
help with username/password code


gskurski


Hello,

 

I'm brand new to this forum so forgive me if I'm not following protocol, but I was hoping to get some help with some of my code. I am trying to create a login page that asks for a username and password, posts it to a php file, which connects to mysql database and verifies the username and password, and then either goes to the member page, or denies access. This is what I have so far.

 

From the login page:

 

<form action="login.php" method="post">
Username: <input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" />
</form>

login.php ---

<?php
$con = mysql_connect("host","admin","adminpass");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("database_users", $con);

$result = mysql_query("SELECT `Username` FROM users
WHERE Username='$_POST["username"]'
AND Password='$_POST["password"]'");

if ($result='$_POST["username"]')
    header("Location: http://www.website.com/members.html");
else
    echo "Incorrect username and/or password";

?>

 

I changed the relevant variables to make it anonymous for the forum, but they're correct in my original source.

 

Any help would be appreciated!

 

Thanks,

 

Gerry


$result is a mysql resource, not the column information. If you want the row info, even if you only select one column, you have to use one of the mysql_fetch_XXX functions.

 

Example with fetch_assoc

....
$row = mysql_fetch_assoc($result);
$username = $row['username'];//where 'username' is put the name of the column

 

 

Also, you don't sanitize your inputs at all. That script is open to a SQL injection. mysql_real_escape_string() should be used on all input variables you use in queries. For example:

$username = mysql_real_escape_string($_POST['username']);
$query = "select .. blah blah ... WHERE USERNAME='$username' AND .. blah";


if ($result='$_POST["username"]')

 

Like mikesta already said, $result is a result resource, and the above code assigns '$_POST["username"]' (literally) to $result due to =.

 

You most probably are looking for:

 

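$row = mysql_fetch_assoc($result);
// $row is false when no row matched; keys are case-sensitive (the query selects `Username`)
if ($row && $row['Username'] == $_POST['username'])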

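The two fixes suggested in this thread (fetch the row before comparing, and keep user input out of the SQL text) combined into one login check, as an added example that is not from any poster in the thread. It goes a step further than the replies by using a PDO prepared statement instead of mysql_real_escape_string() and by storing a password_hash() digest instead of a plaintext password; the SQLite in-memory database, the PasswordHash column and the check_login() helper are assumptions made so the script runs offline.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with the SQLite
// driver stands in for MySQL so the script runs offline; the PasswordHash
// column and the check_login() helper are hypothetical names.

function check_login(PDO $db, string $username, string $password): bool
{
    // Placeholders keep user input out of the SQL text, so quotes in the
    // input cannot change the query the way string interpolation can.
    $stmt = $db->prepare('SELECT Username, PasswordHash FROM users WHERE Username = :u');
    $stmt->execute([':u' => $username]);

    // fetch() returns the row as an array, or false when nothing matched.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Array keys are case-sensitive and follow the column names selected.
    return password_verify($password, $row['PasswordHash']);
}

// Constructed sample data: one account in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (Username TEXT PRIMARY KEY, PasswordHash TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (Username, PasswordHash) VALUES (?, ?)');
$insert->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// Simulated form submissions (constructed), in place of $_POST.
$attempts = [
    ["o'brien", 'correct horse'],   // valid; the quote is plain data
    ["o'brien", 'wrong password'],  // known user, wrong password
    ['nobody',  'correct horse'],   // unknown user, no row fetched
    ['',        ''],                // empty form
];

foreach ($attempts as [$user, $pass]) {
    $ok = check_login($db, $user, $pass);
    // A real handler would start a session and send the Location header
    // followed by exit; here the decision is only printed.
    printf("%-12s => %s\n", '"' . $user . '"', $ok ? 'members page' : 'denied');
}
```

Only the first attempt prints "members page"; the other three are denied.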