Problems please help

Posted: Sat Jun 30, 2007 2:18 pm
by tigomark
Hello,

I am having a problem with a login script not responding how I would hope

Code:

<?php

session_start();

if (isset($_POST['username']) && isset($_POST['password'])) {

    $username = $_POST['username'];
    $password = $_POST['password'];

    // prefs.php (not shown) is where $host and $root come from
    include ("../includes/prefs.php");

    $db_name = "weekends";
    $table_name = "users";

    // note: the third argument is the same $password variable filled from the form above
    $connection = @mysql_connect("$host", "$root", "$password") or die("Couldn't connect.");
    $db = @mysql_select_db($db_name, $connection) or die("Couldn't select database.");

    // the form values are interpolated directly into the query string
    $sql = "SELECT * FROM $table_name
    WHERE username = \"$username\" AND password = \"$password\"
    ";

    $result = @mysql_query($sql, $connection) or die("Couldn't execute query.");

    if (mysql_num_rows($result) > 0) {
        // looks for registered users
        $_SESSION['valid_user'] = $username;
    }
}

?>

Right now if I add the information

Code:

$num_rows = mysql_num_rows($result);
echo "$num_rows";

I get a result of 0 even though I have verified that username and password are correct. I have done a query straight to MySQL and I do receive the data I am looking for.

Thank you in advance for any help.

Posted: Sat Jun 30, 2007 2:27 pm
by miro_igov
Try to

Code:

echo $sql;

then copy it and paste in your database interface and see the result.

Posted: Sat Jun 30, 2007 2:39 pm
by d3ad1ysp0rk
Get rid of all the @ signs; maybe you're not connecting properly and it can't tell you since errors are suppressed?

Descriptive Subjects

Posted: Sat Jun 30, 2007 2:49 pm
by feyd
Forum Rules (http://forums.devnetwork.net/viewtopic.php?t=30037) Section 1.1 wrote:
2. Use descriptive subjects when you start a new thread. Vague titles such as "Help!", "Why?" are misleading and keep you from receiving an answer to your question.

Posted: Sat Jun 30, 2007 3:42 pm
by Ambush Commander
Your code is vulnerable to SQL injection. Read up on why magic quotes are bad, and on mysql_real_escape_string().

Also, general coding tips:

- Try not to nest includes. In this case, if username and password aren't set in the $_POST array, exit out
- Quoting variables is not necessary, i.e. "$var" == $var
- You don't use $db, so there's no need to assign it to a variable
- It's generally a good idea to add back-ticks around all column names
- Indent properly. It's very helpful
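The following is an added example, not code from the thread's posters: the original login check rewritten with the advice from this thread applied (no @ suppression, early exit instead of nesting, back-ticks on identifiers, user input kept out of the SQL text). It uses mysqli because the mysql_* functions the thread relies on were removed in PHP 7; prepared statements are the general form of the escaping fix the thread names. It assumes ../includes/prefs.php defines $host, $root and a hypothetical $db_password (a distinct name, so the DB credential can no longer share a variable with the form field), and a `users` table with `username` and `password` columns as in the original query.

```php
<?php
// Added example (not the original poster's code). Assumed: prefs.php defines
// $host, $root and $db_password; table `users` has `username` and `password`.
session_start();

// Exit early when the form fields are missing instead of nesting everything.
if (!isset($_POST['username'], $_POST['password'])) {
    exit('Missing credentials.');
}

$username = $_POST['username'];
$password = $_POST['password'];

// Keep the DB credential in its own variable ($db_password, assumed) so the
// include cannot clobber the form value held in $password.
include '../includes/prefs.php';

$db_name    = 'weekends';
$table_name = 'users';

// No @ suppression: if the connection fails we want to see why.
// (PHP 8.1+ makes mysqli throw exceptions by default; the false checks below
// cover older versions.)
$connection = mysqli_connect($host, $root, $db_password, $db_name);
if ($connection === false) {
    exit('Could not connect: ' . mysqli_connect_error());
}

// The original query, kept only for comparison. A double quote inside either
// form value ends the string literal early and the rest of the value is parsed
// as SQL, which is what "vulnerable to SQL injection" means here.
$vulnerable_sql = "SELECT * FROM $table_name "
    . "WHERE username = \"$username\" AND password = \"$password\"";

// Hardened form: the values travel separately from the SQL text, so nothing in
// $username or $password can alter the statement's structure. Identifiers cannot
// be bound as parameters, which is why $table_name (a constant here) is still
// interpolated, inside back-ticks as the thread suggests.
$stmt = mysqli_prepare(
    $connection,
    "SELECT `username` FROM `$table_name` WHERE `username` = ? AND `password` = ?"
);
if ($stmt === false) {
    exit('Could not prepare statement: ' . mysqli_error($connection));
}
mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);   // required before mysqli_stmt_num_rows()

if (mysqli_stmt_num_rows($stmt) > 0) {
    $_SESSION['valid_user'] = $username;
}

mysqli_stmt_close($stmt);
mysqli_close($connection);
?>
```

If the legacy escaping approach from the thread is preferred over a prepared statement, the mysqli equivalent is mysqli_real_escape_string($connection, $value) applied to each form value before it is placed inside a quoted literal; the prepared statement removes the need to remember that step. One caveat the thread does not cover: this query, like the original, compares the submitted password against the stored column directly, which only works if passwords are stored in plaintext; that is a separate problem from the injection.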