Hi PHP freaks,

I'm returning to the webpage building community after a 10-year hiatus and have returned to find many new and delicious toys to play with, tastiest of all being PHP. I'm trying to build a minimal security site with PHP/MySQL login as well as a simple PHP require using sessions to secure each page. I've based the script around a 'security by obscurity' script written by blackmouth, which worked wonderfully. However, once I added and tried implementing the page security via sessions, the entire script broke down and now forwards to the secure page even without proper login credentials. Given that I am completely uneducated in the area of PHP, I'm hoping there is a simple resolution eluding me that is obvious to a master of the art. Here are the pieces of my PHP puzzle.

My login script, again, working as intended until I entered in the session pieces:

 

<?php

$username = md5($_POST["username"]);
$passwd = md5($_POST["pass"]);

$handle = mysql_connect("my.sql.db","sqladmin","admin");
mysql_select_db("users",$handle);

$query = "SELECT r34ln4m3 FROM 1nside0ut WHERE md5(l0gn4m3)='$username' AND entryw41='$passwd'";
$result = mysql_query($query,$handle);

if(mysql_num_rows($result)!==0);
{
  session_start();
  $_SESSION['auth'] = 1;
  $_SESSION['name'] = $list;
  header('Location: index1.htm');
}

alert('Incorrect username or password!');
header('Location: index.html');

?>

 

That is intended to create a session which is then required by each page via:

 

<?php
require("userauth.php");
?>
<!DOCTYPE html PUBLIC...

 

And that file is:

 

<?php
if($_SESSION["auth"]!==1);
{
  header('Location: index.html');
}
?>

 

Again I'm only a couple weeks into learning PHP so please, be gentle if my mistake is an elementary one. Thanks in advance for taking the time to read through my issue.

 

cheers.

Can't figure out how to edit my original post so I will thank you for the correction, however it does not address my problem.

 

Specifically, why would

 

if(mysql_num_rows($result)!==0);

 

always return true even when using incorrect login credentials?

Because you are not testing if your query executed without any errors before using mysql_num_rows().

 

If the query failed due to an error, mysql_num_rows() will return a FALSE value, not a zero and by using the exact comparison !== you are testing if mysql_num_rows() is not exactly a zero.

 

Edit: Testing for the condition you want ( mysql_num_rows($result) == 1 ) will result in fail-safe code (you will still need to troubleshoot why your query is failing.)

Turns out the issue was because I had a semicolon at the end of my if() line. Silly me, and thank you for your help, PFMaBiSmAd.

 

Also I was able to correct all my issues by renaming my html files to php.  I hadn't realized that you could write .php as standard html files.  This is excellent news!

 

Thank you for supporting this irregular newbie.

Ah, one more question if anyone is still listening...

 

Is there an argument for using the require() as opposed to just putting the short PHP script into the top of each individual document?

 

Easier code maintenance.  Say you needed to modify that code sometime down the line.  What's easier - going to every file that has the code hard wired into it and copy/pasting the changes, or visiting one file, editing it, and having the changes automatically applied to all the other files that use that code?

 

EDIT: along similar lines, modularity.
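
The points raised in this thread (the stray semicolon after if(), mysql_num_rows() returning FALSE on a failed query, and the shared userauth.php guard), as an added example that is not code from any poster. All function names are hypothetical, and $rows stands in for the value mysql_num_rows() handed the original script; the inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. All function names are hypothetical.
// $rows stands in for what mysql_num_rows() gave the original script:
// an int on success, false when the query itself failed.

// Original shape: the stray ';' ends the if, so the braced block always runs.
function login_original($rows): array
{
    $session = [];
    if ($rows !== 0);
    {
        $session['auth'] = 1;
    }
    return $session;
}

// Semicolon removed, comparison kept: a failed query (false) still logs in,
// because false !== 0 is true.
function login_fail_open($rows): array
{
    return ($rows !== 0) ? ['auth' => 1] : [];
}

// Fail-safe: only exactly one matching row authenticates.
function login_fail_safe($rows): array
{
    return ($rows === 1) ? ['auth' => 1] : [];
}

// Guard for userauth.php: returns the redirect target, or null if authenticated.
// isset() avoids a notice when no login has happened. In the real file the
// caller must call session_start() first and exit after sending the header,
// because header('Location: ...') alone does not stop the page from rendering.
function guard(array $session): ?string
{
    return (isset($session['auth']) && $session['auth'] === 1) ? null : 'index.html';
}

// Constructed inputs: query error, no matching row, one matching row.
foreach ([false, 0, 1] as $rows) {
    printf(
        "%-5s original=%-10s fail_open=%-10s fail_safe=%s\n",
        var_export($rows, true),
        guard(login_original($rows)) ?? 'allowed',
        guard(login_fail_open($rows)) ?? 'allowed',
        guard(login_fail_safe($rows)) ?? 'allowed'
    );
}
```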
