eazyefolife Posted January 23, 2010

[code]
<?php
$con = mysql_connect("blocked","Blocked","blocked");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("blocked", $con);

if($_POST["username"] && $_POST["password"])
{
    if(!isset($_POST['username']) || !trim($_POST['username']))
        die('Please enter a name.');
    $fname = $_POST["username"];
    $ppassword = $_POST["password"];
    $sql = mysql_query("SELECT * FROM players WHERE Name = '$fname' AND Password = '$ppassword' LIMIT 1");
    if(mysql_num_rows($sql)>0)
    {
        echo("You are logged in!");
    }
}
else
{
    echo "Password does not match";
    return 0;
}
?>
[/code]

Link to comment https://forums.phpfreaks.com/topic/189572-how-come-it-keeps-saying-wrong-password-for-everything-0_o/
oni-kun Posted January 24, 2010

[code]!trim($_POST['username']))[/code]

This does not return true or false. It only returns the trimmed name (without leading or trailing spaces, blank characters or null) and will never be 'true', like you wanted to compare the password.

As well, and very importantly:

[code]
$fname = $_POST["username"];
$ppassword = $_POST["password"];
[/code]

You're not sanitizing the data being inputted to the database! This will lead to such easy injections and data retrieval. Use mysql_real_escape_string

[code]
$fname = mysql_real_escape_string($_POST["username"]);
$ppassword = mysql_real_escape_string($_POST["password"]);
[/code]
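As an added example (not code from the thread): one way to write the same lookup with a PDO prepared statement and `password_hash()`/`password_verify()` instead of the `mysql_*` functions, which were removed in PHP 7. The in-memory SQLite table, the `PasswordHash` column, the `check_login()` name and the sample row are assumptions made so the block runs on its own; it needs the `pdo_sqlite` extension.

```php
<?php
declare(strict_types=1);

// Constructed fixture: an in-memory SQLite table standing in for `players`.
// PasswordHash is a hypothetical column; the thread's table uses Password.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE players (Name TEXT PRIMARY KEY, PasswordHash TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO players (Name, PasswordHash) VALUES (?, ?)');
$insert->execute(["O'Brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Returns true only when the name exists and the password matches its hash.
 */
function check_login(PDO $pdo, string $name, string $password): bool
{
    // Placeholders keep the values out of the SQL text entirely, so quotes in
    // the input cannot change the structure of the statement.
    $stmt = $pdo->prepare('SELECT PasswordHash FROM players WHERE Name = ? LIMIT 1');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched.
    if ($hash === false) {
        return false;
    }
    return password_verify($password, $hash);
}

// Constructed inputs: a legitimate name containing a quote, a wrong password,
// and a value that carries SQL syntax.
$cases = [
    ["O'Brien", 'correct horse'],
    ["O'Brien", 'wrong'],
    ["x' OR '1'='1", "x' OR '1'='1"],
];
foreach ($cases as [$name, $password]) {
    $result = check_login($pdo, $name, $password) ? 'logged in' : 'rejected';
    printf("%-16s %s\n", $name, $result);
}
```

Only the first case logs in; the name with an apostrophe needs no escaping because it never becomes part of the SQL string.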
eazyefolife (Author) Posted January 24, 2010

[quote]
[code]!trim($_POST['username']))[/code]

This does not return true or false. It only returns the trimmed name (without leading or trailing spaces, blank characters or null) and will never be 'true', like you wanted to compare the password.

As well, and very importantly:

[code]
$fname = $_POST["username"];
$ppassword = $_POST["password"];
[/code]

You're not sanitizing the data being inputted to the database! This will lead to such easy injections and data retrieval. Use mysql_real_escape_string

[code]
$fname = mysql_real_escape_string($_POST["username"]);
$ppassword = mysql_real_escape_string($_POST["password"]);
[/code]
[/quote]

Still doesn't work.
oni-kun Posted January 24, 2010

[code]
<?php
$con = mysql_connect("blocked","Blocked","blocked");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("blocked", $con);

if($_POST["username"] && $_POST["password"])
{
    if(!isset($_POST['username'])) {
        die('Please enter a name.');
    }
    $fname = mysql_real_escape_string(trim($_POST["username"]));
    $ppassword = mysql_real_escape_string(trim( $_POST["password"]));
    $sql = mysql_query("SELECT * FROM players WHERE Name = '$fname' AND Password = '$ppassword' LIMIT 1");
    if(mysql_num_rows($sql)>0)
    {
        echo("You are logged in!");
    }
}
else
{
    echo "Password does not match";
    return false;
}
?>
[/code]

(May be syntax errors). But you can see the obvious problems with your old code.
eazyefolife (Author) Posted January 24, 2010

[quote]
[code]
<?php
$con = mysql_connect("blocked","Blocked","blocked");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("blocked", $con);

if($_POST["username"] && $_POST["password"])
{
    if(!isset($_POST['username'])) {
        die('Please enter a name.');
    }
    $fname = mysql_real_escape_string(trim($_POST["username"]));
    $ppassword = mysql_real_escape_string(trim( $_POST["password"]));
    $sql = mysql_query("SELECT * FROM players WHERE Name = '$fname' AND Password = '$ppassword' LIMIT 1");
    if(mysql_num_rows($sql)>0)
    {
        echo("You are logged in!");
    }
}
else
{
    echo "Password does not match";
    return false;
}
?>
[/code]

(May be syntax errors). But you can see the obvious problems with your old code.
[/quote]

I don't see anything, that's why I'm asking.
oni-kun Posted January 24, 2010

I told you, look at your logic:

[code]
if($_POST["username"] && $_POST["password"])
{
    if(!isset($_POST['username'])) {
        die('Please enter a name.');
    }
[/code]

If username and password HAVE to be defined, how can username EVER be not set? Your die() will never run.

And as mentioned before...:

[code]
if(!isset($_POST['username']) || !trim($_POST['username']))
    die('Please enter a name.');
[/code]

How can !trim equate to a true or false answer? It can't! It's like saying

[code]
if (substr($message)) {
    echo "message is correct";
}
[/code]

What is substr doing (or in your case trim)? Nothing! It will always equate to one thing.
eazyefolife (Author) Posted January 24, 2010

Edit: Code changed

[code]
if(!isset($_POST['username']) || !trim($_POST['username']))
    die('Please enter a name.');
$fname = mysql_real_escape_string(trim($_POST["username"]));
$ppassword = mysql_real_escape_string(trim( $_POST["password"]));
$sql = mysql_query("SELECT * FROM players WHERE Name = '$fname' AND Password = '$ppassword' LIMIT 1");
if($_POST["username"] && $_POST["password"])
{
    if(mysql_num_rows($sql)>0)
    {
        echo("You are logged in!");
    }
    else
    {
        echo "Account does not exist";
    }
    return false;
}
else
{
    echo("Incorrect Password");
}
[/code]

This is better? Now it keeps saying, please put in a name
oni-kun Posted January 24, 2010

[code]
if(!isset($_POST['username']) || !trim($_POST['username']))
    die('Please enter a name.');
[/code]

Yet that code still remains....
eazyefolife (Author) Posted January 24, 2010

[quote]
[code]
if(!isset($_POST['username']) || !trim($_POST['username']))
    die('Please enter a name.');
[/code]

Yet that code still remains....
[/quote]

Then what should I replace with it??
laffin Posted January 24, 2010

I think you need to understand what expressions and conditionals are. You can think of if/else statements as true/false:

[code]
if(true) {
    ..code ...
} else {
    ... code ...
}
[/code]

Now, if you note the trim function and what it does, and return.

[quote]trim — Strip whitespace (or other characters) from the beginning and end of a string[/quote]

Now ask yourself, can this be used in a true/false statement? Not a chance. So your object is making this into a true/false expression.

Now take a look at this function:

[quote]empty — Determine whether a variable is empty[/quote]

Remember, you can combine/nest functions to get your desired result.
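An added example, not code from any poster in this thread: how the `isset()`, `trim()` and `empty()` checks discussed above evaluate for a handful of constructed form submissions, next to a validator that compares against the empty string explicitly. The function name `validate_login_input()` and the sample values are assumptions; `$post` stands in for `$_POST`.

```php
<?php
declare(strict_types=1);

/**
 * Returns an error message for the submitted form, or null when both fields
 * are usable. $post stands in for $_POST so the function can be called directly.
 */
function validate_login_input(array $post): ?string
{
    // isset() guards against a missing key, is_string() against array-valued
    // fields; trim() makes a name of only spaces count as missing.
    $name = isset($post['username']) && is_string($post['username'])
        ? trim($post['username']) : '';
    $password = isset($post['password']) && is_string($post['password'])
        ? $post['password'] : '';

    // Compare against '' explicitly: both !trim($x) and empty($x) also treat
    // the string "0" as missing, because "0" is falsy in PHP.
    if ($name === '') {
        return 'Please enter a name.';
    }
    if ($password === '') {
        return 'Please enter a password.';
    }
    return null;
}

// Constructed form submissions.
$samples = [
    'no fields'     => [],
    'blank name'    => ['username' => '   ', 'password' => 'secret'],
    'name is "0"'   => ['username' => '0', 'password' => 'secret'],
    'name is array' => ['username' => ['a'], 'password' => 'secret'],
    'both present'  => ['username' => ' alice ', 'password' => 'secret'],
];
foreach ($samples as $label => $post) {
    $name = $post['username'] ?? '';
    // What the thread's !trim(...) test yields for the same value.
    $loose = is_string($name) ? var_export(!trim($name), true) : 'n/a';
    $result = validate_login_input($post) ?? 'ok';
    printf("%-14s !trim(): %-5s result: %s\n", $label, $loose, $result);
}
```

The `"0"` row is where the loose check and the explicit comparison differ: `!trim("0")` is `true`, while the validator accepts the name.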