help us with the login function

Posted: Tue Jul 10, 2007 12:08 am
by carsky
Guys, can you help with our login module? We placed our login form at the left table of the homepage.

This is our code:

******** PLEASE USE [code] TAGS AROUND CODE ***********

Code:

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>the homepage</title>
<LINK REL=StyleSheet HREF="shop.css" TYPE="text/css">
</style>
</head>

<body>
<div id="index">
<table width="795" cellpadding="0" cellspacing="0" border="0">
<tr>
	<td colspan="2" align="right">Hi Customer!(0 items | subtotal Php 0.00)</td>
<tr>
	<td><img src="header.jpg" /></td>
	<td><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="395" height="75" id="header" align="middle">
<param name="allowScriptAccess" value="sameDomain" />
<param name="movie" value="header.swf" /><param name="menu" value="false" /><param name="quality" value="high" /><param name="bgcolor" value="#3a2a67" /><embed src="header.swf" menu="false" quality="high" bgcolor="#3a2a67" width="395" height="75" name="header" align="middle" allowScriptAccess="sameDomain" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" />
</object>
	</td>
</tr>
</table>

<table width="795" cellpadding="0" cellspacing="0" border="0" >
<tr>
	<td colspan="2" align="center" class="mainmenu">
	<table width="700" cellpadding="0" cellspacing="0" border="0" align="center" id="mainmenu">
		<tr>
			<td align="center"><a href="index.htm">HOME</a></td>
			<td align="center"><a href="ProductMainCategory.html">PRODUCTS</a></td>
			<td align="center"><a href="BrandCategory.html">BRANDS</a></td>
			<td align="center"><a href="Cart.html">CART</a></td>
			<td align="center"><a href="MyAccount.html">MY ACCOUNT</a></td>
			<td align="center"><a href="registration.html">REGISTER</a></td>
			<td align="center">SUPPORT LINKS</td>
			<td align="center">FAQs</td>
			<td align="center">ABOUT US</td>
		</tr>
	</table>
	</td>
</tr>
<tr>
	<td width="195">
		<table width="193" cellpadding="10" cellspacing="0" border="1" class="leftnav">
			<tr>
				<td width="193">Keyword Search<br /><input type="text" /><br /><input type="submit" value="search" /></td>
			</tr>
			<tr>
				<td width="193">
					<br />
					ACCESSORIES<br />
					DESKTOP<br />
					LAPTOP<br />
					COMPUTER COMPONENTS<br />
					DIGITAL CAMERAS<br />
					PRINTERS<br />
					MODEMS/ROUTERS<br>
					MP3 PLAYERS<br>
					IPOD<br />
					FAX MACHINES<br />
					PDA COMPUTERS
				</td>
			</tr>
			<tr>
				<td width="193"><br />
<?php

$DBhost = "localhost";
$DBuser = "root";
$DBpass = "";
$DBName = "thesis";
$table = "tblcustomer";


mysql_connect($DBhost,$DBuser,$DBpass) or die("Unable to connect to database");
	
	// if we found an error save the error message in this variable
	$errorMessage = '';
	
	$userName = $_POST['username'];
	$password = $_POST['password'];
	
	// first, make sure the username & password are not empty
	if ($userName == '') {
		$errorMessage = 'You must enter your username';
	} else if ($password == '') {
		$errorMessage = 'You must enter the password';
	} else {
		// check the database and see if the username and password combo do match
		$sql = "SELECT Customerno
		        FROM tblcustomer 
				WHERE Username = '$userName' AND Password = md5('$password')";
		$result = dbQuery($sql);
	
		if (dbNumRows($result) == 1) {
			$row = dbFetchAssoc($result);
			// the query above selects Customerno, so read that column
			$_SESSION['plaincart_user_id'] = $row['Customerno'];
			
			/*
			// log the time when the user last login
			$sql = "UPDATE tblcustomer
			        SET user_last_login = NOW() 
					WHERE user_id = '{$row['user_id']}'";
			dbQuery($sql);
		          */

			// now that the user is verified we move on to the next page
            // if the user had been in the admin pages before we move to
			// the last page visited
			if (isset($_SESSION['login_return_url'])) {
				header('Location: ' . $_SESSION['login_return_url']);
				exit;
			} else {
				header('Location: index.php');
				exit;
			}
		} else {
			$errorMessage = 'Wrong username or password';
		}		
			
	}
	
	return $errorMessage;

?>

<?php
if ($errorMessage != '') {
?>
<p align="center"><strong><font color="#990000"><?php echo $errorMessage; ?></font></strong></p>
<?php
}
?>
				<form name="login" action="index.php" method="post">
					<h5 align="center">user login</h5>
					username:<input type="text" name="username" size="20" /><br />
					password:<input type="password" name="password" size="20"/><br />
					<input type="submit" value="login" /><br />
				</form>
				register click here<br />
				forgot password click here
				</td>
			</tr>
			<tr>
				<td width="193" align="left">
					Hi Customer, Welcome<br />
					Change Account Info<br />
					Go to Cart<br />
					View Order History<br />
					Sign Out
				</td>
			</tr>
		</table>
	</td>
	<td width="600" align="center">homepage content</td>
</tr>
<tr>
	<td colspan="2" align="center">footer</td>
</tr>
</table>
</div>
</body>
</html>


And right now we get this error:

Fatal error: Call to undefined function: dbquery() in D:\Server\xampp\htdocs\IECC proj\index.php on line 94..

We don't know what kind of error this is.

Maybe you could help us out. Thank you, goodbye.

Posted: Tue Jul 10, 2007 3:19 am
by aceconcepts
The function dbQuery() has not been defined. Try replacing

Code:

$result = dbQuery($sql);

with

Code:

$result = mysql_query($sql);

Also, you will need to replace all instances of the undefined function dbQuery().

Take a look at: http://uk.php.net/function.mysql-db-query

Posted: Tue Jul 10, 2007 8:21 am
by Mordred
1. You need to require() an additional module where those db* functions are defined.
2. You have an SQL injection vulnerability with both username and password.

Posted: Tue Jul 10, 2007 10:48 am
by carsky
I'm kinda new with PHP and I'm not familiar with other terms or functions. May I know what SQL injection is? Is it a serious threat to our system?

Posted: Tue Jul 10, 2007 11:06 am
by superdezign
carsky wrote: I'm kinda new with PHP and I'm not familiar with other terms or functions. May I know what SQL injection is? Is it a serious threat to our system?

8O YES!

Someone could potentially destroy your entire database using YOUR website to do it.
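
What Mordred's point 2 refers to, shown as an added example that is not code from the thread: the login lookup built the way the original post builds it, beside a prepared-statement version. It assumes PDO with an in-memory SQLite table standing in for the MySQL `tblcustomer`, constructed sample data, and `password_hash()`/`password_verify()` in place of the post's `md5()`; the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite table stands
// in for the poster's MySQL table tblcustomer; all data is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tblcustomer (
    Customerno INTEGER PRIMARY KEY, Username TEXT UNIQUE, Password TEXT)');

// Constructed sample customer whose username legitimately contains a quote.
$ins = $pdo->prepare('INSERT INTO tblcustomer (Username, Password) VALUES (?, ?)');
$ins->execute(["o'brien", password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// Pattern from the original post: the input is pasted into the SQL text, so a
// quote in the input ends the string literal and the rest is parsed as SQL.
function loginInterpolated(PDO $pdo, $userName)
{
    $sql = "SELECT Customerno FROM tblcustomer WHERE Username = '$userName'";
    try {
        $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row ? 'matched Customerno ' . $row['Customerno'] : 'no match';
    } catch (PDOException $e) {
        return 'input changed the query: ' . $e->getMessage();
    }
}

// Hardened form: the SQL text is fixed and the input is bound as a value.
function loginPrepared(PDO $pdo, $userName, $password)
{
    $stmt = $pdo->prepare(
        'SELECT Customerno, Password FROM tblcustomer WHERE Username = ?');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against the stored hash in PHP instead of inside the query.
    if ($row && password_verify($password, $row['Password'])) {
        return (int) $row['Customerno'];
    }
    return null;
}

// Same username through both paths, then a wrong password through the safe one.
var_dump(loginInterpolated($pdo, "o'brien"));
var_dump(loginPrepared($pdo, "o'brien", 'constructed-sample-pw'));
var_dump(loginPrepared($pdo, "o'brien", 'wrong'));
```

With `mysqli` instead of PDO the same separation is done with `prepare()` and `bind_param()`.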