Page 1 of 1
Login Page
Posted: Thu Aug 02, 2007 9:14 am
by SirChick
I been designing a login page, and have been trying to get the code to check if firstly the username exists and then if it does check if the inputted password matches the password in the same record as the username.
I tried my best from what i know, but im out of ideas on how to get it to work... this is what i have:
Code: Select all
<?php
if (isset($_POST['Login'])) {
$Username = ($_POST['Username']);
$Password = ($_POST['Password']);
mysql_connect("localhost", "root", "private") or die (mysql_error());
mysql_select_db("civilian") or die (mysql_error());
$chkUSERNAME = mysql_query("SELECT * FROM `userregistration` WHERE `Username` = '".$_GET['Username']."'");
$getUSERNAME = mysql_fetch_object($chkUSERNAME);
if($_GET['Username'] != $getUSR->Username) {
die('Username or password is incorrect, please check your spelling!');
$chkPASSWORD = mysql_query("SELECT * FROM `userregistration` WHERE `Password` = '".$_GET['Password']."'");
$getPASSWORD = mysql_fetch_object($chkPASSWORD);
if($_GET['PASSWORD'] != $getPSW->Password) {
die('Username or password is incorrect, please check your spelling!');
header("Location: success.php");
}}}
?>
Posted: Thu Aug 02, 2007 9:18 am
by TheMoose
I believe you want $getUSR->Username to be $getUSERNAME->Username, and similar for $getPSW.
Also, filter user input. The script you have allows SQL injection to be easily accomplished! Don't put any direct $_GET or $_POST value straight into a SQL query.
Posted: Thu Aug 02, 2007 9:22 am
by SirChick
i tried sql injection prevention using string escape function, but it screwed it up. Ill put it back in and see if any thing occurs with your added info you provided. will keep you informed.
Posted: Thu Aug 02, 2007 9:25 am
by SirChick
This is what i have now, i tried putting in wrong passwords and usernames and clicked submit and it cleared the boxes and no errors like "username or password is incorrect" so thats not working. Also when i put valid username and password it doesn't redirect to the success.php page either.
Code: Select all
<?php
if (isset($_POST['Login'])) {
$Username = mysql_real_escape_string($_POST['Username']);
$Password = mysql_real_escape_string($_POST['Password']);
mysql_connect("localhost", "root", "private") or die (mysql_error());
mysql_select_db("civilian") or die (mysql_error());
$chkUSERNAME = mysql_query("SELECT * FROM `userregistration` WHERE `Username` = '".$_GET['Username']."'");
$getUSERNAME = mysql_fetch_object($chkUSERNAME);
if($_GET['Username'] != $getUSERNAME->Username) {
die('Username or password is incorrect, please check your spelling!');
$chkPASSWORD = mysql_query("SELECT * FROM `userregistration` WHERE `Password` = '".$_GET['Password']."'");
$getPASSWORD = mysql_fetch_object($chkPASSWORD);
if($_GET['PASSWORD'] != $getPASSWORD->Password) {
die('Username or password is incorrect, please check your spelling!');
header("Location: success.php");
}}}
?>
Posted: Thu Aug 02, 2007 9:32 am
by TheMoose
How are you sending the data to the script? Post or get? The $_GET global is only used for data items passed directly in the URL (IE: mypage.php?foo=bar), $_POST is used for data items sent "hidden" via the post method.
You have both $_GET and $_POST, if you're sending them via $_GET, it should work fine. Otherwise, you need to replace the $_GET['Username'] with your previously set variable of $Username (has the value of $_POST['Username']), and likewise for the password.
Posted: Thu Aug 02, 2007 9:35 am
by SirChick
Well the form is a $_POST, so i changed them all to post but the same still occurs.
Code: Select all
<?php
if (isset($_POST['Login'])) {
$Username = mysql_real_escape_string($_POST['Username']);
$Password = mysql_real_escape_string($_POST['Password']);
mysql_connect("localhost", "root", "private") or die (mysql_error());
mysql_select_db("civilian") or die (mysql_error());
$chkUSERNAME = mysql_query("SELECT * FROM `userregistration` WHERE `Username` = '".$_POST['Username']."'");
$getUSERNAME = mysql_fetch_object($chkUSERNAME);
if($_POST['Username'] != $getUSERNAME->Username) {
die('Username or password is incorrect, please check your spelling!');
$chkPASSWORD = mysql_query("SELECT * FROM `userregistration` WHERE `Password` = '".$_POST['Password']."'");
$getPASSWORD = mysql_fetch_object($chkPASSWORD);
if($_POST['PASSWORD'] != $getPASSWORD->Password) {
die('Username or password is incorrect, please check your spelling!');
header("Location: success.php");
}}}
?>
Posted: Thu Aug 02, 2007 10:39 am
by VladSun
Do you use "root" user for connect to mysql in the script? Or this is just an example?
Posted: Thu Aug 02, 2007 11:17 am
by SirChick
i just changed that when displaying my code in here. i change it back to my actual username and password when trying suggestions out.
I would not have thought that would matter though
Posted: Thu Aug 02, 2007 11:41 am
by VladSun
SirChick wrote:I would not have thought that would matter though
I am asking it because it is very unsecure - it has nothing to do with the code.
Posted: Thu Aug 02, 2007 12:33 pm
by SirChick
my priority is to get the code working for now.
Posted: Thu Aug 02, 2007 1:56 pm
by TheMoose
Make sure that you have an item in your form named "Login", ie:
Code: Select all
<input type="submit" name="Login" value="Login">
<!-- Or you could do this -->
<input type="hidden" name="Login" value="true">