obiwan Posted June 20, 2008 Share Posted June 20, 2008 Hey everyone I was wondering if anyone could help me validate the username and password in this semi working script. <? $db_name = "auth_users"; $table_name = "site_members"; $connection =@mysql_connect("server","usr","pass") or die(mysql_error()); $db = @mysql_select_db($db_name,$connection) or die(mysql_error()); $sql = "SELECT * FROM $table_name WHERE username = '$_POST[user_name]' AND password = password('$_POST[user_password]')"; $result =@mysql_query($sql,$connection) or die(mysql_error()); $user_info = mysql_fetch_array($result); $num = mysql_num_rows($result); // check passwords match if((!$_POST[user_name]) || (!$_POST[user_password])) { header("Location: login.htm"); exit; print '<p>Please enter your username & password</p>'; } // check input username with username in database $checkUsername=mysql_query("SELECT * FROM $table_name WHERE username='".$_POST["user_name"]."'"); $userResult=mysql_num_rows($checkUsername); if ($userResult == 0) { header("Location: login.htm"); print '<span id="regLinks"><a href=../login.htm>Click here to try and log in</a>'; print '<p>Sorry that username does not exitst</p>'; exit; } // check input password with password in database $checkpass=mysql_query("SELECT * FROM $table_name WHERE password='".$_POST["user_password"]."'"); $passResult=mysql_num_rows($checkpass); if ($user_password !== $passResult) { header("Location: login.htm"); print '<span id="regLinks"><a href=../login.htm>Click here to try and log in</a>'; print '<p>Sorry that password is incorrect</p>'; exit; } ?> Quote Link to comment Share on other sites More sharing options...
abdfahim Posted June 20, 2008 Share Posted June 20, 2008 I saw some strange things in your coding, no1: in the section "// check passwords match", you wrote error msg after exit();, thats strange. Thsi error msg will never shown up. Anyway, this will not cause any harm to your coding. no2:in last condition you wrote if ($user_password !== $passResult){.......... but where is the variable $user_password to compare? no3. this is most strange. In your code, you seperately check whether the user name and password is stored in databse. What it may result is USER A giving password for USER B still can log in !!! Quote Link to comment Share on other sites More sharing options...
jib Posted June 20, 2008 Share Posted June 20, 2008 if this is posted on a website I would recommend storing the password after md5 or sha1 has been applied ie when they register before you throw the password into the db apply either and then store it (don't forget to make the db password field long enough too) then when they login apply it again then check it against the password in the database As I am not that good with php yet I can't pull the exact syntax off the top of my head but a simple google of md5 or sha1 will give you plenty of results Quote Link to comment Share on other sites More sharing options...
obiwan Posted June 20, 2008 Author Share Posted June 20, 2008 Thanks I am new to PHP, but I am currently using $sql = "SELECT * FROM $table_name WHERE username = '$_POST[user_name]' AND password = password('$_POST[user_password]')"; When I view the database it appears in HASH ALGORITHM. Quote Link to comment Share on other sites More sharing options...
abdfahim Posted June 20, 2008 Share Posted June 20, 2008 if this is posted on a website I would recommend storing the password after md5 or sha1 has been applied ie when they register before you throw the password into the db apply either and then store it (don't forget to make the db password field long enough too) then when they login apply it again then check it against the password in the database As I am not that good with php yet I can't pull the exact syntax off the top of my head but a simple google of md5 or sha1 will give you plenty of results He is actually hashing th password already with the SQL command PASSWORD() Quote Link to comment Share on other sites More sharing options...
obiwan Posted June 20, 2008 Author Share Posted June 20, 2008 To abdbuet, I fixed the exit in the if. I expect a few mistakes on my part because I am not to familiar with php, sorry about that. After reading your post I am still not sure how to fix the current problem I am having. I just want to check that the username is in the database, then check if the username that the end user entered is correct or matches the password stored in the database. 1:user_name = the name of the input field in my login.htm 2.user_password = the name of the input password filed from the login.htm My form code: <form method="post" action="phpScripts/loginTest.php"> <div class="universalContainer"> <span class="title">Username: </span><span class="subAlert">(your email address)</span> <input name="user_name" type="text" id="user_name" size="23" maxlength="80" class="createLogInformElements" /> </div> <div class="universalContainer"> <span class="title">Password:</span> <input name="user_password" type="password" id="user_password" size="23" maxlength="20" class="createLogInformElements"/> </div> <div class="universalContainer"> <input name="log_in" type="submit" class="buttons" onclick="validateLogIn('user_name','','R','user_password','','R');return document.MM_returnValue" value="Login"/> </div> </form> By looking at my initial post do you know how to fix this? Quote Link to comment Share on other sites More sharing options...
abdfahim Posted June 20, 2008 Share Posted June 20, 2008 you may try this for whole process <?php if (isset($_POST['submit_login'])) { $username = $_POST['username']; $password = md5($_POST['password']); $result = mysql_query("Select * From login_table where username='$username'",$con); if(mysql_num_rows($result)>0) { $row = mysql_fetch_array($result); if($password == $row["password"]) { echo "Logged in"; } else { echo "Password mismatch"; } } else { echo "No user found"; } } ?> Quote Link to comment Share on other sites More sharing options...
jib Posted June 20, 2008 Share Posted June 20, 2008 OooOOo I didn't know you could do that so im going to shut up now Quote Link to comment Share on other sites More sharing options...
obiwan Posted June 20, 2008 Author Share Posted June 20, 2008 OooOOo I didn't know you could do that so im going to shut up now I have no idea really what I am doing, I am just learning as I go along. No worries man. Quote Link to comment Share on other sites More sharing options...
abdfahim Posted June 20, 2008 Share Posted June 20, 2008 ok obiwan, i am telling you what is the main problem you have. For example, you have 3 user in you database username password =================== user1 1234 user2 5678 user3 9012 Now, in you code, you first check whether there is any username in the database match with the input user name. Then you check whether there is any password in the database match with the input password. Now if I put username=user1 and password=5678 (which is actually password of user3), what happens? It will still login coz it found both username and password in the database, no matters in different record!! Thats why you have to search and match both username and password simultaneously. Hope it helps. Feel free to ask more if any problem occurs. Quote Link to comment Share on other sites More sharing options...
abdfahim Posted June 20, 2008 Share Posted June 20, 2008 OooOOo I didn't know you could do that so im going to shut up now Cummon jib .. we are learning everyday. So there is no point to shut up. I must appreciate you try to answer coz there are many ppl who never bother to answer, you are much better then them!! And believe me, there is a lot to learn for every body. I don't know hell of silly thing, but there is no shame that I don't no everything, nobody know that!! Quote Link to comment Share on other sites More sharing options...
jib Posted June 20, 2008 Share Posted June 20, 2008 It's all good Quote Link to comment Share on other sites More sharing options...
obiwan Posted June 20, 2008 Author Share Posted June 20, 2008 I entered the code like you mentioned abdbuet and now nothing works, before the validation was working on the username so if I entered in the wrong username it would tell me and provide a link. Now nothing works. What is this? ['submit_login'] am I supposed to rename my submit button to match that? Here is my code just in case: <div id="flashColumn"> <? $db_name = "auth_users"; $table_name = "site_members"; $connection =@mysql_connect("server","user","pass") or die(mysql_error()); $db = @mysql_select_db($db_name,$connection) or die(mysql_error()); $sql = "SELECT * FROM $table_name WHERE username = '$_POST[user_name]' AND password = password('$_POST[user_password]')"; $result =@mysql_query($sql,$connection) or die(mysql_error()); $user_info = mysql_fetch_array($result); $num = mysql_num_rows($result); if (isset($_POST['submit_login'])) { $username = $_POST['user_name']; $password = md5($_POST['user_password']); $result = mysql_query("SELECT * FROM $table_name WHERE username='$user_name'",$connection); if(mysql_num_rows($result)>0) { $row = mysql_fetch_array($result); if($password == $row["password"]) { echo "Logged in"; } else { print '<p>The password you entered is incorrect.</p>'; print '<span id="regLinks"><a href=../login.htm>Click here to try again.</a>'; exit(); } } else { print '<p>The username you entered does not exist. Note:(Username is your email address)</p>'; print '<span id="regLinks"><a href=../login.htm>Click here to try again.</a>'; exit(); } } ?> <div id="mainProfile"> <div id="profilePhoto"><img src='/photography/<?php echo $user_info['photoUrlText']?>'class="setProfilePhotoSize"></div> <div id="nameContainer"><?php echo $user_info['f_name']?> <?php echo $user_info['l_name']?></div> <div id="bDayContainer">Birthdate: 00/00/0000</div> <div id="profileBody"></div> </div> Previous Code that was sort of working except for the password: <div id="flashColumn"> <? $db_name = "auth_users"; $table_name = "site_members"; $connection =@mysql_connect("server","user","pass") or die(mysql_error()); $db = @mysql_select_db($db_name,$connection) or die(mysql_error()); $sql = "SELECT * FROM $table_name WHERE username = '$_POST[user_name]' AND password = password('$_POST[user_password]')"; $result =@mysql_query($sql,$connection) or die(mysql_error()); $user_info = mysql_fetch_array($result); $num = mysql_num_rows($result); // check input username with username in database $checkUsername=mysql_query("SELECT * FROM $table_name WHERE username='".$_POST["user_name"]."'"); $userResult=mysql_num_rows($checkUsername); if ($userResult == 0) { header("Location: login.htm"); print '<span id="regLinks"><a href=../login.htm>Click here to try and log in</a>'; print '<p>Sorry that username does not exitst</p>'; exit; } //check input password with password in database $checkpass=mysql_query("SELECT * FROM $table_name WHERE password='".$_POST["user_password"]."'"); $passResult=mysql_num_rows($checkpass); if ($user_password !== $passResult) { header("Location: login.htm"); print '<span id="regLinks"><a href=../login.htm>Click here to try and log in</a>'; print '<p>Sorry that password is incorrect</p>'; exit; } ?> <div id="mainProfile"> <div id="profilePhoto"><img src='/photography/<?php echo $user_info['photoUrlText']?>'class="setProfilePhotoSize"></div> <div id="nameContainer"><?php echo $user_info['f_name']?> <?php echo $user_info['l_name']?></div> <div id="bDayContainer">Birthdate: 06/11/1980</div> <div id="profileBody"></div> </div> Quote Link to comment Share on other sites More sharing options...
abdfahim Posted June 20, 2008 Share Posted June 20, 2008 Also, you can do your form very simply <form method="post" action="phpScripts/loginTest.php"> Username: <input name="username" type="text" id="username" size="23" maxlength="80"> Password: <input name="password" type="password" id="password" size="23" maxlength="20"> <input name="submit_login" type="submit" value="Login"/> </form> I intentionally delete all those class, div and span to make this post readable . You of course can keep those. Quote Link to comment Share on other sites More sharing options...
abdfahim Posted June 20, 2008 Share Posted June 20, 2008 ['submit_login'] is the name of your submit button (see the form I post), which is name "log_in" in your form. Quote Link to comment Share on other sites More sharing options...
abdfahim Posted June 20, 2008 Share Posted June 20, 2008 I entered the code like you mentioned abdbuet and now nothing works, before the validation there is nothing good only on displaying some result, it must be serve your purpose to make it worthy, right? I am afraid buddy that ur previous code will not serve your purpose even that works without ant coding error!! Anyway, let me know whether you solve it. Quote Link to comment Share on other sites More sharing options...
obiwan Posted June 20, 2008 Author Share Posted June 20, 2008 Great, so now it is sort of working but it has left me in the same position I was in when I first posted. If I enter the wrong username it tells me the username entered is incorrect But if I enter the correct username with the correct password it tells me that the password is incorrect??? <? $db_name = "auth_users"; $table_name = "site_members"; $connection =@mysql_connect("server","user","pass") or die(mysql_error()); $db = @mysql_select_db($db_name,$connection) or die(mysql_error()); $sql = "SELECT * FROM $table_name WHERE username = '$_POST[username]' AND password = password('$_POST[password]')"; $result =@mysql_query($sql,$connection) or die(mysql_error()); $user_info = mysql_fetch_array($result); $num = mysql_num_rows($result); if (isset($_POST['submit_login'])) { $username = $_POST['username']; $password = md5($_POST['password']); $result = mysql_query("SELECT * FROM $table_name WHERE username='$username'",$connection); if(mysql_num_rows($result)>0) { $row = mysql_fetch_array($result); if($password == $row["password"]) { echo "Logged in"; } else { print '<p>The password you entered is incorrect.</p>'; print '<span id="regLinks"><a href=../login.htm>Click here to try again.</a>'; exit(); } } else { print '<p>The username you entered does not exist. Note:(Username is your email address)</p>'; print '<span id="regLinks"><a href=../login.htm>Click here to try again.</a>'; exit(); } } ?> Quote Link to comment Share on other sites More sharing options...
Stephen Posted June 20, 2008 Share Posted June 20, 2008 <? $db_name = "auth_users"; $table_name = "site_members"; $connection =@mysql_connect("server","user","pass") or die(mysql_error()); $db = @mysql_select_db($db_name,$connection) or die(mysql_error()); $sql = "SELECT * FROM $table_name WHERE username = '$_POST[username]' AND password = '".md5($_POST[password])."'"; $result =@mysql_query($sql,$connection) or die(mysql_error()); $user_info = mysql_fetch_array($result); $num = mysql_num_rows($result); if (isset($_POST['submit_login'])) { $username = $_POST['username']; $password = md5($_POST['password']); $result = mysql_query("SELECT * FROM $table_name WHERE username='$username'",$connection); if(mysql_num_rows($result)>0) { $row = mysql_fetch_array($result); if($password == $row["password"]) { echo "Logged in"; } else { print '<p>The password you entered is incorrect.</p>'; print '<span id="regLinks"><a href=../login.htm>Click here to try again.</a>'; exit(); } } else { print '<p>The username you entered does not exist. Note:(Username is your email address)</p>'; print '<span id="regLinks"><a href=../login.htm>Click here to try again.</a>'; exit(); } } ?> I fixed one part of it (where it says $sql="SELECT * etc.") Make sure when someone registers it makes there password md5 in the database (check the database and make sure its encrypted). Quote Link to comment Share on other sites More sharing options...
abdfahim Posted June 20, 2008 Share Posted June 20, 2008 ok .. let me chk ur code .. just wait a min Quote Link to comment Share on other sites More sharing options...
abdfahim Posted June 20, 2008 Share Posted June 20, 2008 ok .. let me give you check point one by one 1) delete this part. this has no use, also you use $result variable later $sql = "SELECT * FROM $table_name WHERE username = '$_POST[username]' AND password = '".md5($_POST[password])."'"; $result =@mysql_query($sql,$connection) or die(mysql_error()); $user_info = mysql_fetch_array($result); $num = mysql_num_rows($result); 2) Make echo of $_POST['username'] and $_POST['password'] and see whether they print same as you put in your form. You may use TRIM() to strip blank spaces. 3) then print md5($_POST['password']) and manually check with your password stored in the database. then let me know. Quote Link to comment Share on other sites More sharing options...
obiwan Posted June 20, 2008 Author Share Posted June 20, 2008 Sorry abdbuet, still says password is incorrect. And I dont know where to place the echo and print you meniton Quote Link to comment Share on other sites More sharing options...
obiwan Posted June 20, 2008 Author Share Posted June 20, 2008 Stephen, I logged into myPhpAdmin and changed the password to encrypt and when I try to log in it still runs even though the password is correct? else { print '<p>The password you entered is incorrect.</p>'; print '<span id="regLinks"><a href=../login.htm>Click here to try again.</a>'; exit(); } Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.