
login script

Posted: Wed Oct 24, 2007 10:51 am
by monkeymafia
Hi

I'm trying to get this login script working:


<?php

session_start();
$fk_memberid=$_POST['fk_memberid'];
$pwd=$_POST['password'];
// now you can check the POST variables for possible code injection...
mysql_connect("localhost", "username", "mypass") or die(mysql_error());
mysql_select_db("mydb") or die(mysql_error());

if (isset($_POST['submit'])) {
   $sql="SELECT U_PK, fk_memberid FROM members WHERE fk_memberid='$fk_memberid' AND password='$pwd' ";
   if ($row=mysql_fetch_assoc($result)) {
      extract($row);
      if ($password == $pwd) {
         echo "Welcome back, $fk_memberid<br />";
        
      } else {
         echo "Incorrect Password. Try again<br />";
      }
   } else {
      echo "Incorrect Login. Try again<br />";
   }
}
?>
However, when I try logging in it gives me the following error:

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/public_html/myaccount.php on line 12
Incorrect Login. Try again

Does anyone know why this is happening? 8O
Thanks for any guidance.

Posted: Wed Oct 24, 2007 10:59 am
by xitura
It looks like you forgot:


$result = mysql_query($sql);

Posted: Wed Oct 24, 2007 11:08 am
by monkeymafia
Thanks

That got rid of the error message, but now it displays the incorrect password message :?
There's a problem matching the password field, but I don't know why.

Posted: Wed Oct 24, 2007 11:12 am
by xitura
Did you add


or die(mysql_error());
after the row of code I wrote?

Posted: Wed Oct 24, 2007 11:14 am
by monkeymafia
Yes, same response.

Posted: Wed Oct 24, 2007 11:57 am
by Mordred
Don't use extract(), use $row['password'].
var_dump($row) to see what's there.
Then you'll see that you don't select password in your SQL statement.

You still haven't taken measures against SQL injection and session fixation.

Posted: Wed Oct 24, 2007 12:28 pm
by monkeymafia
Thanks, that sorted it. I forgot to add the password.

I've prevented SQL injection on my insert statements, e.g.


VALUES ('" . mysql_real_escape_string($userid) . "', '" . mysql_real_escape_string($subject) . "',...
but how would I apply them to my login script?
Thanks again

Posted: Wed Oct 24, 2007 12:32 pm
by xitura
Do the same to $_POST['fk_memberid'] and $_POST['password'].
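The script below is an added example, not code posted in this thread. It takes the login from the first post (with xitura's `$result = mysql_query($sql)` and Mordred's missing `password` column applied) and closes the two gaps Mordred named: SQL injection and session fixation. xitura's answer, escaping both POST values with mysql_real_escape_string before they go into the string, stops quote-based injection on the legacy mysql extension; this version swaps in a mysqli prepared statement instead, so user input never becomes part of the SQL text at all. Everything not in the thread is an assumption: the mysqli extension, PHP 7.1 or later, and that the `password` column holds a password_hash() digest rather than the plaintext the original compared with `==`. The attacker input at the top is constructed to show what the original concatenation produces.

```php
<?php
// Added example (not from the thread): the poster's login with the SQL
// injection and session fixation issues Mordred raised fixed.
// Assumptions not in the thread: mysqli, PHP >= 7.1, and a `members` table
// whose `password` column stores a password_hash() digest.

// 1. Why the original concatenation is injectable: the query the posted
//    script builds (with the `password` column Mordred said was missing),
//    with the submitted value dropped into it unchanged.
function naive_query(string $member, string $pwd): string
{
    return "SELECT U_PK, fk_memberid, password FROM members "
         . "WHERE fk_memberid='$member' AND password='$pwd'";
}

// Constructed attacker input (not from the thread). Sent as fk_memberid with
// any password it yields
//   ... WHERE fk_memberid='' OR '1'='1' -- ' AND password='x'
// "OR '1'='1'" makes the WHERE clause always true and "-- " comments out the
// password check, so the first member row is returned without a password.
$injected = naive_query("' OR '1'='1' -- ", 'x');

// 2. Hardened lookup: a ? placeholder plus bind_param sends the member id
//    separately from the query text, so the string above is just data.
//    Returns the member row on success, null on any failure.
function login(mysqli $db, string $member, string $pwd): ?array
{
    $stmt = $db->prepare(
        'SELECT U_PK, fk_memberid, password FROM members WHERE fk_memberid = ?'
    );
    if ($stmt === false) {
        die('Prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $member);
    $stmt->execute();
    $stmt->bind_result($pk, $memberId, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        return null;
    }
    // Check the submitted password against the stored hash, not with ==.
    if (!password_verify($pwd, $hash)) {
        return null;
    }
    return ['U_PK' => $pk, 'fk_memberid' => $memberId];
}

session_start();

if (isset($_POST['submit'], $_POST['fk_memberid'], $_POST['password'])) {
    $db = new mysqli('localhost', 'username', 'mypass', 'mydb');
    if ($db->connect_error) {
        die('Could not connect: ' . $db->connect_error);
    }

    $user = login($db, $_POST['fk_memberid'], $_POST['password']);

    if ($user === null) {
        // One message for unknown member and wrong password alike, so the
        // response does not reveal which member ids exist.
        echo "Incorrect Login. Try again<br />";
    } else {
        // Session fixation: throw away the pre-login session ID so an ID an
        // attacker planted before login never becomes the authenticated one.
        session_regenerate_id(true);
        $_SESSION['U_PK'] = $user['U_PK'];
        echo 'Welcome back, '
           . htmlspecialchars($user['fk_memberid'], ENT_QUOTES, 'UTF-8')
           . "<br />";
    }
}
```

To see the injected query for yourself, `echo htmlspecialchars($injected);` after the `naive_query()` call; the same string passed to `login()` simply fails to match any member, because it is compared as a literal member id rather than parsed as SQL.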