
<?php
$con = mysql_connect("blocked","Blocked","blocked");
if (!$con) {
  die('Could not connect: ' . mysql_error());
}
mysql_select_db("blocked", $con);
if($_POST["username"] && $_POST["password"]) 
{
if(!isset($_POST['username']) || !trim($_POST['username'])) die('Please enter a name.');
$fname = $_POST["username"];
    $ppassword = $_POST["password"];
    $sql = mysql_query("SELECT * FROM players WHERE Name = '$fname' AND Password = '$ppassword' LIMIT 1");
    if(mysql_num_rows($sql)>0) 
    {
        echo("You are logged in!");
    }
}
else
{
echo "Password does not match";	
return 0;
}		
?>

!trim($_POST['username']))

 

This does not return true or false. It only returns the trimmed name (without leading or trailing spaces, blank characters or null) and will never be 'true', like you wanted to compare the password.

 

As well, and very importantly:

$fname = $_POST["username"];
$ppassword = $_POST["password"];

 

You're not sanitizing the data being inputted to the database! This will lead to such easy injections and data retrieval. Use mysql_real_escape_string:

$fname = mysql_real_escape_string($_POST["username"]);
$ppassword = mysql_real_escape_string($_POST["password"]);

Still doesn't work  :shrug:

<?php
$con = mysql_connect("blocked","Blocked","blocked");
if (!$con) {
  die('Could not connect: ' . mysql_error());
}
mysql_select_db("blocked", $con);
if($_POST["username"] && $_POST["password"]) {
   if(!isset($_POST['username'])) {
        die('Please enter a name.');
   }
    $fname = mysql_real_escape_string(trim($_POST["username"]));
    $ppassword = mysql_real_escape_string(trim( $_POST["password"]));
    $sql = mysql_query("SELECT * FROM players WHERE Name = '$fname' AND Password = '$ppassword' LIMIT 1");
    if(mysql_num_rows($sql)>0)  {
        echo("You are logged in!");
    }
} else {
    echo "Password does not match";
    return false;
}
?>

 

(May be syntax errors). But you can see the obvious problems with your old code.

I don't see anything, that's why I'm asking.

I told you, look at your logic:

if($_POST["username"] && $_POST["password"]) {
   if(!isset($_POST['username'])) {
        die('Please enter a name.');
   }

 

If username and password HAVE to be defined, how can username EVER be not set? Your die() will never run. And as mentioned before...:

 

if(!isset($_POST['username']) || !trim($_POST['username'])) die('Please enter a name.');

 

How can !trim equate to a true or false answer? It can't! It's like saying

if (substr($message)) { 
    echo "message is correct";
}

 

What is substr doing (or in your case trim)? Nothing! It will always equate to one thing.

 

Edit: Code changed

 

if(!isset($_POST['username']) || !trim($_POST['username'])) die('Please enter a name.');
    $fname = mysql_real_escape_string(trim($_POST["username"]));
    $ppassword = mysql_real_escape_string(trim( $_POST["password"]));
    $sql = mysql_query("SELECT * FROM players WHERE Name = '$fname' AND Password = '$ppassword' LIMIT 1");
if($_POST["username"] && $_POST["password"]) 
{
	if(mysql_num_rows($sql)>0)  {
		echo("You are logged in!");
	}
	else {
	echo "Account does not exist"; }
	return false;
}
else { echo("Incorrect Password"); 
}

 

This is better? Now it keeps saying, please put in a name.

I think you need to understand what expressions and conditionals are.

You can think of if/else statements as true/false:

if(true) { ..code ... }
else { ... code ... }

Now, if you note the trim function and what it does, and returns:
"trim — Strip whitespace (or other characters) from the beginning and end of a string"

Now ask yourself, can this be used in a true/false statement?
Not a chance.

So your object is making this into a true/false expression.

Now take a look at this function:
"empty — Determine whether a variable is empty"

Remember, you can combine/nest functions to get your desired result.
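
An added example, not code from any poster in this thread, of the same login check with explicit input tests, a bound query parameter instead of string interpolation, and a hashed password comparison. It assumes PDO with the SQLite driver (in-memory, so it runs offline) and that the `Password` column of `players` stores `password_hash()` output; `checkLogin` is a hypothetical helper name. The `mysql_*` functions used in the posts above were removed in PHP 7.0.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO + SQLite driver,
// and players.Password holds password_hash() output, not the plain password.
function checkLogin(PDO $db, array $post): string
{
    // Explicit comparisons instead of string truthiness: in PHP the string
    // "0" is falsy, so !trim("0") would reject a perfectly valid name.
    $name = isset($post['username']) && is_string($post['username'])
        ? trim($post['username']) : '';
    $pass = isset($post['password']) && is_string($post['password'])
        ? $post['password'] : '';
    if ($name === '') {
        return 'Please enter a name.';
    }
    if ($pass === '') {
        return 'Please enter a password.';
    }

    // Bound parameter: the submitted value never becomes part of the SQL text,
    // so quotes in it are plain data and need no escaping.
    $stmt = $db->prepare('SELECT Password FROM players WHERE Name = :name LIMIT 1');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();   // false when no row matches

    // One message for "unknown user" and "wrong password".
    if ($hash === false || !password_verify($pass, $hash)) {
        return 'Invalid username or password.';
    }
    return 'You are logged in!';
}

// Constructed sample data for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (Name TEXT PRIMARY KEY, Password TEXT)');
$ins = $db->prepare('INSERT INTO players (Name, Password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$samples = [
    ['username' => 'alice',   'password' => 'correct horse'], // logged in
    ['username' => 'alice',   'password' => 'wrong'],         // invalid
    ['username' => "o'neil",  'password' => 'anything'],      // quote is just data
    ['username' => '   ',     'password' => 'anything'],      // empty after trim
    ['password' => 'no name field at all'],                   // key missing
];
foreach ($samples as $post) {
    echo checkLogin($db, $post), PHP_EOL;
}
```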
