Page 1 of 1

Login Form

Posted: Mon Oct 29, 2007 2:33 am
by johnnymac131
feyd | Please use

Code: Select all

,

Code: Select all

and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read:  [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]


This is my login script i thought i cant get it to work. 
if the userStatus from the user table = accountJ then i need it to go to the accountJ.php 
if the userStatus from the user table = accountM then i need it to go to the accountM.php 
if the userStatus from the user table = accountE then i need it to go to the accountE.php 

i am recieveing this error, 
Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Resource id #4' at line 1 Whole query:



this is my login form: loginForm.php
[syntax="html"]
<form action="login.php" method="post"> 
<table border="0"> 
<tr><td colspan=2><h1>Login</h1></td></tr> 
<tr><td>Username:</td><td> 
<input type="text" name="username" maxlength="40"> 
</td></tr> 
<tr><td>Password:</td><td> 
<input type="password" name="pass" maxlength="50"> 
</td></tr> 
<tr><td colspan="2" align="right"> 
<input type="submit" name="submit" value="Login"> 
</td></tr> 
</table> 
</form> 


This is my login Script: login.php[/syntax]

Code: Select all

<?php 
// Connects to your Database 
include('dbConnect.php');



//if the login form is submitted
if (isset($_POST['submit'])) 
{ // if form has been submitted

  // makes sure they filled it in
  if(!$_POST['username'] | !$_POST['pass']) 
  {
     die('You did not fill in a required field.');
  }
  // checks it against the database

   if (!get_magic_quotes_gpc()) {
   $_POST['email'] = addslashes($_POST['email']);
   }
   $check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());


   //Gives error if user dosen't exist
   $check2 = mysql_num_rows($check);
   if ($check2 == 0) {
   die('That user does not exist in our database.
   <a href=index.php>Click Here to retry</a>');
   }
   while($info = mysql_fetch_array( $check )) 
   {
      $_POST['pass'] = stripslashes($_POST['pass']);
      $info['password'] = stripslashes($info['password']);
      $_POST['pass'] = md5($_POST['pass']);

      //gives error if the password is wrong
         if ($_POST['pass'] != $info['password']) {
            die('Incorrect password, please try again.');
         }
    
         else 
            { 


             $result = mysql_query($check);

             // Check result
             // This shows the actual query sent to MySQL, and the error. Useful for debugging.
                if (!$result) {
                  $message  = 'Invalid query: ' . mysql_error() . "\n";
                  $message .= 'Whole query: ' . $query;
                  die($message);
                }

             // Use result
             // Attempting to print $result won't allow access to information in the resource
             // One of the mysql result functions must be used
             // See also mysql_result(), mysql_fetch_array(), mysql_fetch_row(), etc.
             while ($row = mysql_fetch_assoc($result)) 
             {
                $userStatus=$row['userStatus'];
                echo $userStatus;
                //echo("<p><h4>" . $row['journ_fname'] . $row['journ_lname'] . "</h4></p>");
                //echo "<a href=article.php?art=" . $row['art_id'] . ">" . $row['journ_fname'] . $row['journ_lname'] . "</a>";

              }


              // if login is ok then we add a cookie 
              //$_POST['username'] = stripslashes($_POST['username']); 
              //$hour = time() + 3600; 
              //setcookie(ID_my_site, $_POST['username'], $hour); 
              //setcookie(Key_my_site, $_POST['pass'], $hour); 

              // If userStatus = acountJ then user is a journalist. add user to the journalist table and user table
               if ($userStatus == "accountJ")
               {
                   $location= "accountJ.php";
                   header("Location: $location"); 

    
               } 
                 else {
                     // If userStatus = acountE then user is a Editor. add user to the editor table and user table
                        if ($userStatus == "accountE")
                        {
                            $location= "accountE.php";
                            header("Location: $location"); 
            
                        }//2nd if statement 
                        else {
                             // If userStatus = acountJ then user is a manager. add user to the Manager table and user table
                             if ($userStatus == "accountM")
                             {
                                 $location= "accountM.php";
                                 header("Location: $location"); 
                              } // !mysql_query($query)
                        }
                 }
           }

   } 
} 

?>

feyd | Please use

Code: Select all

,

Code: Select all

and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read:  [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]

Posted: Mon Oct 29, 2007 3:18 am
by andym01480

Code: Select all

$check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());
Separate out the query into a variable and check it...

Code: Select all

$sql = "SELECT * FROM users WHERE username = ".$_POST['username'];
echo $sql;
$check=mysql_query($sql) or die(mysql_error());
Also you are vulnerable to attack when it is working by not validating username to make sure it contains what you are expecting.

Posted: Mon Oct 29, 2007 4:19 am
by johnnymac131
Dont need it to be secure, its for an assignment it just has to work.

it is saying that the user is not in the database but it is, so im not sure what i should do next, as the query is right and the username and password are correct.

Posted: Mon Oct 29, 2007 11:58 am
by Christopher
Which specific check fails that you think should succeed?




PS - if I was you instructor and say all those if() { die() } blocks in there I would tell you to reprogram it properly structured.