Kudosarian (posted January 31, 2009):

Hi folks.

I have been trying to create a simple login page for users to access restricted parts of my website. But I am having real problems with the code as I am a PHP newbie!!

The webpage with the login table is displayed and allows me to enter a username and password; however, when I hit login, the page is just refreshed instead of being redirected.

Grateful if someone could have a look at the code and flag up any obvious errors that I have missed (probably something really silly!!!).

Thanks
Kudosarian

```php
<?php
session_start();

$server = "*****";
$db_username = "*****";
$db_password = "*****";
$db_name = "*****";

$db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!");
mysql_select_db($db_name,$db) or die("Database name not available !!");

//// Login Section.
$Login=$_POST['Login'];
if($Login){ // If clicked on Login button.
$username=$_POST['username'];
$md5_password=md5($_POST['password']); // Encrypt password with md5() function.
}

// Construct and run query.
$result=mysql_query("select * from users where username='$username' and password='$md5_password'");
if(mysql_num_rows($result)!='0'){ // If match.
session_register("username"); // Create session username.
header("location: index.php"); // Re-direct to main.php
}else{ // If not match.
$message="--- Incorrect Username or Password ---";
}
?>
<h1>login</h1>
<p>please enter the your username and password to login....</p>
<form id="form1" name="form1" method="post" action="<? echo $PHP_SELF; ?>">
<table>
<tr>
<td>Username : </td>
<td><input name="username" type="text" id="username" /></td>
</tr>
<tr>
<td>Password : </td>
<td><input name="password" type="password" id="password" /></td>
</tr>
</table>
<input name="Login" type="submit" id="Login" value="Login" />
</form>
</body>
</html>
```
Snart (posted January 31, 2009):

At first sight, I'd say that your username and password aren't valid, so the following code is executed which stores a variable but doesn't display anything:

```php
}else{ // If not match.
$message="--- Incorrect Username or Password ---";
}
```

On a side note, be careful how you handle the POST variables. MySQL injection could be a serious security issue here.
Chicken Little (posted January 31, 2009):

Does the users table exist? Add the following to the $result query

```php
or die(mysql_error());
```

If it does, it will need the username and password so you can login.

Also, try changing

```php
if(mysql_num_rows($result)!='0'){
```

to

```php
if(mysql_num_rows($result) > '0'){
```

and in the form action change to

```php
<?php $_SERVER['PHP_SELF']; ?>
```
Orionsbelter (posted January 31, 2009):

add the escape string to stop injection
Kudosarian (posted January 31, 2009):

Thanks for the comments Snart and Chicken Little and blmg911.

I have made the changes you have suggested Chicken, but the page continues to refresh on "login". Oh, yes the users table does indeed exist.

Not sure if it matters, but I am accessing a database from an online server. I have tried and tested my connection and it is working fine.

Not sure why username and password would not be valid Snart - perhaps you could explain?

blmg911 - could you explain the escape string to me and point out where to put it?

Thanks
Appreciate any other help
Kudosarian
Orionsbelter (posted January 31, 2009):

it should be put on all $_POSTs such as your $username like

```php
$username=mysql_real_escape_string($_POST['username']);
```

you can just stick this coding at the top of the page

```php
///////////////////////// Security coding Supplied by blmg911
mysql_real_escape_string($_GET);
mysql_real_escape_string($_POST);
///////////////////////////////////////////////////////////////////////////////////////
```
Kudosarian (posted January 31, 2009):

Thanks blmg911. I've added your code to my page.

K
Orionsbelter (posted January 31, 2009):

try this please

```php
<?php
session_start();

$server = "*****";
$db_username = "*****";
$db_password = "*****";
$db_name = "*****";

$db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!");
mysql_select_db($db_name,$db) or die("Database name not available !!");

//// Login Section.
if($_POST['Login']){ // If clicked on Login button.
$username=$_POST['username'];
$md5_password=md5($_POST['password']); // Encrypt password with md5() function.
}

// Construct and run query.
$result=mysql_query("SELECT * FROM users WHERE username='$username' AND password='$md5_password'");
$result=mysql_num_rows($result);
if($result!=='0'){ // If match.
session_register("username"); // Create session username.
header("location: index.php"); // Re-direct to main.php
}elseif($result=='0'){ // If not match.
$message="--- Incorrect Username or Password ---";
echo"$message";
}
?>
<h1>login</h1>
<p>please enter the your username and password to login....</p>
<form id="form1" name="form1" method="post" action="">
<table>
<tr>
<td>Username : </td>
<td><input name="username" type="text" id="username" /></td>
</tr>
<tr>
<td>Password : </td>
<td><input name="password" type="password" id="password" /></td>
</tr>
</table>
<input name="Login" type="submit" id="Login" value="Login" />
</form>
</body>
</html>
```
premiso (posted January 31, 2009):

> you can just stick this coding at the top of the page
>
> ```php
> ///////////////////////// Security coding Supplied by blmg911
> mysql_real_escape_string($_GET);
> mysql_real_escape_string($_POST);
> ///////////////////////////////////////////////////////////////////////////////////////
> ```

You can huh?

mysql_real_escape_string

```
string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )
```

Looks to me like you can only put a string into that function. You could instead call array_walk_recursive on the array and the mysql function.
Orionsbelter (posted January 31, 2009):

i tested it and it fully works thank you for your input
premiso (posted January 31, 2009):

> i tested it and it fully works thank you for your input

Must be a setting on your machine. When I run it:

```
Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in C:\wamp\ww\test.php on line 3
array(2) {
  ["test"]=>
  string(4) "asdf"
  ["test2"]=>
  string(8) "sdf'sdf'"
}
```

For the code:

```php
<?php
mysql_connect("localhost", "", "");
mysql_real_escape_string($_GET);
var_dump($_GET);
die();
?>
```

Just because it "works" for you does not mean that is the standard or will work for everyone else. It sounds like you have some custom PHP or extension/mod in there or something else that handles it.

EDIT: I would do a var_dump on your array; my bet is you have display_errors turned off and none of your data is getting escaped, but you think it is. And if it is getting escaped, perhaps you have magic_quotes on. If neither, then yeah, the custom code statement is the most likely reason.
Kudosarian (posted January 31, 2009):

OK, I tested your new code blmg911 and I get the same result: the page merely refreshes.

For reference, here is the current code including suggested changes:

Kudosarian

```php
<?php
///////////////////////// Security coding Supplied by blmg911
mysql_real_escape_string($_GET);
mysql_real_escape_string($_POST);
///////////////////////////////////////////////////////////////////////////////////////
session_start();

$server = "*****";
$db_username = "*****";
$db_password = "*****";
$db_name = "*****";

$db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!");
mysql_select_db($db_name,$db) or die("Database name not available !!");

//// Login Section.
if($_POST['Login']){ // If clicked on Login button.
$username=$_POST['username'];
$md5_password=md5($_POST['password']); // Encrypt password with md5() function.
}

// Construct and run query.
$result=mysql_query("SELECT * FROM users WHERE username='$username' AND password='$md5_password'");
$result=mysql_num_rows($result);
if($result!=='0'){ // If match.
session_register("username"); // Create session username.
header("location: index.php"); // Re-direct to main.php
}elseif($result=='0'){ // If not match.
$message="--- Incorrect Username or Password ---";
echo"$message";
}
?>
<h1>login</h1>
<p>please enter the your username and password to login....</p>
<form id="form1" name="form1" method="post" action="<?php $_SERVER['PHP_SELF']; ?>">
<table>
<tr>
<td>Username : </td>
<td><input name="username" type="text" id="username" /></td>
</tr>
<tr>
<td>Password : </td>
<td><input name="password" type="password" id="password" /></td>
</tr>
</table>
<input name="Login" type="submit" id="Login" value="Login" />
</form>
```
premiso (posted January 31, 2009):

Please use the [.code] [./code] tags around your code (no initial period).

As far as why it does not work, well here is a cleaned up version of the code:

```php
<?php
/* This is bad code, remove please. Not to mention this is before the mysql_db is connected
mysql_real_escape_string($_GET);
mysql_real_escape_string($_POST);
*/
session_start();

$server = "*****";
$db_username = "*****";
$db_password = "*****";
$db_name = "*****";

$db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!");
mysql_select_db($db_name,$db) or die("Database name not available !!");

// lets filter the post data:
array_walk_recursive($_POST, 'mysql_real_escape_string');

//// Login Section.
if($_POST['Login']){ // If clicked on Login button.
    $username=trim($_POST['username']);
    $md5_password=md5(trim($_POST['password'])); // Encrypt password with md5() function.
}

// Construct and run query.
$result=mysql_query("SELECT * FROM users WHERE username='$username' AND password='$md5_password' LIMIT 1");
$result=mysql_num_rows($result);
if($result > 0){
    $_SESSION['username'] = $_POST['username']; // session_register is deprecated
    header("location: index.php"); // Re-direct to main.php
}else { // else is just fine here
    $message="--- Incorrect Username or Password ---";
    echo"$message";
}
?>
```

Now, if the password that is md5 was inserted without mysql_real_escape_string you could have a problem implementing that if it contained any characters that were escaped. I also added trim to trim the data, in case that is throwing it off. Also session_register is deprecated now, use the $_SESSION['username'] format instead.

The form looks fine, no need to post that part again. Run the code I posted above and see how it works.
Kudosarian (posted January 31, 2009):

Hi Premiso, and welcome to the chat.

I tried out your code, and I seem to get the "Incorrect Username or Password" message at the top of my page before I try and login.

Kudosarian
premiso (posted January 31, 2009):

> Hi Premiso, and welcome to the chat.
>
> I tried out your code, and I seem to get the "Incorrect Username or Password" message at the top of my page before I try and login.
>
> Kudosarian

Then your answer is simple. I would recreate the user data and verify that you are inputting it properly and do that check. The username and password are not matching in the DB. The logic above is fine, at this point it is your data in mysql that is messing up.

Check your password field that it is at least a varchar(32), also check that you are using the mysql_real_escape_string on both the password and username when inserting as that will throw it off and that you are using trim on that data also.
Kudosarian (posted January 31, 2009):

I'm not 100% sure that I follow you Premiso. The message appears when I load the login page. How can the username and password be incorrect when I have yet to enter them?

I checked the DB and revised the password field to varchar(32).

When you say "check that I am using the mysql_real_escape_string() on both the password and username when inserting as that will throw it off and that you are using trim() on that data also", silly question, but how do I do this?

Kudos (the newbie)
premiso (posted January 31, 2009):

> I'm not 100% sure that I follow you Premiso. The message appears when I load the login page. How can the username and password be incorrect when I have yet to enter them?
>
> I checked the DB and revised the password field to varchar(32).
>
> When you say "check that I am using the mysql_real_escape_string() on both the password and username when inserting as that will throw it off and that you are using trim() on that data also", silly question, but how do I do this?
>
> Kudos (the newbie)

So you have no data in the DB? If not then that is why it returns false. If you do not post any data to the form, that is also the same reason why.

You need actual test data to test it, or else it will always return false like it should.
Kudosarian (posted January 31, 2009):

No no, you misunderstand. There is data in the table for me to test. But with the code you provided, when I navigate to the login page, the error message is already on the screen.

Therefore if a visitor goes to the login page to enter his/her username and password, they are faced with the error message that they have entered an invalid username or password before they have even pressed a key.

Does that make sense??

K
Orionsbelter (posted January 31, 2009):

he means it echos without even filling in the form and pressing login
Orionsbelter (posted January 31, 2009):

```php
<?php
session_start();

$server = "*****";
$db_username = "*****";
$db_password = "*****";
$db_name = "*****";

$db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!");
mysql_select_db($db_name,$db) or die("Database name not available !!");

// lets filter the post data:
array_walk_recursive($_POST, 'mysql_real_escape_string');

//// Login Section.
if($_POST['Login']){ // If clicked on Login button.
$username=trim($_POST['username']);
$md5_password=md5(trim($_POST['password'])); // Encrypt password with md5() function.

// Construct and run query.
$result=mysql_query("SELECT * FROM users WHERE username='$username' AND password='$md5_password' LIMIT 1");
$result=mysql_num_rows($result);
if($result > 0){
$_SESSION['username'] = $_POST['username']; // session_register is deprecated
header("location: index.php"); // Re-direct to main.php
}else { // else is just fine here
$message="--- Incorrect Username or Password ---";
echo"$message";
}}
?>
```

that should work, try it please
premiso (posted January 31, 2009):

Yep.

```php
<?php
session_start();

if (isset($_POST)) {
    $server = "*****";
    $db_username = "*****";
    $db_password = "*****";
    $db_name = "*****";

    $db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!");
    mysql_select_db($db_name,$db) or die("Database name not available !!");

    // lets filter the post data:
    array_walk_recursive($_POST, 'mysql_real_escape_string');

    //// Login Section.
    if($_POST['Login']){ // If clicked on Login button.
        $username=$_POST['username'];
        $md5_password=md5($_POST['password']); // Encrypt password with md5() function.
    }

    // Construct and run query.
    $result=mysql_query("SELECT * FROM users WHERE username='$username' AND password='$md5_password' LIMIT 1");
    $result=mysql_num_rows($result);
    if($result > 0){
        $_SESSION['username'] = $_POST['username']; // session_register is deprecated
        header("location: index.php"); // Re-direct to main.php
    }else { // else is just fine here
        $message="--- Incorrect Username or Password ---";
        echo"$message";
    }
}
?>
```

That way the data is only checked if the user actually submitted the form.
Orionsbelter (posted January 31, 2009):

yours won't work, you didn't remove the } under

```php
$md5_password=md5($_POST['password']); // Encrypt password with md5() function.
```

use both and see whose works please
premiso (posted January 31, 2009):

> yours won't work, you didn't remove the } under
>
> ```php
> $md5_password=md5($_POST['password']); // Encrypt password with md5() function.
> ```
>
> use both and see whose works please

lol dude this is not a pissing match. Mine works just fine, the $_POST['login'] is grand, I added my check further up in the script, see the "isset($_POST)" if statement. Also notice how I indented the code to go along with it.
Orionsbelter (posted January 31, 2009):

look i mean this

```php
if($_POST['Login']){ // If clicked on Login button.
$username=$_POST['username'];
$md5_password=md5($_POST['password']); // Encrypt password with md5() function.
} ///////////////////////// THIS SHOULD BE REMOVED AS ITS STOPING THE LOGIN BUTTON FUNCTION HERE

// Construct and run query.
```
premiso (posted January 31, 2009):

Edit: Removed, noticed that checking isset on $_GET does not work. Here is code that will work for the OP.

```php
<?php
session_start();

if (isset($_POST['Login'])) { // the submit button in the form is named "Login"
    $server = "*****";
    $db_username = "*****";
    $db_password = "*****";
    $db_name = "*****";

    $db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!");
    mysql_select_db($db_name,$db) or die("Database name not available !!");

    // lets filter the post data:
    array_walk_recursive($_POST, 'mysql_real_escape_string');

    $username=$_POST['username'];
    $md5_password=md5($_POST['password']); // Encrypt password with md5() function.

    // Construct and run query.
    $result=mysql_query("SELECT * FROM users WHERE username='$username' AND password='$md5_password' LIMIT 1");
    $result=mysql_num_rows($result);
    if($result > 0){
        $_SESSION['username'] = $_POST['username']; // session_register is deprecated
        header("location: index.php"); // Re-direct to main.php
    }else { // else is just fine here
        $message="--- Incorrect Username or Password ---";
        echo"$message";
    }
}
?>
```

That version should work as expected.
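
The injection and password-hashing concerns raised in this thread, as an added example that is not any poster's code: a login check that runs only on submit, uses a PDO prepared statement instead of string-built SQL, and uses password_hash()/password_verify() in place of md5(). It goes beyond the thread's mysql_* code; the in-memory SQLite database, the `password_hash` column, the sample account and the `handle_login()` name are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumed/hypothetical: PDO with an
// in-memory SQLite database standing in for MySQL, a `password_hash` column,
// and the helper name handle_login().

/**
 * Returns 'form' (nothing submitted), 'error' (bad credentials) or
 * 'redirect' (logged in; $session['username'] is set).
 */
function handle_login(PDO $db, array $post, array &$session): string
{
    // Only check credentials when the button named "Login" was submitted,
    // so a plain page load never shows the error message.
    if (!isset($post['Login'])) {
        return 'form';
    }
    $username = $post['username'] ?? null;
    $password = $post['password'] ?? null;
    // A field sent as username[]=x arrives as an array; accept strings only.
    if (!is_string($username) || !is_string($password)) {
        return 'error';
    }
    $username = trim($username);

    // The placeholder sends $username as data, separate from the SQL text,
    // so quote characters in it cannot alter the query.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // password_verify() checks against a salted, deliberately slow hash.
    if (!is_string($hash) || !password_verify($password, $hash)) {
        return 'error';
    }
    $session['username'] = $username;
    // In the real page, follow with:
    //   session_regenerate_id(true); header('Location: index.php'); exit;
    return 'redirect';
}

// --- Constructed demo database and requests ---------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['kudos', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);

$requests = [
    'page load, no POST' => [],
    'valid credentials'  => ['Login' => 'Login', 'username' => 'kudos', 'password' => 's3cret-demo'],
    'wrong password'     => ['Login' => 'Login', 'username' => 'kudos', 'password' => 'nope'],
    'quote in username'  => ['Login' => 'Login', 'username' => "kudos' OR '1'='1", 'password' => 'x'],
    'array, not string'  => ['Login' => 'Login', 'username' => ['kudos'], 'password' => 'x'],
];
foreach ($requests as $label => $post) {
    $session = [];
    printf("%-20s => %s\n", $label, handle_login($db, $post, $session));
}
```

A column holding password_hash() output needs more room than the varchar(32) used for MD5 in the thread; the PHP manual recommends 255 characters.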