Kudosarian Posted January 31, 2009 Share Posted January 31, 2009 Hi folks. I have been trying to create a simple login page for users to access restricted parts of my website. But I am having real problems with the code as I am a php newbie!! The webpage with the login table is displayed and allows me to enter a username and password, however when I hit login, the page is just refreshed instead of being redirected. Grateful if someone could have a look at the code and flag up any obvious errors that I have missed. (probably something really silly!!!) Thanks Kudosarian <?php session_start(); $server = "*****"; $db_username = "*****"; $db_password = "*****"; $db_name = "*****"; $db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!"); mysql_select_db($db_name,$db) or die("Database name not available !!"); //// Login Section. $Login=$_POST['Login']; if($Login){ // If clicked on Login button. $username=$_POST['username']; $md5_password=md5($_POST['password']); // Encrypt password with md5() function. } // Construct and run query. $result=mysql_query("select * from users where username='$username' and password='$md5_password'"); if(mysql_num_rows($result)!='0'){ // If match. session_register("username"); // Craete session username. header("location: index.php"); // Re-direct to main.php }else{ // If not match. $message="--- Incorrect Username or Password ---"; } ?> <h1>login</h1> <p>please enter the your username and password to login....</p> <form id="form1" name="form1" method="post" action="<? echo $PHP_SELF; ?>"> <table> <tr> <td>Username : </td> <td><input name="username" type="text" id="username" /></td> </tr> <tr> <td>Password : </td> <td><input name="password" type="password" id="password" /></td> </tr> </table> <input name="Login" type="submit" id="Login" value="Login" /> </form> </body> </html> Quote Link to comment Share on other sites More sharing options...
Snart Posted January 31, 2009 Share Posted January 31, 2009 At first sight, I'd say that your username and password aren't valid, so the following code is executed which stores a variable but doesn't display anything: }else{ // If not match. $message="--- Incorrect Username or Password ---"; } On a sidenote, be careful how you handle the POST variables. Mysql injection could be a serious security issue here. Quote Link to comment Share on other sites More sharing options...
Chicken Little Posted January 31, 2009 Share Posted January 31, 2009 Does the users table exist? Add the following to the $result query or die(mysql_error()); If it does, it will need the username and password so you can login. Also, try changing if(mysql_num_rows($result)!='0'){ to if(mysql_num_rows($result) > '0'){ and in the form action change to <?php $_SERVER['PHP_SELF']; ?> Quote Link to comment Share on other sites More sharing options...
Orionsbelter Posted January 31, 2009 Share Posted January 31, 2009 add the escape string to stop injection Quote Link to comment Share on other sites More sharing options...
Kudosarian Posted January 31, 2009 Author Share Posted January 31, 2009 Thanks for the comments Snart and Chicken Little and blmg911. I have made the changes you have suggested Chicken, but the page continues to refresh on "login". Oh, yes the users table does indeed exist. No sure if it matters, but I am accessing a database from an online server. I have tried and tested my connection and it is working fine. Not sure why username and password would not be valid Snart - perhaps you could explain? blmg911 - could you explain the escape string to me and point out where to put it? Thanks Appreciate any other help Kudosarian Quote Link to comment Share on other sites More sharing options...
Orionsbelter Posted January 31, 2009 Share Posted January 31, 2009 it should be put on all $_POSTs such as your $username like $username=mysql_real_escape_string($_POST['username']); you can just stick this coding at the top of the page ///////////////////////// Security coding Supplied by blmg911 mysql_real_escape_string($_GET); mysql_real_escape_string($_POST); /////////////////////////////////////////////////////////////////////////////////////// Quote Link to comment Share on other sites More sharing options...
Kudosarian Posted January 31, 2009 Author Share Posted January 31, 2009 Thanks blmg911. I've added your code to my page. K Quote Link to comment Share on other sites More sharing options...
Orionsbelter Posted January 31, 2009 Share Posted January 31, 2009 try this please <?php session_start(); $server = "*****"; $db_username = "*****"; $db_password = "*****"; $db_name = "*****"; $db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!"); mysql_select_db($db_name,$db) or die("Database name not available !!"); //// Login Section. if($_POST['Login']){ // If clicked on Login button. $username=$_POST['username']; $md5_password=md5($_POST['password']); // Encrypt password with md5() function. } // Construct and run query. $result=mysql_query("SELECT * FROM users WHERE username='$username' AND password='$md5_password'"); $result=mysql_num_rows($result); if($result!=='0'){ // If match. session_register("username"); // Craete session username. header("location: index.php"); // Re-direct to main.php }elseif($result=='0'){ // If not match. $message="--- Incorrect Username or Password ---"; echo"$message"; } ?> <h1>login</h1> <p>please enter the your username and password to login....</p> <form id="form1" name="form1" method="post" action=""> <table> <tr> <td>Username : </td> <td><input name="username" type="text" id="username" /></td> </tr> <tr> <td>Password : </td> <td><input name="password" type="password" id="password" /></td> </tr> </table> <input name="Login" type="submit" id="Login" value="Login" /> </form> </body> </html> Quote Link to comment Share on other sites More sharing options...
premiso Posted January 31, 2009 Share Posted January 31, 2009 you can just stick this coding at the top of the page ///////////////////////// Security coding Supplied by blmg911 mysql_real_escape_string($_GET); mysql_real_escape_string($_POST); /////////////////////////////////////////////////////////////////////////////////////// You can huh? mysql_real_escape_string string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] ) Looks to me like you can only put a string into that function. You could instead call array_walk_recursive on the array and the mysql function. Quote Link to comment Share on other sites More sharing options...
Orionsbelter Posted January 31, 2009 Share Posted January 31, 2009 i tested it and it fully works thank you for your input Quote Link to comment Share on other sites More sharing options...
premiso Posted January 31, 2009 Share Posted January 31, 2009 i tested it and it fully works thank you for your input Must be a setting on your machine. When I run it: Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in C:\wamp\ww\test.php on line 3 array(2) { ["test"]=> string(4) "asdf" ["test2"]=> string( "sdf'sdf'" } For the code: <?php mysql_connect("localhost", "", ""); mysql_real_escape_string($_GET); var_dump($_GET); die(); ?> Just because it "works" for you, does not mean that is the standard/work for everyone else. It sounds like you have some custom php or extension/mod in there or something else that handles it. EDIT: I would do a var_dump on your array, my bet is you have display_errors turned off and none of your data is getting escaped, but you think it is. And if it is getting escaped, perhaps you have magic_quotes on. If neither than yea the custom code statement is the most likely reason. Quote Link to comment Share on other sites More sharing options...
Kudosarian Posted January 31, 2009 Author Share Posted January 31, 2009 ok, I tested your new code blmg911 and I get the same result, the page merely refreshes. for reference, here is the current code including suggested changes: Kudosarian <?php ///////////////////////// Security coding Supplied by blmg911 mysql_real_escape_string($_GET); mysql_real_escape_string($_POST); /////////////////////////////////////////////////////////////////////////////////////// session_start(); $server = "*****"; $db_username = "*****"; $db_password = ""*****; $db_name = "*****"; $db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!"); mysql_select_db($db_name,$db) or die("Database name not available !!"); //// Login Section. if($_POST['Login']){ // If clicked on Login button. $username=$_POST['username']; $md5_password=md5($_POST['password']); // Encrypt password with md5() function. } // Construct and run query. $result=mysql_query("SELECT * FROM users WHERE username='$username' AND password='$md5_password'"); $result=mysql_num_rows($result); if($result!=='0'){ // If match. session_register("username"); // Craete session username. header("location: index.php"); // Re-direct to main.php }elseif($result=='0'){ // If not match. $message="--- Incorrect Username or Password ---"; echo"$message"; } ?> <h1>login</h1> <p>please enter the your username and password to login....</p> <form id="form1" name="form1" method="post" action="<?php $_SERVER['PHP_SELF']; ?>"> <table> <tr> <td>Username : </td> <td><input name="username" type="text" id="username" /></td> </tr> <tr> <td>Password : </td> <td><input name="password" type="password" id="password" /></td> </tr> </table> <input name="Login" type="submit" id="Login" value="Login" /> </form> Quote Link to comment Share on other sites More sharing options...
premiso Posted January 31, 2009 Share Posted January 31, 2009 Please use the [.code] [./code] tags around your code (no initial period). As far as why it does not work, well here is a cleaned up version of the code: <?php /* This is bad code, remove please. Not to mention this is before the mysql_db is connected mysql_real_escape_string($_GET); mysql_real_escape_string($_POST); */ session_start(); $server = "*****"; $db_username = "*****"; $db_password = ""*****; $db_name = "*****"; $db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!"); mysql_select_db($db_name,$db) or die("Database name not available !!"); // lets filter the post data: array_walk_recursive($_POST, 'mysql_real_escape_string'); //// Login Section. if($_POST['Login']){ // If clicked on Login button. $username=trim($_POST['username']); $md5_password=md5(trim($_POST['password'])); // Encrypt password with md5() function. } // Construct and run query. $result=mysql_query("SELECT * FROM users WHERE username='$username' AND password='$md5_password' LIMIT 1"); $result=mysql_num_rows($result); if($result > 0){ $_SESSION['username'] = $_POST['userame']; // session_register is depreciated header("location: index.php"); // Re-direct to main.php }else { // else is just fine here $message="--- Incorrect Username or Password ---"; echo"$message"; } ?> Now, if the password that is md5 was inserted without mysql_real_escape_string you could have a problem implementing that if it contained any characters that were escaped. I also added trim to trim the data, incase that is throwing it off. Also session_register is depreciated now, use the $_SESSION['username'] format instead. The form looks fine. no need to post that part again. Run the code I posted above and see how it works. Quote Link to comment Share on other sites More sharing options...
Kudosarian Posted January 31, 2009 Author Share Posted January 31, 2009 Hi Premiso, and welcome to the chat I tried out your code, and I seem to get the "Incorrect Username or Password" message at the top of my page before I try and login. Kudosarian Quote Link to comment Share on other sites More sharing options...
premiso Posted January 31, 2009 Share Posted January 31, 2009 Hi Premiso, and welcome to the chat I tried out your code, and I seem to get the "Incorrect Username or Password" message at the top of my page before I try and login. Kudosarian Then your answer is simple. I would recreate the user data and verify that you are inputting it properly and do that check. The username and password are not matching in the DB. The logic above is fine, at this point it is your data in mysql that is messing up. Check your password field that it is at least a varchar(32), also check that you are using the mysql_real_escape_string on both the password and username when inserting as that will throw it off and that you are using trim on that data also. Quote Link to comment Share on other sites More sharing options...
Kudosarian Posted January 31, 2009 Author Share Posted January 31, 2009 I'm not 100% sure that I follow you Premiso. The message appears when I load the login page. How can the username and password be incorrect when I have yet to enter them? I checked the DB and revised the password field to varchar(32). When you say check that I am using the mysql_real_escape_string() on both the password and username when inserting as that will throw it off and that you are using trim() on that data also., silly question, but how do I do this? Kudos (the newbie ) Quote Link to comment Share on other sites More sharing options...
premiso Posted January 31, 2009 Share Posted January 31, 2009 I'm not 100% sure that I follow you Premiso. The message appears when I load the login page. How can the username and password be incorrect when I have yet to enter them? I checked the DB and revised the password field to varchar(32). When you say check that I am using the mysql_real_escape_string() on both the password and username when inserting as that will throw it off and that you are using trim() on that data also., silly question, but how do I do this? Kudos (the newbie ) So you have no data in the DB? If not then that is why it returns false. If you do not post any data to the form, that is also the same reason why. You need actual test data to test it, or else it will always return false like it should. Quote Link to comment Share on other sites More sharing options...
Kudosarian Posted January 31, 2009 Author Share Posted January 31, 2009 No no, you misunderstand. There is data in the table for me to test. But with your code you provided, when I navigate to the login page, the error message is already on the screen. Therefore if a visiter goes to the login page to enter his/her username and password, they are faced with the error message that they have entered an invalid username or password before they have even pressed a key. Does that make sense?? K Quote Link to comment Share on other sites More sharing options...
Orionsbelter Posted January 31, 2009 Share Posted January 31, 2009 he means it echos without even filling in the form and pressing login Quote Link to comment Share on other sites More sharing options...
Orionsbelter Posted January 31, 2009 Share Posted January 31, 2009 <?php session_start(); $server = "*****"; $db_username = "*****"; $db_password = ""*****; $db_name = "*****"; $db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!"); mysql_select_db($db_name,$db) or die("Database name not available !!"); // lets filter the post data: array_walk_recursive($_POST, 'mysql_real_escape_string'); //// Login Section. if($_POST['Login']){ // If clicked on Login button. $username=trim($_POST['username']); $md5_password=md5(trim($_POST['password'])); // Encrypt password with md5() function. // Construct and run query. $result=mysql_query("SELECT * FROM users WHERE username='$username' AND password='$md5_password' LIMIT 1"); $result=mysql_num_rows($result); if($result > 0){ $_SESSION['username'] = $_POST['userame']; // session_register is depreciated header("location: index.php"); // Re-direct to main.php }else { // else is just fine here $message="--- Incorrect Username or Password ---"; echo"$message"; }} ?> thats should work try it please Quote Link to comment Share on other sites More sharing options...
premiso Posted January 31, 2009 Share Posted January 31, 2009 Yep. <?php session_start(); if (isset($_POST)) { $server = "*****"; $db_username = "*****"; $db_password = ""*****; $db_name = "*****"; $db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!"); mysql_select_db($db_name,$db) or die("Database name not available !!"); // lets filter the post data: array_walk_recursive($_POST, 'mysql_real_escape_string'); //// Login Section. if($_POST['Login']){ // If clicked on Login button. $username=$_POST['username']; $md5_password=md5($_POST['password']); // Encrypt password with md5() function. } // Construct and run query. $result=mysql_query("SELECT * FROM users WHERE username='$username' AND password='$md5_password' LIMIT 1"); $result=mysql_num_rows($result); if($result > 0){ $_SESSION['username'] = $_POST['userame']; // session_register is depreciated header("location: index.php"); // Re-direct to main.php }else { // else is just fine here $message="--- Incorrect Username or Password ---"; echo"$message"; } } ?> That way the data is only checked if the user actually submitted the form. Quote Link to comment Share on other sites More sharing options...
Orionsbelter Posted January 31, 2009 Share Posted January 31, 2009 yours won't wok you didn't removed the } under $md5_password=md5($_POST['password']); // Encrypt password with md5() function. use both and see who's work please Quote Link to comment Share on other sites More sharing options...
premiso Posted January 31, 2009 Share Posted January 31, 2009 yours won't wok you didn't removed the } under $md5_password=md5($_POST['password']); // Encrypt password with md5() function. use both and see who's work please lol dude this is not a pissing a match. Mine works just fine, the $_POST['login'] is grand, I added my check further up in the script, see the "isset($_POST)" if statement. Also notice how I indented the code to go along with it. Quote Link to comment Share on other sites More sharing options...
Orionsbelter Posted January 31, 2009 Share Posted January 31, 2009 look i mean this if($_POST['Login']){ // If clicked on Login button. $username=$_POST['username']; $md5_password=md5($_POST['password']); // Encrypt password with md5() function. } ///////////////////////// THIS SHOULD BE REMOVED AS ITS STOPING THE LOGIN BUTTON FUNCTION HERE // Construct and run query. Quote Link to comment Share on other sites More sharing options...
premiso Posted January 31, 2009 Share Posted January 31, 2009 Edit: Removed, noticed that checking isset on $_GET does not work. Here is code that will work for the OP. <?php session_start(); if (isset($_POST['login'])) { $server = "*****"; $db_username = "*****"; $db_password = "*****"; $db_name = "*****"; $db = mysql_connect($server, $db_username, $db_password) or die("Connection to database failed, perhaps the service is down !!"); mysql_select_db($db_name,$db) or die("Database name not available !!"); // lets filter the post data: array_walk_recursive($_POST, 'mysql_real_escape_string'); $username=$_POST['username']; $md5_password=md5($_POST['password']); // Encrypt password with md5() function. // Construct and run query. $result=mysql_query("SELECT * FROM users WHERE username='$username' AND password='$md5_password' LIMIT 1"); $result=mysql_num_rows($result); if($result > 0){ $_SESSION['username'] = $_POST['userame']; // session_register is depreciated header("location: index.php"); // Re-direct to main.php }else { // else is just fine here $message="--- Incorrect Username or Password ---"; echo"$message"; } } ?> That version should work as expected. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.