xcoderx Posted May 9, 2010 Share Posted May 9, 2010 ok all im trying to do is in the usrname fielf if i enter the correct value which is in db then it says user exist and if not the says user does not exist. here is my coding could someone help? <html> <head> <title>Login</title> <link rel="stylesheet" type="text/css" href="style/login.css" media="all"> </head> <body> <div id="form_align"> <form action="login.php" method="post" name="frm_login"> Username: <input type="text" name="txt_username"/><br /> Password: <input type="password" name="txt_pass"/><br /> <input type="submit" name="sub" value="Login"> </form> </div> </body> </html> <?php if(! $conn=mysql_connect("localhost", "root", "demo")) die("Could't connect to database server.."); mysql_select_db("online_application",$conn) or die(mysql_error()); $username = $_POST['txt_username']; $password = $_POST['txt_pass']; $sql = " SELECT * FROM users WHERE user_name='".$username."' AND password='".$password."'"; //$result = mysql_query($sql); if(){ print 'user exists'; } else{ print 'User does not exists'; } ?> Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/ Share on other sites More sharing options...
hansford Posted May 9, 2010 Share Posted May 9, 2010 $query= "Select * FROM users WHERE username = '$username' AND password = '$password'"; if(!$result = mysql_query($query)) { //handle error here } else { if(!mysql_num_rows($result)){ echo "user does not exist"; } else { echo "user exists"; } } Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/#findComment-1055328 Share on other sites More sharing options...
xcoderx Posted May 9, 2010 Author Share Posted May 9, 2010 i get error Parse error: parse error in C:\wamp\www\reg\login.php on line 49 Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/#findComment-1055330 Share on other sites More sharing options...
tomfmason Posted May 9, 2010 Share Posted May 9, 2010 I suggest that you checkout mysql_real_escape_string. As it stands your script is vulnerable to sql injection Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/#findComment-1055331 Share on other sites More sharing options...
xcoderx Posted May 9, 2010 Author Share Posted May 9, 2010 now is this Notice: Undefined variable: query in C:\wamp\www\reg\login.php on line 38 Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/#findComment-1055334 Share on other sites More sharing options...
tomfmason Posted May 9, 2010 Share Posted May 9, 2010 here is a simple but effective login script that I wrote back in 06 - http://php.nks.com.ar/manual/es/function.mysql-real-escape-string.php#68655 Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/#findComment-1055335 Share on other sites More sharing options...
hansford Posted May 9, 2010 Share Posted May 9, 2010 $query or $sql...name it whatever, just make sure its consistent in the script. edit: removed from post Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/#findComment-1055338 Share on other sites More sharing options...
xcoderx Posted May 9, 2010 Author Share Posted May 9, 2010 thanks bro but i must do with the coding i wrote im not suppose to use anythin else :-( damn im stuck Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/#findComment-1055339 Share on other sites More sharing options...
xcoderx Posted May 9, 2010 Author Share Posted May 9, 2010 ok almost near but now its not checking anythin by default i only see user does not exist Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/#findComment-1055344 Share on other sites More sharing options...
hansford Posted May 9, 2010 Share Posted May 9, 2010 If whatever value is in $username and $password are not in the database, then you will get "user does not exist" it must match both variables exactly; even a space will make it fail to find a match. edit: removed from post Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/#findComment-1055345 Share on other sites More sharing options...
litebearer Posted May 9, 2010 Share Posted May 9, 2010 Try checking WITHOUT using the password as part of the criteria Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/#findComment-1055347 Share on other sites More sharing options...
tomfmason Posted May 9, 2010 Share Posted May 9, 2010 are you storing the user's password in plain text? If so, you shouldn't. You should use md5 or some other hashing technique. Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/#findComment-1055355 Share on other sites More sharing options...
xcoderx Posted May 9, 2010 Author Share Posted May 9, 2010 yaya fixed thanks soo much. mistake was mine i was mispelling the value which was stored in db :-) Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/#findComment-1055356 Share on other sites More sharing options...
xcoderx Posted May 9, 2010 Author Share Posted May 9, 2010 i use md5 bro and thanks for the helps and time :-) Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/#findComment-1055359 Share on other sites More sharing options...
tomfmason Posted May 9, 2010 Share Posted May 9, 2010 i use md5 bro and thanks for the helps and time :-) are you sure? $username = $_POST['txt_username']; $password = $_POST['txt_pass']; $sql = " SELECT * FROM users WHERE user_name='".$username."' AND password='".$password."'"; //$result = mysql_query($sql); The code above takes a plain and unsanitized password from $_POST. I don't see where you are md5ing the posted password Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/#findComment-1055361 Share on other sites More sharing options...
tomfmason Posted May 9, 2010 Share Posted May 9, 2010 If you are using md5 to hash the password when the user registers you will also need to use it to check their password when they login. Here is an example of how I would do it(using your existing code) if(! $conn=mysql_connect("localhost", "root", "demo")) die("Could't connect to database server.."); mysql_select_db("online_application",$conn) or die(mysql_error()); $username = mysql_real_escape_string(trim($_POST['txt_username'])); $password = md5(mysql_real_escape_string(trim($_POST['txt_pass']))); $sql = " SELECT * FROM users WHERE user_name='".$username."' AND password='".$password."'"; $res= mysql_query($sql) $login_match= mysql_result($res, 0, 'login_match'); if($login_match == 1){ print 'user exists with that password'; } else{ print 'User does not exists with that password'; Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/#findComment-1055362 Share on other sites More sharing options...
xcoderx Posted May 9, 2010 Author Share Posted May 9, 2010 sorry my mistake i meant to say ill use md5 and yes currently the pws are in plain text Link to comment https://forums.phpfreaks.com/topic/201152-how-will-the-statement-be/#findComment-1055363 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.