How can I get this multi user login system with PHP + MySQL to work properly?

[APD1993]

I am currently creating a multi-user login system, and I have created the database in MySQL, but the problem is that my PHP script is not working as expected. I would like it so that if the user enters in a correct username + password combination, then they are redirected to a webpage called "congrats.php" for example. However, with my current PHP code, if I include a redirection instruction based on the correct input, then when I run the script, then the user is instantly taken to the congrats.php page without filling in any login details. I'm quite sure that the database has been connected to, as due to the layout of my script at the moment, the text that reads "You did it!" appears 4 times, the same number of rows in my MySQL database. My PHP coding for this is:

 

<html><head><title>Multi-User Log In Form</title></head>
<body>
<?php
$self = $_SERVER['PHP_SELF'];
$username = $_POST['username'];
$password = $_POST['password'];
?>
<form action = "<?php echo $self; ?>" method = "post">
Username <input type = "text" name = "username" size = "8">
Password <input type = "password" name = "password" size = "8">
<input type = "submit" value="Submit">
</form>
<?php
$conn = @mysql_connect("localhost", "root", "") or die ("Err: Conn");
$rs = @mysql_select_db("test3", $conn) or die ("Err: Db");
$sql = "select * from users";
$rs = mysql_query($sql, $conn);
while ($row = mysql_fetch_array($rs)) {

$name = $row["uname"];
$pass = $row["pword"];
if ($username = $name && $password = $pass)
{
//CODE FOR REDIRECTION SHOULD GO HERE
//header("location:congrats.php");
echo "You did it!";
}
else
{
echo "Invalid username and password combination";
}
}
?></body>
</html>

 

Any help in trying to get it so that my PHP script will redirect only if a correct username + password combination is entered would be greatly appreciated

[Muddy_Funster]

ok, this is mostly wrong:

$conn = @mysql_connect("localhost", "root", "") or die ("Err: Conn");
$rs = @mysql_select_db("test3", $conn) or die ("Err: Db");
$sql = "select * from users";
$rs = mysql_query($sql, $conn);
while ($row = mysql_fetch_array($rs)) {

$name = $row["uname"];
$pass = $row["pword"];
if ($username = $name && $password = $pass)

change it to this:

$conn = mysql_connect("localhost", "root", "") or die ("Err: Conn");
$rs = mysql_select_db("test3", $conn) or die ("Err: Db");
$name = mysql_real_escape_string(trim($name));
$pass = mysql_real_escape_string(trim($pass));
$sql = "select id from users where name='$name' and pass='$pass'";
$rs = mysql_query($sql, $conn);
if (mysql_num_rows($rs) >= 1){
//do your success stuff here such as
header('Location: congrats.php')
}
else {
//do failure stuff here
}

[/code]

[APD1993]

ok, this is mostly wrong:

$conn = @mysql_connect("localhost", "root", "") or die ("Err: Conn");
$rs = @mysql_select_db("test3", $conn) or die ("Err: Db");
$sql = "select * from users";
$rs = mysql_query($sql, $conn);
while ($row = mysql_fetch_array($rs)) {

$name = $row["uname"];
$pass = $row["pword"];
if ($username = $name && $password = $pass)

change it to this:

$conn = mysql_connect("localhost", "root", "") or die ("Err: Conn");
$rs = mysql_select_db("test3", $conn) or die ("Err: Db");
$name = mysql_real_escape_string(trim($name));
$pass = mysql_real_escape_string(trim($pass));
$sql = "select id from users where name='$name' and pass='$pass'";
$rs = mysql_query($sql, $conn);
if (mysql_num_rows($rs) >= 1){
//do your success stuff here such as
header('Location: congrats.php')
}
else {
//do failure stuff here
}

[/code]

 

I seem to be getting closer, but it still will not redirect on successful input :/

 

My code now reads as follows:

 

<html><head><title>Multi-User Log In Form</title></head>
<body>
<?php
$self = $_SERVER['PHP_SELF'];
$username = $_POST['username'];
$password = $_POST['password'];
?>
<form action = "<?php echo $self; ?>" method = "post">
Username <input type = "text" name = "username" size = "8">
Password <input type = "password" name = "password" size = "8">
<input type = "submit" value="Submit">
</form>
<?php
$conn = mysql_connect("localhost", "root", "") or die ("Err: Conn");
$rs = mysql_select_db("test3", $conn) or die ("Err: Db");
$name = mysql_real_escape_string(trim($name));
$pass = mysql_real_escape_string(trim($pass));
$sql = "select * from users where name='$name' and pass='$pass'";
$rs = mysql_query($sql, $conn);
if (mysql_num_rows($rs) >=1)
{
header('Location:congrats.php');
}
else
{
echo "Invalid username and password combination";
}

?></body>
</html>

 

I am also getting a couple of messages appearing such as:

 

 

Notice: Undefined variable: name in C:\xampp\htdocs\loginform2.php on line 16

 

Notice: Undefined variable: pass in C:\xampp\htdocs\loginform2.php on line 17

 

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\loginform2.php on line 20

 

:/

 

Thanks for the help so far, though

[Muddy_Funster]

reply couple more changes needed:

$self = $_SERVER['PHP_SELF'];
$username = $_POST['username'];
$password = $_POST['password'];
?>
<form action = "<?php echo $self; ?>" method = "post">

to become

$self = '';
$name = $_POST['username'];
$pass = $_POST['password'];
?>
<form action = "<?php echo $self; ?>" method = "post">

[scootstah]

<form action = "<?php echo $self; ?>" method = "post">

 

You might as well just take the PHP out and make it

<form action = "" method = "post">

[APD1993]

reply couple more changes needed:

$self = $_SERVER['PHP_SELF'];
$username = $_POST['username'];
$password = $_POST['password'];
?>
<form action = "<?php echo $self; ?>" method = "post">

to become

$self = '';
$name = $_POST['username'];
$pass = $_POST['password'];
?>
<form action = "<?php echo $self; ?>" method = "post">

 

Thank you for the follow up reply, but alas, it is not redirecting me on correct username + password input:(

 

I think my code is now as the way that you suggested:

 

<html><head><title>Multi-User Log In Form</title></head>
<body>
<?php
$self = '';
$name = $_POST['username'];
$pass = $_POST['password'];
?>
<form action = "<?php echo $self; ?>" method = "post">
Username <input type = "text" name = "username" size = "8">
Password <input type = "password" name = "password" size = "8">
<input type = "submit" value="Submit">
</form>
<?php
$conn = mysql_connect("localhost", "root", "") or die ("Err: Conn");
$rs = mysql_select_db("test3", $conn) or die ("Err: Db");
$name = mysql_real_escape_string(trim($name));
$pass = mysql_real_escape_string(trim($pass));
$sql = "select * from users where name='$name' and pass='$pass'";
$rs = mysql_query($sql, $conn);
if (mysql_num_rows($rs) >=1)
{
header('Location:congrats.php');
}
else
{
echo "Invalid username and password combination";
}

?></body>
</html>

 

Again, thanks for the help that you've provided me with

[Pikachu2000]

You can't send any output to the browser before sending a header(). You should also be developing with error reporting set up to display any and all errors/warnings/notices. You would have gotten a "headers already sent" warning.

[APD1993]

You can't send any output to the browser before sending a header(). You should also be developing with error reporting set up to display any and all errors/warnings/notices. You would have gotten a "headers already sent" warning.

 

Is there a way to fix this issue?

[Pikachu2000]

Yeah, rearrange the logic to determine if headers need to be sent before sending anything else, and if so, send them and exit(). If not continue with the script execution.

[APD1993]

Yeah, rearrange the logic to determine if headers need to be sent before sending anything else, and if so, send them and exit(). If not continue with the script execution.

 

In the context of my script, where would the logic be placed?

[APD1993]

I think I'm getting closer now, the script is now in two different scripts and the redirecting seems to work. However, the problem now is that anything entered into the boxes will cause for the user to be redirected, rather than when the correct username + password combination is entered.

 

My loginform3.html coding is:

 

<html><head><title>Login form</title></head>
<body>
<form action = "loginscr.php" method = "post">
Username <input type = "text" name = "username" size = "8">
Password <input type = "password" name = "password" size = "8">
<input type = "submit" value="Login">
</form>
</body>
</html>

 

And my loginscr.php coding is this:

<?php
$name = $_POST['username'];
$pass = $_POST['password'];

$squname = "root";
$sqpword = "";

$conn = @mysql_connect("localhost", $squname, $sqpword) or die ("Err: Conn");
$rs = mysql_select_db("test3", $conn) or die ("Err: Db");
$name = @mysql_real_escape_string(trim($name));
$pass = @mysql_real_escape_string(trim($pass)); 
$sql = "select * from users";
$rs = mysql_query($sql, $conn);

// If you have more than one result, that's also a problem
while ($row = mysql_fetch_array($rs)) {
if (mysql_num_rows($rs)>=1)
{
    // You might want to set some session variables here, too.
    header('Location:congrats.php');
}
else
{
    echo "Invalid username and password combination";

}
}
?></body>
</html>

 

If anyone could help me with this issue, I would be very thankful

[Thisnamewilldo]

<?php
$name = $_POST['username'];
$pass = $_POST['password'];

$squname = "root";
$sqpword = "";

$conn = @mysql_connect("localhost", $squname, $sqpword) or die ("Err: Conn");
$rs = mysql_select_db("test3", $conn) or die ("Err: Db");
$name = @mysql_real_escape_string(trim($name));
$pass = @mysql_real_escape_string(trim($pass)); 
$sql = "select * from users where name = '$name' and pass = '$pass'";
// Surely you only want the user with that username and password they entered?
$rs = mysql_query($sql, $conn);

// If you have more than one result, that's also a problem
while ($row = mysql_fetch_array($rs)) {
if (mysql_num_rows($rs)>=1)
{
    // You might want to set some session variables here, too.
    header('Location:congrats.php');
}
else
{
    echo "Invalid username and password combination";

}
}
?>