lAZLf Posted December 13, 2009

dbConfig.php

```php
<?
// Replace the variable values below
// with your specific database information.
$host = "localhost";
$user = "username";
$pass = "password";
$db = "annarbo1_Archives";

// This part sets up the connection to the
// database (so you don't need to reopen the connection
// again on the same page).
$ms = mysql_pconnect($host, $user, $pass);
if ( !$ms ) {
    echo "Error connecting to database.\n";
}

// Then you need to make sure the database you want
// is selected.
mysql_select_db($db);
?>
```

login.php

```php
<?php
// dBase file
include "dbConfig.php";
session_start();

if ($_GET["op"] == "login") {
    if (!$_POST["username"] || !$_POST["password"]) {
        die("You need to provide a username and password.");
    }

    // Create query
    $q = "SELECT * FROM `people` "
        ."WHERE `username`='".$_POST["username"]."' "
        ."AND `password`=PASSWORD('".$_POST["password"]."') "
        ."LIMIT 1";

    // Run query
    $r = mysql_query($q);

    if ( $obj = @mysql_fetch_object($r) ) {
        // Login good, create session variables
        $_SESSION["valid_user"] = $_POST["username"];
        // Redirect to member page
        Header("Location: index.php");
    } else {
        // Login not successful
        die("Sorry, could not log you in. Wrong login information.");
    }
}
?>
```

when I run this online i get this error:

"Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home4/annarbo1/public_html/login.php:2) in /home4/annarbo1/public_html/login.php on line 4"

I have yet to figure out what's wrong

teamatomic Posted December 13, 2009

start your session above the include.

HTH
Teamatomic

lAZLf (Author) Posted December 13, 2009

Thanks, I don't get that error anymore, but even when I enter in the correct name and password I can't get in. I changed the code a bit:

```php
<?php
session_start();
// dBase file
include "dbConfig.php";

// Create query
$q = "SELECT * FROM `people` "
    ."WHERE `username`='".$_POST["username"]."' "
    ."AND `password`=PASSWORD('".$_POST["password"]."') "
    ."LIMIT 1";

// Run query
$r = mysql_query($q);

if ( $obj = @mysql_fetch_object($r)) {
    // Login good, create session variables
    $_SESSION["valid_user"] = $_POST["username"];
    // Redirect to member page
    header ("location: index.php");
} else {
    // Login not successful
    die("Sorry, could not log you in. Wrong login information.");
}
?>
```

I'm gonna guess the problem is with the if statement (well, it always goes to the else statement). What's wrong with it? (try to explain it if you can, i'm still learning about PHP)

mrMarcus Posted December 13, 2009

change:

```php
$r = mysql_query($q);
```

to:

```php
$r = mysql_query($q) or trigger_error (mysql_error());
```

see if errors come up.

as well, echo your query:

```php
<?php
// Create query
$q = "SELECT * FROM `people` "
    ."WHERE `username`='".$_POST["username"]."' "
    ."AND `password`=PASSWORD('".$_POST["password"]."') "
    ."LIMIT 1";

echo '<pre>Query: '. $q .'</pre>';

// Run query
$r = mysql_query($q) or trigger_error (mysql_error());
```

see if (when you echo the query), your username and password match from what's in the query to what's in the database.

EDIT: i don't know much about the PASSWORD() function in mysql, but consider using MD5() instead. hash your password before inserting variable into query, and make sure that passwords in db are also hashed (hash them upon creation of the account(s)).

lAZLf (Author) Posted December 14, 2009

I changed "login.php" again, and now i'm sure that the "if" statement isn't working right, I enter in the correct information and it always says I didn't. Should I change something in the "if" statement?

```php
<?php
session_start();
// dBase file
include "dbConfig.php";

// Create query
$q = "SELECT * FROM people WHERE username='".$_POST["username"]."' AND password = PASSWORD('".$_POST["password"]."')";

// Run query
$r = mysql_query($q, $ms);
$rowCheck = mysql_num_rows($r);

if($rowCheck > 0){
    while($row = mysql_fetch_array($r)){
        // Login good, create session variables
        $_SESSION["valid_user"] = $_POST["username"];
        // Redirect to member page
        header ("location: index.php");
    }
} else {
    //if nothing is returned by the query, unsuccessful login code goes here...
    echo 'Incorrect login name or password. Please try again.';
}
?>
```

mrMarcus Posted December 14, 2009

did you try my suggestions? please give the results.

and, are you aware that you are using mysql_pconnect to connect to your database? if so, understand that this opens a persistent connection to the db which is not terminated when the script has finished executing. this can lead to (upon heavy traffic), database connectivity issues by having too many open connections at any given time. if you were not aware of the difficulties that could ensue, consider using mysql_connect instead.

now, add trigger_error() to your query:

```php
$r = mysql_query($q) or trigger_error (mysql_error());
```

and try echo'ing out $q to see if the query is what you think it is.

do that first, and then we can move on from there. but i will not offer any more help until i know that information has been exercised.

Buddski Posted December 14, 2009

Just having a stab in the dark here, forgive me if it sounds stupid, but are you being redirected or are you receiving your error message 'Incorrect login name or password. Please try again.'?

lAZLf (Author) Posted December 14, 2009

I'm receiving the actual message. If I was being redirected, it would be to the homepage where it checks if the session variable is stored and displays content accordingly.

Buddski Posted December 14, 2009

Well in that case I would strongly suggest doing what MrMarcus has posted.. It will help you find any errors that could be springing up.. Let us know of the resulted output.

lAZLf (Author) Posted December 14, 2009

Alright I did what mrMarcus said. I got back:

"Incorrect login name or password. Please try again.
Query: SELECT * FROM people WHERE username='username' AND password = PASSWORD('password')"

It all matches up.

mrMarcus Posted December 14, 2009

> Alright I did what mrMarcus said. I got back:
>
> "Incorrect login name or password. Please try again.
> Query: SELECT * FROM people WHERE username='username' AND password = PASSWORD('password')"
>
> It all matches up.

so, when you echo out the password, it's hashed in the db the same way as it is in the query? using PASSWORD()?

lAZLf (Author) Posted December 14, 2009

What do you mean by hash? And how would I do it?

Buddski Posted December 14, 2009

when he says 'hashed' he is talking about md5 encryption.. When you create a user is their password stored in the database as plain text or is it encrypted?

lAZLf (Author) Posted December 14, 2009

I just figured out that meant using the sha1(); function. So yes, it's hashed. Now that i've hashed it, it works. Now I have a new problem, which is probably a newbie mistake. When it goes back to the previous page via header location, I noticed that either the login.php page didn't set the session, or the index.php page didn't check for it properly.

login.php:

```php
<?php
session_start();
// dBase file
include "dbConfig.php";

// Create query
$q = "SELECT * FROM people WHERE username='".$_POST["username"]."' AND password = sha1('".$_POST["password"]."')";

// Run query
$r = mysql_query($q,$ms) or trigger_error (mysql_error());
$rowCheck = mysql_num_rows($r);

if($rowCheck > 0){
    while($row = mysql_fetch_array($r)){
        // Login good, create session variables
        $_SESSION["valid_user"] = $_POST["username"];
        // Redirect to member page
        header ("location: index.php");
    }
} else {
    //if nothing is returned by the query, unsuccessful login code goes here...
    echo 'Incorrect login name or password. Please try again.';
}
echo '<pre>Query: '. $q .'</pre>';
?>
```

index.php:

```php
<?php
if (!$_SESSION['valid_user']) {
    echo'
    <form action="login.php" method="post">
    <table cellspacing="0">
    <tr><td><input type="text" name="username"width="300" value="username"/></td></tr>
    <tr><td><input type="password" name="password"width="300" value="password"/></td></tr>
    <tr><td><input type="submit" value="login"/></td></tr>
    </table>
    </form>
    ';
} else {
    echo"Welcome".$_SESSION['valid_user'];
}
?>
```

Buddski Posted December 14, 2009

Do you have session_start(); at the top of your index page?

mrMarcus Posted December 14, 2009

PASSWORD() was hashing the password going into the database. what i was asking you is when you look at the password in your database, is it plain text (joe blow), or is it hashed (asdf786sa87df678as6fd786asd87f6a87sfd6)?

when you register an account, you must also hash the password going in, so when you go to login, the passwords will match:

if i register an account on your site, and you're not hashing the password upon registration and my password goes in as plain text (joe blow), and then when i try and login, you are now hashing the password i entered to login, and checking my plain-text password in the db against the hashed password i just entered in the login form, they will obviously not match, which will then tell me that i entered invalid information.

register.php

```php
<?php
//code...
$password = md5 ($_POST['password']); //password from register form;
//your insert query with a hashed $password going into `password` field.
?>
```

login.php

```php
<?php
//code...
$username = mysql_real_escape_string ($_POST["username"]);
$password = md5 ($_POST['password']); //password from login form;
$q = "SELECT * FROM `people` WHERE `username` = '".$username."' AND `password` = '".$password."'";
?>
```

you get it? don't use the MySQL hashing functions, just do your hashing with PHP.
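
The register/login pairing from the last reply, as an added example that is not part of the original thread: it passes the form values as PDO bound parameters instead of concatenating `$_POST` into the SQL string, and uses PHP's `password_hash()`/`password_verify()` in place of the MD5/SHA1 calls shown in the posts. The in-memory SQLite table, the function names `register_user` and `check_login`, and the sample accounts are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5.5+ with pdo_sqlite;
// an in-memory SQLite table stands in for the thread's MySQL `people` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// register.php side: store a salted, deliberately slow hash, never plain text.
function register_user(PDO $pdo, $username, $password) {
    $stmt = $pdo->prepare('INSERT INTO people (username, password) VALUES (?, ?)');
    $stmt->execute(array($username, password_hash($password, PASSWORD_DEFAULT)));
}

// login.php side: look the user up with a bound parameter, then compare the
// submitted password against the stored hash in PHP. The hash is salted, so
// it cannot be matched inside the WHERE clause the way the thread's queries do.
function check_login(PDO $pdo, $username, $password) {
    $stmt = $pdo->prepare('SELECT password FROM people WHERE username = ?');
    $stmt->execute(array($username));
    $hash = $stmt->fetchColumn();   // false when no such user exists
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample accounts. The second name contains a quote character,
// which would break the concatenated query strings but is plain data here.
register_user($pdo, 'alice', 'correct horse');
register_user($pdo, "o'brien", 'battery staple');

var_dump(check_login($pdo, 'alice', 'correct horse'));
var_dump(check_login($pdo, 'alice', 'wrong password'));
var_dump(check_login($pdo, "o'brien", 'battery staple'));
var_dump(check_login($pdo, 'nobody', 'anything'));
```

In a real login.php, a `true` result would be followed by `session_regenerate_id(true)`, setting `$_SESSION["valid_user"]`, the `header()` redirect and an `exit;` so nothing else runs after the redirect is sent.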