[resolved] need help on username validation

[trq]

Sorry, but can you please post the entire current script. Your code is making less and less sense each time. You talk about certain functionality that simply does not exist in your code.

[pixeltrace]

[code]<?
session_start();

$username = $_POST['username'];
$password = $_POST['password'];

if((!$username) || (!$password)){
echo '<script language=javascript> alert("Please enter ALL of the information!");</script>';
echo '<script language=javascript> top.location = "index.php";</script>';
exit();
}

include '../db_connect.php';

$password = md5($password);

if($login_check == 0) { //NOT LOGGED IN }

$_SESSION['userid'] = $userid;
$_SESSION['username'] = $username;
$_SESSION['user_level'] = $user_level;

mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");

header("Location: homepage.php");
}
elseif($login_check == 1) { //NOT LOGGED IN }

$_SESSION['userid'] = $userid;
$_SESSION['username'] = $username;
$_SESSION['user_level'] = $user_level;

mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");

header("Location: homepage2.php");

} else {
echo '<script language=javascript> alert("You could not be logged in! Either the username and password do not match! Please try again!");</script>';
echo '<script language=javascript> top.location = "index.php";</script>';
}
?>[/code]

[trq]

Can you explain to me how this [i]logs[/i] a user in? A simple example of a login script would be something like....

[code]
<?php

  session_start();

  // connect to database.

  if (isset($_POST['username']) && isset($_POST['passwrod'])) {
    // query to see if the user exists.
    $result = mysql_query("SELECT user_level FROM users WHERE username = '{$_POST['username']}' AND password = '{$_POST['password']}'");
    if ($result) {
      // did we get a valid user?
      if (mysql_num_rows($result) > 0) {
        $row = mysql_fetch_assoc($result);
        // Log the user in using sessions.
        $_SESSION['username'] = $_POST['username'];
$_SESSION['user_level'] = $row['user_level'];
        // determin what user_level the user belongs to and redirect accordingly.
        if ($row['user_level'] == 'admin') {
          header("Location: admin.php");
        elseif ($row['user_level'] == 'staff') {
          header("Location: staff.php");
        } else {
          header("Location: home.php");
        }
      } else {
        echo "User not found";
      }
    }
  }

?>
[/code]

This is just an example and lacks some error handling but as you can see, im afraid your missing complete sections of logic.

[pixeltrace]

hi,

i have an index page wherein you input the username and password there.
the form method="post" and the action""checkUser.php"

checkUser.php is the one that will verify the userid and points it to either homepage.php or homepage2.php

hope this one helps

[JustinK101]

Ok there are some problems here, this is what I would do:

[code]
<?
session_start();

$username = $_POST['username'];
$password = $_POST['password'];

if(empty($username) || empty($password)){
echo '<script language=javascript> alert("Please enter ALL of the information!");</script>';
echo '<script language=javascript> top.location = "index.php";</script>';
exit();
}

include '../db_connect.php';

$result = mysql_query("SELECT user_id, user_level FROM users WHERE username = '{$username}' AND password = '{$password}'");

$numb_rows = mysql_num_rows($result);
if($numb_rows == 0)
{
  //NOT A VALID LOGIN/PASSWORD
  echo '<script language=javascript> alert("You could not be logged in! Either the username and password do not match! Please try again!");</script>';
  echo '<script language=javascript> top.location = "index.php";</script>';

 die();
}

$row = mysql_fetch_assoc($result);
$password = md5($password); //WHATS THE POINT OF THIS LINE?

$_SESSION['userid'] = $row['userid'];
$_SESSION['username'] = $username;
$_SESSION['user_level'] = $row['user_level'];

mysql_query("UPDATE users SET last_login=now() WHERE userid=" . $row['userid'] . "");

if($row['user_level'] == "Regular")
{
   header("Location: homepage.php");
}
else if($row['user_level'] == "Admin")
{
   header("Location: homepage2.php");
}

?>[/code]

[pixeltrace]

this is what i did base from your codes

[code]<?
session_start();

$username = $_POST['username'];
$password = $_POST['password'];

if(empty($username) || empty($password)){
echo '<script language=javascript> alert("Please enter ALL of the information!");</script>';
echo '<script language=javascript> top.location = "index.php";</script>';
exit();
}

include '../db_connect.php';

$result = mysql_query("SELECT userid, user_level FROM users WHERE username = '{$username}' AND password = '{$password}'");

$numb_rows = mysql_num_rows($result);
if($numb_rows == 0)
{
  //NOT A VALID LOGIN/PASSWORD
  echo '<script language=javascript> alert("You could not be logged in! Either the username and password do not match! Please try again!");</script>';
  echo '<script language=javascript> top.location = "index.php";</script>';

  die();
}

$row = mysql_fetch_assoc($result);

$_SESSION['userid'] = $row['userid'];
$_SESSION['username'] = $username;
$_SESSION['user_level'] = $row['user_level'];

mysql_query("UPDATE users SET last_login=now() WHERE userid=" . $row['userid'] . "");

if($row['user_level'] == 0)
{
    header("Location: homepage.php");
}
else if($row['user_level'] == 1)
{
    header("Location: homepage2.php");
}

?>[/code]


i tried logging in but it always keeps on popping up the error message "You could not be logged in! Either the username and password do not match! Please try again!"

[JustinK101]

How is the password stored in the db? Do you have it encrypted?

[trq]

Maybe youve your password md5'd. You should.

Try...

[code=php:0]
$password = md5($_POST['password']);
[/code]

[pixeltrace]

yes
it is encrypted

[JustinK101]

Bingo, thorpe!

[pixeltrace]

i tried this one but its still popping out the error message "You could not be logged in! Either the username and password do not match! Please try again!"

[code]<?
session_start();

$username = $_POST['username'];
$password = $_POST['password'];

if(empty($username) || empty($password)){
echo '<script language=javascript> alert("Please enter ALL of the information!");</script>';
echo '<script language=javascript> top.location = "index.php";</script>';
exit();
}

include '../db_connect.php';

$result = mysql_query("SELECT userid, user_level FROM users WHERE username = '{$username}' AND password = '{$password}'");

$numb_rows = mysql_num_rows($result);
if($numb_rows == 0)
{
  //NOT A VALID LOGIN/PASSWORD
  echo '<script language=javascript> alert("You could not be logged in! Either the username and password do not match! Please try again!");</script>';
  echo '<script language=javascript> top.location = "index.php";</script>';

  die();
}

$row = mysql_fetch_assoc($result);
$password = md5($_POST['password']);

$_SESSION['userid'] = $row['userid'];
$_SESSION['username'] = $username;
$_SESSION['user_level'] = $row['user_level'];

mysql_query("UPDATE users SET last_login=now() WHERE userid=" . $row['userid'] . "");

if($row['user_level'] == 0)
{
    header("Location: homepage.php");
}
else if($row['user_level'] == 1)
{
    header("Location: homepage2.php");
}

?>[/code]

[JustinK101]

No, No.... Why are you doing the md5 on the password variable when you have already done the verification in the database. You need to md5 the password before you check against the database. :) LOL

Do this:

[code]
<?
session_start();

$username = $_POST['username'];
$password = md5($_POST['password']);

if(empty($username) || empty($password)){
echo '<script language=javascript> alert("Please enter ALL of the information!");</script>';
echo '<script language=javascript> top.location = "index.php";</script>';
exit();
}

include '../db_connect.php';

$result = mysql_query("SELECT userid, user_level FROM users WHERE username = '{$username}' AND password = '{$password}'");

$numb_rows = mysql_num_rows($result);
if($numb_rows == 0)
{
  //NOT A VALID LOGIN/PASSWORD
  echo '<script language=javascript> alert("You could not be logged in! Either the username and password do not match! Please try again!");</script>';
  echo '<script language=javascript> top.location = "index.php";</script>';

  die();
}

$row = mysql_fetch_assoc($result);

$_SESSION['userid'] = $row['userid'];
$_SESSION['username'] = $username;
$_SESSION['user_level'] = $row['user_level'];

mysql_query("UPDATE users SET last_login=now() WHERE userid=" . $row['userid'] . "");

if($row['user_level'] == 0)
{
    header("Location: homepage.php");
}
else if($row['user_level'] == 1)
{
    header("Location: homepage2.php");
}

?>
[/code]

[pixeltrace]

ohhhhh!!!

i got it.

hehehehe..


sorry dudes!!!

and thanks a lot!!!

i owe you justin and thorpe this one

i hope i could be as good as you someday.
hehehe

[JustinK101]

[b]Also, md5 inst encryption. It just returns sort of like a decoded version of the orginal text. I use the following functions to do my encryption to store values in databases.[/b]

BE AWARE OF THE FOLLOWING:

$key = "sjhfs89we48DSGhgwe7t";
$encrypted_value_1 = encrypt("mytext", $key);
$encrypted_value_2 = encrypt("mytext", $key);

$encrypted_value_1 and $encrypted_value_2 are NOT NECCESSARY equal, in fact, they are most likely NOT. NEVER compare encrypted values to each other, you must ALWAYS decrypt and then check.

[code]
function encrypt($s, $key)
{
for($i=0;$i<=strlen($s);$i++)
$r.=substr(str_shuffle(md5($key)),($i % strlen(md5($key))),1).$s[$i];
for($i=1;$i<=strlen($r);$i++) $s[$i-1]=chr(ord($r[$i-1])+ord(substr(md5($key),($i % strlen(md5($key)))-1,1)));
return urlencode(base64_encode($s));
}

function decrypt($s, $key)
{
$s=base64_decode(urldecode($s));
for($i=1;$i<=strlen($s);$i++) $s[$i-1]=chr(ord($s[$i-1])-ord(substr(md5($key),($i % strlen(md5($key)))-1,1)));
for($i=1;$i<=strlen($s)-2;$i=$i+2) $r.=$s[$i];
return $r;
}
[/code]