xcoderx Posted May 9, 2010 Share Posted May 9, 2010 ok all im trying to do is in the usrname fielf if i enter the correct value which is in db then it says user exist and if not the says user does not exist. here is my coding could someone help? <html> <head> <title>Login</title> <link rel="stylesheet" type="text/css" href="style/login.css" media="all"> </head> <body> <div id="form_align"> <form action="login.php" method="post" name="frm_login"> Username: <input type="text" name="txt_username"/><br /> Password: <input type="password" name="txt_pass"/><br /> <input type="submit" name="sub" value="Login"> </form> </div> </body> </html> <?php if(! $conn=mysql_connect("localhost", "root", "demo")) die("Could't connect to database server.."); mysql_select_db("online_application",$conn) or die(mysql_error()); $username = $_POST['txt_username']; $password = $_POST['txt_pass']; $sql = " SELECT * FROM users WHERE user_name='".$username."' AND password='".$password."'"; //$result = mysql_query($sql); if(){ print 'user exists'; } else{ print 'User does not exists'; } ?> Quote Link to comment Share on other sites More sharing options...
hansford Posted May 9, 2010 Share Posted May 9, 2010 $query= "Select * FROM users WHERE username = '$username' AND password = '$password'"; if(!$result = mysql_query($query)) { //handle error here } else { if(!mysql_num_rows($result)){ echo "user does not exist"; } else { echo "user exists"; } } Quote Link to comment Share on other sites More sharing options...
xcoderx Posted May 9, 2010 Author Share Posted May 9, 2010 i get error Parse error: parse error in C:\wamp\www\reg\login.php on line 49 Quote Link to comment Share on other sites More sharing options...
tomfmason Posted May 9, 2010 Share Posted May 9, 2010 I suggest that you checkout mysql_real_escape_string. As it stands your script is vulnerable to sql injection Quote Link to comment Share on other sites More sharing options...
xcoderx Posted May 9, 2010 Author Share Posted May 9, 2010 now is this Notice: Undefined variable: query in C:\wamp\www\reg\login.php on line 38 Quote Link to comment Share on other sites More sharing options...
tomfmason Posted May 9, 2010 Share Posted May 9, 2010 here is a simple but effective login script that I wrote back in 06 - http://php.nks.com.ar/manual/es/function.mysql-real-escape-string.php#68655 Quote Link to comment Share on other sites More sharing options...
hansford Posted May 9, 2010 Share Posted May 9, 2010 $query or $sql...name it whatever, just make sure its consistent in the script. edit: removed from post Quote Link to comment Share on other sites More sharing options...
xcoderx Posted May 9, 2010 Author Share Posted May 9, 2010 thanks bro but i must do with the coding i wrote im not suppose to use anythin else :-( damn im stuck Quote Link to comment Share on other sites More sharing options...
xcoderx Posted May 9, 2010 Author Share Posted May 9, 2010 ok almost near but now its not checking anythin by default i only see user does not exist Quote Link to comment Share on other sites More sharing options...
hansford Posted May 9, 2010 Share Posted May 9, 2010 If whatever value is in $username and $password are not in the database, then you will get "user does not exist" it must match both variables exactly; even a space will make it fail to find a match. edit: removed from post Quote Link to comment Share on other sites More sharing options...
litebearer Posted May 9, 2010 Share Posted May 9, 2010 Try checking WITHOUT using the password as part of the criteria Quote Link to comment Share on other sites More sharing options...
tomfmason Posted May 9, 2010 Share Posted May 9, 2010 are you storing the user's password in plain text? If so, you shouldn't. You should use md5 or some other hashing technique. Quote Link to comment Share on other sites More sharing options...
xcoderx Posted May 9, 2010 Author Share Posted May 9, 2010 yaya fixed thanks soo much. mistake was mine i was mispelling the value which was stored in db :-) Quote Link to comment Share on other sites More sharing options...
xcoderx Posted May 9, 2010 Author Share Posted May 9, 2010 i use md5 bro and thanks for the helps and time :-) Quote Link to comment Share on other sites More sharing options...
tomfmason Posted May 9, 2010 Share Posted May 9, 2010 i use md5 bro and thanks for the helps and time :-) are you sure? $username = $_POST['txt_username']; $password = $_POST['txt_pass']; $sql = " SELECT * FROM users WHERE user_name='".$username."' AND password='".$password."'"; //$result = mysql_query($sql); The code above takes a plain and unsanitized password from $_POST. I don't see where you are md5ing the posted password Quote Link to comment Share on other sites More sharing options...
tomfmason Posted May 9, 2010 Share Posted May 9, 2010 If you are using md5 to hash the password when the user registers you will also need to use it to check their password when they login. Here is an example of how I would do it(using your existing code) if(! $conn=mysql_connect("localhost", "root", "demo")) die("Could't connect to database server.."); mysql_select_db("online_application",$conn) or die(mysql_error()); $username = mysql_real_escape_string(trim($_POST['txt_username'])); $password = md5(mysql_real_escape_string(trim($_POST['txt_pass']))); $sql = " SELECT * FROM users WHERE user_name='".$username."' AND password='".$password."'"; $res= mysql_query($sql) $login_match= mysql_result($res, 0, 'login_match'); if($login_match == 1){ print 'user exists with that password'; } else{ print 'User does not exists with that password'; Quote Link to comment Share on other sites More sharing options...
xcoderx Posted May 9, 2010 Author Share Posted May 9, 2010 sorry my mistake i meant to say ill use md5 and yes currently the pws are in plain text Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.