Help with this login code

Posted: Tue Apr 07, 2009 9:44 am
by HokieTracks
Hi, I am trying to create a members-only portion of my website, but right now I am having trouble with enabling users to log in. Here is my code for users trying to log in:

Code:

<?php
session_start();    
?>                                  
 
<html>
<body>
 
<?php
include "layout.php";
?>
<div id="contnt">
<?php
 include("dogs.inc");                        
 switch (@$_POST['do'])                             
 {
   case "login":                                    
     $cxn = mysqli_connect($host, $user,$passwd,$dbname) 
            or die ("Couldn't connect to server.");   
 
     $sql = "SELECT loginName FROM Member 
             WHERE loginName='$_POST[loginName]'";   
     $result = mysqli_query($cxn,$sql)
               or die("Couldn't execute query.");     
     $num = mysqli_num_rows($result);               
     if ($num > 0)  // login name was found           
     {
        $sql = "SELECT loginName FROM Member 
                WHERE loginName='$_POST[loginName]'
                AND password=md5('$_POST[password]')";
        $result2 = mysqli_query($cxn,$sql)
                   or die("Couldn't execute query 2.");
        $num2 = mysqli_num_rows($result2);
        if ($num2 > 0)  // password is correct       
        {
           $_SESSION['auth']="yes";                 
           $logname=$_POST['loginName']; 
           $_SESSION['logname'] = $logname;          
           $today = date("Y-m-d h:i:s");               
           $sql = "INSERT INTO Login (loginName,loginTime)
                   VALUES ('$logname','$today')";
           $result = mysqli_query($cxn,$sql) 
                     or die("Can't execute insert query.");
           header("Location: Member_page.php");        
        }
        else    // password is not correct           
        {
           $message="The Login Name, '$_POST[loginName]' 
                     exists, but you have not entered the 
                     correct password! Please try again.<br>";
           include("login_form.inc");                
        } 
     }                                               
     elseif ($num == 0)  // login name not found       
     {   
        $message = "The Login Name you entered does not 
                    exist! Please try again.<br>";
        include("login_form.inc");
     }
   break;                                                                               
 
    default:                                          
        include("login_form.inc");
  }
?>
 
</div>
 
</div> 
</body>
</html>
As you can see, the passwords and usernames are kept in the member table of my database. But whenever I try this code out, it finds the username but displays that the password is wrong. Anyone know if I forgot something or if I am doing something wrong?

Re: Help with this login code

Posted: Tue Apr 07, 2009 10:09 am
by naeem1984
Use the following code for authentication:

Code:

 
$username = $_POST['username'];
$password = $_POST['password'];
$db_query = "select * from login where username='".$username."' and password='".$password."'";
$result = mysql_query($db_query);
if (!$result) {
    die('Invalid query: ' . mysql_error());
}
 
while ($row = mysql_fetch_array($result)) {
$username_db=$row['username'];
$password_db=$row['password'];
 
//echo $row;
 }
//session_register($username);
mysql_free_result($result);
if(isset($username_db) && isset($password_db))
{
    if(($username==$username_db) && ($password==$password_db))
    {
            echo "username  and password are correct";  
    }
}           
else
{
        
    echo "username and password are wrong";
}   
 

Re: Help with this login code

Posted: Tue Apr 07, 2009 12:33 pm
by HokieTracks
OK, but I get an error in return now that says access was denied to the user, but it's not using the password specified, so how do I tell it what password to use to access the database?

Re: Help with this login code

Posted: Tue Apr 07, 2009 1:49 pm
by HokieTracks
Any ideas?

Re: Help with this login code

Posted: Tue Apr 07, 2009 7:26 pm
by ghogilee
If your passwords are md5 encrypted in your database (like I see in your code), then in naeem1984's script you must encrypt the user input:

Line 3:

Code:

$password = md5($_POST['password']);
And I see that you don't clean user inputs anywhere. I advise you to sanitize inputs before using them in queries.
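
Following the advice above about cleaning inputs, here is an added example (not code from any poster in this thread) of the same login check with bound parameters, a single generic failure message, and an upgrade of legacy md5 values to password_hash() on a successful login. It assumes PHP 7.1+ with pdo_sqlite; the in-memory SQLite table stands in for the MySQL Member table, and check_login() and the sample rows are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with pdo_sqlite;
// an in-memory SQLite table stands in for the poster's MySQL Member table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Member (loginName TEXT PRIMARY KEY, password TEXT)');

// Constructed sample rows: two legacy md5 values, one password_hash() value.
$seed = $db->prepare('INSERT INTO Member VALUES (?, ?)');
$seed->execute(['alice', md5('correct horse')]);
$seed->execute(["o'neil", md5('shamrock')]);
$seed->execute(['bob', password_hash('battery staple', PASSWORD_DEFAULT)]);

// Hypothetical helper: true only when the name exists and the password matches.
function check_login(PDO $db, string $name, string $pass): bool
{
    // Bound parameter: the login name is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT password FROM Member WHERE loginName = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;   // unknown name: same result as a wrong password
    }
    // Legacy row: 32 lowercase hex characters is an unsalted md5 value.
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        if (!hash_equals($stored, md5($pass))) {
            return false;
        }
        // Correct password: replace the md5 value with a salted hash.
        $up = $db->prepare('UPDATE Member SET password = ? WHERE loginName = ?');
        $up->execute([password_hash($pass, PASSWORD_DEFAULT), $name]);
        return true;
    }
    return password_verify($pass, $stored);
}

// Constructed inputs, including a login name that contains a quote character.
$tries = [
    ['alice', 'correct horse'],   // legacy row, upgraded on this login
    ['alice', 'correct horse'],   // now verified against the new hash
    ['alice', 'wrong'],
    ["o'neil", 'shamrock'],       // the quote is data, not SQL syntax
    ['bob', 'battery staple'],
    ['nobody', 'x'],
];
foreach ($tries as [$name, $pass]) {
    // One generic message, so the reply does not reveal which names exist.
    echo str_pad($name, 10), check_login($db, $name, $pass)
        ? "login ok\n" : "Invalid login name or password.\n";
}
```

With mysqli the same pattern uses mysqli_prepare() and mysqli_stmt_bind_param(), and the password column must be wide enough for password_hash() output (the PHP manual recommends 255 characters).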