drogers76 Posted September 12, 2010

Here is my code so far... I can't log in using this PHP. I am new to PHP and am trying my hardest to figure this out... I have been on this for 4 days and am about to pull all of my hair out... Can anyone please help me...

//******** start of login.php ********

```php
<?php
require_once('connectvars.php');

// Start the session
session_start();

// Clear the error message
// $error_msg = "";

// If the user isn't logged in, try to log them in
if (!isset($_SESSION['user_id'])) {
    if (isset($_POST['submit'])) {
        // Connect to the database
        $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
        if (!$dbc) {
            // mysqli_error() needs a link; a failed connect is reported by mysqli_connect_error()
            die('Could not connect: ' . mysqli_connect_error());
        }
        echo 'Connected successfully';

        // Grab the user-entered log-in data
        $user_email = mysqli_real_escape_string($dbc, trim($_POST['email']));
        $user_pass = mysqli_real_escape_string($dbc, trim($_POST['password']));

        if (!empty($user_email) && !empty($user_password)) {
            // Look up the username and password in the database
            $query = "SELECT tb_user_id, tb_user_email FROM tb_users WHERE tb_user_email = '$user_email' AND tb_user_password = SHA('$user_pass')";
            $data = mysqli_query($dbc, $query);

            if (mysqli_num_rows($data) == 1) {
                // The log-in is OK so set the user ID and username session vars (and cookies), and redirect to the home page
                $row = mysqli_fetch_array($data);
                $_SESSION['user_id'] = $row['tb_user_id'];
                $_SESSION['email'] = $row['tb_user_email'];
                setcookie('user_id', $row['tb_user_id'], time() + (60 * 60 * 24 * 30)); // expires in 30 days
                setcookie('email', $row['tb_user_email'], time() + (60 * 60 * 24 * 30)); // expires in 30 days
                $home_url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . '/index.php';
                header('Location: ' . $home_url);
            } else {
                // The username/password are incorrect so set an error message
                $error_msg = 'Sorry, you must enter a valid username and password to log in1.';
            }
        } else {
            //*********** This is the error I keep getting
            // The username/password weren't entered so set an error message
            $error_msg = 'Sorry, you must enter your username and password to log in2.';
        }
    }
}

// Insert the page header
$page_title = 'Log In';
require_once('header.php');

// If the session var is empty, show any error message and the log-in form; otherwise confirm the log-in
if (empty($_SESSION['user_id'])) {
    echo '<p class="error">' . $error_msg . '</p>';
?>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <fieldset>
        <legend>Log In</legend>
        <label for="email">Email Address:</label>
        <input type="text" name="email" value="<?php if (!empty($user_email)) echo $user_email; ?>" /><br />
        <label for="password">Password:</label>
        <input type="password" name="password"/>
    </fieldset>
    <input type="submit" value="Log In" name="submit" />
</form>
<?php
} else {
    // Confirm the successful log-in
    echo('<p class="login">You are logged in as ' . $_SESSION['email'] . '.</p>');
}
?>

<?php
// Insert the page footer
require_once('footer.php');
?>
```

Pikachu2000 Posted September 12, 2010

So what does happen when it runs? What errors do you get?

drogers76 Posted September 12, 2010

"Connected successfully MyHOMEPAGE - Log In Sorry, you must enter your username and password to log in2."

and the page resets rather than going to index.php

rwwd Posted September 12, 2010

Hi there,

```php
$user_email = mysqli_real_escape_string($dbc, trim($_POST['email']));
$user_pass = mysqli_real_escape_string($dbc, trim($_POST['password']));

if (!empty($user_email) && !empty($user_pass)) {
```

Alter the var's name in the !empty($user_password) and take off the word I have placed in bold; it doesn't match what you had called the variable in the previous lump of code.

And the use of $_SERVER['PHP_SELF']; isn't recommended now as there are security issues around it; either leave the attribute blank or put in the filename of the file that you have written the code in.

Change this:-

```php
<input type="text" name="email" value="<?php if (!empty($user_email)) echo $user_email; ?>" /><br />
```

to:-

```php
<input type="text" name="email" value="<?php echo (!empty($user_email) ? $user_email : ''); ?>" /><br />
```

That just makes that easier to read.

Have you tried this (reformatted):-

```php
$query = "SELECT `tb_user_id`, `tb_user_email` FROM `tb_users` WHERE `tb_user_email` = '".$user_email."' AND `tb_user_password` = SHA('".$user_pass."')";
```

through phpmyadmin/mysql query browser to see if it gives you the result you're expecting (by which I mean the populated string and not the code ;-p)

And instead of doing this:

```php
if (mysqli_num_rows($data) == 1) {
```

do this:

```php
if (mysqli_num_rows($data) > 0) {
```

This just makes the code a little bit more lenient and not so critical (though this could be argued).

I'm not sure that this will fix it, but you can give it a go!

Cheers,
Rw

drogers76 Posted September 12, 2010

OK, now I am getting the error: "Sorry, you must enter a valid username and password to log in1" so I think I am getting close... Here is all of the new code....

//***************START login.php

```php
<?php
require_once('connectvars.php');

// Start the session
session_start();

// Clear the error message
// $error_msg = "";

// If the user isn't logged in, try to log them in
if (!isset($_SESSION['user_id'])) {
    if (isset($_POST['submit'])) {
        // Connect to the database
        $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
        if (!$dbc) {
            // mysqli_error() needs a link; a failed connect is reported by mysqli_connect_error()
            die('Could not connect: ' . mysqli_connect_error());
        }
        echo 'Connected successfully';

        // Grab the user-entered log-in data
        $user_email = mysqli_real_escape_string($dbc, trim($_POST['email']));
        $user_pass = mysqli_real_escape_string($dbc, trim($_POST['password']));

        if (!empty($user_email) && !empty($user_pass)) {
            // Look up the username and password in the database
            $query = "SELECT tb_user_id, tb_user_email FROM tb_users WHERE tb_user_email = '$user_email' AND tb_user_password = SHA('$user_pass')";
            $data = mysqli_query($dbc, $query);

            if (mysqli_num_rows($data) > 0) {
                // The log-in is OK so set the user ID and username session vars (and cookies), and redirect to the home page
                $row = mysqli_fetch_array($data);
                $_SESSION['user_id'] = $row['tb_user_id'];
                $_SESSION['email'] = $row['tb_user_email'];
                setcookie('user_id', $row['tb_user_id'], time() + (60 * 60 * 24 * 30)); // expires in 30 days
                setcookie('email', $row['tb_user_email'], time() + (60 * 60 * 24 * 30)); // expires in 30 days
                $home_url = 'http://' . $_SERVER['HTTP_HOST'] . '/scripts/' . 'index.php';
                header('Location: ' . $home_url);
            } else {
                // The username/password are incorrect so set an error message
                $error_msg = 'Sorry, you must enter a valid username and password to log in1.';
            }
        } else {
            // The username/password weren't entered so set an error message
            $error_msg = 'Sorry, you must enter your username and password to log in2.';
        }
    }
}

// Insert the page header
$page_title = 'Log In';
require_once('header.php');

// If the session var is empty, show any error message and the log-in form; otherwise confirm the log-in
if (empty($_SESSION['user_id'])) {
    echo '<p class="error">' . $error_msg . '</p>';
?>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <fieldset>
        <legend>Log In</legend>
        <label for="email">Email Address:</label>
        <input type="text" name="email" value="<?php if (!empty($user_email)) echo $user_email; ?>" /><br />
        <label for="password">Password:</label>
        <input type="password" name="password"/>
    </fieldset>
    <input type="submit" value="Log In" name="submit" />
</form>
<?php
} else {
    // Confirm the successful log-in
    echo('<p class="login">You are logged in as ' . $_SESSION['email'] . '.</p>');
}
?>

<?php
// Insert the page footer
require_once('footer.php');
?>
```

drogers76 Posted September 12, 2010

There has to be something wrong with this section of code....

```php
if (mysqli_num_rows($data) > 0) {
    // The log-in is OK so set the user ID and username session vars (and cookies), and redirect to the home page
    $row = mysqli_fetch_array($data);
    $_SESSION['user_id'] = $row['tb_user_id'];
    $_SESSION['email'] = $row['tb_user_email'];
    setcookie('user_id', $row['tb_user_id'], time() + (60 * 60 * 24 * 30)); // expires in 30 days
    setcookie('email', $row['tb_user_email'], time() + (60 * 60 * 24 * 30)); // expires in 30 days
    $home_url = 'http://' . $_SERVER['HTTP_HOST'] . '/scripts/' . 'index.php';
    header('Location: ' . $home_url);
```

Any more help would be so awesome.. I can't move forward until I figure this out... and it has been a nightmare...

rwwd Posted September 12, 2010

No, you're misunderstanding the issue. This appears to be an issue with what comes back from the SQL server. Echo the SQL string to screen AFTER it is populated; make sure it is/has what you want, then copy and paste that into your phpmyadmin/sql query browser and see what it returns. This will highlight any spelling errors, wrongly assigned names etc. The code seems fine, so you need to go from the SQL end of things now:-

```php
if (!empty($user_email) && !empty($user_pass)) {
    // Look up the username and password in the database
    echo $query = "SELECT tb_user_id, tb_user_email FROM tb_users WHERE tb_user_email = '$user_email' AND tb_user_password = SHA('$user_pass')";
    exit;
    $data = mysqli_query($dbc, $query);
```

Do this and see what you get and if it is as expected! From there you can debug it!

Cheers,
Rw

drogers76 Posted September 12, 2010

I am going to scream and just pogo a hot poker for messing this thing up... I have the database set to only allow 32 character email addresses, all of my email addresses were way longer.. so that was the problem all along... I am such a jack@$$... Finally it's all fixed though... Thank you everyone for your help, now to the psychologist for some real help...

rwwd Posted September 12, 2010

I guessed as much when the query moved the error message.

When you are using any hash/sha function, read the manual to see what char length is returned when data is passed into it. Then adjust your DB to suit; this will eliminate anything else like this in the future.

It's happened to me more times than I care to mention!!

Anyway, it's working now; after a few revisions of the code you will wonder what all the fuss was about!!

Cheers,
Rw

Pikachu2000 Posted September 12, 2010

Unrelated to the problem in this thread, but you should change this

```php
action="<?php echo $_SERVER['PHP_SELF']; ?>"
```

to

```php
action=""
```

in your <form> tag. It's an XSS vulnerability.
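
Why the `PHP_SELF` form action flagged by rwwd and Pikachu2000 is a problem, as an added example that is not part of any post in the thread: it renders the opening `<form>` tag the way login.php does, then with the empty action suggested above, then with the value HTML-escaped. The function names are hypothetical and the two `PHP_SELF` values are constructed samples.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.
// $_SERVER['PHP_SELF'] is the script path plus any trailing path info taken
// from the request URL, so part of it is chosen by whoever wrote the link.

// Pattern used in login.php: the value lands in the attribute unescaped.
function form_open_raw(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Fix given in the thread: an empty action submits to the current URL.
function form_open_empty(): string
{
    return '<form method="post" action="">';
}

// Alternative when an explicit path is wanted: escape for attribute context.
function form_open_escaped(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// True when the output is still one <form> tag holding only our attributes.
function tag_intact(string $tag): bool
{
    return preg_match('/^<form method="post" action="[^"<>]*">$/', $tag) === 1;
}

// Constructed PHP_SELF values: a plain request, and one where markup follows
// the script name (a harmless <b> marker stands in for injected HTML).
$samples = [
    '/scripts/login.php',
    '/scripts/login.php/"><b>injected</b>',
];

foreach ($samples as $phpSelf) {
    $variants = [
        'raw'     => form_open_raw($phpSelf),
        'empty'   => form_open_empty(),
        'escaped' => form_open_escaped($phpSelf),
    ];
    echo "PHP_SELF = $phpSelf\n";
    foreach ($variants as $name => $tag) {
        printf("  %-8s intact=%-5s %s\n", $name, var_export(tag_intact($tag), true), $tag);
    }
}
```

Only the raw variant reports `intact=false` for the second sample, because the quote in the path closes the `action` attribute early. The same `htmlspecialchars()` call applies to the email value that login.php echoes back into the `value` attribute.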