[SOLVED] help with login php script and forms

[rockindano30]

Hi everyone,

 

i am working on a app. for a client. now i have my login.php page with a simple form. this page calls my validation2.php page and then validation2 page calls my update page.

 

now when i type in the user name and password, my validation page displays my error that i have:

 

"invalid username and password. login first"

 

but if i hit go back on my browser and refresh the page and retype the info, it logs me in. i typed my info in correctly. but seems that the first time that i run it it doesn't finds anything in the mysql table users, so when i go back and refresh and retype it finds it in the table and continues with the update form.??? ??? ???

 

i will be including my files here:

 

login.php

  <form method="post" action="validate2.php">
    User Name:<Br />
      <input name="user_name" type="text" value=" " size="15" maxlength="25" /><br /><br />
      Password:<br />
  <input name="psswrd" type="password" value="" size="15" maxlength="25" /><br /><br />
      <input name="submit" type="submit" value="Login" />
</form>

 

validate2.php

			<?php 
			if(!isset($_POST["user_name"]) || !isset($_POST["psswrd"]))
			die("invalid operation");
			$goback = "<br /><br />Please <a href=\"login.php\">go back</a> and try again.";

			//print "$_POST[\"user_name\"]<br />";
			if(empty($_POST["user_name"])) die("<br />The email field cannot be left blank.");
			if(empty($_POST["psswrd"])) die("<br />The Password field cannot be left blank");
			$user_name = $_POST["user_name"];
			$psswrd = md5(trim($_POST["psswrd"]));

			if (!($db = mysql_connect('localhost','user_db','db_password')))
			{
				print"Error: could not connect to the database.";
				exit;
			}
			mysql_select_db(test);

//$query = "SELECT * FROM users WHERE user_name='{$_POST['user_name']}' AND psswrd='{$_POST['psswrd']}'";
			$query = "SELECT * FROM users WHERE user_name = '{$user_name}' AND psswrd = '{$psswrd}'";
			$result = mysql_query($query);

			if(mysql_num_rows($result)==0)
			die("<br />Invalid email or passwordmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm!<br />{$goback}");

			$row = @ mysql_fetch_array($result);
			session_start();
			$_SESSION["user_id"]=$row["user_id"];
			$_SESSION["ip_addr"]=$_SERVER["REMOTE_ADDR"];
			$_SESSION["user_name"]=$row["user_name"];
			header("LOCATION: update.php");
		?>

[craygo]

I would try clearing your temp internet files and private cache. Seems like the original page has been cached. If you have changed the input field names they may be cached in the original names which is why it works when you refresh the page.

 

i am just throwing this out there since your code looks fine and does work.

 

Ray

[rockindano30]

thank you let me try that and see if it works.

 

[MiCR0]

& your code has a number of vulnerabilities..

 

$_POST["user_name"]

$_POST["psswrd"]

there is no validation security..

[rockindano30]

MiCR0

 

how could i fix my code for that?

[rockindano30]

well craygo i did your steps and still same thing???

[craygo]

can use mysql_real_escape_string() to prepare the data.

[craygo]

One thing you may want to do is not suppress error reporting until all your code is set

 

			<?php
			if(!isset($_POST["user_name"]) || !isset($_POST["psswrd"]))
			die("invalid operation");
			$goback = "<br /><br />Please <a href=\"login.php\">go back</a> and try again.";
			if (!$db = mysql_connect('localhost','user_db','db_password'))
			{
				print"Error: could not connect to the database.<br>".mysql_error();
				exit;
			}
			@mysql_select_db('test') or die(mysql_error());  // unless your database name is test, you should change this. and if it is put it in quotes

			//print "$_POST[\"user_name\"]<br />";
			if(empty($_POST["user_name"])) die("<br />The email field cannot be left blank.");
			if(empty($_POST["psswrd"])) die("<br />The Password field cannot be left blank");
			$user_name = mysql_real_escape_string($_POST["user_name"]);
			$psswrd = md5(trim($_POST["psswrd"]));

        //$query = "SELECT * FROM users WHERE user_name='{$_POST['user_name']}' AND psswrd='{$_POST['psswrd']}'";
			$query = "SELECT * FROM `users` WHERE `user_name` = '{$user_name}' AND psswrd = '{$psswrd}'";
			$result = mysql_query($query) or die(mysql_error());

			if(mysql_num_rows($result) == 0)
			die("<br />Invalid email or passwordmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm!<br />{$goback}");

			$row = mysql_fetch_array($result);
			session_start();
			$_SESSION["user_id"]=$row["user_id"];
			$_SESSION["ip_addr"]=$_SERVER["REMOTE_ADDR"];
			$_SESSION["user_name"]=$row["user_name"];
			header("LOCATION: update.php");
		?>

 

Ray

[rockindano30]

huh? what do you mean. sorry for being a nubbie

[rockindano30]

anybody know of a good tutorial for that? or guide me to a tut?

[craygo]

you want to use php's error checking to get your code working correctly. Above I added some error checking to try and narrow things down for you

[rockindano30]

oh i c. thank you

[rockindano30]

well don't know what it was but changed my login.php file to a login.html file and seems to be working just fine. thank you craygo for all your help and advise.