Page 1 of 1

login in code problem

Posted: Thu Feb 28, 2008 12:09 am
by kostassketo
Hi there,

I am novice in PHP & MySQL and I'm trying to learn how to do a simple login. I'm trying to do the checking for whenever a password and a username exist or not in the database. However, there is something wrong in my code and I can't find what.
Could you please give me a hand!?
------------------------------------------------------------------------------------------------------------------------
CODE:

**** PLEASE USE THE CODE TAG *****

Code: Select all

<?php session_start() ?>
 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login</title>
</head>
 
<body>
    <h2>Login</h2>
    <?php
        $links = "<a href='main.php'>Click here to proceed to the main page</a> <br><br>";
        $links .= "<a href='logout.php'>Click here to log out.</a>";
        $user = $_POST[user];
        $pass = $_POST[pass];
        
        if($user && $pass)
        {
            if($logged_in_user == $user)
            {
                echo $user . "you are already logged in.<br>";
                echo $links;
                exit;
            }
            $db =mysql_connect("localhost", "root", "1983ab") or die("Connection failed");
            mysql_select_db("userlist", $db);
            $result = mysql_query("select * from users where name = '" . $user . "'
                                    and password = PASSWORD('" . $pass . "')");
            
            if(!$result)
            {
                echo "Sorry, there has been a technical hitch. We cannot enter your details.";
                exit;   
            }
            
            if(mysql_num_rows($result) > 0)
            {
                $logged_in_user = $user;
                $_SESSION['logged_in_user'];
                echo "Welcome, " . $logged_in_user . ". <br><br>";
                echo $links;
                exit;
            }
            else
            {
                echo mysql_num_rows($result);
                echo "Invalid login. Please, try again. <br><br>";
            }
        }
        else if($user || $pass)
        {
            echo "Please fill in both fields. <br><br>";
        }
    ?>
    <form method=post action="login.php">
        Your username:
        <input name="user" type=text maxlength=20 size=20>
        <br>
        Your password:
        <input name="pass" type=pasword maxlength=10 size=10>
        <br>
        <input type=submit value="login">
    </form>
    
</body>
</html>

Re: login in code problem

Posted: Thu Feb 28, 2008 12:22 am
by Peter Anselmo
I spotted a couple errors:

Code: Select all

if($logged_in_user == $user)
You havn't defined $logged_in_user, so this will probably throw an error. Here you would want to check if the user in the _SESSION scope matches the current value. Which brings us to problem 2...

Code: Select all

$logged_in_user = $user;
$_SESSION['logged_in_user'];
echo "Welcome, " . $logged_in_user . ". <br><br>";
You need to assign the _SESSION variable the value. It should probably read:

Code: Select all

 
$_SESSION['logged_in_user'] = $user;
echo "Welcome, " . $user . ". <br><br>";
Now your 'logged_in_user' will persist between page requests, and you can replace the first snippet of code with:

Code: Select all

if($_SESSION['logged_in_user']) == $user)
Try that out, see if it helps.

Re: login in code problem

Posted: Thu Feb 28, 2008 12:42 am
by kostassketo
Actually, the problem that I have is in the following part of the code:

$db =mysql_connect("localhost", "root", "1983ab") or die("Connection failed");
mysql_select_db("userlist", $db);
$result = mysql_query("select * from users where name = '" . $user . "'
and password = PASSWORD('" . $pass . "')");

if(!$result)
{
echo "Sorry, there has been a technical hitch. We cannot enter your details.";
exit;
}

if(mysql_num_rows($result) > 0)
{
//$logged_in_user = $user;
$_SESSION['logged_in_user'] = $user;
echo "Welcome, " . $user . ". <br><br>";
echo $links;
exit;
}
else
{
echo mysql_num_rows($result);
echo "Invalid login. Please, try again. <br><br>";
}

When the code is executed it always gets into the 'else' part -

"select * from users where name = '" . $user . "'
and password = PASSWORD('" . $pass . "')");

which means the query does not return any results (of course I have inserted couple of users in the database).
So, there must be something wrong with my query or with the variables within the query or something like that,
I don't know what! Any suggestions!?

Re: login in code problem

Posted: Thu Feb 28, 2008 1:23 am
by kostassketo
SOME HELP, PLEAZZZZZzzzzzzzzzz!

Re: login in code problem

Posted: Thu Feb 28, 2008 7:56 am
by Zoxive
Echo the query, make sure it built the way it needs to be.


Also..

Code: Select all

$user = $_POST[user];
$pass = $_POST[pass];
->

Code: Select all

$user = !empty($_POST['user'])? $_POST['user'] : NULL;
$pass = !empty($_POST['pass'])? $_POST['pass'] : NULL;

Re: login in code problem

Posted: Thu Feb 28, 2008 8:52 am
by Mordred
1. Use mysql_real_escape_string on $user and $pass (and read up "SQL injection")
2. Don't use MySQL's PASSWORD() function, use MD5 or SHA(or was it SHA1)

Re: login in code problem

Posted: Thu Feb 28, 2008 1:40 pm
by Jonah Bron
Also, there is no semicolon after session_start()
Should be

Code: Select all

<?php session_start(); ?>