
Andrew12313413


  1. Thanks for not being helpful. Don't tell me what to fucking do.
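  2. members.php
     <?php
     /**
      * Members page: greets the logged-in user by name.
      *
      * Reads the user id stored in the session by login_submit.php, looks up the
      * matching username and places the text to display in $message.
      */

     /*** begin the session ***/
     session_start();

     if (!isset($_SESSION['user_id'])) {
         $message = 'You must be logged in to access this page';
     } else {
         try {
             /*** connect to database ***/
             /*** NOTE(review): the root account and its password are hard-coded in a
                  web-served script. Use a dedicated database account that can only read
                  phpro_users, and keep its password in configuration stored outside the
                  document root. ***/

             /*** mysql hostname ***/
             $mysql_hostname = 'localhost';

             /*** mysql username ***/
             $mysql_username = 'root';

             /*** mysql password ***/
             $mysql_password = 'root';

             /*** database name ***/
             $mysql_dbname = 'login';

             $dbh = new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);

             /*** set the error mode to exceptions ***/
             $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

             /*** prepare the select: the user id is bound as a parameter, never interpolated ***/
             $stmt = $dbh->prepare("SELECT phpro_username FROM phpro_users WHERE phpro_user_id = :phpro_user_id");

             /*** bind the parameters ***/
             $stmt->bindParam(':phpro_user_id', $_SESSION['user_id'], PDO::PARAM_INT);

             /*** execute the prepared statement ***/
             $stmt->execute();

             /*** check for a result ***/
             $phpro_username = $stmt->fetchColumn();

             /*** fetchColumn() returns false when no row matched; compare strictly so a
                  falsy but valid value is not mistaken for "no row" ***/
             if ($phpro_username === false) {
                 $message = 'Access Error';
             } else {
                 $message = 'Welcome '.$phpro_username;
             }
         } catch (Exception $e) {
             /*** database failure: show a generic message, keep the details out of the page ***/
             $message = 'We are unable to process your request. Please try again later';
         }
     }
     ?>
     <html>
     <head>
     <title>My Feed</title>
     <link rel="stylesheet" type="text/css" href="css/main.css" />
     </head>
     <body>
     <!-- $message can contain a value read from the database, so it is HTML-escaped on output -->
     <h3><?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?></h3>
     </body>
     </html>

     login.php
     <html>
     <head>
     <title>Log into Friend Konnect</title>
     </head>
     <body>
     <h2>Login Here</h2>
     <form action="login_submit.php" method="post">
     <fieldset>
     <p>
     <label for="phpro_username">Username</label>
     <input type="text" id="phpro_username" name="phpro_username" value="" maxlength="20" />
     </p>
     <p>
     <label for="phpro_password">Password</label>
     <!-- type="password" keeps the typed password from being displayed on screen -->
     <input type="password" id="phpro_password" name="phpro_password" value="" maxlength="20" />
     </p>
     <p>
     <input type="submit" value="Login" />
     </p>
     </fieldset>
     </form>
     </body>
     </html>

     login_submit.php
     <?php
     /**
      * Login handler: validates the posted username and password, checks them
      * against phpro_users and, on a match, stores the user id in the session.
      * The text to display ends up in $message.
      */

     /*** begin our session ***/
     session_start();

     /*** both fields must be present and must be plain strings; a request can send
          them as arrays, which strlen() and ctype_alnum() are not meant to receive ***/
     $fields_submitted = isset($_POST['phpro_username'], $_POST['phpro_password'])
         && is_string($_POST['phpro_username'])
         && is_string($_POST['phpro_password']);

     /*** check if the users is already logged in ***/
     if (isset($_SESSION['user_id'])) {
         $message = 'Users is already logged in';
     }
     /*** check that both the username, password have been submitted
          (elseif: as a separate if, this chain overwrote the message above and ran
          the login again for an already logged-in user) ***/
     elseif (!$fields_submitted) {
         $message = 'Please enter a valid username and password';
     }
     /*** check the username is the correct length ***/
     elseif (strlen($_POST['phpro_username']) > 20 || strlen($_POST['phpro_username']) < 4) {
         $message = 'Incorrect Length for Username';
     }
     /*** check the password is the correct length ***/
     elseif (strlen($_POST['phpro_password']) > 20 || strlen($_POST['phpro_password']) < 4) {
         $message = 'Incorrect Length for Password';
     }
     /*** check the username has only alpha numeric characters ***/
     elseif (!ctype_alnum($_POST['phpro_username'])) {
         $message = "Username must be alpha numeric";
     }
     /*** check the password has only alpha numeric characters ***/
     elseif (!ctype_alnum($_POST['phpro_password'])) {
         $message = "Password must be alpha numeric";
     }
     else {
         /*** the checks above already restrict both values to letters and digits, so
              they are used as they are; FILTER_SANITIZE_STRING changed nothing for
              such input and is deprecated as of PHP 8.1 ***/
         $phpro_username = $_POST['phpro_username'];

         /*** NOTE(review): sha1() is a fast, unsalted digest, not a password hash.
              It is kept because the query below compares against the value stored in
              phpro_users. Migrate by storing password_hash() output, selecting the row
              by username only and checking it with password_verify(). ***/
         $phpro_password = sha1($_POST['phpro_password']);

         /*** connect to database ***/
         /*** NOTE(review): hard-coded root credentials; use a least-privilege account
              and keep the password outside the document root. ***/

         /*** mysql hostname ***/
         $mysql_hostname = 'localhost';

         /*** mysql username ***/
         $mysql_username = 'root';

         /*** mysql password ***/
         $mysql_password = 'root';

         /*** database name ***/
         $mysql_dbname = 'login';

         try {
             $dbh = new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);

             /*** set the error mode to exceptions ***/
             $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

             /*** prepare the select statement ***/
             $stmt = $dbh->prepare("SELECT phpro_user_id, phpro_username, phpro_password FROM phpro_users WHERE phpro_username = :phpro_username AND phpro_password = :phpro_password");

             /*** bind the parameters ***/
             $stmt->bindParam(':phpro_username', $phpro_username, PDO::PARAM_STR);
             $stmt->bindParam(':phpro_password', $phpro_password, PDO::PARAM_STR, 40);

             /*** execute the prepared statement ***/
             $stmt->execute();

             /*** check for a result: the first selected column is phpro_user_id ***/
             $user_id = $stmt->fetchColumn();

             /*** false means no row matched the username/password pair ***/
             if ($user_id === false) {
                 $message = 'Login Failed';
             }
             /*** if we do have a result, all is well ***/
             else {
                 /*** issue a fresh session id at login so an id known before
                      authentication cannot be reused afterwards ***/
                 session_regenerate_id(true);

                 /*** set the session user_id variable ***/
                 $_SESSION['user_id'] = $user_id;

                 /*** tell the user we are logged in ***/
                 $message = 'You are now logged in';
             }
         } catch (Exception $e) {
             /*** if we are here, something has gone wrong with the database ***/
             $message = 'We are unable to process your request. Please try again later';
         }
     }
     ?>
     <html>
     <head>
     <title>Friend Konnect</title>
     </head>
     <body>
     <p><?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?></p>
     </body>
     </html>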
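  3. <?php
     /**
      * Members page: greets the logged-in user by name.
      *
      * Reads the user id stored in the session by the login handler, looks up the
      * matching username and places the text to display in $message. This is the
      * only script on the page that builds the 'Welcome ...' text.
      */

     /*** begin the session ***/
     session_start();

     if (!isset($_SESSION['user_id'])) {
         $message = 'You must be logged in to access this page';
     } else {
         try {
             /*** connect to database ***/
             /*** NOTE(review): the root account and its password are hard-coded in a
                  web-served script. Use a dedicated database account that can only read
                  phpro_users, and keep its password in configuration stored outside the
                  document root. ***/

             /*** mysql hostname ***/
             $mysql_hostname = 'localhost';

             /*** mysql username ***/
             $mysql_username = 'root';

             /*** mysql password ***/
             $mysql_password = 'root';

             /*** database name ***/
             $mysql_dbname = 'login';

             $dbh = new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);

             /*** set the error mode to exceptions ***/
             $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

             /*** prepare the select: the user id is bound as a parameter, never interpolated ***/
             $stmt = $dbh->prepare("SELECT phpro_username FROM phpro_users WHERE phpro_user_id = :phpro_user_id");

             /*** bind the parameters ***/
             $stmt->bindParam(':phpro_user_id', $_SESSION['user_id'], PDO::PARAM_INT);

             /*** execute the prepared statement ***/
             $stmt->execute();

             /*** check for a result ***/
             $phpro_username = $stmt->fetchColumn();

             /*** fetchColumn() returns false when no row matched; compare strictly so a
                  falsy but valid value is not mistaken for "no row" ***/
             if ($phpro_username === false) {
                 $message = 'Access Error';
             } else {
                 $message = 'Welcome '.$phpro_username;
             }
         } catch (Exception $e) {
             /*** database failure: show a generic message, keep the details out of the page ***/
             $message = 'We are unable to process your request. Please try again later';
         }
     }
     ?>
     <html>
     <head>
     <title>My Account</title>
     <link rel="stylesheet" type="text/css" href="css/main.css" />
     </head>
     <body>
     <!-- $message can contain a value read from the database, so it is HTML-escaped on output -->
     <h3><?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?></h3>
     </body>
     </html>
     members.php

     <html>
     <head>
     <title>Log in</title>
     </head>
     <body>
     <h2>Login Here</h2>
     <form action="login_submit.php" method="post">
     <fieldset>
     <p>
     <label for="phpro_username">Username</label>
     <input type="text" id="phpro_username" name="phpro_username" value="" maxlength="20" />
     </p>
     <p>
     <label for="phpro_password">Password</label>
     <!-- type="password" keeps the typed password from being displayed on screen -->
     <input type="password" id="phpro_password" name="phpro_password" value="" maxlength="20" />
     </p>
     <p>
     <input type="submit" value="Login" />
     </p>
     </fieldset>
     </form>
     </body>
     </html>
     login.php

     <?php
     /**
      * Login handler: validates the posted username and password, checks them
      * against phpro_users and, on a match, stores the user id in the session.
      * The text to display ends up in $message. On success this script prints
      * 'You are now logged in'; it does not send the browser to the members page,
      * which is where the 'Welcome ...' text is built.
      */

     /*** begin our session ***/
     session_start();

     /*** both fields must be present and must be plain strings; a request can send
          them as arrays, which strlen() and ctype_alnum() are not meant to receive ***/
     $fields_submitted = isset($_POST['phpro_username'], $_POST['phpro_password'])
         && is_string($_POST['phpro_username'])
         && is_string($_POST['phpro_password']);

     /*** check if the users is already logged in ***/
     if (isset($_SESSION['user_id'])) {
         $message = 'Users is already logged in';
     }
     /*** check that both the username, password have been submitted
          (elseif: as a separate if, this chain overwrote the message above and ran
          the login again for an already logged-in user) ***/
     elseif (!$fields_submitted) {
         $message = 'Please enter a valid username and password';
     }
     /*** check the username is the correct length ***/
     elseif (strlen($_POST['phpro_username']) > 20 || strlen($_POST['phpro_username']) < 4) {
         $message = 'Incorrect Length for Username';
     }
     /*** check the password is the correct length ***/
     elseif (strlen($_POST['phpro_password']) > 20 || strlen($_POST['phpro_password']) < 4) {
         $message = 'Incorrect Length for Password';
     }
     /*** check the username has only alpha numeric characters ***/
     elseif (!ctype_alnum($_POST['phpro_username'])) {
         $message = "Username must be alpha numeric";
     }
     /*** check the password has only alpha numeric characters ***/
     elseif (!ctype_alnum($_POST['phpro_password'])) {
         $message = "Password must be alpha numeric";
     }
     else {
         /*** the checks above already restrict both values to letters and digits, so
              they are used as they are; FILTER_SANITIZE_STRING changed nothing for
              such input and is deprecated as of PHP 8.1 ***/
         $phpro_username = $_POST['phpro_username'];

         /*** NOTE(review): sha1() is a fast, unsalted digest, not a password hash.
              It is kept because the query below compares against the value stored in
              phpro_users. Migrate by storing password_hash() output, selecting the row
              by username only and checking it with password_verify(). ***/
         $phpro_password = sha1($_POST['phpro_password']);

         /*** connect to database ***/
         /*** NOTE(review): hard-coded root credentials; use a least-privilege account
              and keep the password outside the document root. ***/

         /*** mysql hostname ***/
         $mysql_hostname = 'localhost';

         /*** mysql username ***/
         $mysql_username = 'root';

         /*** mysql password ***/
         $mysql_password = 'root';

         /*** database name ***/
         $mysql_dbname = 'login';

         try {
             $dbh = new PDO("mysql:host=$mysql_hostname;dbname=$mysql_dbname", $mysql_username, $mysql_password);

             /*** set the error mode to exceptions ***/
             $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

             /*** prepare the select statement ***/
             $stmt = $dbh->prepare("SELECT phpro_user_id, phpro_username, phpro_password FROM phpro_users WHERE phpro_username = :phpro_username AND phpro_password = :phpro_password");

             /*** bind the parameters ***/
             $stmt->bindParam(':phpro_username', $phpro_username, PDO::PARAM_STR);
             $stmt->bindParam(':phpro_password', $phpro_password, PDO::PARAM_STR, 40);

             /*** execute the prepared statement ***/
             $stmt->execute();

             /*** check for a result: the first selected column is phpro_user_id ***/
             $user_id = $stmt->fetchColumn();

             /*** false means no row matched the username/password pair ***/
             if ($user_id === false) {
                 $message = 'Login Failed';
             }
             /*** if we do have a result, all is well ***/
             else {
                 /*** issue a fresh session id at login so an id known before
                      authentication cannot be reused afterwards ***/
                 session_regenerate_id(true);

                 /*** set the session user_id variable ***/
                 $_SESSION['user_id'] = $user_id;

                 /*** tell the user we are logged in ***/
                 $message = 'You are now logged in';
             }
         } catch (Exception $e) {
             /*** if we are here, something has gone wrong with the database ***/
             $message = 'We are unable to process your request. Please try again later';
         }
     }
     ?>
     <html>
     <head>
     </head>
     <body>
     <p><?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?></p>
     </body>
     </html>
     login_submit.php

     I am unable to see the $message = 'Welcome '.$phpro_username; that the successful login should be generating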
  4. Error_reporting is set to E_ALL; phpinfo() shows it as 32767, however. And yeah, it is just my db settings, which are working.
  5. If the query matches a row, it returns the values like you had said. My question is why does my script not redirect when the condition returns true? I have no conflicting redirect in welcome.php
     // Fragment of the login check; $result is the query result produced earlier in
     // the script (not shown in this post).
     // NOTE(review): no header("Location: ...") call appears in this fragment, and
     // once the echo statements below have produced output a later header() can no
     // longer be sent unless output buffering is active.
     if($row = mysql_fetch_array($result)) {
         // Copy the matched row's id and username into the session and into locals.
         $userid = $_SESSION['id'] = $row['id'];
         $username = $_SESSION['username'] = $row['username'];
         // Debug output of values read from the database; pass them through
         // htmlspecialchars() if they are ever shown outside of debugging.
         echo $userid;
         echo $username;
     } else{
         // mysql_fetch_array() returned no row for this result.
         echo "Wrong username or password.";
     }
  6. Thanks for your reply. All the settings in my php.ini file match those you mentioned. For simplicity purposes, I will add a salt function later to my script. Note: I added the session vars, as well as an else statement, I did do what you suggested which was to echo a success/fail in the if statement. However when I comment out the header("Location: welcome.php"); my code works, does not when I de-comment it. Here's my code
     <?php
     // Login handler: looks the posted username/password up in the users table and,
     // on a match, stores the row's id and username in the session.
     //
     // NOTE(review): config.php is not shown. It presumably opens the MySQL
     // connection used by the mysql_* calls and would also have to call
     // session_start() for the $_SESSION writes below to persist; confirm. Any
     // output it produces (even whitespace after a closing PHP tag) prevents a
     // later header() redirect from being sent.
     //
     // NOTE(review): the mysql_* extension was removed in PHP 7.0; PDO or mysqli
     // prepared statements replace the escape-and-interpolate pattern used here.
     include('config.php');

     if (isset($_POST['submit'])) {
         // Raw request values; only 'submit' is checked with isset(), the other two
         // keys are read without a presence check.
         $username= $_POST['username'];
         $password= $_POST['password'];

         // Escape both values for use inside the quoted SQL string literals below.
         $myusername = mysql_real_escape_string($username);
         $mypassword = mysql_real_escape_string($password);

         // NOTE(review): the password column is compared with the submitted value
         // as-is, which only matches if passwords are stored unhashed. Store
         // password_hash() output and check it with password_verify().
         $sql="SELECT * FROM users WHERE username='$myusername' and password='$mypassword'";
         // On a query failure the database error text is printed to the visitor.
         $result= mysql_query($sql) or die(mysql_error());

         // If result matched $myusername and $mypassword, table row must be 1 row
         if($row = mysql_fetch_array($result)) {
             // NOTE(review): regenerate the session id (session_regenerate_id(true))
             // before storing the identity, so a pre-login session id is not reused.
             $_SESSION['id'] = $row['id'];
             $_SESSION['username'] = $row['username'];
             // Redirect disabled by the author while debugging; when enabled it needs
             // an exit right after it so the script stops.
             //header("Location:welcome.php");
         } else{
             echo "Wrong username or password.";
             exit;
         }
     }
     ?>
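  7. processlogin.php
     <?php
     /**
      * Login handler: checks the posted username/password against the users table
      * and redirects to welcome.php on a match.
      *
      * NOTE(review): config.php is not shown; it presumably opens the MySQL
      * connection that the mysql_* calls rely on (confirm). It must not emit any
      * output, not even whitespace after a closing PHP tag, or the header()
      * redirect below cannot be sent.
      *
      * NOTE(review): the mysql_* extension was removed in PHP 7.0. The calls are
      * kept because the connection is created in config.php; when that file is
      * migrated, use PDO or mysqli prepared statements instead of escaping and
      * interpolating values into the SQL string.
      */
     include('config.php');

     if (isset($_POST['submit'])) {
         // Both fields must be present and be plain strings before they reach the
         // escaping function; anything else is treated as an empty value.
         $username = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : '';
         $password = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : '';

         $myusername = mysql_real_escape_string($username);
         $mypassword = mysql_real_escape_string($password);

         // NOTE(review): the password column is compared with the submitted value
         // as-is, which only matches if passwords are stored unhashed. Store
         // password_hash() output, select the row by username alone and check the
         // password with password_verify().
         $sql = "SELECT * FROM users WHERE username='$myusername' and password='$mypassword'";

         $result = mysql_query($sql);
         if ($result === false) {
             // Log the database error on the server instead of printing it to the visitor.
             error_log(mysql_error());
             echo "We are unable to process your request. Please try again later.";
             exit;
         }

         // If result matched $myusername and $mypassword, table row must be 1 row
         if ($row = mysql_fetch_array($result)) {
             header("Location: welcome.php");
             exit;
         }

         // Without this message a failed login produced an empty page.
         echo "Wrong username or password.";
     }
     ?>

     login.php
     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
     <html xmlns="http://www.w3.org/1999/xhtml">
     <head>
     <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
     <title>Login Page</title>
     <style type="text/css">
     body { font-family:Arial, Helvetica, sans-serif; font-size:14px; }
     label { font-weight:bold; width:100px; font-size:14px; }
     .box { border:#666666 solid 1px; }
     </style>
     </head>
     <body bgcolor="#FFFFFF">
     <div align="center">
     <div style="width:300px; border: solid 1px #333333; " align="left">
     <div style="background-color:#333333; color:#FFFFFF; padding:3px;"><b>Login</b></div>
     <div style="margin:30px">
     <form action="processlogin.php" method="post">
     <label>UserName :</label><input type="text" name="username" class="box"/><br /><br />
     <label>Password :</label><input type="password" name="password" class="box" /><br/><br />
     <input type="submit" value=" Submit " name="submit"/><br />
     </form>
     <div style="font-size:11px; color:#cc0000; margin-top:10px"></div>
     </div>
     </div>
     </div>
     </body>
     </html>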
  8. and yeah both the username and password correspond to each other
  9. I tried that, but the form isn't even doing anything, it should display processlogin.php Here's the code I have:
     <?php
     // Login handler with a debug line that prints the number of matching rows.
     //
     // NOTE(review): config.php is not shown; it presumably opens the MySQL
     // connection used by the mysql_* calls (confirm). The mysql_* extension was
     // removed in PHP 7.0; PDO or mysqli prepared statements replace it.
     include('config.php');

     if (isset($_POST['submit'])) {
         $username= $_POST['username'];
         $password= $_POST['password'];

         // Escape both values for use inside the quoted SQL string literals below.
         $myusername = mysql_real_escape_string($username);
         $mypassword = mysql_real_escape_string($password);

         // NOTE(review): comparing the password column with the submitted value only
         // matches if passwords are stored unhashed; use password_hash() and
         // password_verify() instead.
         $sql="SELECT * FROM users WHERE username='$myusername' and password='$mypassword'";
         // On a query failure the database error text is printed to the visitor.
         $result= mysql_query($sql) or die(mysql_error());

         // This echo sends output before the header() call below, so the redirect
         // can no longer be issued unless output buffering is active.
         echo 'Number of matches:' . mysql_num_rows($result);

         // If result matched $myusername and $mypassword, table row must be 1 row
         if($row = mysql_fetch_array($result)) {
             header("Location: welcome.php");
             exit;
         }
         // No else branch: when no row matches, nothing further is printed.
     }
     ?>
  10. Some progress: When I try that $sql; exit; I get the following: SELECT * FROM users WHERE username='admin' and password='admin'. So why isn't it redirecting as it should?
  11. I removed the @ob_start();
     <?php
     // Login handler: redirects to welcome.php when the posted username/password
     // pair matches a row in the users table.
     //
     // NOTE(review): config.php is not shown; it presumably opens the MySQL
     // connection used by the mysql_* calls (confirm). If it emits any output,
     // the header() call below cannot be sent. The mysql_* extension was removed
     // in PHP 7.0; PDO or mysqli prepared statements replace it.
     include('config.php');

     if (isset($_POST['submit'])) {
         $username= $_POST['username'];
         $password= $_POST['password'];

         // Escape both values for use inside the quoted SQL string literals below.
         $myusername = mysql_real_escape_string($username);
         $mypassword = mysql_real_escape_string($password);

         // NOTE(review): comparing the password column with the submitted value only
         // matches if passwords are stored unhashed; use password_hash() and
         // password_verify() instead.
         $sql="SELECT * FROM users WHERE username='$myusername' and password='$mypassword'";
         // On a query failure the database error text is printed to the visitor.
         $result= mysql_query($sql) or die(mysql_error());

         // If result matched $myusername and $mypassword, table row must be 1 row
         if($row = mysql_fetch_array($result)) {
             header("Location: welcome.php");
             exit;
         }
         // No else branch: when no row matches, or when 'submit' was not posted, the
         // script prints nothing, which shows up as a blank page.
     }
     ?>
     I'm still seeing a blank page @processlogin.php
  12. Yea, I get a blank page. Thanks for your continued help on this.
  13. When I try that I'm not seeing any output
  14. Corrections: Using a separate file for login check: processlogin.php Here the code for that:
     <?php
     // Login handler: redirects to welcome.php when the posted username/password
     // pair matches a row in the users table.
     //
     // NOTE(review): config.php is not shown; it presumably opens the MySQL
     // connection used by the mysql_* calls (confirm). The mysql_* extension was
     // removed in PHP 7.0; PDO or mysqli prepared statements replace it.
     include('config.php');
     // Start output buffering; the @ hides any error this call raises. Buffering
     // starts only after config.php has run, so output from that file is not held back.
     @ob_start();

     if (isset($_POST['submit'])) {
         $username= $_POST['username'];
         $password= $_POST['password'];

         // Escape both values for use inside the quoted SQL string literals below.
         $myusername = mysql_real_escape_string($username);
         $mypassword = mysql_real_escape_string($password);

         // NOTE(review): comparing the password column with the submitted value only
         // matches if passwords are stored unhashed; use password_hash() and
         // password_verify() instead.
         $sql="SELECT * FROM users WHERE username='$myusername' and password='$mypassword'";
         // On a query failure the database error text is printed to the visitor.
         $result= mysql_query($sql) or die(mysql_error());

         // If result matched $myusername and $mypassword, table row must be 1 row
         if($row = mysql_fetch_array($result)) {
             header("Location: welcome.php");
             exit;
         }
         // No else branch: when no row matches, nothing is printed.
     }
     i used the following function and it returned the username/password as an array, print '<pre>' . print_r($_POST, true) . '</pre>'; So I'm guessing that there must be something I'm not seeing in my SQL exec