Login bug

sparky753
Forum Commoner
Posts: 51
Joined: Fri Nov 03, 2006 10:39 am

Post by sparky753 »

I've been trying to resolve this issue for some time but haven't been able to figure out why my code is doing what it is. I have a simple login page 'login.php' that contains a form with 2 fields 'username' and 'password', and the Login button. When the form is submitted, the authentication takes place in another page called 'logincheck.php' (this is the page that 'login.php' posts to)

I've written lines of code on my 'logincheck.php' page that will first check if valid data has been entered on the login page. If valid username and password are entered, the user is redirected to a page 'welcome.php' or else warnings are shown to the user, such as "Username does not exist", "Please Enter Password".

Everything works fine except if a valid username and an invalid password have been entered. My code issues a warning for the following cases: if nothing is entered in either field, if an invalid username is entered, if an invalid username and invalid password are entered, if valid username and no password is entered. But if I input a valid username and an invalid password, nothing happens - I see a blank page...

Code:

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

$query = "SELECT username, password, first_name, last_name FROM users WHERE username='$username'";
$result = @mysql_query($query);
$row = mysql_fetch_array($result);

if (strlen($username) > 0) {
    if ($row) {
        $username = stripslashes($username);
    } else {
        $msg = $msg . "Please Enter Valid Username<BR>";
    }
} else {
    $msg = $msg . "Please Enter Username<BR>";
    $status = "NOTOK";
}

if (strlen($password) > 0) {
    if ($password == $row[1]) {
        $passworddec = stripslashes($password);
    } else {
        $msg = $msg . "Please Enter Valid Password<BR>";
    }
} else {
    $msg = $msg . "Please Enter Password<BR>";
    $status = "NOTOK";
}

I can't seem to figure out what I'm doing wrong here...
Cameri
Forum Commoner
Posts: 87
Joined: Tue Apr 12, 2005 4:12 pm
Location: Santo Domingo, Dominican Republic

Post by Cameri »

You must check if the variables have been set using isset().

Code:

$username = (isset($_POST['username'])) ? mysql_real_escape_string($_POST['username']) : "";
//OR

if (isset($_POST['username'])){
 $username = mysql_real_escape_string($_POST['username']);
} else {
 $username = '';
}
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Re: Login bug

Post by timvw »

Either the credentials are valid, or they are not. But I would not give away that they've at least guessed a password or username right...

Code:

if (!isset($_POST['username']) || !isset($_POST['password'])) {
  // not all values are available -> handle this problem
  exit();
}

$mysql = array();
$mysql['username'] = mysql_real_escape_string($_POST['username']);
$mysql['password'] = mysql_real_escape_string($_POST['password']);

$query = "SELECT first_name, last_name FROM users where username='{$mysql['username']}' AND password='{$mysql['password']}'";

$result = mysql_query($query);

if (mysql_num_rows($result) == 1) {
  // valid credentials were provided
  $row = mysql_fetch_assoc($result);
} else {
  // invalid credentials
  exit();
}
sparky753
Forum Commoner
Posts: 51
Joined: Fri Nov 03, 2006 10:39 am

Post by sparky753 »

Good point - I shouldn't give the user an inkling that they have entered a valid username... I'll give this a shot.
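
Added example (not code from the thread or its posters): one way to apply the advice above, returning a single generic message for every failed login so the response never shows whether the username exists. It goes beyond the thread's code by using PDO prepared statements and password_hash()/password_verify() instead of the mysql_* functions (removed in PHP 7) and a plaintext password comparison. The `password_hash` column, the `check_login()` helper and the in-memory SQLite data are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Assumes a `users` table with a
// `password_hash` column (hypothetical; the thread's table has `password`).
const GENERIC_ERROR = 'Invalid username or password';

// Returns [userRow, null] on success and [null, GENERIC_ERROR] on every failure.
function check_login(PDO $db, array $post, string $dummyHash): array
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
        return [null, GENERIC_ERROR];
    }
    // Prepared statement: the username is bound, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT first_name, last_name, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when the user does not exist

    // Unknown user: still run password_verify() against a dummy hash so both
    // failure paths do comparable work and return the same message.
    $hash = $row ? $row['password_hash'] : $dummyHash;
    if (!password_verify($password, $hash) || !$row) {
        return [null, GENERIC_ERROR];
    }
    unset($row['password_hash']);             // never hand the hash to the caller
    return [$row, null];
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, first_name TEXT, last_name TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?, ?, ?)')
   ->execute(['alice', 'Alice', 'Example', password_hash('correct horse', PASSWORD_DEFAULT)]);
// In a deployment this would be a precomputed constant, not generated per request.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

$cases = [
    ['username' => 'alice',  'password' => 'correct horse'], // valid credentials
    ['username' => 'alice',  'password' => 'wrong'],         // valid user, bad password
    ['username' => 'nobody', 'password' => 'wrong'],         // unknown user
    ['username' => 'alice'],                                 // missing field
];
foreach ($cases as $post) {
    [$user, $error] = check_login($db, $post, $dummyHash);
    echo $user ? "OK: {$user['first_name']}\n" : "FAIL: $error\n";
}
```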