dean7 Posted November 21, 2009

Hi all, I've tried coding a rather good login script but there's a problem with it I can't see. When the submit button is pressed it just refreshes the page.

```php
<?php
session_start();
include_once"includes/config.php";

if (strip_tags($_GET['logout']) == "yes"){
    session_destroy();
    echo "<meta http-equiv='refresh' content='99999999999999999;url=index.php'>";
}elseif (isset($_SESSION['username'])){
    header("Location: index2.php");
    exit();
}

if ($_POST['submit'] && strip_tags($_POST['username']) && strip_tags($_POST['password'])){
    $username = addslashes(strip_tags($_POST['username']));
    $password = addslashes(strip_tags($_POST['password']));
    $ip = $REMOTE_ADDR;

    ///check INFO
    $sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' LIMIT 1");
    $login_check = mysql_num_rows($sql);
    $inf = mysql_fetch_object($sql);

    if ($login_check == "0"){
        $message="Incorrect Username or Password! Try Again!";
    }elseif ($login_check != "0"){
        if ($inf->status == "Banned"){
            $encoded=md5(strtolower($username));
            header("Location: banned.php?banned=$username&encoded=$encoded");
            exit();
        }
        session_register('username');
        $_SESSION['username'] = $inf->username;
        $timestamp = time()+60;
        mysql_query("UPDATE users SET online='$timestamp' WHERE username='$username'");
        mysql_query("UPDATE users SET l_ip='$ip' WHERE username='$username'");
        header("Location: index2.php");
    } else {
        $message= "Incorrect Username or Password<br />";
        $timenow=time();
        $select = mysql_query("SELECT * FROM users WHERE online > '$timenow' ORDER by id");
        $num = mysql_num_rows($select);
        while ($i = mysql_fetch_object($select));
    }}
?>
```

That's all the PHP code which is in it. Thanks for your help.

PFMaBiSmAd Posted November 21, 2009

"When the submit button is pressed ..."

That would imply there is something wrong with your form. You would need to post it to get help with what it is doing.

waynew Posted November 21, 2009

1: Is your submit button actually called 'submit'?
2: Why are you using addslashes() instead of mysql_real_escape_string()?
3: You are stripping tags from the password? Why? When you could just hash the password using md5() or sha1()? What if a user has a < in their password?
4: Your code will cause some notices to pop up. When making sure that a POST variable exists, use this:

```php
if(isset($_POST['submit'])){
    //etc
}
```

instead of

```php
if($_POST['submit'])
```

dean7 Posted November 21, 2009 Author

This is the form I am using:

```html
<html>
<head>
</head>
<body>
<form method="post" name="form" id="form">
  <fieldset class="fieldset">
    <legend> Login</legend>
    Login Name: <br />
    <input name="username" type="text" class="form" id="username" maxlength="30"> <br />
    Password: <br />
    <input name="password" type="password" class="form" id="password">
    (<a href="lost.php">forgot?</a>)<br> <br>
    <input name="submit" type="submit" class="button" value="Login" onClick="this.value='Processing';">
  </fieldset>
</form>
</body>
</html>
```

waynew Posted November 21, 2009

Where is the form attribute "action"?

```html
<form action="pagename.php">
```

etc

dean7 Posted November 21, 2009 Author

Oh yeah, forgot about the action, thanks, but that's made it work if I don't have the passwords md5. But if I have them md5 it's the wrong password :S

waynew Posted November 21, 2009

That's probably because you didn't use md5() on the password when the user was registering. You should never store clear-text passwords in your database. Always hash them using md5() or sha1() beforehand and then insert them.

dean7 Posted November 21, 2009 Author

Nah, when the user registers it inserts with the md5. But before I added that I registered myself with a clear-text password, which the login lets me log in with that username and password, but with the username and password which have an md5 password it doesn't log in. :-\

PFMaBiSmAd Posted November 22, 2009

Wouldn't it make sense that you need to process the password identically when they register and you save a representation of the entered password and when you attempt to compare the entered password with the values that have been saved? Kind of like comparing apples to apples rather than apples to oranges

emopoops Posted November 22, 2009

You need to have all the passwords encrypted with the same thing in the database or not everyone will be able to log in.

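The mixed-storage situation discussed in the last posts (some rows saved as clear text, some as md5, one comparison at login), handled as a migration at login time. This is an added example, not code from any poster in the thread: it swaps md5()/sha1() for PHP's password_hash()/password_verify() and the mysql_* calls for PDO prepared statements. The `users` table layout, the `check_login()` helper and the sample rows are assumptions constructed for the example.

```php
<?php
// Added example, not code from the thread. Schema, names and sample rows are constructed.
$db = new PDO('sqlite::memory:');                       // in-memory DB so this runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$seed = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$seed->execute(['old_plain', 'letmein<1']);             // legacy clear-text row
$seed->execute(['old_md5', md5('s3cret')]);             // legacy md5 row
$seed->execute(['current', password_hash('hunter2!', PASSWORD_DEFAULT)]);

// Hypothetical helper: verify a login against whatever format the row is stored in,
// then rewrite legacy rows so every account ends up in the same format.
function check_login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the username is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;                                   // unknown user
    }
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        $ok = password_verify($password, $stored);      // current format
        $upgrade = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    } elseif (strlen($stored) === 32 && ctype_xdigit($stored)) {
        $ok = hash_equals(strtolower($stored), md5($password)); // legacy md5 row
        $upgrade = $ok;
    } else {
        $ok = hash_equals($stored, $password);          // legacy clear-text row
        $upgrade = $ok;
    }
    if ($upgrade) {
        // The password is hashed exactly as typed: no strip_tags(), no addslashes().
        $new = password_hash($password, PASSWORD_DEFAULT);
        $db->prepare('UPDATE users SET password = ? WHERE username = ?')
           ->execute([$new, $username]);
    }
    return $ok;
}

var_dump(check_login($db, 'old_plain', 'letmein<1'));   // legacy clear-text row, upgraded on success
var_dump(check_login($db, 'old_md5', 's3cret'));        // legacy md5 row, upgraded on success
var_dump(check_login($db, 'current', md5('hunter2!'))); // a digest of the password is not the password
var_dump(check_login($db, 'old_plain', 'letmein<1'));   // second login goes through password_verify()
```

Branching on the stored format, rather than trying every comparison in turn, keeps a stored md5 value from ever being compared as if it were a clear-text password.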