Nebin Posted May 18, 2011

Hi Guys. Really stuck here. I am making a website, it's basically an online shop of sorts. I am making a login page for our customers and an admin page for us lot to upload new products to SQL etc. What it's meant to do is accept the username and pw then allow me to access the admin page. Although it's just saying that the user doesn't exist all the time. I don't know why because the details are correct. :-\

The admin_login page is the code below.

```php
<?php
session_start();
if(isset($_SESSION["manager"])){
    header("location:index.php");
    exit();
}
?>
<?php
if(isset($_POST["username"])&&isset($_POST["password"])){
    $manager = preg_replace('#[A-Za-z0-9]#i','',$_POST["username"]);
    $password = preg_replace('#[^A-Za-z0-9]#i','',$_POST["password"]);
    include"../storescripts/connect_to_mysql.php";
    $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1");
    $existCount = mysql_num_rows($sql);
    if($existCount == 1){
        while($row = mysql_fetch_array($sql)){
            $id = $row["id"];
        }
        $_SESSION["id"] = $id;
        $_SESSION["manager"] = $manager;
        $_SESSION["password"] = $password;
        header("location: index.php");
        exit();
    }else{
        echo 'That Information Is Incorrect. Try again <a href="index.php">Click Here</a>';
        exit();
    }
}
?>
```

And now the index.php, which is what the admin sees when they log in successfully.

```php
<?php
session_start();
if(isset($_SESSION["manager"])){
    header("location: admin_login.php");
    exit();
}
//Be Sure To Check That This Manager Session Value Is Infact In The DataBase
$managerID = preg_replace('#[^0-9#i','',$_SESSION["id"]);
$manager = preg_replace('#[^A-Za-z0-9]#i','',$_SESSION["manager"]);
$password = preg_replace('#[^A-Za-z0-9]#i','',$_SESSION["password"]);
include "../strorescripts/connect_to_mysql.php";
$sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1");
$existCount = mysql_num_rows($sql);
if($existCount == 0){
    header("location:../index.php");
    exit();
}
?>
```

requinix Posted May 18, 2011

Take a look:

```php
preg_replace('#[A-Za-z0-9]#i','',$_POST["username"])
```

fugix Posted May 18, 2011

1. Are you connecting to your db?
2. Have you tried echoing the number of rows to make sure you are grabbing any?
3. Have you tried to debug your query yet? E.g.

```php
$sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1") or die(mysql_error());
```

wo66 Posted November 4, 2013

You have different paths on your include file..

```
include "../storescripts/connect_to_mysql.php";
include "../strorescripts/connect_to_mysql.php";
______________^
```

Remove the r !!

White_Lily Posted November 4, 2013

It also looks like you're going to need to process the form through AJAX / JSON if you intend to have 3 fields per form slide. You may also want to consider client-side validation so that the user's page doesn't have to refresh all the time just to bring up any errors.

MDCode Posted November 5, 2013

Noooo don't use any Adam Khoury (whatever) scripts (you're using one now). He stores passwords in his tutorials unhashed and unsalted and just tells you to go learn how. He's never heard of XSS, CSRF, and 2nd Order SQL Injection either. I would suggest either learning how to secure it first, build one from scratch, or follow another tutorial.

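As an added example (not code from any poster in this thread or from the tutorial being discussed), this is the kind of login check MDCode's points lead to: the username goes to the database as a bound parameter instead of a regex-filtered string spliced into the SQL, and the stored value is a salted hash checked with `password_verify()`. The in-memory SQLite database (needs the pdo_sqlite extension), the `password_hash` column, the function names and the sample accounts are assumptions made so the block runs on its own; the thread's code uses MySQL.

```php
<?php
// Added example: constructed schema and accounts; SQLite stands in for MySQL.
declare(strict_types=1);

function make_demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE admin (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL)');
    // Store a salted hash, never the password itself.
    $insert = $pdo->prepare('INSERT INTO admin (username, password_hash) VALUES (?, ?)');
    $insert->execute(['manager1', password_hash('Example-Pass-123', PASSWORD_DEFAULT)]);
    $insert->execute(["o'neil", password_hash('Another-Pass-456', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns the admin id when the credentials match, null otherwise.
function check_admin_login(PDO $pdo, string $username, string $password): ?int {
    // The placeholder keeps the username out of the SQL text, so quotes and
    // other characters are plain data and nothing has to be stripped from it.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM admin WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The password is compared against the hash in PHP, not inside the query.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

$pdo = make_demo_db();
var_dump(check_admin_login($pdo, 'manager1', 'Example-Pass-123')); // valid account
var_dump(check_admin_login($pdo, 'manager1', 'wrong-password'));   // bad password
var_dump(check_admin_login($pdo, "o'neil", 'Another-Pass-456'));   // quote in the name is just data
var_dump(check_admin_login($pdo, 'nobody', 'Example-Pass-123'));   // unknown user

// In the login page, on success, keep only the id in the session:
//   session_regenerate_id(true);
//   $_SESSION['admin_id'] = $id;
// The password does not belong in $_SESSION, and index.php can re-check
// the id with the same prepared-statement pattern.
```
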