rainprop Posted March 14, 2010

I've tried 5 different ways to create a login page... but all give the same results: WRONG ID AND PASSWORD. This is the latest login page which I've created. I'm starting to think that something may be wrong with my database itself, but I'm still lost. My database has a table called user; the attributes in it are Id, username, password, and emp_num. Can anyone please help? A million thanks in advance.

```php
// Create query
$q = "SELECT * FROM `user` "
    ."WHERE `username`='".$_POST["username"]."' "
    ."AND `password`=PASSWORD('".$_POST["password"]."') "
    ."LIMIT 1";
// Run query
$r = mysql_query($q);

if ( $obj = @mysql_fetch_object($r) )
    {
    // Login good, create session variables
    $_SESSION["valid_Id"] = $obj->Id;
    $_SESSION["valid_user"] = $_POST["username"];
    // Redirect to member page
    Header("Location: members.php");
    }
else
    {
    // Login not successful
    die("Sorry, could not log you in. Wrong login information.");
    }
}
else
```

MatthewJ Posted March 14, 2010

Have you tried echoing out the query and running against the data with something like phpmyadmin to make sure it is returning the result you think it should?

rainprop Posted March 14, 2010 Author

I'm sorry but I'm kind of new to this PHP thing. Echoing the query means? Is it copying the query to the MySQL console and seeing what the result is? Anyway, I did my database in phpmyadmin.

MatthewJ Posted March 15, 2010

Yes. If, say, you are making a variable called $sql that holds the SQL statement to execute, add echo $sql and take the resulting statement and send it through phpmyadmin's query interface to see if it is producing the results you expect once it has your variables in it.

For instance

```php
$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
echo $sql;
```

Would return something like this

```
SELECT * FROM users WHERE username = 'matt' AND password = 'Df54!55f_t'
```

That way you know all your variables are getting included properly in the query etc.

rainprop Posted March 16, 2010 Author

I've tried, but it can't produce any results in MySQL. It says error in syntax. How now?? :'(

PFMaBiSmAd Posted March 16, 2010

Posting the query and the error it produced would certainly be a step toward someone being able to help.

You should also not use the mysql PASSWORD() function for hashing passwords -

Note: The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA1() instead.

rainprop Posted March 16, 2010 Author

It's still the same... I'm so sad... don't know where the mistake is... really don't know. It says that it can't login, because of wrong username and password.

ksugihara Posted March 16, 2010

rainprop, can you post:

1. The error
2. A set of database values (so just copy the result of SELECT * FROM `users` WHERE `username`='realuser'). Of course, replace "realuser" with a real user.
3. This is a bit off topic, but please see www.php.net/mysql_real_escape_string as well (once the issue is resolved; this is not part of the resolution).

rainprop Posted March 16, 2010 Author

This is the full code for my login.php page. Prior to that I have configuration.php too.

```php
<?php
session_start();
// dBase file
include "dbConfig.php";

if (isset($_GET['op']) && $_GET["op"] == "login")
{
    if (!$_POST["username"] || !$_POST["password"])
    {
        die("You need to provide a username and password.");
    }

    $q = "SELECT * FROM `user` "
        ."WHERE `username`='".$_POST["username"]."' "
        ."AND `password`=SHA1('".$_POST["password"]."') "
        ."LIMIT 1";
    // Run query
    $r = mysql_query($q);

    if ( $obj = @mysql_fetch_object($r) )
    {
        // Login good, create session variables
        $_SESSION["valid_username"] = $obj->username;
        $_SESSION["valid_password"] = $_POST["password"];

        Header("Location: members.php");
    }
    else
    {
        die("Sorry, could not log you in. Wrong login information.");
    }
}
else
{
    echo "<form action=\"?op=login\" method=\"POST\">";
    echo "Username: <input name=\"username\" size=\"15\"><br />";
    echo "Password: <input type=\"password\" name=\"password\" size=\"8\"><br />";
    echo "<input type=\"submit\" value=\"Login\">";
    echo "</form>";
}
?>
```

The config.php is

```php
/
$host = "localhost";
$user = "root";
$db = "payroll4;

// Then you need to make sure the database you want
// is selected.
mysql_select_db($payroll4);
?>
```

Please help me... thanks.

ksugihara Posted March 16, 2010

Can you post what was requested? If you don't know how, let me know and we can go from there, but right now, what I asked for is what I need to help.

rainprop Posted March 16, 2010 Author

Yes, I don't know... please tell me how...

ksugihara Posted March 16, 2010

Ok.

1. Copy the error you are receiving when trying to run your application, and paste it into a reply here. I'm going to assume you know how to copy paste....
2. Go to PHPMyAdmin and run the following query, and copy the results here: SELECT * FROM `users`

rainprop Posted March 16, 2010 Author

1. THE SO CALLED ERROR.. as I've put it that way. This is what comes up when I try to login:

```
Sorry, could not log you in. Wrong login information.
```

2.

```
Id  username  password  emp_num
1   123       123       1
```

The data which I've inserted earlier are just for trial purposes, to make sure it runs.

ksugihara Posted March 16, 2010

```php
<?php
session_start();
// dBase file
include "dbConfig.php";

if (isset($_GET['op']) && $_GET["op"] == "login")
{
    if (!$_POST["username"] || !$_POST["password"])
    {
        die("You need to provide a username and password.");
    }

    // Escape user input before it goes into the query
    $q = "SELECT * FROM `user` "
        ."WHERE `username`='".mysql_real_escape_string($_POST["username"])."' "
        ."AND `password`='".mysql_real_escape_string($_POST["password"])."' "
        ."LIMIT 1";
    // Run query
    $r = mysql_query($q);

    if ( $obj = @mysql_fetch_object($r) )
    {
        // Login good, create session variables
        $_SESSION["valid_username"] = $obj->username;
        $_SESSION["valid_password"] = $_POST["password"];

        Header("Location: members.php");
    }
    else
    {
        die("Sorry, could not log you in. Wrong login information.");
    }
}
else
{
    echo "<form action=\"?op=login\" method=\"POST\">";
    echo "Username: <input name=\"username\" size=\"15\"><br />";
    echo "Password: <input type=\"password\" name=\"password\" size=\"8\"><br />";
    echo "<input type=\"submit\" value=\"Login\">";
    echo "</form>";
}
?>
```

1. Get an IDE that supports color syntaxing. I'm guessing you did this in Notepad? You would have caught your mistake if you had color syntaxing. Get Notepad++ AT LEAST.

2. Your password is not encrypted, so you don't need the PASSWORD() or SHA1() functions of MySQL. I suggest encrypting the password, but let's walk before we run.

3. `$_SESSION["valid_username"] = $obj->username;`

   I'm going to take a wild guess and say you probably don't know what OOP stands for, or the difference between a method, property, variable and function. So why on earth are you doing it this way? Use this:

   `$_SESSION["valid_username"] = htmlentities($_POST["username"]);`

4. Please look up mysql_real_escape_string and htmlentities, as well as XSS, SQL Injections, and JS Injections.

5. Your if statement:

```php
if ( $obj = @mysql_fetch_object($r) )
{
    // Login good, create session variables
    $_SESSION["valid_username"] = $obj->username;
    $_SESSION["valid_password"] = $_POST["password"];

    Header("Location: members.php");
}
```

   I see what you are doing, but semantically it is incorrect. Generally speaking, a while statement is used here, or:

```php
$r = mysql_query($q) or die("ERROR: " . mysql_error());
```

Also, don't use the root user, because if your application is not secure or exploited (it happens to the best developers), you aren't so much at risk. Give your user the right it needs. If you're reading, just give it read. If you're writing, remove GRANT and other unnecessary permissions. This is just good habit.

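The points raised in this thread (keeping user input out of the SQL text, not storing plaintext passwords, not keeping the password in the session), as an added example that is not code from any poster here. It swaps the thread's mysql_* calls and SHA1() for PDO prepared statements and PHP's password_hash()/password_verify(), and assumes an in-memory SQLite database with a constructed `user` table so that it runs on its own; the helper name check_login is hypothetical.

```php
<?php
// Added example: constructed data, hypothetical helper name.
// In-memory SQLite stands in for the MySQL database from the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (
    Id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, emp_num INTEGER)');

// Store a salted hash, never the plaintext password.
$ins = $pdo->prepare('INSERT INTO user (username, password, emp_num) VALUES (?, ?, ?)');
$ins->execute(['123', password_hash('123', PASSWORD_DEFAULT), 1]);

/**
 * Returns the user's Id on success, or null on failure.
 */
function check_login(PDO $pdo, string $username, string $password): ?int
{
    // Placeholders keep user input out of the SQL text entirely,
    // so quotes in the input cannot change the query.
    $st = $pdo->prepare('SELECT Id, password FROM user WHERE username = ? LIMIT 1');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);

    // Compare in PHP: password_verify() reads the salt from the stored hash.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['Id'];
}

// Constructed inputs: a valid login, a wrong password, and a name containing a quote.
$attempts = [['123', '123'], ['123', 'wrong'], ["o'brien", 'x']];
foreach ($attempts as [$u, $p]) {
    $id = check_login($pdo, $u, $p);
    if ($id !== null) {
        // On a real page: session_start(), then session_regenerate_id(true),
        // and store only the Id in $_SESSION, never the password.
        echo "login ok for user Id $id\n";
    } else {
        echo "login failed\n";
    }
}
```

The same failure message is returned whether the username is unknown or the password is wrong, so the response does not reveal which usernames exist.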