lore_lanu Posted June 27, 2009

Hi all,

I'm new to php and I am trying to create my very own log in script. I've made my register page and it works fine, but for some reason whenever I try to execute my login script, it always displays an error. Here is my code:

```php
<?php
//This code runs if the form has been submitted
if (isset($_POST['submit'])) {

    // Connects to the Database
    mysql_connect("dbserver", "dbuser", "dbpassword") or die(mysql_error());
    mysql_select_db("dbname") or die(mysql_error());

    // Define $username and $password
    $username= "$_POST['username']";
    $password= "$_POST['password']";

    // To protect MySQL injection
    $username = 'stripslashes($username)';
    $password = 'stripslashes($password)';
    $username = 'mysql_real_escape_string($username)';
    $password = 'mysql_real_escape_string($password)';

    $sql="SELECT * FROM users WHERE username = $username AND password = $password";
    $result = 'mysql_query($sql)';

    // Mysql_num_row is counting table row
    $count = mysql_num_rows($result);

    // If result matched $username and $password, table row must be 1 row
    if($count == 1){
        $message = 'This is success.';
    }
    else {
        $message = '<b>An error has occured.</b> Please try again or create an account.';
    }
}
?>

<div class="regvalidate"><?php print $message; ?></div>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<table>
<tr><td><strong>Member Login </strong></td></tr>
<tr><td>Username:</td>
<td><input name="username" type="text" value="<?php echo $_POST['username'];?>"></td></tr>
<tr><td>Password:</td>
<td><input name="password" type="password"></td></tr>
<tr><td><input type="submit" name="submit" value="Login"></td></tr>
</table>
</form>
```

I'm wondering what I am doing wrong here. Any help is appreciated!

Thanks in advance!

Alex Posted June 27, 2009

It would've been nice if you gave us the error you get. I looked over it fast and I saw this:

```php
$result = 'mysql_query($sql)';
```

Should be:

```php
$result = mysql_query($sql);
```

If it still doesn't work post your errors.

Edit: Owait.. All of this needs to be changed:

```php
$username = 'stripslashes($username)';
$password = 'stripslashes($password)';
$username = 'mysql_real_escape_string($username)';
$password = 'mysql_real_escape_string($password)';
```

to:

```php
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
```

lore_lanu (Author) Posted June 27, 2009

Thanks for your response.

I've implemented that in my code, but it still doesn't work. I'm actually not getting any php or database errors. When I submit the form, I get the error message that I wrote in the else statement. Even when I use a valid username/password combination.

lore_lanu (Author) Posted June 27, 2009

Actually, I just realized that when I register users, I encrypted the passwords as md5. Does that mean I have to state that somewhere in the code?

I changed:

```php
// Define $username and $password
$username= $_POST['username'];
$password= $_POST['password'];
```

to this:

```php
// Define $username and $password
$username= $_POST['username'];
$password= md5($_POST['password']);
```

and now I get this mysql error:

```
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/content/I/n/d/Individual12/html/m/login.php on line 24
```

jmr3460 Posted June 27, 2009

Looks like you are on the right track.

PFMaBiSmAd Posted June 27, 2009

Your query needs single-quotes around the string values -

```php
$sql="SELECT * FROM users WHERE username = '$username' AND password = '$password'";
```

This is causing a sql syntax error, which causes the query to fail, which causes mysql_num_rows() to fail, which causes $count to have a null/0 value in it.

You should be learning php, developing php code, and debugging php code on a development system that has error_reporting set to E_ALL and display_errors set to ON in your php.ini so that php would give immediate feedback about problems it finds.

Edit: I see from one of your additional posts that you are receiving Warning messages. In this case, where your query is failing, at a minimum you need to test the value that the query returns to find out if the query worked or failed before blindly attempting to use non-existent results from the query.

Edit2: And yes, if you are using md5() on the password when it was stored, you must use md5() on the value you are trying to compare with the stored value.

lore_lanu (Author) Posted June 27, 2009

Thanks a lot, all of you, for your help!

I guess I need to practice a little more with my syntax. Thanks for catching that, PFMaBiSmAd! The script is working fine now.

Now my question is: how secure is this script? I won't be using it for anything more than fun and giggles, but that doesn't mean I don't want hackers to get through it easily either. Do you have any suggestions as to what I could do to make it more secure?

cunoodle2 Posted June 27, 2009

This is a little overkill here but I would also compare the results to that of your query to make sure someone isn't being sneaky with you and somehow just putting some value in there that would yield 1 result. I would do the following just again to do overkill...

```php
<?php
$result = @mysql_query($sql); //put "@" at beginning to force it NOT to print errors to screen

// Mysql_num_row is counting table row
if (mysql_num_rows($result) == 1)
{
    $row = mysql_fetch_array($result);
    if($username == $row["username"] && $password == $row["password"])
    {
        echo "Now you have a little bit more of a secure positive result.<br />\n";
    }
    else
    {
        echo "go away hacker.<br />\n";
    }
}
else
{
    echo "Invalid login info.<br />\n";
}
```

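Added example, not code from any poster in this thread: one way to write the login check with a PDO prepared statement and password_hash()/password_verify() in place of string-built SQL and unsalted md5() (the mysql_* functions used above were removed in PHP 7.0). The users table layout, the sample accounts and the function name check_login() are assumptions; rows that still hold an md5 value are re-hashed on a successful login.

```php
<?php
// Added example, not from the thread. Table layout, sample accounts and the
// name check_login() are assumptions made for this sketch.
function check_login(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text, so $username
    // needs no quoting or escaping.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // no such user
    }
    $stored = $row['password'];

    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy unsalted md5() value, as stored by the thread's register
        // page: compare in constant time, then re-hash with password_hash().
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
        return true;
    }
    return password_verify($password, $stored);
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['alice', md5('correct horse')]);                          // legacy md5 row
$ins->execute(["o'brien", password_hash('s3cret!', PASSWORD_DEFAULT)]);  // quote in the name

var_dump(check_login($db, 'alice', 'correct horse')); // legacy row, upgraded on success
var_dump(check_login($db, 'alice', 'wrong guess'));   // wrong password
var_dump(check_login($db, "o'brien", 's3cret!'));     // name containing a quote
var_dump(check_login($db, 'nobody', 's3cret!'));      // unknown user
```

The form in the original post also echoes `$_POST['username']` and `$_SERVER['PHP_SELF']` into HTML attributes; wrapping both in `htmlspecialchars(..., ENT_QUOTES)` covers that part of the script.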