Login page error

[harshadmethrath]

I had a success page redirect after the login...but the login happens even if the username and password is not entered. you can check it in colonialcasa.org

 

here's the code for the login.php page ( i have obviously changed the server name, database and password for privacy reasons )

 

<?

 

/*simple checking of the data*/

if(isset($_POST['login']) & isset($_POST['pass']))

{

 

/*Connection to database logindb using your login name and password*/

$db=mysql_connect('servername','login','password') or die(mysql_error());

mysql_select_db('mpahost_logindb');

 

/*additional data checking and striping*/

$_POST['login']=mysql_real_escape_string(strip_tags(trim($_POST['login'])));

$_POST['pass']=mysql_real_escape_string(strip_tags(trim($_POST['pass'])));

 

$q=mysql_query("SELECT * FROM login WHERE login='{$_POST['login']}' AND pass='{$_POST['pass']}'",$db) or die(mysql_error());

 

/*If there is a matching row*/

if(mysql_num_rows($q) > 0)

{

$_SESSION['login'] = $_POST['login'];

$login='Welcome back '.$_SESSION['login'];

}

else

{

$login= 'Wrong login or password';

}

 

mysql_close($db);

 

}

/*Use of Sessions*/

if(!session_id())

 

header("Location: advocates.html"); // success page. put the URL you want

 

header("Cache-control: private"); //avoid an IE6 bug (keep this line on top of the page)

 

$login='NO data sent';

 

//you may echo the data anywhere in the file

echo $login;

 

?>

 

[DavidAM]

You are redirecting based on the value returned by the session_id() function.  That function has nothing to do with whether the login succeeded or not.  Here is your code with some changes and comments - note: you should use the code ( # ) tags or php ( [ php ] ) tags when posting code on the forum, it makes it easier to read.

 

<?php // ALWAYS USE FULL TAGS, THE SHORT TAGS WILL CREATE PROBLEMS FOR YOU LATER

/*simple checking of the data*/
if(isset($_POST['login']) & isset($_POST['pass']))
{
    // INDENT YOUR CODE SO IT IS EASIER TO READ

    /*Connection to database logindb using your login name and password*/
    $db=mysql_connect('servername','login','password') or die(mysql_error());
    mysql_select_db('mpahost_logindb');

    /*additional data checking and striping*/
    // YOU SHOULD NOT NEED strip_tags() UNLESS magic_quotes IS TURNED ON
    $_POST['login']=mysql_real_escape_string(strip_tags(trim($_POST['login'])));
    $_POST['pass']=mysql_real_escape_string(strip_tags(trim($_POST['pass'])));

    $q=mysql_query("SELECT * FROM login WHERE login='{$_POST['login']}' AND pass='{$_POST['pass']}'",$db) or die(mysql_error());

    /*If there is a matching row*/
    if(mysql_num_rows($q) > 0)
    {
       $_SESSION['login'] = $_POST['login'];
       $login='Welcome back '.$_SESSION['login'];
        // DO YOUR REDIRECT HERE SINCE YOU KNOW THE LOGIN IS VALID
        header("Location: advocates.html"); // success page. put the URL you want
        // ALWAYS, ALWAYS exit() AFTER A REDIRECT
        exit();
    }
    else
    {
       $login= 'Wrong login or password';
    }

    mysql_close($db);

}
// ??
header("Cache-control: private"); //avoid an IE6 bug (keep this line on top of the page)

// THIS WILL OVERWRITE WHATEVER YOU SET $login TO INSIDE THE IF ABOVE
$login='NO data sent';

//you may echo the data anywhere in the file
echo $login;

?>

 

Generally, you should do something more for the user when the login fails, like sending them back to the login form.

[harshadmethrath]

Thanks a lot

 

After using this code...i am receiving " no data sent" error message.

 

try it in colonialcasa.org/signup.html. create a login and try to log in throug any of the pages.

 

ur help is much appreciated.