Page 1 of 1

My Log In Script

Posted: Tue Jan 16, 2007 7:44 pm
by Garcia
feyd | Please use

Code: Select all

,

Code: Select all

and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read:  [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]


Hello,

I created a log in script recently it worked and all but I found out I wasn't using correct MySql syntax and forgot the WHERE to identify the specific username and password.

At first it wasn't grabbing the Username and now I fixed that error now I get the following error stating the password can not be found. Is it because possibly do with my md5 hashes?

Here is my login code:

Code: Select all

<?php
//login page
session_start();
require ("config.php");
switch (@$_POST['do'] )
{
	case "new":
		//if entered blank form returns error
foreach ($_POST as $field => $value)
{
	  if ($value == "")
		{
		  $blanks[] = $field;
		}
}

if (isset ($blanks) )
{
	$message = "Following fields are blank. Please enter the required information:   ";
	foreach ($blanks as $value)
	{
		$message .= "$value, ";
	}
	extract ($_POST);
	include ('login_form.php');
	exit();
}

$sql = "SELECT username FROM members WHERE username = '$_POST[username]'";
$rs = mysql_query($sql, $con);
print mysql_error();
$num = mysql_num_rows($rs);
if ($num > 0) // login name found!
{
	$sql = "SELECT username FROM members WHERE username = '$_POST[username]' AND password=md5('$_POST[password]')";
	$result2 = mysql_query ($sql,$con);
                 print mysql_error();
	$num2 = mysql_num_rows ($result2);
	if ($num2 > 0) //correct passy
	{
		//Grab session id 
$user = mysql_query("SELECT id FROM members WHERE username = ".$_POST['username']." LIMIT 0,1");
$result = mysql_fetch_assoc($user);
$_SESSION['id'] = $result['id'];
		$_SESSION['auth'] = "yes";
		$_SESSION['gid'] = $gid;
		$_SESSION['id'] = $id;
		header ("Location: userarea.php");
	}
       else
	{
		   $message = "The Login Name, '$_POST[username]' exists, but you have not entered the correct password!<br/>";
	   include ("login_form.php");
	}
}
elseif ($num == 0)
{
	$message = "Login Name does not exist";
	include ("login_form.php");
}
break;

default:
include ('login_form.php');

}

?>
Login Form"

Code: Select all

<html>
<head>
<title>Member Login</title>
</head>
<body>
<h1>Member Login:</h1><br />
<?php
     if (isset ($message) )
	 {
		 print " $message ";
	 }
?>
<form action="login.php?do=new" method="POST">
Member ID: <input type="text" name="username" size="20" /><br /><br />
Password: <input type="password" name="password" size="20" /><br /><br />
<input type="hidden" name="do" value="new">
<input type="submit" name="Submit" value="Login" />
</form>
</body>
</html>
Any help on ideas why it isn't working is appreciated.


feyd | Please use

Code: Select all

,

Code: Select all

and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read:  [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]

Posted: Tue Jan 16, 2007 8:11 pm
by volka
Three querries on the same table only to fetch some userdata. Why?

Code: Select all

$sql = "SELECT `username`,`password`, `id` FROM members WHERE username = '$_POST[username]'";
$result = mysql_query($sql, $con) or die(mysql_error());
$row = mysql_fetch_array($result);
if ( false!==$row && $row['password']===md5($_POST['username']) ) {
	$_SESSION['id'] = $result['id'];
	$_SESSION['username'] = $result['username'];
}

Posted: Tue Jan 16, 2007 8:21 pm
by Garcia
Ah ya my lack of using efficient ways, I can also blame my book I reference off of. Thanks volka I will try that code out.

Posted: Tue Jan 16, 2007 8:27 pm
by Z3RO21

Code: Select all

switch (@$_POST['do'] )
Not a good choice either. You should look into isset() and array_key_exists(). Not good practice to supers errors with '@'. Do some validation and checking, it is much safer as well. 8) (and cooler)

Posted: Tue Jan 16, 2007 9:19 pm
by Garcia
feyd | Please use

Code: Select all

,

Code: Select all

and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read:  [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]


I will change the switch as soon as I get this to work I still get an error message for wrong username or password...

Code: Select all

<?php
//login page
session_start();
require ("config.php");
switch (@$_POST['do'] )
{
	case "new":
		//if entered blank form returns error
foreach ($_POST as $field => $value)
{
	  if ($value == "")
		{
		  $blanks[] = $field;
		}
}

if (isset ($blanks) )
{
	$message = "Following fields are blank. Please enter the required information:   ";
	foreach ($blanks as $value)
	{
		$message .= "$value, ";
	}
	extract ($_POST);
	include ('login_form.php');
	exit();
}

$sql = "SELECT `username`,`password`, `id` FROM members WHERE username = '$_POST[username]'";
$result = mysql_query($sql, $con) or die(mysql_error());
$row = mysql_fetch_array($result);
if ( false!==$row && $row['password']===md5($_POST['username']) ) {
        $_SESSION['id'] = $result['id'];
        $_SESSION['username'] = $result['username'];
		header ("Location: userarea.php");
}
       else
	{
		   $message = "The username and or password is incorrect.!<br/>";
	   include ("login_form.php");
	}
break;

default:
include ('login_form.php');

}

?>
Help is appreciated :) .

Thanks!


feyd | Please use

Code: Select all

,

Code: Select all

and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read:  [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]

Posted: Tue Jan 16, 2007 11:31 pm
by aaronhall
Aside from the XSS and SQL injection vulnerabilities, the following is likely your problem:

Code: Select all

$row['password']===md5($_POST['username'])

Posted: Wed Jan 17, 2007 9:14 am
by Mordred
Read this post, you have many problems in common.