rnintulsa Posted July 24, 2008

Hi all,

I have this login script that doesn't work when I replace this:

```php
$username = $_POST['username'];
$password = $_POST['password'];
```

with this:

```php
$username = mysql_real_escape_string($_POST['username'], $link);
$password = mysql_real_escape_string($_POST['password'], $link);
```

What happens when I submit is that it gives me an error that says I am not registered. But I am in the DB.

I am new to PHP and am loving learning it, but my knowledge is limited. Thanks ahead of time for explaining things out a bit for a newbie!

This is the login page:

```php
<?php
session_start();

// if username and password are set and not empty then proceed with the rest of the process
if (isset($_POST['username']) && isset($_POST['password'])
    && $_POST['username'] != '' && $_POST['password'] != '') {

    $link = mysql_connect('host', 'name', 'pw');

    // note: the array key must match the form field name exactly ('password', no trailing space)
    //$username = mysql_real_escape_string($_POST['username'], $link);
    //$password = mysql_real_escape_string($_POST['password'], $link);
    $username = $_POST['username'];
    $password = $_POST['password'];

    $db_selected = mysql_select_db('kdesign0', $link);
    if (!$db_selected) {
        echo "Connection to the database failed. Please try again later.";
        exit;
    }

    // checks for username and password in db table.
    $results = mysql_query("select * from users where username='" . $username . "' and password = '" . $password . "'", $link);
    $num_rows = mysql_num_rows($results);

    // greater than zero
    if ($num_rows > 0) {
        $_SESSION['username'] = $username;
        // redirect (exit so the rest of the page is not rendered after the header)
        header('Location: orion.php');
        exit;
    } else {
        echo 'You must be registered before you may log in.';
    }
}
?>
<html>
<body>
<div id="center_column">
<?php
include('sessions.php');
show_statement();
if (isset($_SESSION['username'])) {
    echo '<br />';
    echo 'Log ' . $_SESSION['username'] . '';
    echo '<br /><a href="logout.php">Log out</a><br />';
} else {
    echo 'Could not log you in<br />';
}
?>
<form action="login_orion.php" method="post">
<p> Name: <input type="text" name="username"/> </p>
<p> Password: <input type="password" name="password"/> </p>
<p> <input type="submit" value="Log In"/> </p>
</form>
</div>
</body>
</html>
```

This is the MySQL table:

```sql
create table users (
    id int not null auto_increment,
    username varchar(50) not null,
    password varchar(100) not null,
    authority varchar(10) not null default 'user',
    primary key (id)
);

insert into users (username, password, authority) values ('root', 'password', 'authority');
```

Also, in this table what does this line mean?

```sql
authority varchar(10) not null default 'user',
```

Thank you for your time.

Link to comment https://forums.phpfreaks.com/topic/116469-solved-why-cant-i-log-in/
cooldude832 Posted July 24, 2008

How do you know if your query is failing if you don't add the or die(mysql_error()) to your query statements???
akitchin Posted July 24, 2008

i believe it's because you must select a database BEFORE using real_escape_string(), since that function takes into account the character set of the current database. try swinging your mysql_real_escape_string() functions below the database selection, and give it another shot.

the NOT NULL specifies that the column cannot take on a null value (that is, cannot be empty). default 'user' means that the default string, in the absence of anything specified for the "authority" column on an INSERT statement, is 'user'.
rnintulsa Posted July 24, 2008 (Author)

Great! I moved it and now it works fine.

I need to know the correct place to put the or die(mysql_error()) line that you wrote about? Here?

```php
$results = mysql_query("select * from users where username='" . $username . "' and password = '" . $password . "'", $link) or die(mysql_error());
```

And thanks for the very clear explanation. I get it now!
akitchin Posted July 24, 2008

that's precisely where you would put it. just as a warning though, that's a very harsh error report. it will halt your entire script and output a non-friendly SQL error in the case that the query fails. since you're probably not too concerned about appearance, it's fine - just be wary of that fact in future if you want a nice-looking app that doesn't look like it's having a heart attack when the database doesn't play nice.
cooldude832 Posted July 24, 2008

Bigger question is why didn't that error report? Do you have error reporting on for PHP???? You can not say mysql_real_escape_string() without a current connection to a database(s) because the escaping algorithm is MySQL version dependent.

Example proper debugging structure:

```php
<?php
$q = "Select this from `that`";
// on failure, print the MySQL error together with the query that caused it
$r = mysql_query($q) or die(mysql_error() . "<br /><br />" . $q);
?>
```
cooldude832 Posted July 24, 2008

> that's precisely where you would put it. just as a warning though, that's a very harsh error report. it will halt your entire script and output a non-friendly SQL error in the case that the query fails. since you're probably not too concerned about appearance, it's fine - just be wary of that fact in future if you want a nice-looking app that doesn't look like it's having a heart attack when the database doesn't play nice.

Um, the database doesn't have a heart attack if your queries are properly sanitized and written. So the or die(mysql_error()) is always safe unless your db completely goes down (in which case your site is probably also down).
revraz Posted July 24, 2008

Now you'll want to learn to salt and hash the password.
akitchin Posted July 24, 2008

> Um, the database doesn't have a heart attack if your queries are properly sanitized and written. So the or die(mysql_error()) is always safe unless your db completely goes down (in which case your site is probably also down).

properly sanitized and written doesn't mean the query will never fail. databases go down all the time without the site itself going down - they're two entirely different servers, so they can (and often do) fail independently. that's why for a professional-looking application, you want to handle error reporting yourself so that even when the database does fail, you can say so nicely and not give your clients ulcers about what the issue is. even if the MySQL error makes sense to you when the script halts, all a client will see is "NOT WORKING AND FUBAR."

as for why it didn't report an error, it's because the query wasn't syntactically incorrect. it would have run as:

```sql
SELECT * FROM foo WHERE username=''
```

which is a perfectly legal query, it just won't return any results.

finally, the OP DID have a current connection to MySQL. what he HADN'T done before using real_escape_string() was select a database, which is a separate step altogether.
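The two points raised in this thread so far (escape only after the connection and database/charset are fully set up, and handle query failures yourself instead of `or die(mysql_error())`) are easiest to see side by side in code. The following is an added example, not code from the thread or from any of its posters. It rewrites the login lookup from the original post with PDO prepared statements, so the value is never concatenated into the SQL and there is no escaping step to order correctly, and it turns database failures into a logged exception plus a friendly message. It uses an in-memory SQLite database so it runs offline; the DSN, the sample user "O'Brien" and the `PLACEHOLDER_HASH` value are all constructed for the example, and the `CREATE TABLE` is written in SQLite dialect (`AUTOINCREMENT`) rather than the thread's MySQL DDL.

```php
<?php
// Added example (not from the thread): the login lookup from the original post,
// rewritten with PDO prepared statements and explicit error handling.
// Uses an in-memory SQLite database so it runs offline; swap the DSN for
// 'mysql:host=...;dbname=kdesign0;charset=utf8mb4' to target MySQL.
declare(strict_types=1);

function connect(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    // ERRMODE_EXCEPTION replaces "or die(mysql_error())": a failed query
    // throws a PDOException that the caller can catch and report politely.
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function find_user(PDO $db, string $username): ?array
{
    // The username is bound as a parameter, never concatenated into the SQL,
    // so a quote in it ("O'Brien") cannot change the query's structure and
    // there is no escape call whose ordering relative to select_db matters.
    $stmt = $db->prepare(
        'SELECT id, username, password, authority FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

function attempt_login(PDO $db, string $username): string
{
    try {
        $user = find_user($db, $username);
    } catch (PDOException $e) {
        // Detail goes to the server log for the developer; the browser gets a
        // generic message instead of a raw SQL error and a halted page.
        error_log('login query failed: ' . $e->getMessage());
        return 'Login is temporarily unavailable. Please try again later.';
    }
    if ($user === null) {
        return 'You must be registered before you may log in.';
    }
    // Escape on output so a username cannot inject HTML into the page.
    return 'Welcome, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
}

// Constructed sample data mirroring the thread's table. The password column
// holds a placeholder here; it should hold a password hash, never plain text.
$db = connect('sqlite::memory:');
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username VARCHAR(50) NOT NULL,
    password VARCHAR(100) NOT NULL,
    authority VARCHAR(10) NOT NULL DEFAULT \'user\'
)');
$db->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
   ->execute(["O'Brien", 'PLACEHOLDER_HASH']);

echo attempt_login($db, "O'Brien"), "\n";
echo attempt_login($db, 'nobody'), "\n";
```

If you stay with the mysqli extension instead of PDO, the same ordering rule from this thread applies to `mysqli_real_escape_string($link, $value)`: call it only after `mysqli_connect()` and `mysqli_set_charset()`, because the escaping depends on the connection's character set. Prepared statements (`mysqli_prepare()` / `bind_param()`) remove that dependency altogether, which is why they are the preferred fix rather than escaping.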
cooldude832 Posted July 24, 2008

Still, if you fail to open a DB connection any errors down the page aren't gonna matter because your site is down, in my opinion.
rnintulsa Posted July 24, 2008 (Author)

Ok guys, now I'm a bit confused. There is a difference of opinion and I am learning as I read. Thanks.

akitchin - Are you saying that to use the "or die" is harsh and take it back out because if my script is written right I can give my own error message that will be softer on the user?

cooldude832 - would that error reporting be in the phpinfo file? this line?

```
display_errors On On
```

This is a mysql db, not mysqli. I didn't really understand the code you sent me. Sorry. I am very new to programming.

revraz - what is salt and hash? Did I show my password?

thank you all!
revraz Posted July 24, 2008

Your password is in plain text in your DB, right?

And just because you don't make a connection to your DB doesn't mean your site is down.
akitchin Posted July 24, 2008

leave or die() in - it's a very useful tool, and will help you diagnose big errors instantly. if you don't have clients paying you for the work, and don't have a lot of users who are paying to use the system, i wouldn't worry about implementing your own error handling. that is something that comes farther down the road, once you've mastered the basics of running a working application.

error reporting and display errors are two different settings. the former dictates what LEVEL of errors are reported, while the latter dictates whether errors are reported at all. you can adjust the error reporting level at will, but i'd suggest always leaving display_errors on (although on most shared hosts, this isn't a changeable setting anyway).

the code that cooldude sent you isn't really useful - your current application code looks good (and in fact already applies the or die() clause).

salting and hashing are a method for encrypting passwords. while you didn't show us your password, it's more for the end users on your site - you should be storing the passwords themselves as a hash (a common encryption method is MD5) instead of the plain text. that way, if someone breaks into your database, they can't see any of the actual passwords. while they have access to your database anyway, the passwords the users have might be in use on other sites, and pose a risk to them if they're discovered.

edit: revraz is on the case for it. also, i agree with revraz - there's always static info on a website that's useful to see, no point killing the website simply because a db connection can't be made.
cooldude832 Posted July 24, 2008

Different in design structure, which I can respect. I build very heavy in the database and light on the static. My static is usually the queries to get the data (CMS built in the database, so there is no structural site without the db).
rnintulsa Posted July 24, 2008 (Author)

Thanks again for the great explanations. I get the difference between error reporting and display_errors now.

My site only has one small login section and the rest is static. So now I understand that things can be done differently in cases the other way around. More knowledge!

Actually, I am going to have to change the code later to allow 15 companies access to their own page with files on it. But for now I am trying to learn this first. So far so good. Only one company needs access.

Thanks for the heads up revraz, it turns out that that table was my original one that was on my local machine. So I'm safe. But how do I salt and hash (encrypt)? When I enter my password in the password field it doesn't actually show the text, but the dots instead. Is that what you meant?
akitchin Posted July 24, 2008

salting/hashing basically means encrypting your passwords. what that means is you pass it through a hidden, pre-determined algorithm and store the result. that way, if someone looks at the password as it's stored in the database, they won't know what the REAL password is, only what the transformation is. as i mentioned, a common hashing algorithm used is MD5. to compare them, MD5 the input, and compare against the stored password hash for the corresponding user.
cooldude832 Posted July 24, 2008

just remember md5() is a one-way ticket, so if you hash you can't recover, you can only replace.
akitchin Posted July 24, 2008

that's the point of the algorithm - if it was two-way, what would stop a data thief from simply passing the hashes through the MD5 inverse?
cooldude832 Posted July 24, 2008

http://us2.php.net/mcrypt
rnintulsa Posted July 25, 2008 (Author)

Thanks again. This forum is great. Learning so much.
.josh Posted July 25, 2008

actually md5() isn't really considered secure anymore, as there are tons of hash tables out there that people can use to just brute force the password. You should at least use a salted sha1().
GingerRobot Posted July 25, 2008

> actually md5() isn't really considered secure anymore, as there are tons of hash tables out there that people can use to just brute force the password. You should at least use a salted sha1().

A salted md5() renders rainbow tables useless in just the same way salting sha1() does. Sure, md5() has been shown to have vulnerabilities, but the existence of rainbow tables isn't one of them with a salt.
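The salting discussion in the last several posts (store a hash rather than the password, compare by hashing the input, and add a per-user salt so precomputed tables are useless) can be shown concretely. The following is an added example, not code from the thread or from any of its posters. It first implements the hand-rolled scheme the posts describe (random per-user salt plus `sha1()`), which is enough to see why two users with the same password end up with different stored values, and then shows `password_hash()` / `password_verify()`, which is what a current PHP application should use: it picks a slow, salted algorithm (bcrypt by default) and stores the salt inside the result. The user names and the password `correct horse` are constructed for the demo.

```php
<?php
// Added example (not from the thread): salted hashing as discussed above,
// first in the hand-rolled form the posts describe, then with PHP's built-in
// password_hash()/password_verify().
declare(strict_types=1);

// --- Hand-rolled salted hash: illustrates the mechanism -------------------
function make_salt(): string
{
    // 16 random bytes, hex-encoded: a fresh, unpredictable salt per user.
    return bin2hex(random_bytes(16));
}

function salted_sha1(string $password, string $salt): string
{
    // The salt is mixed in before hashing, so an attacker with the table
    // cannot look the digest up in a precomputed sha1(password) list.
    return sha1($salt . $password);
}

function check_salted_sha1(string $password, string $salt, string $stored): bool
{
    // hash_equals() compares in constant time, so a wrong guess does not
    // leak how many leading characters matched through response timing.
    return hash_equals($stored, salted_sha1($password, $salt));
}

// --- Recommended: password_hash(): salt, cost and algorithm handled for you --
function store_password(string $password): string
{
    // Returns a self-describing string ("$2y$10$...") containing algorithm,
    // cost factor and salt; store this whole string in the password column.
    return password_hash($password, PASSWORD_DEFAULT);
}

function verify_password(string $password, string $stored): bool
{
    // Re-hashes the input with the salt and cost embedded in $stored and
    // compares in constant time.
    return password_verify($password, $stored);
}

// Constructed demo: two users who happened to choose the same password.
$alice = ['salt' => make_salt()];
$bob   = ['salt' => make_salt()];
$alice['hash'] = salted_sha1('correct horse', $alice['salt']);
$bob['hash']   = salted_sha1('correct horse', $bob['salt']);

var_dump($alice['hash'] !== $bob['hash']);
var_dump(check_salted_sha1('correct horse', $alice['salt'], $alice['hash']));
var_dump(check_salted_sha1('wrong guess', $alice['salt'], $alice['hash']));

$stored = store_password('correct horse');
var_dump(verify_password('correct horse', $stored));
var_dump(verify_password('wrong guess', $stored));
```

Running it shows the first three checks as `true`, `true`, `false` (different digests for the same password, the right password verifies, the wrong one does not) and the `password_verify()` pair as `true`, `false`. The reason to prefer `password_hash()` over salted md5/sha1 is the point GingerRobot's post hints at: the salt defeats rainbow tables, but md5 and sha1 are fast by design, so an attacker who steals the table can still try a very large number of guesses per second against each salted hash. bcrypt's tunable cost makes every guess expensive, for the attacker as much as for the login page. For the thread's schema the `password varchar(100)` column is wide enough for a bcrypt string (60 characters), so the only change needed is to store `store_password($password)` on registration and replace the `and password = '...'` clause in the login query with a `verify_password()` call on the fetched row.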