
Login bug

Posted: Wed Nov 15, 2006 12:33 pm
by sparky753
I've been trying to resolve this issue for some time but haven't been able to figure out why my code is doing what it is. I have a simple login page 'login.php' that contains a form with 2 fields 'username' and 'password', and the Login button. When the form is submitted, the authentication takes place in another page called 'logincheck.php' (this is the page that 'login.php' posts to)

I've written lines of code on my 'logincheck.php' page that will first check if valid data has been entered on the login page. If valid username and password are entered, the user is redirected to a page 'welcome.php' or else warnings are shown to the user, such as "Username does not exist", "Please Enter Password".

Everything works fine except if a valid username and an invalid password have been entered. My code issues a warning for the following cases: if nothing is entered in either field, if an invalid username is entered, if an invalid username and invalid password are entered, if valid username and no password is entered. But if I input a valid username and an invalid password, nothing happens - I see a blank page...

Code:

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

$query = "SELECT username, password, first_name, last_name FROM users WHERE username='$username'";
$result = @mysql_query($query);
$row = mysql_fetch_array($result);

if (strlen($username) > 0) {
    if ($row) {
        $username = stripslashes($username);
    } else {
        $msg = $msg . "Please Enter Valid Username<BR>";
    }
} else {
    $msg = $msg . "Please Enter Username<BR>";
    $status = "NOTOK";
}

if (strlen($password) > 0) {
    if ($password == $row[1]) {
        $passworddec = stripslashes($password);
    } else {
        $msg = $msg . "Please Enter Valid Password<BR>";
    }
} else {
    $msg = $msg . "Please Enter Password<BR>";
    $status = "NOTOK";
}

I can't seem to figure out what I'm doing wrong here...

Posted: Wed Nov 15, 2006 12:46 pm
by Cameri
You must check if the variables have been set using isset().

Code:

$username = (isset($_POST['username'])) ? mysql_real_escape_string($_POST['username']) : "";
//OR

if (isset($_POST['username'])){
 $username = mysql_real_escape_string($_POST['username']);
} else {
 $username = '';
}

Re: Login bug

Posted: Wed Nov 15, 2006 1:28 pm
by timvw
Either the credentials are valid, or they are not. But I would not give away that they've at least guessed a password or username right...

Code:

if (!isset($_POST['username']) || !isset($_POST['password'])) {
  // not all values are available -> handle this problem
  exit();
}

$mysql = array();
$mysql['username'] = mysql_real_escape_string($_POST['username']);
$mysql['password'] = mysql_real_escape_string($_POST['password']);

$query = "SELECT first_name, last_name FROM users where username='{$mysql['username']}' AND password='{$mysql['password']}'";

$result = mysql_query($query);

if (mysql_num_rows($result) == 1) {
  // valid credentials were provided
  $row = mysql_fetch_assoc($result);
} else {
  // invalid credentials
  exit();
}

Posted: Wed Nov 15, 2006 3:00 pm
by sparky753
Good point - I shouldn't give the user an inkling that they have entered a valid username... I'll give this a shot...
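
The advice above (one generic failure for every bad login, so the page never confirms that a username exists), as an added example that is not part of the original posts. It goes beyond the thread by using PDO prepared statements and password_hash()/password_verify() in place of the mysql_* functions and plaintext comparison; the in-memory SQLite table, the sample user and check_login() are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Table layout, sample user and
// function name are assumptions made for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT,
           first_name TEXT, last_name TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'Alice', 'Example']);

// Hash of a throwaway value, verified when the username is unknown so that
// both failure paths do the same amount of work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

/** Returns the user's row on success, or null for ANY failure. */
function check_login(PDO $db, $username, $password)
{
    // Missing, empty or non-string fields (e.g. username[]=x) fail like any other.
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return null;
    }
    // Prepared statement: the username is bound, never spliced into the SQL.
    $stmt = $db->prepare('SELECT password_hash, first_name, last_name
                          FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run one hash verification, whether or not the user exists.
    $hash = $row ? $row['password_hash'] : DUMMY_HASH;
    $ok = password_verify($password, $hash);
    if (!$row || !$ok) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

$attempts = [                      // constructed sample input
    ['alice', 'correct horse'],    // valid credentials
    ['alice', 'wrong'],            // valid username, invalid password
    ['nobody', 'wrong'],           // unknown username
    ['alice', ''],                 // missing password
];
foreach ($attempts as [$u, $p]) {
    $user = check_login($db, $u, $p);
    echo $user ? "Welcome, {$user['first_name']}\n"
               : "Invalid username or password\n";
}
```

Every failing attempt produces the same message, so the "valid username, invalid password" case is no longer distinguishable from an unknown username.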