Jump to content

Recommended Posts

Hi!I madea basic login for my site yesterday. It seemed to work fine yesterday but I tryed it last nite and now today and it's not working. =[ I'm not getting any errors, it's just that if I type in a random name and password it says you are now logged in when they're not even in the database. I login with a real nname and password, it says it is logged in but the session variable name isn't set. Here is the code:

login.php:

<?php
session_start();
$con = mysql_connect("localhost","username","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("database_name", $con);
if(!$submit) {
echo "<font size=6><fontface=verdana>Login</font>";
?>
<form action="<? echo "$PHP_SELF"; ?>" method="POST">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br><br>
<input type="submit" name="submit" value="Log In"></form>
<?php
}

$submit = $_POST['submit'];
$lusername = $_POST['username'];
$lpassword = $_POST['password'];

if($submit) {
$get = mysql_query("SELECT count(userid) FROM users WHERE username='$lusername' and password='$lpassword'");
$theresult = mysql_result($get, 0);

if($theresult == 1) {
echo "<font face=verdana><font size=3><font color=red>Error! Invalid username and password combination.</font>";
} else {
$_SESSION['username'];

echo "<font color=green><font face=verdana><font size=4>You are now Logged In, " .$_SESSION['username']. "</font>";}

}

?>

I edited out my database information for security purposes... it connects fine. I did NOT add an error message for what happends when the login is wrong. If anybody can help, I would gratly appreciate it... thanks! =]

Link to comment
https://forums.phpfreaks.com/topic/243595-my-logi-nwill-not-work/
Share on other sites

modify your script to this

 

<?php
session_start();
$submit = $_POST['submit'];
$con = mysql_connect("localhost","username","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("database_name", $con);
if(!$submit) {
echo "<font size=6><fontface=verdana>Login</font>";
?>
<form action="<? echo "$PHP_SELF"; ?>" method="POST">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br><br>
<input type="submit" name="submit" value="Log In"></form>
<?php
}
$lusername = $_POST['username'];
$lpassword = $_POST['password'];

if($submit) {
$get = mysql_query("SELECT count(userid) FROM users WHERE username='$lusername' and password='$lpassword'");
$theresult = mysql_result($get, 0);

if($theresult == 1) {
echo "<font face=verdana><font size=3><font color=red>Error! Invalid username and password combination.</font>";
} else {
$_SESSION['username'];

echo "<font color=green><font face=verdana><font size=4>You are now Logged In, " .$_SESSION['username']. "</font>";}

}

?>

As you manualy declare that $submit = $_POST['submit'];, regardless of whether there is a value in $_POST['submit'] you have set the variable.  therefore if($submit) will always return true.

 

You should use if(isset($_POST['submit'])){

 

This way, it is only true if the submit button has been clicked.

 

A better way to organise your code by the way, is to have all your php processing at the top, then have your output (HTML form) at the end

you must query your login first then display the form if error.

 

<?php
session_start();
$submit = $_POST['submit'];
$lusername = $_POST['username'];
$lpassword = $_POST['password'];

$con = mysql_connect("localhost","username","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("database_name", $con);

if(!isset($_POST['submit'])) {
echo "<font size=6><fontface=verdana>Login</font>";
?>
<form action="<? echo "$PHP_SELF"; ?>" method="POST">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br><br>
<input type="submit" name="submit" value="Log In"></form>
<?php
}

if(isset($_POST['submit'])) {
$get = mysql_query("SELECT count(userid) FROM users WHERE username='$lusername' and password='$lpassword'");
$theresult = mysql_result($get, 0);

if($theresult == 1) {
echo "<font face=verdana><font size=3><font color=red>Error! Invalid username and password combination.</font>";
}
}
else {
$_SESSION['username'];

echo "<font color=green><font face=verdana><font size=4>You are now Logged In, " .$_SESSION['username']. "</font>";
}

?>

 

this should work.

To me it seems like this line never get executed

$get = mysql_query("SELECT count(userid) FROM users WHERE username='$lusername' and password='$lpassword'");

that's y it never check the login info from user against the database... which means it didn't check whether the form submitted or not...

and definitly do the isset to check whether the form been submitted

and this line is subject to xxs attack:

<form action="<? echo "$PHP_SELF"; ?>" method="POST">

Alternatively try this

 

if(isset($_POST['submit'])) {
$get = mysql_query("SELECT id FROM users WHERE username='$lusername' and password='$lpassword'");
$theresult = mysql_num_rows($get);

if($theresult == 1) {
echo "<font face=verdana><font size=3><font color=red>Error! Invalid username and password combination.</font>";
}

else {
$_SESSION['username'];

echo "<font color=green><font face=verdana><font size=4>You are now Logged In, " .$_SESSION['username']. "</font>";
}
}
?>

 

Your if closing braces were also in the wrong place too.  Check how they are now set above

This is more of a suggestion, but the logic is backwards. You should have the code for the form at the end of the script. That way if the user did not submit credentials OR if login fails you can display the form and repopulate the user id. Also, regarding ZulfadlyAshBurn's update there is a problem with this:

$submit = $_POST['submit'];

 

That can cause errors to be displayed depending on the error reporting level. Plus, later in the code there is a check using

if(!$submit) {

 

A non value will be interpreted as false, but that is a sloppy method. I would suggest this

 isset($_POST['submit'])

 

 

As for your script you are not setting the session value anywhere - only trying to display it. Also, the FONT tag has been deprecated for YEARS - stop using it. You were using it wrong anyway - you have three opening font tags and only one closing tag. You can put multiple parameters into one opening tag. Don't use PHP_SELF - it is not safe. Just leave the action parameter empty or do some research on the proper way to set the value. Lastly, you are using the password in plain text in the database. You should be hashing the password (preferably with a salt). I didn't do anything with the password in the script below because you would have to create the hashing process to also implement in the script that creates the user records.

 

Here is a complete rewrite fixing many different problems and providing a more logical flow.

 

<?php

session_start();

$con = mysql_connect("localhost","username","password");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("database_name", $con) or die('Could not select db: ' . mysql_error());;

//Create text var to hold any error messages
$errorMsg = '';

if(isset($_POST['submit']))
{
    $username = mysql_real_escape_string(trim($_POST['username']));
    $password = mysql_real_escape_string(trim($_POST['password']));

    if(empty($username) || empty($password))
    {
        //Username and/or password is empty
        $errorMsg = "Username and password are required.";
    }
    else
    {
        //Create and run query to validate credentials
        $query = "SELECT userid FROM users WHERE username='$username' and password='$password'";
        $result = mysql_query($query);

        if(mysql_num_rows($result)!=1)
        {
            //Validation failed
            $errorMsg = "Error! Invalid username and password combination.";
        }
        else
        {
            //Validation passed
            $_SESSION['username'] = trim($_POST['username']);
            ##Ideally you should redirect to a welcome page using a header() after setting the session vars.
            ##For illustrative purposes we will display a confirmation message and exit the script
            echo "You are now Logged In, {$_SESSION['username']}";
            exit();
        }
    }
}

//Validation was not done or failed, unset the session var if it exists
if(isset($_SESSION['username'])
{
    unset($_SESSION['username']);
}

?>
<html>
<head></head>

<body>
<div style="color:red;"><?php echo $errorMsg; ?></div>

<h2 style="font-family:verdana;">Login</h2>
<form action="" method="post">
  Username:
  <input type="text" name="username" value="<?php echo trim($_POST['username']); ?>"><br>
  Password:
  <input type="password" name="password"><br><br>
  <input type="submit" name="submit" value="Log In">
</form>

</body>
</html>

Here is the code:

<?php
session_start();
$submit = $_POST['submit'];
$lusername = $_POST['username'];
$lpassword = $_POST['password'];

$con = mysql_connect("localhost","ussername","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db("database_name", $con);


if(!isset($_POST['submit'])){

echo "<font size=6><fontface=verdana>Login</font>";
?>
<form action="<? echo "$PHP_SELF"; ?>" method="POST">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br><br>
<input type="submit" name="submit" value="Log In"></form>
<?php
}

if(isset($_POST['submit'])){

$get = mysql_query("SELECT count(userid) FROM users WHERE username='$lusername' and password='$lpassword'");
$theresult = mysql_result($get, 0);

if($theresult != 1) {
echo "<font face=verdana><font size=3><font color=red>Error! Invalid username and password combination.</font>";
}

else {
$_SESSION['username'];
$display = $_SESSION['username'];

echo "<font color=green><font face=verdana><font size=4>You are now Logged In, " .$_SESSION['username']. "</font>";

}
}

?>

wow this is confusing! there's lots of code... I would just stick to one code and debug it... so choose your favorite code lol

and the action here might not even doing anything, other word it's not grabing username and password from the word that's you there's no error

<form action="" method="post">

 

I suspect your issue is here. You're not actually setting the session variable to anything.

 

 else {
$_SESSION['username'];
$display = $_SESSION['username'];
echo "<font color=green><font face=verdana><font size=4>You are now Logged In, " .$_SESSION['username']. "</font>";

 

You also set the session to another variable, then don't use it. Unless you use it later, seems pointless.

 

But I reiterate:

i suggest you follow mjdamato code.

 

Hope that helps

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.