scdawg Posted November 7, 2011 Share Posted November 7, 2011 I have a login script that isn't rejecting non-users. For whatever reason, it's passing them on to the welcome page where an actual user sees user specific information. I'm newer to php, but can't for the life of me understand why the script doesn't seem to ever utilize the 'else' portion of the 'if' statement. So in short it works as expected for actual users, but non-users are not getting rejected. Below is my code. Any help is appreciated. $sqla = "SELECT count(*) FROM authorize WHERE username='$_POST[username]' and password='$_POST[password]'"; $result = mysql_query($sqla) or die ("Error: ". mysql_error(). " with query ". $query); $count = mysql_num_rows($result); if($count==1) { //start session for user session_start(); //get company id and user first and last name $query = mysql_query("SELECT comp_id FROM authorize WHERE username='$_POST[username]'") or die ("Error: ". mysql_error(). " with query ". $query); $query2 = mysql_query("SELECT firstname, lastname FROM authorize WHERE username='$_POST[username]'") or die ("Error: ". mysql_error(). " with query ". $query); $resultb = mysql_fetch_assoc($query); $resultc = mysql_fetch_array($query2); $_SESSION['coid'] = $resultb['comp_id']; $_SESSION['firstn'] = $resultc['firstname']; $_SESSION['lastn'] = $resultc['lastname']; //get company name $query3 = mysql_query("SELECT comp_name FROM companies WHERE comp_id='$resultb[comp_id]'") or die ("Error: ". mysql_error(). " with query ". $query); $resultd = mysql_fetch_assoc($query3); $_SESSION['conm'] = $resultd['comp_name']; header("location: overview.php"); } Else { echo "That user does not exist."; header("location: login.html"); } Quote Link to comment Share on other sites More sharing options...
xyph Posted November 7, 2011 Share Posted November 7, 2011 Isolate this issue. Remove all of the code except your if/else statement. Use echos to debug what's happening. <?php $sqla = "SELECT count(*) FROM authorize WHERE username='$_POST[username]' and password='$_POST[password]'"; $result = mysql_query($sqla) or die ("Error: ". mysql_error(). " with query ". $query); $count = mysql_num_rows($result); if($count==1) { echo 'user authorized'; } Else { echo 'bad user'; } echo "<br>$count"; ?> Also, the header Location should always be a complete URL Note: HTTP/1.1 requires an absolute URI as argument to » Location: including the scheme, hostname and absolute path, but some clients accept relative URIs. You can usually use $_SERVER['HTTP_HOST'], $_SERVER['PHP_SELF'] and dirname() to make an absolute URI from a relative one yourself: <?php /* Redirect to a different page in the current directory that was requested */ $host = $_SERVER['HTTP_HOST']; $uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\'); $extra = 'mypage.php'; header("Location: http://$host$uri/$extra"); exit; ?> http://php.net/manual/en/function.header.php Quote Link to comment Share on other sites More sharing options...
requinix Posted November 7, 2011 Share Posted November 7, 2011 Your SELECT COUNT(*) will always return one row. However it contains a number: how many rows in the table match your conditions. So mysql_num_rows() will always return 1. Do a simpler SELECT 1 FROM authorize... Quote Link to comment Share on other sites More sharing options...
scdawg Posted November 8, 2011 Author Share Posted November 8, 2011 Thanks, both very helpful suggestions. I've narrowed my probelm down to the password. When the user creates their account, the password is encrypted in the insert statement with password($_POST['password']). I know thats primitive, but how do I unencrypt it, so to verify it? Quote Link to comment Share on other sites More sharing options...
scdawg Posted November 8, 2011 Author Share Posted November 8, 2011 Update - I got is solved. Thanks guys. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.