Jump to content

password and username query

dazz_club

By dazz_club
in PHP Coding Help

Recommended Posts

dazz_club Member

dazz_club

Posted
Posted

Hi people,

 

I have just set up a data base, where by users login using a password and username.

 

i have just gone through sme testing. I have made it easier but giving the same password to everyone and the only thing is different is their email.

 

so i tested the login system by picking random people, some work while others dont?

 

apart from having say, miss splet the password wrong or username (their email in this case) can their be anyother reason to why some can log in, while others can't

 

here is the login script i use:

<?php
session_start();
require_once("includes/connection.php"); 

// check that the form is submitted
if(isset($_POST['submit']))
{
    // validate username
    if(isset($_POST['username']) && !empty($_POST['username']))
    {
        // use the built in mysql real escape string function to protect agains SQL Injection
        $username = mysql_real_escape_string($_POST['username']);
    }
    else
    {
        // username does not validate, define an error
	$no_username = '<div class=\"login\" >incorrrect username</div>';
        
    }

    // we apply the same for the password field.
    if(isset($_POST['password']) && !empty($_POST['password']))
    {
        $password = md5($_POST['password']);
    }
    else
    {
        $no_password = 'Password not provided';
    }

    // chekc that no errors have been set, if so display them
    if(isset($errors) && is_array($errors))
    {
        echo 'Errors: <ul><li>' . implode('</li><li>', $errors) . '</li></ul>';
    }
    // no errors are set so we'll continue
    else
    {
        $sql= " SELECT * FROM members WHERE username = '$username' AND password = '$password' ";
        $result = mysql_query($sql) or die('Query Error:<br />Query: <tt>'.$sql.'</tt><br />Error: ' . mysql_error($db));

        // check that the query return only ONE result
        if(mysql_num_rows($result) == 1)
        {
            $_SESSION['is_logged_in'] = true;

            // get result set from the query and assign it to the 'user' session.
            $row = mysql_fetch_assoc($result);
            $_SESSION['user'] = $row;

            // redirect to the login_success.php
            header('Location: free-sample/');
            exit;
        }

        // query failed, display error
        $both_pw_unme = "<img src=\"../images/warning_triangle.png\" /> Error";
    }
}
// for was not submitted, display error
else
{
    $form_login = '<div class=\"login\" >Please use this form to login </div>';
}
?>

 

and here is the script for the page they will see if they have successfully logged in

<?php
session_start();
require_once '../includes/connection.php';
// check that the  user has logged in
if(isset($_SESSION['is_logged_in']) && $_SESSION['is_logged_in'] !== true || !isset($_SESSION['is_logged_in']))
{
    die ("<div style=\"text-align:center;color:black;font-family:arial;\"><img src=\"../../images/padlock.png\" />You must <a href=\"../admin/..\" style=\"color:red;\">login</a> to view this page!</div>");
}
// no need to query members table, query the contacts table as you already have the username in the 'user' session
$sql  = "SELECT * FROM contacts WHERE username='{$_SESSION['user']['username']}'";
// perform the query
$result = mysql_query($sql);
// as you are only returning 1 row from the contact tables you don't need a while loop
$row = mysql_fetch_assoc($result);
// display contact data for user
	$sample = $row['sample'];
	$username = $row['username'];
	$type = $row['type'];
	$image = $row['image'];
	$title = $row['title'];
	$first_name = $row['first_name'];
	$surname = $row['surname'];
	$position= $row['position'];
	$company_name = $row['company_name'];
	$company_email = $row['company_email'];
	$company_fax = $row['company_fax'];
	$company_telephone_number = $row['company_telephone_number'];
	$company_fax = $row['company_fax'];
	$address_1 = $row['address_1'];
	$address_2 = $row['address_2'];
	$address_3 = $row['address_3'];
	$town = $row['town'];
	$county = $row['county'];
	$post_code = $row['post_code'];
/////
if(isset($_POST['submit']))
{
$sample=$_POST['sample'];
$type=$_POST['type'];
$title=$_POST['title'];
$first_name=$_POST['first_name'];
$surname=$_POST['surname'];
$position=$_POST['position'];
$company_name=$_POST['company_name'];
$company_email=$_POST['company_email'];
$company_fax=$_POST['company_fax'];
$company_telephone_number=$_POST['company_telephone_number'];
$address_1=$_POST['address_1'];
$address_2=$_POST['address_2'];
$address_3=$_POST['address_3'];
$town=$_POST['town'];
$county=$_POST['county'];
$post_code=$_POST['post_code'];
///spacer
$errors .= (empty($post_code)) ? "<span class=\"emptyFields\">postcode</span>" : "";
$errors .= (empty($company_name)) ? "<span class=\"emptyFields\">company name</span>" : "";
$errors .= (empty($company_telephone_number)) ? "<span class=\"emptyFields\">telepone number</span>" : "";
$errors .= (empty($company_email)) ? "<span class=\"emptyFields\">email</span>" : "";
//need to add country, product and state
if (!$errors)
{
if(!get_magic_quotes_gpc())
{
$sample = addslashes($sample);
$type = addslashes($type);
$title = addslashes($title);
$first_name = addslashes($first_name);
$surname = addslashes($surname);
$position= addslashes($position);
$company_name = addslashes($company_name);
$company_email = addslashes($company_email);
$company_fax = addslashes($company_fax);
$company_telephone_number= addslashes($company_telephone_number);
$address_1= addslashes($address_1);
$address_2= addslashes($address_2);
$address_3= addslashes($address_3);
$town= addslashes($town);
$county= addslashes($county);
$post_code= addslashes($post_code);
}
@ $db = mysql('localhost', 'root', 'DARREN', 'bulletins2');
if (mysql_error())
{
echo 'error';
}
$query = " INSERT INTO order_enquiries  (sample, type, title, first_name, surname, position, company_name, company_email,  company_fax, company_telephone_number, address_1, address_2, address_3, town, county, post_code ) VALUES ('".$sample."', '".$type."', '".$title."', '".$first_name."', '".$surname."', '".$position."','".$company_name."', '".$company_email."', '".$company_fax."','".$company_telephone_number."', '".$address_1."', '".$address_2."', '".$address_3."', '".$town."', '".$county."', '".$post_code."' )";
$result = mysql_query($query);
////spacer
$success .= "<div class=\"success\" >Thank you,<br /><br />Your free sample will be dispatched as soon as possible.<br /><br />Please <a href=\"logout.php\" style=\"font-weight:bold;color:black;\">Logout</a></span></div>";
//need to add country, product and state
if ($success);
}
}//else//{/
//send email aswell
//$sendTo  =  "[email protected]";
//$subject = "Free order sample of $sample";

//$headers  =  "From:$company_email \n ";
//$headers .= " $first_name $surname \r\n";
//$headers .= "Reply-To: $company_email \r\n";
//$message = " Sample order enquiry from:
		 //$title $first_name $surname has requested a free sample.

		 //TYPE:$type
		 //ADDRESS
		 //$company_name
		 //$address_1
		 //$address_2
		 //$address_3
		 //$town
		 //$county
		 //$post_code\n
		 //CONTACT DETAILS:
		 //tel:$company_telephone_number
		 //fax:$company_fax
		 //email:$company_email
		 //";

//mail($sendTo, $subject, $message, $headers);
//}
?>

 

kind regards

Dazzclub

Link to comment
https://forums.phpfreaks.com/topic/101043-password-and-username-query/
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.