Login pages... (quickie)

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Check $result to make sure it's not false....
User avatar
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Call it without any parameters.
Edit: sorry no, completely wrong there.
Last edited by Ollie Saunders on Mon Jan 15, 2007 8:40 pm, edited 1 time in total.
Mightywayne
Forum Contributor
Posts: 237
Joined: Sat Dec 09, 2006 6:46 am

Post by Mightywayne »

Okay, I checked it with this code

Code: Select all

if($result==false)
{
printf("False result.");
}
And it appears it IS false.

However. I have absolutely no idea why it's false, or how it became false. I think it may have something to do with the query being username AND password, but then $count would be messed up if I broke them apart into seperate queries... =/
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

A false return value denotes an error happened. I would imagine it's using "password," but you can check it with mysql_error().
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Mightywayne, if I look at the code, it still is vulnerable to sql injection. Meaning that even if you get it to work, any hacker can hack your script, without having a valid username/password. If I enter a single quote as my username:

Code: Select all

<?php
$username = $_POST['username']; // '
$password = $_POST['password'];

$sql = "SELECT * FROM user WHERE username='$username' and password='$password'"; 
// $sql = "SELECT * FROM user WHERE username = '''

// etc
?>
Mightywayne
Forum Contributor
Posts: 237
Joined: Sat Dec 09, 2006 6:46 am

Post by Mightywayne »

Matt, I editted my post before the one you made to tell you that I like to add that stuff at the end to stop any confusion that may come from it. feyd, I'll check now.
Mightywayne
Forum Contributor
Posts: 237
Joined: Sat Dec 09, 2006 6:46 am

Post by Mightywayne »

Okay this is making absolutely NO sense at all. I did the SAME process from my "verification" one that I made, which turned out perfect, and for absolutely NO reason at all, the values are false. It's connecting properly, and I changed from the "AND password" thing, to

Code: Select all

$sql1 = "SELECT * FROM user WHERE username='$username'";
$result1 = mysql_query($sql1);

$sql2 = "SELECT * FROM user WHERE password='$password'";
$result2 = mysql_query($sql2);
Is there a tutorial any of you can suggest? Because obviously this tutorial from 2002 is messed up for some reason. Is there a different way to do it than using headers()? It doesn't seem like it should be hard, but I hate when coding does this; things that should work normally randomly don't.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

What does mysql_error() tell you?
User avatar
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Perhaps the initial connection is failing
Mightywayne
Forum Contributor
Posts: 237
Joined: Sat Dec 09, 2006 6:46 am

Post by Mightywayne »

Editted out in case some folks try to hax0r me. Seriously. o_O;;
Last edited by Mightywayne on Fri Apr 06, 2007 2:19 pm, edited 2 times in total.
User avatar
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

read up on how to use mysql_error again.
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I see a lot of code like that posted. It is pretty difficult to debug. I think, at least, some basic Structured Programming would be helpful. At a minimum a PHP database script ought to look something like this:

Code: Select all

<?php
// initialize variables
$errmsg = '';
$row = array();

// Connect to server
$con = mysql_connect("localhost","burnttoa_umonbre","don't_post_passwords");

if (mysql_errno()) {
     $errmsg = 'Could not connect:' . mysql_error();
} else {

     // Select database.
     mysql_select_db("burnttoa_monbre");

     if (mysql_errno()) {
          $errmsg = 'Could not select:' . mysql_error();
     } else {
          // Setup and do query

          // filter untrusted post variable
          $username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['username']);

          // escape untrusted post variable
          $username = mysql_real_escape_string($_POST['username']);

          $sql1 = "SELECT * FROM user WHERE username='$username'";
          $result1 = mysql_query($sql1);

          if (mysql_errno()) {
               $errmsg = 'Query failed:' . mysql_error();
          } else {
               $row = mysql_fetch_assoc($result);
          }
     }
}

// now the response
if ($errmsg) {
     // error goes here
     echo "Error: $errmsg<br/>";
} else {
     // success goes here
     dump($row);
}

// handy for debugging
function dump($value) {
     echo '<pre>' . print_r($value, 1) . '</pre>';
}
No die(), clear logic, thorough error checking, separation of connection and response (reporting an error is also a response), and basic security ...
(#10850)
User avatar
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

arborint wrote:I see a lot of code like that posted. It is pretty difficult to debug. I think, at least, some basic Structured Programming would be helpful. At a minimum a PHP database script ought to look something like this:

Code: Select all

<?php
// initialize variables
$errmsg = '';
$row = array();

// Connect to server
$con = mysql_connect("localhost","burnttoa_umonbre","don't_post_passwords");

if (mysql_errno()) {
     $errmsg = 'Could not connect:' . mysql_error();
} else {

     // Select database.
     mysql_select_db("burnttoa_monbre");

     if (mysql_errno()) {
          $errmsg = 'Could not select:' . mysql_error();
     } else {
          // Setup and do query

          // filter untrusted post variable
          $username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['username']);

          // escape untrusted post variable
          $username = mysql_real_escape_string($_POST['username']);

          $sql1 = "SELECT * FROM user WHERE username='$username'";
          $result1 = mysql_query($sql1);

          if (mysql_errno()) {
               $errmsg = 'Query failed:' . mysql_error();
          } else {
               $row = mysql_fetch_assoc($result);
          }
     }
}

// now the response
if ($errmsg) {
     // error goes here
     echo "Error: $errmsg<br/>";
} else {
     // success goes here
     dump($row);
}

// handy for debugging
function dump($value) {
     echo '<pre>' . print_r($value, 1) . '</pre>';
}
No die(), clear logic, thorough error checking, separation of connection and response (reporting an error is also a response), and basic security ...
+1 for snippets
Mightywayne
Forum Contributor
Posts: 237
Joined: Sat Dec 09, 2006 6:46 am

Post by Mightywayne »

Uhm okay. I think I'm going to switch to cookies now. Instead of sessions. How bad is that? I've heard of cookie manipulation, but my friend suggests cookies, and sessions are right now confusing me majorly.

Also, I'm not really getting mysql_error either. It just keeps giving me Warning: mysql_error(): supplied argument is not a valid MySQL-Link resource in /home/burnttoa/public_html/monbre/checklogin.php on line 22 which google is no help for.

My friend just gave me a good cookie script so I'll check that out, it seems pretty good, sans some functions I'll have to learn. :) I hope the cookies aren't a security thing though... are they?
User avatar
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews
Contact:

Post by aaronhall »

First, you need to read how to use mysql_error()

Second, sessions use cookies, and the problem you are having now has nothing to do with either.
Post Reply