
[SOLVED] Need help guys. Please.


waynewex


Okay. I'm pretty new to PHP. My course is all about Java (won't make any friends by saying that). I'm trying to create a pretty simple login for my website; nothing special at all because I am a newbie/n00b (your bread, your butter). Anyway, my registration page works well; delivers the results I want it to etc. The problem is my login page. And for some reason that I'm sure I'll be banging my head off over later, it's not working. At first, it was allowing anyone to log in, which was bad; now, it's not allowing anyone to log in.

 

Here's the code. Please have a look over and let me know. I want to learn off you guys from my mistakes.

 

<?php session_start();
$user="************";
$password="**********";
$database="**********";
mysql_connect("*************" ,$user,$password);
@mysql_select_db($database) or die( "FATAL ERROR");

$usertrying = $_POST[username];
$ptrying = $_POST[password];
$secured_password = sha1($password);

$user_check = "SELECT USERNAME FROM USERS WHERE USERNAME = '$username'";
$result = mysql_query ($user_check);

$username_correct = false;
$password_correct = false;

while($row = mysql_fetch_array($result) )
{
    if ($row[uSERNAME] == $usertrying)
    {
        $username_correct = true;
        break;
    }
}

if ($username_correct)
{
    $pw_check = "SELECT PASSWORD FROM USERS WHERE USERNAME = '$username'";
    $result = mysql_query ($pw_check);

    if ($result == $secured_password)
    {
        $password_correct = true;
    }
}

if($username_correct && $password_correct)
{
    session_register('username');
    header('Location:http://**********.com/privatedata.php');
}
else
{
    header('Location:http://*********.com/login.php');
}

mysql_close($conn);

?>

 

 

Link to comment
Share on other sites

if($username_correct && $password_correct)
{
    session_register('username');
   header('Location:http://**********.com/privatedata.php');
}

 

Correct me if I am wrong but don't you have to do something like

 if(($username_correct == "true") && ($password_correct =="true")) 

 

With or without the quotes.  I am not too positive on how booleans are read and created in PHP.  Also you should store

$user="************";
$password="**********";
$database="**********";
mysql_connect("*************" ,$user,$password);
@mysql_select_db($database) or die( "FATAL ERROR");

 

in a separate file and use an include function.

Link to comment
Share on other sites

First, your code is overcomplicated. There's no need, IMO, to use if statements for comparison after your MySQL queries. If you get any rows back, you know it found a match in the database and the username/password combination they typed in. You can just ask how many rows it returned.

 

Your error could be in the fact that you're comparing $result to the password. $result in your case is just a resource that contains data. It's not the actual data.

 

You can greatly simplify your code with something like the following:

<?php
if (isset($_POST["login_submit"])) {
// make data safe for insertion into query
if (isset($_POST)) {
	foreach ($_POST as $key => $val) {
		$_POST[$key] = myEscape($val);
	}
}
$un = $_POST["un"];
$pw = md5($_POST["pw"]);
dbconnect();
$query = "SELECT * FROM `users` WHERE `username`='$un' AND `password`='$pw'";
$result = mysql_query($query) OR DIE ("Error:<br />".mysql_error());
dbclose();
if (mysql_num_rows($result) > 0) {
	$r = mysql_fetch_assoc($result);
	$user = $r["username"];
	$_SESSION['user'] = $user;
	$_SESSION['login'] = TRUE;
	header("Location: options.php");
	exit;
} else {
	$_SESSION['login'] = FALSE;
	$error = TRUE;
}
}
?>

 

Hope this helps some.

Link to comment
Share on other sites

Here's my changed code, it's still returning me to the login page which means the last if statement is falling on the IF.

 

<?php session_start();
$user="*******";
$password="********";
$database="*********";
mysql_connect("**************" ,$user,$password);
@mysql_select_db($database) or die( "FATAL ERROR");

$usertrying = $_POST[username];
$ptrying = $_POST[password];
$secured_password = sha1($ptrying);

$user_check = "SELECT USERNAME FROM USERS WHERE USERNAME = '$usertrying'";
$result = mysql_query ($user_check);

$username_correct = false;
$password_correct = false;

while($row = mysql_fetch_array($result) )
{
    if ($row[uSERNAME] == $usertrying)
    {
        $username_correct = true;
        break;
    }
}

if ($username_correct)
{
    $pw_check = "SELECT PASSWORD FROM USERS WHERE USERNAME = '$usertrying'";
    $result = mysql_query ($pw_check);

    if ($result == $secured_password)
    {
        $password_correct = true;
    }
}

if(($username_correct == "true") && ($password_correct == "true"))
{
    session_register('username');
    header('Location:http://*********.com/privatedata.php');
}
else
{
    header('Location:http://**********.com/login.php');
}

mysql_close($conn);

?>

 

Charlie Holder. I'll have a look at your code now. Thanks for helping.

 

Link to comment
Share on other sites

Okay, I've changed it a bit; but it's keeping me on the page and not responding to the redirects. (Btw, thanks for the corrections)

 

$usertrying = $_POST[username];
$ptrying = $_POST[password];
$secured_password = sha1($ptrying);

$user_correct = false;
$pw_correct = false;

$query = "SELECT * FROM `USERS` WHERE `USERNAME`='$usertrying' AND `PASSWORD`='$secured_password'";
$result = mysql_query($query)

if (mysql_num_rows($result) > 0) {
    $user_correct = true;
    $pw_correct = true;
}

if(($username_correct == true) && ($password_correct == true))
{
    session_register('username');
    header('Location:http://*********.com/privatedata.php');
}
else
{
    header('Location:http://*******.com/login.php');
}

mysql_close($conn);

Link to comment
Share on other sites

Here's the current code. Still staying on the same page and not redirecting. DB connection is okay etc.

 

$usertrying = $_POST[username];
$ptrying = $_POST[password];
$secured_password = sha1($ptrying);

$user_correct = false;
$pw_correct = false;

$query = "SELECT * FROM `USERS` WHERE `USERNAME`='$usertrying' AND `PASSWORD`='$secured_password'";
$result = mysql_query($query)

if (mysql_num_rows($result) > 0) {
    $user_correct = true;
    $pw_correct = true;
}

if(($user_correct == true) && ($pw_correct == true))
{
    session_register('username');
    header('Location:http://****.com/privatedata.php');
}
else
{
    header('Location:http://*****.com/login.php');
}

Link to comment
Share on other sites

Any ideas?

 

I would do it something like this:

 


$usertrying = $_POST[username];
$ptrying = $_POST[password];
$secured_password = sha1($ptrying);


// Retrieve all the data from the table
$result = mysql_query("SELECT * FROM users WHERE username = '$usertrying' && password = '$secured_password'") 
or die(mysql_error()); 

// store the record of the table into $row          
$row= mysql_fetch_array( $result ); 



if(($usertrying == $row[username]) && ($secured_password == $row[password]))
{
    session_register('username');
   header('Location:http://****.com/privatedata.php');
}

else
{
header('Location:http://*****.com/login.php');
}

Link to comment
Share on other sites

Okay, my code looks like this at the moment but it's still not going anywhere.

 

$username = $_POST[username];
$ptrying = $_POST[password];
$secured_password = sha1($ptrying);

$query = ("SELECT * FROM USERS WHERE USERNAME='$username' AND PASSWORD ='$secured_password'") or die(mysql_error);
$result = mysql_query($query)


if (mysql_num_rows($result) > 0) 
{     
        
	$row= mysql_fetch_array( $result ); 

	if(($username == $row[uSERNAME]) && ($secured_password == $row[PASSWORD]))
	{
	session_register('username');
	header('Location:http://******.com/privatedata.php');
	echo 'its right';
	}

	else
	{
	header('Location:http://******.com/login.php');
	}

}

Link to comment
Share on other sites

<?php
$username = $_POST[username];
$ptrying = $_POST[password];
$secured_password = sha1($ptrying);

$query = "SELECT * FROM USERS WHERE USERNAME='$username' AND PASSWORD ='$secured_password'";
$result = mysql_query($query) or die(mysql_error()); // Did no-one notice the lack of semi-colon here?


if (mysql_num_rows($result) > 0) 
{     
        
	$row= mysql_fetch_array( $result ); 

	if(($username == $row[uSERNAME]) && ($secured_password == $row[PASSWORD]))
	{
	session_register('username');
	header('Location:http://******.com/privatedata.php');
	echo 'its right';
	}

	else
	{
	header('Location:http://******.com/login.php');
	}

} ?>

Link to comment
Share on other sites

I'm not getting any text error as such; it's just that it's not redirecting; at all. This means that it's failing either on or before the first IF statement. I added the semi-colon (VERY STUPID MISTAKE) but alas, it's still staying on the same page.

 

<?php session_start(); 

$user="*****";
$password="*******";
$database="********";
mysql_connect("*************" ,$user,$password);
@mysql_select_db($database) or die(mysql_error);

$username = $_POST[username];
$ptrying = $_POST[password];
$secured_password = sha1($ptrying);

$query = ("SELECT * FROM USERS WHERE USERNAME='$username' AND PASSWORD ='$secured_password'") or die(mysql_error);
$result = mysql_query($query);


if (mysql_num_rows($result) > 0) 
{     
        
	$row= mysql_fetch_array( $result ); 

	if(($username == $row[uSERNAME]) && ($secured_password == $row[PASSWORD]))
	{
	session_register('username');
	header('Location:http://*********.com/privatedata.php');
	}

	else
	{
	header('Location:http://********.com/login.php');
	}

}
mysql_close($conn);

?>

 

Thanks for trying guys.

Link to comment
Share on other sites

Sorry, here's the code with the "or die" fixed. Another stupid mistake. It's just that I've been rearranging this piece of code for ages trying to figure out what's wrong. It's still not redirecting and I'm getting no error.

 

<?php session_start(); 

$user="******";
$password="******";
$database="*********";
mysql_connect("*****************" ,$user,$password);
@mysql_select_db($database) or die(mysql_error);

$username = $_POST[username];
$ptrying = $_POST[password];
$secured_password = sha1($ptrying);

$query = "SELECT * FROM USERS WHERE USERNAME='$username' AND PASSWORD ='$secured_password'";
$result = mysql_query($query) or die(mysql_error);


if (mysql_num_rows($result) > 0) 
{     
        
	$row= mysql_fetch_array( $result ); 

	if(($username == $row[uSERNAME]) && ($secured_password == $row[PASSWORD]))
	{
	session_register('username');
	header('Location:http://*********/privatedata.php');
	}

	else
	{
	header('Location:http://********/login.php');
	}

}
mysql_close($conn);

?>

Link to comment
Share on other sites

Guys. I fixed it. The problem was that I had set the password field length in the USER table to 20 while forgetting that I wasn't storing the password given by the user, I was storing the encrypted version of the password, which is a lot longer in length. This meant that the encrypted passwords were getting cut down in size. So, when I was comparing the passwords, I was comparing the real password with the shortened down version of that password, which of course caused it to fail on:

 

$query = "SELECT * FROM USERS WHERE USERNAME='$username' AND PASSWORD ='$secured_password';";
$result = mysql_query($query) or die(mysql_error);


if (mysql_num_rows($result) > 0) 
{     
        
	$row = mysql_fetch_array( $result ); 

	if(($username == $row[uSERNAME]) && ($secured_password == $row[PASSWORD])) //FAILED HERE
	{
	session_register('username');
	header('Location:http://waynewhitty.com/privatedata.php');
	}

	else
	{
	header('Location:http://waynewhitty.com/login.php');
	}
}

 

So thanks guys for helping, it's working now and maybe my mistake will stop somebody else from making the same mistake in the future. Also, thanks for the tips on my code.  :)

 

Link to comment
Share on other sites
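
A hardened version of the login discussed in this thread, as an added example that is not part of any post: placeholders replace the `$_POST` values interpolated into the query, `password_hash()`/`password_verify()` replace the bare `sha1()`/`md5()` comparison, and registration re-reads the stored hash so the column truncation described in the last post is caught at once. The in-memory SQLite database (needs the pdo_sqlite extension), the column widths and the sample account are assumptions made so the script runs offline.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// thread's USERS/USERNAME/PASSWORD; the SQLite database and the sample
// account are constructed for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// On MySQL, declare the hash column VARCHAR(255): password_hash() output is
// 60 characters or more, and a narrower column can cut it short.
$db->exec('CREATE TABLE USERS (
    USERNAME VARCHAR(64) PRIMARY KEY,
    PASSWORD VARCHAR(255) NOT NULL
)');

function register(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // salted, slow hash
    $db->prepare('INSERT INTO USERS (USERNAME, PASSWORD) VALUES (?, ?)')
       ->execute([$username, $hash]);

    // Read the value back: a truncated hash is caught at registration
    // instead of surfacing later as a login that can never succeed.
    $check = $db->prepare('SELECT PASSWORD FROM USERS WHERE USERNAME = ?');
    $check->execute([$username]);
    if (!hash_equals($hash, (string) $check->fetchColumn())) {
        throw new RuntimeException('Stored hash differs from generated hash; check column width');
    }
}

function login(PDO $db, string $username, string $password): bool
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT PASSWORD FROM USERS WHERE USERNAME = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn(); // false when no row matched

    return is_string($stored) && password_verify($password, $stored);
}

register($db, "o'brien", 'correct horse');         // the apostrophe is plain data
var_dump(login($db, "o'brien", 'correct horse'));  // right password
var_dump(login($db, "o'brien", 'wrong'));          // wrong password
var_dump(login($db, 'nobody', 'correct horse'));   // unknown user
```

On a successful login, call `session_regenerate_id(true)` and set `$_SESSION['username']` directly, since `session_register()` was removed in PHP 5.4. Follow each `header('Location: ...')` with `exit` so the rest of the script does not keep running.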
