ballouta Posted January 20, 2009

Hi, I have this login code, and I couldn't find the cause of my problem. When I enter a wrong username or password, the user control panel appears where it should display: Incorrect Username or Password

Where's the bug? Thank you

<?php
if($_POST){
    $tem1 = trim($_POST["user"]);
    $tem2 = trim($_POST["pass"]);
    //check if this username and password match
    $result=mysql_query("select * from `members` where `user` ='$tem1' AND `pass` COLLATE latin1_bin ='$tem2' AND `blk` = 'N' ");
    $row = mysql_fetch_array($result);
    if (mysql_num_rows($result) > 0) {
        $_SESSION['username'] = $tem1;
        $_SESSION['pass'] = $tem2;
    } else {
    }
}
//If a user returns from a subpage to login page
$result=mysql_query("select * from `members` where `user` ='" . $_SESSION['username'] . "' AND `pass` COLLATE latin1_bin ='" . $_SESSION['pass'] . "' AND `blk` = 'N' ");
$row = mysql_fetch_array($result);
if (mysql_num_rows($result) > 0) {
    //here my code (the user control panel)
} else {
    echo "Incorrect Username or Password ";
}
?>

haku Posted January 20, 2009

You have a few problems. First, you are checking:

if($_POST)

This will always evaluate to true after the form has been submitted. The error you want to use (user doesn't exist) will only be displayed on pages where the form has not been submitted. Finally, in the if statement where you are checking to see if the user exists, you have nothing at all in the 'else' part of that statement. This is where you want to put the code that the user doesn't exist.

ratcateme Posted January 20, 2009

You are also leaving yourself open to injections. If someone can get an active username, they could log in with a password like

' OR ''=''

If you use mysql_real_escape_string() in the input data you can prevent this.

Scott.

ballouta Posted January 20, 2009

Thanks haku and ratcateme for those important security-related notes.

I have a login.php page; it shows some options for the logged-in members. The user may navigate to a subpage and return back to login.php. Of course you understand what I mean: the first time, the user is going to log in (form submit), and when the user wants to return to the login.php page, he will not sign in again.

Is it possible to fix my code?
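
Added example (not code from any poster in this thread): the posted query built by concatenation next to a parameterized version, run against the password ratcateme quotes, plus a login flow that checks credentials only on form submission and keeps just the user name in the session. It uses PDO prepared statements in place of mysql_real_escape_string(), since the mysql_* extension was removed in PHP 7. Assumptions: PHP 8 with the pdo_sqlite driver; the in-memory table, its single row and all function names are constructed for illustration.

```php
<?php
// Constructed in-memory SQLite table standing in for the thread's `members` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE `members` (`user` TEXT, `pass` TEXT, `blk` TEXT)");
$pdo->exec("INSERT INTO `members` VALUES ('alice', 's3cret', 'N')"); // constructed row

// Same construction as the posted code: input is pasted into the SQL text,
// so a quote in the password changes the structure of the WHERE clause.
function check_concat(PDO $pdo, string $user, string $pass): bool {
    $sql = "SELECT * FROM `members` WHERE `user` ='$user' AND `pass` ='$pass' AND `blk` = 'N'";
    return $pdo->query($sql)->fetch() !== false;
}

// Hardened: placeholders send the values separately from the SQL text.
function check_prepared(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare("SELECT 1 FROM `members` WHERE `user` = ? AND `pass` = ? AND `blk` = 'N'");
    $stmt->execute([$user, $pass]);
    return $stmt->fetch() !== false;
}

// Login flow: verify only when the form was submitted, report failure in that
// branch, and remember the user name alone (never the password) in the session.
function handle_request(PDO $pdo, array $post, array &$session): string {
    if (isset($post['user'], $post['pass'])) {
        $user = trim($post['user']);
        if (!check_prepared($pdo, $user, trim($post['pass']))) {
            unset($session['username']);
            return "Incorrect Username or Password";
        }
        $session['username'] = $user;
    }
    // Reached on a fresh visit or when returning from a subpage.
    return isset($session['username']) ? "control panel" : "login form";
}

$payload = "' OR ''=''"; // the password quoted in the reply above
var_dump(check_concat($pdo, 'alice', $payload));   // concatenated query
var_dump(check_prepared($pdo, 'alice', $payload)); // parameterized query
var_dump(check_prepared($pdo, 'alice', 's3cret')); // genuine credentials

$session = []; // stands in for $_SESSION after session_start()
echo handle_request($pdo, ['user' => 'alice', 'pass' => 'wrong'], $session), "\n";
echo handle_request($pdo, ['user' => 'alice', 'pass' => 's3cret'], $session), "\n";
echo handle_request($pdo, [], $session), "\n"; // returning from a subpage
```

In a real page, handle_request() would receive $_POST and $_SESSION after session_start().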
This topic is now archived and is closed to further replies.