[SOLVED] MySQL query not working right?

FlyingIsFun1217 · July 10, 2008

Hey!

For a new little project of mine (actually, for other people I'm working with this time), I've got to do a query to check that the credentials entered by a user are the same as those from a database table ('users'). Here's my code:

<?php

include('connectInfo.php');

include('createConnection.php');



$cUser = $_COOKIE['user'];

$cPassword = $_COOKIE['password'];



$sqlUser = 'SELECT user, password FROM users WHERE user="'.$cUser.'"';

$userData = mysql_fetch_array(mysql_query($sqlUser), MYSQL_ASSOC);



if($userData['user'] == $cUser && md5($userData['password']) == $cPassword)

{

//---------------------------Correct-User-and-Password-------------------------------

	echo 'correct!';

//---------------------------------------------------------------------------------------------

}



else

{

	echo '<script type="text/javascript">';

	echo 'window.location = "login.html"';

	echo '</script>';

}

?>

So I've got it to check and see if the user's cookies ('user' and 'password' [password being an md5 hash]) match those from a row in table 'users', and continue only if it finds that they are the same. Thing is, even without the 'user' cookie, it seems to still echo 'correct!'. Is there something I'm missing here? Is there a better way of doing this?

Thanks!

FlyingIsFun1217

DarkWater · July 10, 2008

Why are you storing their login information in cookies instead of just using sessions? Much cleaner and more secure.

FlyingIsFun1217 · July 10, 2008

Why are you storing their login information in cookies instead of just using sessions? Much cleaner and more secure.

I would like to allow the user to continue to be able to use the restricted areas after shutting down. With this method, I can just check their cookies, and make sure that it's correct. Provided the user knows that 'cookie-stealing' is possible, I see no problem letting it work that way.

FlyingIsFun1217

lvtrii · July 10, 2008

Can you provide the output of

print_r($_COOKIE);

and

print_r($userData);

?

FlyingIsFun1217 · July 10, 2008

Can you provide the output of
print_r($_COOKIE);
and
print_r($userData);
?

Sure, but... mind me asking?... what is print_r? Why use it over echo?

FlyingIsFun1217

DarkWater · July 10, 2008

print_r() displays the contents of complex data structures. in a human readable format. print_r != print. =)

lvtrii · July 10, 2008

print_r stands for print_recursive, it's used for printing out the contents of data structures that are more than 1 level deep

I've got a feeling that your cookie's are empty, therefore the query will return nothing (because you search for nothing). So you're comparing nothing to nothing, and its returning true.

FlyingIsFun1217 · July 10, 2008

Well, I know there isn't a 'user' cookie, but my 'password' cookie is correct (I've checked it's contents in FF).

FlyingIsFun1217

lvtrii · July 10, 2008

Your user cookie is not being set properly (and neither is your password one..)

When you try to set a cookie with an empty string, it fails to set. You're passing empty values into the user and password cookie's, but you're md5()ing the password cookie, and md5()ing an empty string returns a hash, so there will be a value to populate the cookie.

I'd take a look at the code you use to assign values to the cookie.

lvtrii · July 10, 2008

And, it's just hit me that you md5 the database password to compare it to the cookie one. This leads me to believe one of two things.

You're storing the password in the database unencrypted, and a single hashed version in the cookie
or you're storing a hashed version in the database, and storing a double hashed version in the cookie, as to make it less use to people if it is stolen.

I hope it's the latter.

FlyingIsFun1217 · July 10, 2008

Yeah, DB is unhashed, for testing purposes on my local machine. After I get everything working as it should, I'll go through and make sure I'm hashing what should be and making sure it's still correct.

Output of

print_r($_COOKIE);
echo '<br><br>';
print_r($userData);

is

Array ( [password] => d41d8cd98f00b204e9800998ecf8427e )

So obviously nothing is going on with the query, which is why there's no result for each field I'm trying to get from the DB table.

FlyingIsFun1217

FlyingIsFun1217 · July 10, 2008

New source is the following:

<?php
include('connectInfo.php');
include('createConnection.php');

$cUser = $_COOKIE['user'];
$cPassword = $_COOKIE['password'];

$sqlUser = 'SELECT user, password FROM users WHERE user="'.$cUser.'"';
$userData = mysql_fetch_array(mysql_query($sqlUser), MYSQL_ASSOC) or die('AHHHH!!!! ARRAY FETCH FAILED!!!');

if($userData['user'] == $cUser && md5($userData['password']) == $cPassword)
{
//---------------------------Correct-User-and-Password-------------------------------

//---------------------------------------------------------------------------------------------
}

else
{
	echo '<script type="text/javascript">';
	echo 'window.location = "login.html"';
	echo '</script>';
}
?>

And guess what happens? I'll check to make sure all of the connections are correct.

FlyingIsFun1217

lvtrii · July 10, 2008

Can you post the code of the page where you set the cookies?

FlyingIsFun1217 · July 10, 2008

That's whats causing the error (although indirectly). Essentially, I'm selecting from the table where user="" (since there's no user cookie). Now all I really need to do is figure out why my login action script doesn't set user but does set password:

<?php
include('connectInfo.php');
include('createConnection.php');

$user = $_POST['user'];
$password = $_POST['password'];

$sqlUser = 'SELECT user, password FROM users WHERE user="'.$user.'"';
$userData = mysql_fetch_array(mysql_query($sqlUser), MYSQL_ASSOC);

if($userData['user'] == $user)
{
	if($userData['password'] == $password)
	{
		setcookie('user', $user, time()+3600);
		setcookie('password', md5($password), time()+3600);

		echo '<script type="text/javascript">';
		echo 'window.location = "postNews.php"';
		echo '</script>';
	}

	else
	{
		echo '<script type="text/javascript">';
		echo 'window.location = "login.html"';
		echo '</script>';
	}
}

else
{
	echo '<script type="text/javascript">';
	echo 'window.location = "login.html"';
	echo '</script>';
}

include('closeConnection.php');
?>

FlyingIsFun1217

lvtrii · July 10, 2008

That is strange...

Try using:

setcookie('user', $userData['user'], time()+3600);
setcookie('password', md5($userData['password']), time()+3600);

And can I also see login.html too? Are your input names correct? e.g.

<input type="text" name="user" />
<input type="password" name="password" />

And is the form definitely using POST?

FlyingIsFun1217 · July 10, 2008

Yeah, I figured it should work (even though it doesn't).

The names are correct, I've checked. The main reason I know it's correct is that to get to the point where it sets any cookies, it's already gone through both fields and compared them to the DB table contents.

If worst comes to worst, I'll echo all the variables, and make sure that everything is being compared/outputted/whatever correctly.

FlyingIsFun1217

lvtrii · July 10, 2008

The way you're running your queries, if the username and password are both empty, then it will still get to the point where it sets the cookies, as $user and $userData['user'] will both be empty. As will the passwords.

FlyingIsFun1217 · July 10, 2008

Ok, I see what your saying. And that's exactly whats happening. Here's the login page, name values correct still

<div id="page">
<!-- start content -->
<div id="content">
<center>
<table>
	<form action="loginCheck.php">
		<tr>
			<td>User Name</td>
			<td>
			<input type="text" name="user">
			</td>
		</tr>
		<br>
		<tr>
			<td>Password</td>
			<td>
			<input type="password" name="password">
			<td>
		</tr>
		<br>
		<tr>
			<td></td>
			<td align="right">
			<input type="submit" value="Log In">
			<td>
		</tr>
	</form>
</table>
</center>
</div>
</div>

FlyingIsFun1217

FlyingIsFun1217 · July 10, 2008

Geeze, all of this because I forgot to set the form to method="post".

Ill try it and see if it works, but I'm sure it will.

FlyingIsFun1217

lvtrii · July 10, 2008

Change

<form action="loginCheck.php">

To

<form action="loginCheck.php" method="post">

And it should work

DarkWater · July 10, 2008

I thought POST was the default form method if none was selected, and if it WAS using get, he'd see it in the URL.

discomatt · July 10, 2008

I thought POST was the default form method if none was selected, and if it WAS using get, he'd see it in the URL.

Really depends if your browser interprets it that way. Regardless, you're not standards complaint if you don't have a method.

DarkWater · July 10, 2008

Oh yeah, I didn't say that he shouldn't put the method anyway, I was just saying it because I don't think adding that is going to fix his problem honestly. >_>

FlyingIsFun1217 · July 10, 2008

That sure fixed it.

Sorry for wasting your time. At least I'm keeping your sharp

FlyingIsFun1217

Sign In

[SOLVED] MySQL query not working right?

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation

Important Information