
Login system not working...?

Posted: Fri Jul 03, 2009 7:25 am
by Ibanez
pickle | Please use [ code=php ], [ code=text ], etc tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums to learn how to do it too.


Hey everybody!

I'm having a little problem with my login system, that is, it's just not working....

It's probably just something small that I missed, but could somebody please point me in the right direction?

Thank you in advance!

Here is my code:

index.php:

Code:

<h1>Multiflora Admin</h1>
        <h2>Please enter your login details below:</h2>
        <h2 class="error"><?php if ($_GET["error"]!=""); echo ("$_GET[error]")?></h2>
        <form action="login.php" name="adminloginform" id="adminloginform" method="post">
            <table width="195" cellpadding="2" cellspacing="0" border="0">
                <tr><td><label for="username">Username</label></td><td align="right"><input name="adminuser" type="text" id="adminuser" size="15" /></td></tr>
                <tr><td><label for="password">Password</label></td><td align="right"><input name="adminpass" type="password" id="adminpass" size="15" /></td></tr>
                <tr><td colspan="2" id="buttons"><input type="submit" value="Login" name="login" id="login" /><input type="reset" value="Reset" name="reset" id="reset" /></td></tr>
            </table>
        </form>

login.php:

Code:

<?
$host="localhost";
$username="root";
$password="";
$db_name="multiflora";
$tbl_name="admin";
 
$con=mysql_connect("$host","$username","$password")
or die("Cannot connect"); 
mysql_select_db("$db_name")
or die("Cannot Select Database");
 
$adminuser=$_POST['adminuser']; 
$adminpass=$_POST['adminpass'];
 
$adminuser = stripslashes($adminuser);
$adminpass = stripslashes($adminpass);
$adminuser = mysql_real_escape_string($username);
$adminpass = mysql_real_escape_string($adminpass);
 
$sql="SELECT * FROM $tbl_name WHERE username='$adminuser' and password='$adminpass'";
$result=mysql_query($sql);
 
$count=mysql_num_rows($result);
 
if($count==1){
session_register("adminuser");
session_register("adminpass");
header("location:success.php");
}
else {
header("location:index.php?error=Incorrect Username Or Password, Please Try Again");
}
 
mysql_close($con);
?>

success.php:

Code:

<? 
session_start();
if(!session_is_registered(adminuser)){
header("location:adminlogin.php");
}
 


Re: Login system not working...?

Posted: Fri Jul 03, 2009 9:47 am
by pickle
We're going to need more than "it's just not working".

What exactly isn't working? How have you narrowed down the problem?

Re: Login system not working...?

Posted: Fri Jul 03, 2009 1:55 pm
by kaisellgren
Did you know that your index.php file is vulnerable to XSS attacks?

Your code doesn't work because of lines 18-19, where you set the login credentials to the database account credentials.

Re: Login system not working...?

Posted: Mon Jul 06, 2009 3:05 am
by Ibanez
Pickle: Sorry for not using the correct tags... :oops:
What I meant by not working is that every time I try to log in, I receive my error message "Incorrect Username Or Password, Please Try Again" - even if I use the correct credentials...
I hate calling myself a "Newbie", but, this is my first PHP project... :banghead:

Kaisellgren: No, I didn't know that... Security is very important - obviously - could you please explain how I can make my systems more secure in the future?

Thank you in advance!

Re: Login system not working...?

Posted: Mon Jul 06, 2009 3:13 am
by Ibanez
Thank you Kai!

I changed the login credentials and now it's working!

I really want to learn how to do this properly, and I thought it would work, but could you please tell me what I did wrong, and why?

Thank you!

Re: Login system not working...?

Posted: Mon Jul 06, 2009 5:25 am
by kaisellgren
Your database credentials

Code:

$username="root";
$password="";

Code:

$adminuser = mysql_real_escape_string($username);
$adminpass = mysql_real_escape_string($adminpass);

were used for the user account credentials and that's why the following query failed:
 

Code:

$sql="SELECT * FROM $tbl_name WHERE username='$adminuser' and password='$adminpass'";
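
A hardened version of the two spots discussed in this thread (the echoed `error` parameter in index.php and the credential check in login.php), as an added example that is not any poster's code. It assumes PHP 7+ with PDO, an in-memory SQLite table standing in for the MySQL `admin` table, a hypothetical `password_hash` column, and the hypothetical helpers `render_error` and `check_login`; the account row and inputs are constructed.

```php
<?php
// Added example, not code from the thread. All data below is constructed.
declare(strict_types=1);

// index.php side: the URL carries only a short code; the text shown comes
// from this fixed map, so nothing from the request is echoed into the page.
const LOGIN_ERRORS = ['bad_login' => 'Incorrect Username Or Password, Please Try Again'];

function render_error(array $get): string
{
    $code = is_string($get['error'] ?? null) ? $get['error'] : '';
    $msg  = LOGIN_ERRORS[$code] ?? '';
    // Escape on output as well, in case a message ever contains markup.
    return '<h2 class="error">' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</h2>';
}

// login.php side: the submitted name is bound as a parameter, so there is no
// escaping step in which the wrong variable ($username) can be passed.
function check_login(PDO $db, string $adminuser, string $adminpass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM admin WHERE username = ?');
    $stmt->execute([$adminuser]);
    $hash = $stmt->fetchColumn();          // false when no such user
    // Compare against a stored hash instead of matching plaintext in SQL.
    return is_string($hash) && password_verify($adminpass, $hash);
}

// --- constructed demo: SQLite in memory stands in for the MySQL table ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO admin (username, password_hash) VALUES (?, ?)');
$ins->execute(['ibanez', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(check_login($db, 'ibanez', 'correct horse'));  // right credentials
var_dump(check_login($db, 'ibanez', 'wrong'));          // wrong password
var_dump(check_login($db, 'root', ''));                 // the DB account is not an admin row

echo render_error(['error' => 'bad_login']), "\n";      // known code: fixed message
echo render_error(['error' => '<b>hi</b>']), "\n";      // unknown input: empty heading
```

On current PHP, `session_register()` and the `mysql_*` functions no longer exist; after a successful check, call `session_regenerate_id(true)` and store the user in `$_SESSION['adminuser']`.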