Problems please help

tigomark
Forum Newbie
Posts: 1
Joined: Sat Jun 30, 2007 2:12 pm


Post by tigomark »

Hello,

I am having a problem with a login script not responding how I would hope.

Code: Select all

<?php

session_start();


 if (isset($_POST['username']) && isset($_POST['password'])){
 
  
$username = $_POST['username'];
$password = $_POST['password'];


include ("../includes/prefs.php");

$db_name = "weekends";

$table_name = "users";

$connection = @mysql_connect("$host", "$root", "$password") or die("Couldn't connect.");

$db = @mysql_select_db($db_name, $connection) or die("Couldn't select database.");

$sql = "SELECT * FROM $table_name
WHERE username = \"$username\" AND password = \"$password\"
";

$result = @mysql_query($sql, $connection) or die("Couldn't execute query.");




			if (mysql_num_rows($result) > 0){

		//looks for registered users
				$_SESSION['valid_user'] = $username;
					}
		
		
		} 

?>

Right now if I add the information

Code: Select all

$num_rows = mysql_num_rows($result);

		echo "$num_rows";
I get a result of 0 even though I have verified that username and password are correct. I have done a query straight to My_SQL and I do receive the data I am looking for.

Thank you in advance for any help.
miro_igov
Forum Contributor
Posts: 485
Joined: Fri Mar 31, 2006 5:06 am
Location: Bulgaria

Post by miro_igov »

Try to

Code: Select all

echo $sql;
then copy it and paste in your database interface and see the result.
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

Get rid of all the @ signs; maybe you're not connecting properly and it can't tell you since errors are suppressed?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Descriptive Subjects

Post by feyd »

Forum Rules (http://forums.devnetwork.net/viewtopic.php?t=30037) Section 1.1 wrote:
2. Use descriptive subjects when you start a new thread. Vague titles such as "Help!", "Why?" are misleading and keep you from receiving an answer to your question.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Your code is vulnerable to SQL injection. Read up on why magic quotes is bad and mysql_real_escape_string().

Also, general coding tips:

- Try not to nest includes. In this case, if username and password aren't set in the $_POST array, exit out
- Quoting variables is not necessary, i.e. "$var" == $var
- You don't use $db, so there's no need to assign it to a variable
- It's generally a good idea to add back-ticks around all column names
- Indent properly. It's very helpful
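
Added example (not part of the original thread and not any poster's code): the login check from the first post rewritten with a bound parameter, so the submitted username never becomes part of the SQL text. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL "users" table, the password column holds password_hash() output rather than the raw password, and checkLogin() is a hypothetical helper name.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with an in-memory
// SQLite database stands in for the MySQL "users" table; the password column
// holds password_hash() output; checkLogin() is a hypothetical helper.

function checkLogin(PDO $pdo, string $username, string $password): bool
{
    // The placeholder keeps $username out of the SQL text entirely, so
    // quote characters in it cannot change the structure of the query.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // errors surface, no @
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Form values get their own names; the posted script reuses $password for
// both the form field and the mysql_connect() argument.
$attempts = [
    ['alice', 'correct horse'],   // valid credentials
    ['alice', 'wrong'],           // wrong password
    ['x" OR "1"="1', 'anything'], // quote characters are bound as plain data
];

foreach ($attempts as [$formUser, $formPass]) {
    $ok = checkLogin($pdo, $formUser, $formPass);
    // session_start(); $_SESSION['valid_user'] = $formUser;  // only when $ok is true
    printf("%-16s => %s\n", $formUser, $ok ? 'accepted' : 'rejected');
}
```

Against MySQL only the DSN passed to the PDO constructor changes; the prepared statement and the password_verify() check stay the same.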