Login Page

SirChick
Forum Contributor
Posts: 125
Joined: Tue Jul 31, 2007 11:55 am

Post by SirChick »

I've been designing a login page, and have been trying to get the code to check firstly if the username exists and then, if it does, check if the inputted password matches the password in the same record as the username.

I tried my best from what I know, but I'm out of ideas on how to get it to work... this is what I have:

Code: Select all

<?php
if (isset($_POST['Login'])) {

$Username = ($_POST['Username']); 
$Password = ($_POST['Password']);

mysql_connect("localhost", "root", "private") or die (mysql_error());
mysql_select_db("civilian") or die (mysql_error());
$chkUSERNAME = mysql_query("SELECT * FROM `userregistration` WHERE `Username` = '".$_GET['Username']."'");
 $getUSERNAME = mysql_fetch_object($chkUSERNAME);
 if($_GET['Username'] != $getUSR->Username) {
  die('Username or password is incorrect, please check your spelling!');

$chkPASSWORD = mysql_query("SELECT * FROM `userregistration` WHERE `Password` = '".$_GET['Password']."'");
 $getPASSWORD = mysql_fetch_object($chkPASSWORD);
 if($_GET['PASSWORD'] != $getPSW->Password) {
  die('Username or password is incorrect, please check your spelling!');

header("Location: success.php");
}}}
?>
TheMoose
Forum Contributor
Posts: 351
Joined: Tue May 23, 2006 10:42 am

Post by TheMoose »

I believe you want $getUSR->Username to be $getUSERNAME->Username, and similar for $getPSW.

Also, filter user input. The script you have allows SQL injection to be easily accomplished! Don't put any direct $_GET or $_POST value straight into a SQL query.
SirChick
Forum Contributor
Posts: 125
Joined: Tue Jul 31, 2007 11:55 am

Post by SirChick »

I tried SQL injection prevention using the string escape function, but it screwed it up. I'll put it back in and see if anything occurs with the added info you provided. Will keep you informed.
SirChick
Forum Contributor
Posts: 125
Joined: Tue Jul 31, 2007 11:55 am

Post by SirChick »

This is what I have now. I tried putting in wrong passwords and usernames and clicked submit, and it cleared the boxes with no errors like "username or password is incorrect", so that's not working. Also, when I put in a valid username and password it doesn't redirect to the success.php page either.

Code: Select all

<?php
if (isset($_POST['Login'])) {

$Username = mysql_real_escape_string($_POST['Username']); 
$Password = mysql_real_escape_string($_POST['Password']);

mysql_connect("localhost", "root", "private") or die (mysql_error());
mysql_select_db("civilian") or die (mysql_error());
$chkUSERNAME = mysql_query("SELECT * FROM `userregistration` WHERE `Username` = '".$_GET['Username']."'");
 $getUSERNAME = mysql_fetch_object($chkUSERNAME);
 if($_GET['Username'] != $getUSERNAME->Username) {
  die('Username or password is incorrect, please check your spelling!');

$chkPASSWORD = mysql_query("SELECT * FROM `userregistration` WHERE `Password` = '".$_GET['Password']."'");
 $getPASSWORD = mysql_fetch_object($chkPASSWORD);
 if($_GET['PASSWORD'] != $getPASSWORD->Password) {
  die('Username or password is incorrect, please check your spelling!');

header("Location: success.php");
}}}
?>
TheMoose
Forum Contributor
Posts: 351
Joined: Tue May 23, 2006 10:42 am

Post by TheMoose »

How are you sending the data to the script? Post or get? The $_GET global is only used for data items passed directly in the URL (IE: mypage.php?foo=bar), $_POST is used for data items sent "hidden" via the post method.

You have both $_GET and $_POST, if you're sending them via $_GET, it should work fine. Otherwise, you need to replace the $_GET['Username'] with your previously set variable of $Username (has the value of $_POST['Username']), and likewise for the password.
SirChick
Forum Contributor
Posts: 125
Joined: Tue Jul 31, 2007 11:55 am

Post by SirChick »

Well, the form is a $_POST, so I changed them all to post, but the same still occurs.

Code: Select all

<?php
if (isset($_POST['Login'])) {

$Username = mysql_real_escape_string($_POST['Username']); 
$Password = mysql_real_escape_string($_POST['Password']);

mysql_connect("localhost", "root", "private") or die (mysql_error());
mysql_select_db("civilian") or die (mysql_error());
$chkUSERNAME = mysql_query("SELECT * FROM `userregistration` WHERE `Username` = '".$_POST['Username']."'");
 $getUSERNAME = mysql_fetch_object($chkUSERNAME);
 if($_POST['Username'] != $getUSERNAME->Username) {
  die('Username or password is incorrect, please check your spelling!');

$chkPASSWORD = mysql_query("SELECT * FROM `userregistration` WHERE `Password` = '".$_POST['Password']."'");
 $getPASSWORD = mysql_fetch_object($chkPASSWORD);
 if($_POST['PASSWORD'] != $getPASSWORD->Password) {
  die('Username or password is incorrect, please check your spelling!');

header("Location: success.php");
}}}
?>
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

Do you use the "root" user to connect to MySQL in the script? Or is this just an example?
There are 10 types of people in this world, those who understand binary and those who don't
SirChick
Forum Contributor
Posts: 125
Joined: Tue Jul 31, 2007 11:55 am

Post by SirChick »

I just changed that when displaying my code in here. I change it back to my actual username and password when trying suggestions out.

I would not have thought that would matter though
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

SirChick wrote: I would not have thought that would matter though
I am asking because it is very insecure - it has nothing to do with the code.
There are 10 types of people in this world, those who understand binary and those who don't
SirChick
Forum Contributor
Posts: 125
Joined: Tue Jul 31, 2007 11:55 am

Post by SirChick »

My priority is to get the code working for now.
TheMoose
Forum Contributor
Posts: 351
Joined: Tue May 23, 2006 10:42 am

Post by TheMoose »

Make sure that you have an item in your form named "Login", ie:

Code: Select all

<input type="submit" name="Login" value="Login">
<!-- Or you could do this -->
<input type="hidden" name="Login" value="true">
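
An added example, not code from any poster in this thread: one way to do the check the thread is after, using a PDO prepared statement instead of concatenating request values (in the posted versions the escaped $Username and $Password are never used in the queries, and the password check and redirect sit inside the username-mismatch block after die()). The PasswordHash column, the in-memory SQLite database and the sample rows are assumptions constructed for the demo; the table and Username column follow the posted queries.

```php
<?php
// Added example, not the thread's code. PasswordHash column and demo rows are assumptions.

// Returns true only if the username exists AND the password matches that same row.
function checkLogin(PDO $db, string $username, string $password): bool
{
    // Bound placeholder: the input never becomes part of the SQL text, so there
    // is no escaping step to forget or to apply to the wrong variable.
    $stmt = $db->prepare(
        'SELECT PasswordHash FROM userregistration WHERE Username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still verify against a dummy hash so both failure paths
    // do similar work and give the caller the same generic result.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy-value', PASSWORD_DEFAULT);
    $hash = $row['PasswordHash'] ?? $dummy;

    return password_verify($password, $hash) && $row !== false;
}

// Constructed demo data in an in-memory SQLite database (runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userregistration (Username TEXT PRIMARY KEY, PasswordHash TEXT)');
$ins = $db->prepare('INSERT INTO userregistration VALUES (?, ?)');
$ins->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed inputs: valid login (name contains a quote), wrong password, unknown user.
$cases = [["o'brien", 'correct horse'], ["o'brien", 'wrong'], ['nobody', 'correct horse']];
foreach ($cases as [$u, $p]) {
    // On the real page: success => header('Location: success.php'); exit;
    // failure => one generic message, whichever check failed.
    $ok = checkLogin($db, $u, $p);
    printf("%-10s %s\n", $u, $ok ? 'login ok' : 'Username or password is incorrect');
}
```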