eazyefolife Posted January 23, 2010 Share Posted January 23, 2010 <?php $con = mysql_connect("blocked","Blocked","blocked"); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("blocked", $con); if($_POST["username"] && $_POST["password"]) { if(!isset($_POST['username']) || !trim($_POST['username'])) die('Please enter a name.'); $fname = $_POST["username"]; $ppassword = $_POST["password"]; $sql = mysql_query("SELECT * FROM players WHERE Name = '$fname' AND Password = '$ppassword' LIMIT 1"); if(mysql_num_rows($sql)>0) { echo("You are logged in!"); } } else { echo "Password does not match"; return 0; } ?> Link to comment https://forums.phpfreaks.com/topic/189572-how-come-it-keeps-saying-wrong-password-for-everything-0_o/ Share on other sites More sharing options...
oni-kun Posted January 24, 2010 Share Posted January 24, 2010 !trim($_POST['username'])) This does not return true or false. It only returns the trimmed name (without leading or trailing spaces, blank characters or null) and will never be 'true' , like you wanted to compare the password. As well, and very importantly: $fname = $_POST["username"]; $ppassword = $_POST["password"]; You're not sanitizing the data being inputted to the database! This will lead to such easy injections and data retrieval. Use mysql_real_escape_string $fname = mysql_real_escape_string($_POST["username"]); $ppassword = mysql_real_escape_string($_POST["password"]); Link to comment https://forums.phpfreaks.com/topic/189572-how-come-it-keeps-saying-wrong-password-for-everything-0_o/#findComment-1000605 Share on other sites More sharing options...
eazyefolife Posted January 24, 2010 Author Share Posted January 24, 2010 !trim($_POST['username'])) This does not return true or false. It only returns the trimmed name (without leading or trailing spaces, blank characters or null) and will never be 'true' , like you wanted to compare the password. As well, and very importantly: $fname = $_POST["username"]; $ppassword = $_POST["password"]; You're not sanitizing the data being inputted to the database! This will lead to such easy injections and data retrieval. Use mysql_real_escape_string $fname = mysql_real_escape_string($_POST["username"]); $ppassword = mysql_real_escape_string($_POST["password"]); still doesnt work Link to comment https://forums.phpfreaks.com/topic/189572-how-come-it-keeps-saying-wrong-password-for-everything-0_o/#findComment-1000607 Share on other sites More sharing options...
oni-kun Posted January 24, 2010 Share Posted January 24, 2010 <?php $con = mysql_connect("blocked","Blocked","blocked"); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("blocked", $con); if($_POST["username"] && $_POST["password"]) { if(!isset($_POST['username'])) { die('Please enter a name.'); } $fname = mysql_real_escape_string(trim($_POST["username"])); $ppassword = mysql_real_escape_string(trim( $_POST["password"])); $sql = mysql_query("SELECT * FROM players WHERE Name = '$fname' AND Password = '$ppassword' LIMIT 1"); if(mysql_num_rows($sql)>0) { echo("You are logged in!"); } } else { echo "Password does not match"; return false; } ?> (May be syntax errrors). But you can see the obvious problems with your old code. Link to comment https://forums.phpfreaks.com/topic/189572-how-come-it-keeps-saying-wrong-password-for-everything-0_o/#findComment-1000609 Share on other sites More sharing options...
eazyefolife Posted January 24, 2010 Author Share Posted January 24, 2010 <?php $con = mysql_connect("blocked","Blocked","blocked"); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("blocked", $con); if($_POST["username"] && $_POST["password"]) { if(!isset($_POST['username'])) { die('Please enter a name.'); } $fname = mysql_real_escape_string(trim($_POST["username"])); $ppassword = mysql_real_escape_string(trim( $_POST["password"])); $sql = mysql_query("SELECT * FROM players WHERE Name = '$fname' AND Password = '$ppassword' LIMIT 1"); if(mysql_num_rows($sql)>0) { echo("You are logged in!"); } } else { echo "Password does not match"; return false; } ?> (May be syntax errrors). But you can see the obvious problems with your old code. I dont see anything, that's why im asking. Link to comment https://forums.phpfreaks.com/topic/189572-how-come-it-keeps-saying-wrong-password-for-everything-0_o/#findComment-1000610 Share on other sites More sharing options...
oni-kun Posted January 24, 2010 Share Posted January 24, 2010 I told you, look at your logic: if($_POST["username"] && $_POST["password"]) { if(!isset($_POST['username'])) { die('Please enter a name.'); } If username and password HAS to be defined, How can username EVER be not set? Your die() will never run. And as mentioned before.... : if(!isset($_POST['username']) || !trim($_POST['username'])) die('Please enter a name.'); How can !trim equate to a true or false answer? It can't! It's like saying if (substr($message)) { echo "message is correct"; } What is substr doing (or in your case trim), Nothing! it will always equate to one thing. Link to comment https://forums.phpfreaks.com/topic/189572-how-come-it-keeps-saying-wrong-password-for-everything-0_o/#findComment-1000613 Share on other sites More sharing options...
eazyefolife Posted January 24, 2010 Author Share Posted January 24, 2010 Edit: Code changed if(!isset($_POST['username']) || !trim($_POST['username'])) die('Please enter a name.'); $fname = mysql_real_escape_string(trim($_POST["username"])); $ppassword = mysql_real_escape_string(trim( $_POST["password"])); $sql = mysql_query("SELECT * FROM players WHERE Name = '$fname' AND Password = '$ppassword' LIMIT 1"); if($_POST["username"] && $_POST["password"]) { if(mysql_num_rows($sql)>0) { echo("You are logged in!"); } else { echo "Account does not exist"; } return false; } else { echo("Incorrect Password"); } This is better? Now it keeps saying, please put in a name Link to comment https://forums.phpfreaks.com/topic/189572-how-come-it-keeps-saying-wrong-password-for-everything-0_o/#findComment-1000616 Share on other sites More sharing options...
oni-kun Posted January 24, 2010 Share Posted January 24, 2010 if(!isset($_POST['username']) || !trim($_POST['username'])) die('Please enter a name.'); Yet that code still remains.... Link to comment https://forums.phpfreaks.com/topic/189572-how-come-it-keeps-saying-wrong-password-for-everything-0_o/#findComment-1000621 Share on other sites More sharing options...
eazyefolife Posted January 24, 2010 Author Share Posted January 24, 2010 if(!isset($_POST['username']) || !trim($_POST['username'])) die('Please enter a name.'); Yet that code still remains.... Then what should I replace with it?? Link to comment https://forums.phpfreaks.com/topic/189572-how-come-it-keeps-saying-wrong-password-for-everything-0_o/#findComment-1000653 Share on other sites More sharing options...
laffin Posted January 24, 2010 Share Posted January 24, 2010 I think you need to understand what expressions and conditionals are. you can think of if/else statements as true/false if(true) { ..code ... } else { ... code ... } [/code Now, if you note the trim function and what it does, and return. [quote]trim — Strip whitespace (or other characters) from the beginning and end of a string[/quote] Now ask yourself, can this be used in a true/false statement? Not a chance. so your object is making this into a true/false expression. now take a look at this function: [quote]empty — Determine whether a variable is empty[/quote] remember, you can combine/nest functions to get your desired result Link to comment https://forums.phpfreaks.com/topic/189572-how-come-it-keeps-saying-wrong-password-for-everything-0_o/#findComment-1000672 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.