Stalingrad Posted August 2, 2011

Hi! I made a basic login for my site yesterday. It seemed to work fine yesterday but I tried it last night and now today and it's not working. =[ I'm not getting any errors, it's just that if I type in a random name and password it says you are now logged in when they're not even in the database. I login with a real name and password, it says it is logged in but the session variable name isn't set. Here is the code:

login.php:

```php
<?php
session_start();
$con = mysql_connect("localhost","username","password");
if (!$con) {
  die('Could not connect: ' . mysql_error());
}
mysql_select_db("database_name", $con);

if(!$submit) {
  echo "<font size=6><fontface=verdana>Login</font>";
?>
<form action="<? echo "$PHP_SELF"; ?>" method="POST">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br><br>
<input type="submit" name="submit" value="Log In"></form>
<?php
}
$submit = $_POST['submit'];
$lusername = $_POST['username'];
$lpassword = $_POST['password'];
if($submit) {
  $get = mysql_query("SELECT count(userid) FROM users WHERE username='$lusername' and password='$lpassword'");
  $theresult = mysql_result($get, 0);
  if($theresult == 1) {
    echo "<font face=verdana><font size=3><font color=red>Error! Invalid username and password combination.</font>";
  } else {
    $_SESSION['username'];
    echo "<font color=green><font face=verdana><font size=4>You are now Logged In, " .$_SESSION['username']. "</font>";}
}
?>
```

I edited out my database information for security purposes... it connects fine. I did NOT add an error message for what happens when the login is wrong. If anybody can help, I would greatly appreciate it... thanks! =]
ZulfadlyAshBurn Posted August 2, 2011

you did not specify what is $submit at the start of the php script. thus

```php
if(!$submit) {
  echo "<font size=6><fontface=verdana>Login</font>";
```

won't work
ZulfadlyAshBurn Posted August 2, 2011

modify your script to this

```php
<?php
session_start();
$submit = $_POST['submit'];
$con = mysql_connect("localhost","username","password");
if (!$con) {
  die('Could not connect: ' . mysql_error());
}
mysql_select_db("database_name", $con);

if(!$submit) {
  echo "<font size=6><fontface=verdana>Login</font>";
?>
<form action="<? echo "$PHP_SELF"; ?>" method="POST">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br><br>
<input type="submit" name="submit" value="Log In"></form>
<?php
}
$lusername = $_POST['username'];
$lpassword = $_POST['password'];
if($submit) {
  $get = mysql_query("SELECT count(userid) FROM users WHERE username='$lusername' and password='$lpassword'");
  $theresult = mysql_result($get, 0);
  if($theresult == 1) {
    echo "<font face=verdana><font size=3><font color=red>Error! Invalid username and password combination.</font>";
  } else {
    $_SESSION['username'];
    echo "<font color=green><font face=verdana><font size=4>You are now Logged In, " .$_SESSION['username']. "</font>";}
}
?>
```
Stalingrad Posted August 2, 2011

ahh thank you, but it's still not working. I typed in random letters and it still says logged in. When I put in the correct name and password, it says logged in but doesn't display the username (which is the session variable). thanks!
Nodral Posted August 2, 2011

As you manually declare that

```php
$submit = $_POST['submit'];
```

regardless of whether there is a value in $_POST['submit'] you have set the variable. Therefore if($submit) will always return true.

You should use

```php
if(isset($_POST['submit'])){
```

This way, it is only true if the submit button has been clicked.

A better way to organise your code, by the way, is to have all your php processing at the top, then have your output (HTML form) at the end.
Stalingrad Posted August 2, 2011

Still doesn't work. I'm not sure what is wrong. I can't even check to see if my database is working okay. I have phpmyadmin up and it's running okay.
ZulfadlyAshBurn Posted August 2, 2011

you must query your login first then display the form if error.

```php
<?php
session_start();
$submit = $_POST['submit'];
$lusername = $_POST['username'];
$lpassword = $_POST['password'];
$con = mysql_connect("localhost","username","password");
if (!$con) {
  die('Could not connect: ' . mysql_error());
}
mysql_select_db("database_name", $con);

if(!isset($_POST['submit'])) {
  echo "<font size=6><fontface=verdana>Login</font>";
?>
<form action="<? echo "$PHP_SELF"; ?>" method="POST">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br><br>
<input type="submit" name="submit" value="Log In"></form>
<?php
}
if(isset($_POST['submit'])) {
  $get = mysql_query("SELECT count(userid) FROM users WHERE username='$lusername' and password='$lpassword'");
  $theresult = mysql_result($get, 0);
  if($theresult == 1) {
    echo "<font face=verdana><font size=3><font color=red>Error! Invalid username and password combination.</font>";
  }
} else {
  $_SESSION['username'];
  echo "<font color=green><font face=verdana><font size=4>You are now Logged In, " .$_SESSION['username']. "</font>";
}
?>
```

this should work.
IrOnMaSk Posted August 2, 2011

To me it seems like this line never gets executed

```php
$get = mysql_query("SELECT count(userid) FROM users WHERE username='$lusername' and password='$lpassword'");
```

that's why it never checks the login info from the user against the database... which means it didn't check whether the form was submitted or not... and definitely do the isset to check whether the form has been submitted

and this line is subject to XSS attack:

```php
<form action="<? echo "$PHP_SELF"; ?>" method="POST">
```
Nodral Posted August 2, 2011

Alternatively try this

```php
if(isset($_POST['submit'])) {
  $get = mysql_query("SELECT id FROM users WHERE username='$lusername' and password='$lpassword'");
  $theresult = mysql_num_rows($get);
  if($theresult == 1) {
    echo "<font face=verdana><font size=3><font color=red>Error! Invalid username and password combination.</font>";
  } else {
    $_SESSION['username'];
    echo "<font color=green><font face=verdana><font size=4>You are now Logged In, " .$_SESSION['username']. "</font>";
  }
}
?>
```

Your if closing braces were also in the wrong place too. Check how they are now set above.
Stalingrad Posted August 2, 2011

Oh, okay guys! I got it to work, thank you! Just one more thing I guess I can ask here... my session variable at the bottom, well near the bottom... how do I set the session variable as a variable? Thanks!
Nodral Posted August 2, 2011

Move your closing braces to how I posted above. You come out of your if statement too early, so that the else you set your session variable in, is if $_POST['submit'] is not set.

Hope that makes sense
ZulfadlyAshBurn Posted August 2, 2011

```php
$myvariable = $_SESSION['thestoredsession'];
```
Stalingrad Posted August 2, 2011

Thanks for the help, but I tried that and the variable is still not displaying. It should say you are now logged in, username. But it just says, you are now logged in, .
Psycho Posted August 2, 2011

This is more of a suggestion, but the logic is backwards. You should have the code for the form at the end of the script. That way if the user did not submit credentials OR if login fails you can display the form and repopulate the user id.

Also, regarding ZulfadlyAshBurn's update there is a problem with this:

```php
$submit = $_POST['submit'];
```

That can cause errors to be displayed depending on the error reporting level. Plus, later in the code there is a check using

```php
if(!$submit) {
```

A non value will be interpreted as false, but that is a sloppy method. I would suggest this

```php
isset($_POST['submit'])
```

As for your script you are not setting the session value anywhere - only trying to display it.

Also, the FONT tag has been deprecated for YEARS - stop using it. You were using it wrong anyway - you have three opening font tags and only one closing tag. You can put multiple parameters into one opening tag.

Don't use PHP_SELF - it is not safe. Just leave the action parameter empty or do some research on the proper way to set the value.

Lastly, you are using the password in plain text in the database. You should be hashing the password (preferably with a salt). I didn't do anything with the password in the script below because you would have to create the hashing process to also implement in the script that creates the user records.

Here is a complete rewrite fixing many different problems and providing a more logical flow.

```php
<?php
session_start();

$con = mysql_connect("localhost","username","password");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("database_name", $con) or die('Could not select db: ' . mysql_error());;

//Create text var to hold any error messages
$errorMsg = '';

if(isset($_POST['submit'])) {
    $username = mysql_real_escape_string(trim($_POST['username']));
    $password = mysql_real_escape_string(trim($_POST['password']));

    if(empty($username) || empty($password)) {
        //Username and/or password is empty
        $errorMsg = "Username and password are required.";
    } else {
        //Create and run query to validate credentials
        $query = "SELECT userid FROM users WHERE username='$username' and password='$password'";
        $result = mysql_query($query);
        if(mysql_num_rows($result)!=1) {
            //Validation failed
            $errorMsg = "Error! Invalid username and password combination.";
        } else {
            //Validation passed
            $_SESSION['username'] = trim($_POST['username']);
            ##Ideally you should redirect to a welcome page using a header() after setting the session vars.
            ##For illustrative purposes we will display a confirmation message and exit the script
            echo "You are now Logged In, {$_SESSION['username']}";
            exit();
        }
    }
}

//Validation was not done or failed, unset the session var if it exists
if(isset($_SESSION['username']) { unset($_SESSION['username']); }

?>
<html>
<head></head>
<body>
<div style="color:red;"><?php echo $errorMsg; ?></div>
<h2 style="font-family:verdana;">Login</h2>
<form action="" method="post">
    Username: <input type="text" name="username" value="<?php echo trim($_POST['username']); ?>"><br>
    Password: <input type="password" name="password"><br><br>
    <input type="submit" name="submit" value="Log In">
</form>
</body>
</html>
```
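Added example (not written by any poster in this thread): the credential check from the rewrite above with the two changes that post recommends but leaves out, a salted password hash and a query whose values are bound rather than interpolated. It assumes PHP 5.5+ with PDO and pdo_sqlite; the in-memory SQLite table, the `password_hash` column, the helper names `create_user()` and `check_login()`, and the sample accounts are all constructed for illustration.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite database
// stands in for the MySQL "users" table; the schema is an assumption.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

// Registration side: store only the hash. password_hash() generates a random
// salt per password and embeds it in the returned string.
function create_user(PDO $db, $username, $password) {
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(array($username, password_hash($password, PASSWORD_DEFAULT)));
}

// Login side: returns the stored username on success, null on failure.
function check_login(PDO $db, $username, $password) {
    // Hash of a throwaway value, verified when the user is unknown so that
    // both failure paths do the same amount of work.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    // Bound parameter: the submitted value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $ok  = password_verify($password, $row ? $row['password_hash'] : $dummy);
    return ($row && $ok) ? $row['username'] : null;
}

// Constructed sample accounts and login attempts.
create_user($db, 'alice', 'correct horse battery');
create_user($db, "o'brien", 'another sample pw');
$attempts = array(
    array('alice', 'correct horse battery'),  // valid credentials
    array('alice', 'wrong'),                  // known user, bad password
    array('nobody', 'anything'),              // unknown user
    array("o'brien", 'another sample pw'),    // quote in the name, bound safely
);
foreach ($attempts as $a) {
    $user = check_login($db, $a[0], $a[1]);
    if ($user !== null) {
        // In the web script, call session_regenerate_id(true) before this line.
        $_SESSION['username'] = $user; // the assignment the original login.php never made
        echo "logged in as {$_SESSION['username']}\n";
    } else {
        echo "invalid username and password combination\n";
    }
}
```

The script that creates user records has to call the same `password_hash()` step, which is why the hash cannot be added to the login script alone.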
Nodral Posted August 2, 2011

Please repost your code so we can see what changes you have made. Have you moved the closing brace as suggested?
Stalingrad Posted August 2, 2011

Here is the code:

```php
<?php
session_start();
$submit = $_POST['submit'];
$lusername = $_POST['username'];
$lpassword = $_POST['password'];
$con = mysql_connect("localhost","ussername","password");
if (!$con) {
  die('Could not connect: ' . mysql_error());
}
mysql_select_db("database_name", $con);

if(!isset($_POST['submit'])){
  echo "<font size=6><fontface=verdana>Login</font>";
?>
<form action="<? echo "$PHP_SELF"; ?>" method="POST">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br><br>
<input type="submit" name="submit" value="Log In"></form>
<?php
}
if(isset($_POST['submit'])){
  $get = mysql_query("SELECT count(userid) FROM users WHERE username='$lusername' and password='$lpassword'");
  $theresult = mysql_result($get, 0);
  if($theresult != 1) {
    echo "<font face=verdana><font size=3><font color=red>Error! Invalid username and password combination.</font>";
  } else {
    $_SESSION['username'];
    $display = $_SESSION['username'];
    echo "<font color=green><font face=verdana><font size=4>You are now Logged In, " .$_SESSION['username']. "</font>";
  }
}
?>
```
ZulfadlyAshBurn Posted August 2, 2011

i suggest you follow mjdamato code.
Stalingrad Posted August 2, 2011

Okay, I put his code in, and I click to login, and it just shows the login again.
IrOnMaSk Posted August 2, 2011

wow this is confusing! there's lots of code... I would just stick to one code and debug it... so choose your favorite code lol

and the action here might not even doing anything, other word it's not grabbing username and password from the word that's you there's no error

```php
<form action="" method="post">
```
TOA Posted August 2, 2011

I suspect your issue is here. You're not actually setting the session variable to anything.

```php
else {
  $_SESSION['username'];
  $display = $_SESSION['username'];
  echo "<font color=green><font face=verdana><font size=4>You are now Logged In, " .$_SESSION['username']. "</font>";
```

You also set the session to another variable, then don't use it. Unless you use it later, seems pointless.

But I reiterate:

> i suggest you follow mjdamato code.

Hope that helps
Psycho Posted August 2, 2011

I did not test the code I provided previously. I just created a test database and after fixing a minor syntax error it works.

To fix the syntax error, change this

```php
if(isset($_SESSION['username'])
```

To this

```php
if(isset($_SESSION['username']))
```
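Added example (not written by any poster in this thread): the login form from the rewrite with every request-derived value HTML-encoded before output, covering both the PHP_SELF form action flagged earlier and the repopulated username field, which the rewrite echoes from `$_POST` unencoded. The helpers `e()` and `render_login_form()` and the sample values are hypothetical.

```php
<?php
// Added example, not code from the thread.

// Encode a value for use in HTML text or inside a quoted attribute.
function e($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Build the form; all three arguments are treated as untrusted.
function render_login_form($action, $errorMsg, $username) {
    return '<div style="color:red;">' . e($errorMsg) . "</div>\n"
         . '<form action="' . e($action) . '" method="post">' . "\n"
         . 'Username: <input type="text" name="username" value="' . e($username) . '"><br>' . "\n"
         . 'Password: <input type="password" name="password"><br><br>' . "\n"
         . '<input type="submit" name="submit" value="Log In">' . "\n"
         . "</form>\n";
}

// In the web script the arguments would come from the request, for example:
//   $action   = $_SERVER['SCRIPT_NAME'];  // omits the extra path info PHP_SELF includes
//   $username = isset($_POST['username']) ? trim($_POST['username']) : '';
// isset() also avoids the undefined-index notice on the first page load.

// Constructed values containing quote and angle-bracket characters.
$action   = '/login.php/"><b>';
$username = 'o"brien <test>';

echo render_login_form($action, 'Error! Invalid username and password combination.', $username);
```

In the output the quote and angle-bracket characters appear as `&quot;`, `&lt;` and `&gt;`, so they stay inside the attribute values instead of closing them.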