login script

monkeymafia
Forum Commoner
Posts: 31
Joined: Mon Oct 08, 2007 3:08 pm

Post by monkeymafia »

Hi,

I'm trying to get this login script working:

Code: Select all

<?php

session_start();
$fk_memberid=$_POST['fk_memberid'];
$pwd=$_POST['password'];
// now you can check the POST variables for possible code injection...
mysql_connect("localhost", "username", "mypass") or die(mysql_error());
mysql_select_db("mydb") or die(mysql_error());

if (isset($_POST['submit'])) {
   $sql="SELECT U_PK, fk_memberid FROM members WHERE fk_memberid='$fk_memberid' AND password='$pwd' ";
   if ($row=mysql_fetch_assoc($result)) {
      extract($row);
      if ($password == $pwd) {
         echo "Welcome back, $fk_memberid<br />";
        
      } else {
         echo "Incorrect Password. Try again<br />";
      }
   } else {
      echo "Incorrect Login. Try again<br />";
   }
}
?>

However, when I try logging in, it gives me the following error:

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/public_html/myaccount.php on line 12
Incorrect Login. Try again

Does anyone know why this is happening? 8O
Thanks for any guidance.
xitura
Forum Newbie
Posts: 20
Joined: Fri Sep 07, 2007 11:25 am

Post by xitura »

It looks like you forgot:

Code: Select all

$result = mysql_query($sql);
monkeymafia
Forum Commoner
Posts: 31
Joined: Mon Oct 08, 2007 3:08 pm

Post by monkeymafia »

Thanks.

That got rid of the error message, but now it displays the incorrect password message :?
There's a problem matching the password field, but I don't know why.
xitura
Forum Newbie
Posts: 20
Joined: Fri Sep 07, 2007 11:25 am

Post by xitura »

Did you add

Code: Select all

or die(mysql_error());

after the row of code I wrote?
monkeymafia
Forum Commoner
Posts: 31
Joined: Mon Oct 08, 2007 3:08 pm

Post by monkeymafia »

Yes, same response.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Don't use extract(), use $row['password'].
var_dump($row) to see what's there.
Then you'll see that you don't select password in your SQL statement.

You still haven't taken measures against SQL injection and session fixation.
monkeymafia
Forum Commoner
Posts: 31
Joined: Mon Oct 08, 2007 3:08 pm

Post by monkeymafia »

Thanks, that sorted it. I forgot to add the password.

I've prevented SQL injection on my insert statements, e.g.

Code: Select all

VALUES ('" . mysql_real_escape_string($userid) . "', '" . mysql_real_escape_string($subject) . "',...

But how would I apply them to my login script?
Thanks again.
xitura
Forum Newbie
Posts: 20
Joined: Fri Sep 07, 2007 11:25 am

Post by xitura »

Do the same to $_POST['fk_memberid'] and $_POST['password'].
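
One way to cover both points Mordred raised (SQL injection and session fixation) in the login check, as an added example that is not code from any poster in this thread. It goes beyond the escaping discussed above by using a PDO prepared statement (the mysql_* functions were removed in PHP 7) and a stored password hash; the attempt_login() name, the password_hash column and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// original post; the password_hash column and the SQLite demo are assumptions.

function attempt_login(PDO $db, string $memberId, string $password): bool
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare(
        'SELECT U_PK, fk_memberid, password_hash FROM members WHERE fk_memberid = ?'
    );
    $stmt->execute([$memberId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Read columns explicitly instead of extract(), and compare against a
    // stored hash rather than a plaintext password column.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false; // same result for unknown member and wrong password
    }

    // Session fixation: issue a fresh session ID once the user is authenticated.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
        $_SESSION['U_PK'] = $row['U_PK'];
    }
    return true;
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (
    U_PK INTEGER PRIMARY KEY, fk_memberid TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO members (fk_memberid, password_hash) VALUES (?, ?)');
$ins->execute(['m1001', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Correct credentials, wrong password, and an ID containing a stray quote
// (which the placeholder treats as plain data, not as SQL).
var_dump(attempt_login($db, 'm1001', 'correct horse'));
var_dump(attempt_login($db, 'm1001', 'wrong'));
var_dump(attempt_login($db, "m1001'", 'correct horse'));
```

In a web request, call session_start() before attempt_login() so the session ID is regenerated on successful login.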