';
}
$login_check = "SELECT * FROM users WHERE username= '$username'" or die ("Could not select database because: " . mysql_error());

$login_query = mysql_query ( $login_check ) or die ( 'Query failed because: ' . mysql_error () );

//debug purpose
print_r($login_query);

$login_result = mysql_result ( $login_query, 0, 0 );

//debug purpose
print_r($login_result);

if ($login_result == 1) {
        setcookie ("username", $login_result[username]);
        setcookie ("password", $login_result[password]);
        header('Location: add_a_comment.php');
        exit;   
} else {
        echo "<center>Sorry, you don't know who you are!</center>";
}
}
mysql_close();
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Shouldn't this:

Code: Select all

$login_check = "SELECT * FROM users WHERE username= '$username'" or die ("Could not select database because: " . mysql_error());
just be:

Code: Select all

$login_check = "SELECT * FROM users WHERE username= '$username'";
(#10850)
ZephyrWest
Forum Newbie
Posts: 7
Joined: Mon Oct 16, 2006 9:39 pm

Post by ZephyrWest »

You are using mysql_result() incorrectly; it is used to fetch a single cell from a MySQL result set which does not seem to be what you are doing. Try using something like mysql_fetch_row().

Code: Select all

list( $username, $password ) = mysql_fetch_row( $login_query );
thomas777neo
Forum Contributor
Posts: 214
Joined: Mon Mar 10, 2003 6:12 am
Location: Johannesburg,South Africa

Post by thomas777neo »

Just a couple of tips regarding your script:

1. You don't identify the user using both the username and password, making it much easier to gain access to your system.
2. Opinion: use addslashes instead of mysql_real_escape_string.
3. You have the die() function after a string?
4. Using a deprecated method regarding cookies / sessions
5. Lacking security basics

Not bad for a first attempt, just keep in mind that authentication is discussed in great depth on this site, so do search to further your security and use better authentication principles.

Here is an example that should sort out your problem and make life a bit easier:

Code: Select all

// script not tested

session_start();

// build the sql query to execute
$sql = "SELECT username, password 
		FROM users 
		WHERE username = '".addslashes($_POST['username'])."' 
		AND password = '".addslashes($_POST['password'])."'";

// execute the query
$check = mysql_query($sql) 
			or die("Authentication SQL Failed ".mysql_error()); // notice the die location
			
$rows = mysql_num_rows($check); // get the number of rows returned

// if the forced integer rows is greater than 0, the user exists
if ((int)$rows > 0)
{
	/*
		* easier way to store variables
		* don't store login information in the session
	*/
	
	$_SESSION['authenticated'] = "yes";
	
	// if you were to store the variables in the session...
	// $_SESSION['username'] = mysql_result($check,0,"username");

	header('Location: add_a_comment.php'); // better to put full path here
	exit; // stop the script so nothing else runs after the redirect
} // if ((int)$rows > 0)
	else
	{
		$_SESSION['authenticated'] = "no";
		
		echo "<div align=\"center\"><p>Authorisation Failed</p></div>";
	} // else for if ((int)$rows > 0)
	
// after logging in

session_start();	

if ($_SESSION['authenticated'] == "yes")
{
	// ....
} // if ($_SESSION['authenticated'] == "yes")
	else
	{
		// ....
	} // else for if ($_SESSION['authenticated'] == "yes")
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

thomas777neo wrote: ...
2. Opinion: use addslashes instead of mysql_real_escape_string.
...
mysql_real_escape_string is the correct way to escape data for mysql db. Although addslashes will probably be good enough in most cases.
ZephyrWest
Forum Newbie
Posts: 7
Joined: Mon Oct 16, 2006 9:39 pm

Post by ZephyrWest »

There are ways to get around addslashes()... always use mysql_real_escape_string() for sanitizing data before insertion into a database.
thomas777neo
Forum Contributor
Posts: 214
Joined: Mon Mar 10, 2003 6:12 am
Location: Johannesburg,South Africa

Post by thomas777neo »

hence, my opinion
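
An added example, not part of any post in this thread: the login flow discussed above rewritten with a bound query parameter (so neither addslashes() nor mysql_real_escape_string() is involved), password_hash()/password_verify() in place of md5(), and a server-side session in place of the username and password cookies. It uses PDO because the mysql_* functions were removed in PHP 7.0; the SQLite in-memory users table, the account alice / s3cret and the function names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from this thread. The in-memory SQLite table,
// the account alice / s3cret and all function names are constructed.

function make_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    // password_hash() salts and stretches the password; a bare md5() does neither.
    $ins->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns ['id' => ..., 'username' => ...] on success, null on any failure.
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // Bound parameter: the value is never spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // whole row keyed by column name
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same answer for unknown user and wrong password
    }
    return ['id' => (int) $row['id'], 'username' => $row['username']];
}

// Identity lives in the server-side session; the browser holds only the session id.
function log_in(array $user): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // fresh id at login, against session fixation
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['username'] = $user['username'];
}

$pdo = make_demo_db();
$user = authenticate($pdo, 'alice', 's3cret');
$rejected = authenticate($pdo, 'alice', 'wrong') === null
    && authenticate($pdo, "alice' OR '1'='1", 'x') === null;
if ($user !== null) {
    log_in($user);
    echo 'You are logged in as: ', htmlspecialchars($_SESSION['username']), "\n";
}
echo $rejected ? "Bad credentials rejected\n" : "BUG: bad credentials accepted\n";
```

Fetching the row as an associative array also avoids the symptom in the original question, where a single cell (the first column of the first row) was used as if it were the whole user record.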