Jump to content

Recommended Posts

Hi Guys,

 

For some reason my login script does not check the values in the database for a match and simply logs you in regardless of what you type in the username and password fields.

 

Any help would be great.

 

 

Here is the code

<?PHP
// Send nothing to the Web Browser until the Session_start() Line.
// Check if the form has been submitted.
if (isset($_POST['submitted'])) {

require_once ('xxxxxxxxxx'); // Connect to the database.

$errors = array(); // Initialise Error Array.

// Check for a UserName.
if(empty($_POST['UserName'])) {
	$errors[] = '<p>You forgot to enter a User Name.</p>';
} else {
	$u = ($_POST['UserName']);
}

//Check for a Password.
if (empty($_POST['Password'])) {
	$errors[] = '<p>You forgot to enter a Password</p>';
} else {
	$p = ($_POST['Password']);
}

if (empty($errors)) { // If everything's OK.

// Retrieve the UserID and UserName for login combination.
$query = "SELECT UserID FROM Users WHERE UserName='$u' AND Password=SHA('$p')";
$result = @mysql_query ($query);
$row = mysql_fetch_array ($result, MYSQL_NUM);

if ($row)) { // A record was pulled from the database.

//Start the session for this user.
session_start();
$_SESSION['UserID'] = $row[0];
$_SESSION['UserName'] = $row[1];
}
//Redirect the user to the admin home panel.
if (!headers_sent()) {
	header ('Location: index.html');
exit(); // Quit the script.
} else { // No record matched the query.
$errors[] = 'The User Name and Password entered do not match our records.';
$errors[] = mysql_error() . '<br /><br />Query: ' . $query;
}
}
mysql_close(); // Close the database connection.
} else { // Form has not been submitted.
$errors = NULL;
} // End of the main submit conditional.
// Begin the page.
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title></title>
<link href="css/styles2.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="wrapper">
<div id="header">
</div>
<div id="right_column">
<?PHP
if (!empty($errors)) { // Print any error messages.
echo '<h1>Error!</h1>
<p>The following error(s) occurred:<br />';
foreach ($errors as $msg) {
	echo " - $msg<br />\n";
}
echo '</p><p>Please try again.</p>';
}
// Create the form.
?><br /><br />
<div align="center"><h2>Login</h2></div>
<form id="form" action="login.php" method="post">
<p>Username: <input type="text" name="UserName" size="10" maxlength="10" class="textarea" /></p><br />
<p>Password: <input type="password" name="Password" size="10" maxlength="10" class="password"/></p><br />
<p><input type="submit" name="submit" value="Login"  class="button"/></p><br />
<input type="hidden" name="submitted" value="TRUE" />
</form>
</div>

Link to comment
https://forums.phpfreaks.com/topic/125304-login-page-does-not-check-db-values/
Share on other sites

	
$row = mysql_fetch_array ($result, MYSQL_NUM);

if ($row)) { // A record was pulled from the database.

//Start the session for this user.

session_start();
$_SESSION['UserID']  = $row[0];
$_SESSION['UserName'] = $row[1];
}

I think your problem is within these lines... but I cant put my finger on it.

Trouble shoot please./ disable your redirect for a moment and echo $u, $p, $row[0], and $row[1]

if they are all working properly, than I'll keep looking into your code, other wise maybe we can rework the syntax to get what you want.

Does the query error tell you anything? like does it have a excerpt from the syntax or the SQL? Can't think of whether it will or not, but worth asking.

Any way, try

$query = "SELECT UserID FROM Users WHERE UserName='".$u."' AND Password='".SHA($p)."'";

LOL, or what the other guy beat me too. I didn't know you could SHA with SQL... let me know who's works. (if either)

That might actually do the trick... but i'm not that great at the whole sql thing yet.

Hi Guys,

 

 

Thanks for all your efforts but whilst I have changed the query and I am getting no syntax errors, it still is logging me in under any username passwords. I must admit I am very new to PHP and knowing where to echo out the values and error reporting isnt my strongest point. Maybe you could guide in this area and I will be able to find out if there are errors anywhere else.

 

 

Cheers Danny

Sure, for error reporting put this in.  It will show errors only for the session.

 

// Send nothing to the Web Browser until the Session_start() Line.
// Check if the form has been submitted.

error_reporting(E_ALL);
ini_set('error_reporting', E_ALL);

if (isset($_POST['submitted'])) {

 

Let us know what errors you get.

I don't get a single error?????????????

 

I think I am just going to re-write this code because I cannot understand what is wrong with it.

 

When I log in, it directs to the index page. Even if the username and password are completely bogus.

I really dont understand it.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.