Jump to content

Login script (probably a simple error)

lAZLf

By lAZLf
in PHP Coding Help

 Share

Recommended Posts

lAZLf Member

lAZLf

Posted
Posted

dbConfig.php

<?
// Replace the variable values below
// with your specific database information.
$host = "localhost";
$user = "username";
$pass = "password";
$db   = "annarbo1_Archives";

// This part sets up the connection to the 
// database (so you don't need to reopen the connection
// again on the same page).
$ms = mysql_pconnect($host, $user, $pass);
if ( !$ms )
{
echo "Error connecting to database.\n";
}

// Then you need to make sure the database you want
// is selected.
mysql_select_db($db);
?>

 

login.php

<?php
// dBase file
include "dbConfig.php";
session_start();

if ($_GET["op"] == "login")
{
if (!$_POST["username"] || !$_POST["password"])
	{
	die("You need to provide a username and password.");
	}

// Create query
$q = "SELECT * FROM `people` "
	."WHERE `username`='".$_POST["username"]."' "
	."AND `password`=PASSWORD('".$_POST["password"]."') "
	."LIMIT 1";
// Run query
$r = mysql_query($q);

if ( $obj = @mysql_fetch_object($r) )
	{
	// Login good, create session variables
	$_SESSION["valid_user"] = $_POST["username"];
	// Redirect to member page
	Header("Location: index.php");
	}
else
	{
	// Login not successful
	die("Sorry, could not log you in. Wrong login information.");
	}
}

?>

 

when I run this online i get this error:

 

 

"Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home4/annarbo1/public_html/login.php:2) in /home4/annarbo1/public_html/login.php on line 4"

 

I have yet to figure out what's wrong

Link to comment
Share on other sites
lAZLf Member

lAZLf

Posted
  • Author
Posted

Thanks, I don't get that error anymore, but even when I enter in the correct name and password I can't get in. I changed a the code a bit:

<?php
session_start();
// dBase file
include "dbConfig.php";

// Create query
$q = "SELECT * FROM `people` "
	."WHERE `username`='".$_POST["username"]."' "
	."AND `password`=PASSWORD('".$_POST["password"]."') "
	."LIMIT 1";
// Run query
$r = mysql_query($q);

if ( $obj = @mysql_fetch_object($r))
	{
	// Login good, create session variables
	$_SESSION["valid_user"] = $_POST["username"];
	// Redirect to member page
	header ("location: index.php");
	}
else
	{
	// Login not successful
	die("Sorry, could not log you in. Wrong login information.");
	}

?>

I'm gonna guess the problem is with the if statement (well, it always go to the else statement). What's wrong with it. (try to explain it if you can, i'm still learning about PHP)

Link to comment
Share on other sites
mrMarcus Member

mrMarcus

Posted
Posted

change:

 

$r = mysql_query($q);

 

to:

 

$r = mysql_query($q) or trigger_error (mysql_error());

 

see if errors come up.

 

as well, echo your query:

 

<?php
// Create query
$q = "SELECT * FROM `people` "
    ."WHERE `username`='".$_POST["username"]."' "
    ."AND `password`=PASSWORD('".$_POST["password"]."') "
    ."LIMIT 1";

echo '<pre>Query: '.  $q .'</pre>';

// Run query
$r = mysql_query($q) or trigger_error (mysql_error());

 

see if (when you echo the query), your username and password match from what's in the query to what's in the database.

 

EDIT: i don't know much about the PASSWORD() function in mysql, but consider using MD5() instead.  hash your password before inserting variable into query, and make sure that passwords in db are also hashed (hash them upon creation of the account(s)).

Link to comment
Share on other sites
lAZLf Member

lAZLf

Posted
  • Author
Posted

I changed "login.php" again, and now i'm sure that the "if" statement isn't working right, I enter in the correct information and it always sais I didn't.

 

Should I change something in the "if" statement? 

<?php
session_start();
// dBase file
include "dbConfig.php";

// Create query
$q = "SELECT * FROM people WHERE username='".$_POST["username"]."' AND password = PASSWORD('".$_POST["password"]."')";
// Run query
$r = mysql_query($q, $ms);



$rowCheck = mysql_num_rows($r); 
if($rowCheck > 0){ 
while($row = mysql_fetch_array($r)){  	
	// Login good, create session variables
	$_SESSION["valid_user"] = $_POST["username"];
	// Redirect to member page
	header ("location: index.php");
} 

  } 
  else { 

  //if nothing is returned by the query, unsuccessful login code goes here... 

  echo 'Incorrect login name or password. Please try again.'; 
  } 
  
?>

 

Link to comment
Share on other sites
mrMarcus Member

mrMarcus

Posted
Posted

did you try my suggestions?  please give the results.

 

and, are you aware that you are using mysql_pconnect to connect to your database?  if so, understand that this opens a persistent connection to the db which is not terminated when the script has finished executing.  this can lead to (upon heavy traffic), database connectivity issues by having too many open connections at any given time.

 

if you were not aware of the difficulties that could ensue, consider using mysql_connect instead.

 

now, add trigger_error() to your query:

 

$r = mysql_query($q) or trigger_error (mysql_error());

 

and try echo'ing out $q to see if the query is what you think it is.

 

do that first, and then we can move on from there.  but i will not offer any more help until i know that information has been exercised.

Link to comment
Share on other sites
mrMarcus Member

mrMarcus

Posted
Posted

Alright I did what mrMarcus said.

 

I got back:

"Incorrect login name or password. Please try again.

Query: SELECT * FROM people WHERE username='username' AND password = PASSWORD('password')"

 

It all matches up.

 

so, when you echo out the password, it's hashed in the db the same way as it is in the query?  using PASSWORD()?

Link to comment
Share on other sites
lAZLf Member

lAZLf

Posted
  • Author
Posted

I just figured out that meant using the sha1(); function.

 

So yes, it's hashed.

Now that i've hashed it, it works.

Now I have a new problem, which is probably a newby mistake.

 

When it goes back to the previous page via header location, I noticed that either the login.php page didn't set the session, or the index.php page didn't check for it properly.

 

login.php:

<?php
session_start();
// dBase file
include "dbConfig.php";

// Create query
$q = "SELECT * FROM people WHERE username='".$_POST["username"]."' AND password = sha1('".$_POST["password"]."')";
// Run query
$r = mysql_query($q,$ms) or trigger_error (mysql_error());


$rowCheck = mysql_num_rows($r); 
if($rowCheck > 0){ 
while($row = mysql_fetch_array($r)){  	
	// Login good, create session variables
	$_SESSION["valid_user"] = $_POST["username"];
	// Redirect to member page
	header ("location: index.php");
} 

  } 
  else { 

  //if nothing is returned by the query, unsuccessful login code goes here... 

  echo 'Incorrect login name or password. Please try again.'; 
  } 
  echo '<pre>Query: '.  $q .'</pre>'; 
?>

 

 

index.php:

	
<?php  
  if (!$_SESSION['valid_user']) {
	  echo'
	<form action="login.php" method="post">
	<table cellspacing="0">
	<tr><td><input type="text" name="username"width="300" value="username"/></td></tr>
	<tr><td><input type="password" name="password"width="300" value="password"/></td></tr>
  	<tr><td><input type="submit" value="login"/></td></tr>
	</table>
	</form>
  ';
  } else {
	echo"Welcome".$_SESSION['valid_user'];  
  }
?>

Link to comment
Share on other sites
mrMarcus Member

mrMarcus

Posted
Posted

PASSWORD() was hashing the password going into the database.

 

what i was asking you is when you look at the password in your database, is it plain text (joe blow), or is it hashed (asdf786sa87df678as6fd786asd87f6a87sfd6)?

 

when you register an account, you must also hash the password going in, so when you go to login, the passwords will match:

 

if i register an account on your site, and you're not hashing the password up registration and my password goes in as plain text (joe blow), and then when i try and login, you are now hashing the password i entered to login, and checking tmy plain-text password in the db against the hashed password i just entered in the login form, they will obviously not match, which will then tell me that i entered invalid information.

 

register.php

<?php
//code...
$password = md5 ($_POST['password']); //password from register form;

//your insert query with a hashed $password going into `password` field.
?>

 

login.php

<?php
//code...
$username = $mysql_real_escape_string (_POST["username"]);
$password = md5 ($_POST['password']); //password from login form;

$q = "SELECT * FROM `people` WHERE `username` = '".$username."' AND `password` = '".$password."'";
?>

 

you get it?  don't use the MySQL hashing functions, just do your hashing with PHP.

 

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.