MechanicsPal Posted August 2, 2008

I am by no means new to PHP (been working with it for about 5 years or so), however, this is only my second attempt at a login system. I normally use cookies, because the sites I have worked on did not require much in the way of security. However, when approaching this project, I decided to give sessions a go around. This hasn't worked out well for me, and after poring over the code for many hours, I fail to see my mistakes. I know they are there, but am unable to see them (aren't we all sometimes?). Anyways. To the point:

    <?php
    session_start();
    $cmd = $_POST['command'];
    if ($cmd == "login") {
        // convert username and password from _POST or _SESSION
        $uname = $_POST['username'];
        $pword = md5($_POST['password']);
        // query for a user/pass match
        $result = mysql_query("select * from table where username='$uname' and password='$pword')");
        // retrieve number of rows resulted
        $num=mysql_num_rows($result);
        if($num === 1) {
            $_authUname = $uname;
            $_authPword = $pword;
            $getmpID = mysql_query("select mpID from table where username='$uname' and password='$pword')");
            $_SESSION['mpID'] = $getmpID;
            $_SESSION['user'] = $_authUname;
            $_SESSION['pass'] = $_authPword;
            $_SESSION['isloggedin'] = "1";
            echo "<a href='dashboard.php'>Go to Dashboard</a>";
        } else {
            echo "Username/Password Mismatch";
        }
    }
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    <meta http-equiv="Content-Language" content="en-us">
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
    <title></title>
    <link rel="stylesheet" href="style.css" />
    </head>
    <body>
    <center>
    <div align="center" class="login" style="width: 800px; height: auto;">
    <table border="0" width="100%">
    <tr>
    <td><img src="img/memberDashboard.png" alt="MemberDashboard Img"></td>
    </tr>
    <tr>
    <td>
    <p align="center">Please Login</p>
    <form action="index.php" method="post">
    <input type="hidden" name="command" value="login" />
    <p align="center">Username: <input type="text" name="username" size="22"><br>
    Password: <input type="password" name="password" size="22"></p>
    <p align="center">
    <input type="submit" value="Login" name="Submit"></p>
    </form>
    </td>
    </tr>
    </table>
    </div>
    </center>
    </body>
    </html>

What I am trying to do is:

1. Verify that the username and password are found in the database table
2. If verified, go ahead and process the information, and load the needed data into $_SESSION variables
3. Tell the global that the user is logged in
4. Pass the information to the page where the data is actually required.

What I am asking:

1. What do you see wrong above?
2. How do I correct it?
3. How many licks does it take to get to the center of a tootsie roll pop?
4. Is there an easier way to init the session, pull the data from the database, and then store the data retrieved in a session variable, perhaps via a function?

Any input is greatly appreciated, whether negative, positive, or otherwise.

Link to comment https://forums.phpfreaks.com/topic/117793-solved-login-script-unresponsive/

cooldude832 Posted August 2, 2008

1) Error check queries, example:

    <?php
    $q = "select * from `table` where 1=1";
    $r = mysql_query($q) or die(mysql_error()."<br /><br />".$q);
    ?>

2) What output do you get, if any?

3) How have you done PHP for 5 years without sessions or logins? That is amazing!

Andy-H Posted August 2, 2008

    $getmpID = mysql_query("select mpID from table where username='$uname' and password='$pword')");
    $_SESSION['mpID'] = $getmpID;

    //////////////////

    $q = mysql_query("SELECT mpID FROM table WHERE username='$uname' AND password='$pword'") or die(mysql_error());
    $g = mysql_fetch_row($q);
    $getmpID = $g[0];
    $_SESSION['mpID'] = $getmpID;

Andy-H Posted August 2, 2008

It would also be useful to use mysql_real_escape_string(); on data being used in queries.

Maybe also

    session_register('mpID');

    if (!session_is_registered('mpID')){
        Header("Location: dashboard.php");
    }

And in the site

    if (session_is_registered('mpID')){
        Header("Location: index.php");
    }

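
A hardened version of the login flow discussed above, as an added example that is not part of any post in this thread: it fetches the row instead of storing the query handle, binds the username as a parameter rather than escaping it, and replaces md5() with password_hash()/password_verify(). It goes beyond the fixes posted here; the `members` table name, the demo user and the in-memory SQLite database are assumptions made so the block runs on its own through PDO (the mysql_* functions used in the thread were removed in PHP 7).

```php
<?php
// Added example, not code from the thread. The table name "members", the demo
// user and the SQLite database are assumptions; the user row is constructed.
declare(strict_types=1);

/** Return the member's mpID on a username/password match, or null. */
function authenticate(PDO $db, string $username, string $password): ?int
{
    // Bound parameter: the username is sent as data, never spliced into SQL.
    $stmt = $db->prepare('SELECT mpID, password FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // fetch the row, not the result handle

    // password_verify() checks a salted password_hash() value in constant time.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['mpID'];
}

/** Store only what later pages need; never the password or its hash. */
function startUserSession(int $mpID, string $username): void
{
    session_regenerate_id(true);             // new session id at privilege change
    $_SESSION['mpID'] = $mpID;
    $_SESSION['user'] = $username;
    $_SESSION['isloggedin'] = true;
}

// --- Constructed demo data: in-memory SQLite stands in for the MySQL table ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (mpID INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$db->prepare('INSERT INTO members (username, password) VALUES (?, ?)')
   ->execute(['demo_user', password_hash('demo-password', PASSWORD_DEFAULT)]);

session_start();                             // must run before any output
foreach ([['demo_user', 'demo-password'], ['demo_user', 'wrong']] as [$u, $p]) {
    $mpID = authenticate($db, $u, $p);
    if ($mpID !== null) {
        startUserSession($mpID, $u);
        echo "login ok, mpID={$mpID}\n";
    } else {
        echo "Username/Password Mismatch\n";
    }
}
```
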
cooldude832 Posted August 2, 2008

Andy-H, session_register is a deprecated item that is no longer to be used in PHP 4. Read the note: http://us.php.net/session_register

Andy-H Posted August 2, 2008

Thanks lol, I don't know about this stuff - I'm self taught.

cooldude832 Posted August 2, 2008

"I'm self taught."

Aren't we all (or taught but php.net/phpfreaks)

Andy-H Posted August 2, 2008

Lol, I am assuming you mean "by" when you say "but". I only just found out about phpfreaks but it's taught me a lot already lol

MechanicsPal (Author) Posted August 2, 2008

Thank you all for your input. I did what you said cooldude, and didn't get any errors on output, however, I did realize that I had forgotten to utilize a variable and pull the row data out.

Thanks Andy - Now, I must go to the hospital to see if this "T" key can be un-embedded from my skull.

Also, cooldude - For five years, my focus with PHP was the ability to transfix data from a MySQL database and edit/modify variables and other dynamic data. Functions and such, I didn't touch much, as well as sessions. I was aware of the deprecation of the session_register(); function, as I had used it maybe twice, and both times on php3. But yes, I did get lost in the vast quagmire that is PHP.

Thanks Again!!

~ MechanicsPal

cooldude832 Posted August 2, 2008

Your MySQL writing after five years still looks like a new person's MySQL, FYI.

LemonInflux Posted August 2, 2008

This isn't 5 years' practice. I've been doing PHP 6 months, and I could recreate this within the first month. Surely you must've looked at other things even for a day or two? :/

cooldude832 Posted August 2, 2008

Well, I am just pointing out the * operator is a very lazy or newest person technique, since usually a table stores data for linking that isn't needed in this query. And the lack of quoting of table names with `` just seems like something you pick up after 5 years, since I picked up on it in the first few weeks.

Andy-H Posted August 4, 2008

I was told not to use the backticks :S

This topic is now archived and is closed to further replies.