Jump to content

login validation


ellchr3
 Share

Recommended Posts

I've created a simple login script and can't get one part to work.  When I enter a username with an invalid password I get the error in the screen shot.  I'm wondering if it has to do with the fact that $numrows is returning a -100?  Everything else seems to work fine.

 

Line 60 the error refers to is the line "if ($username==$dbusername&&$password=dbpassword)"

$sql = "SELECT username, password FROM user_access WHERE username = '$username' AND password = '$password'"; 
$rs=odbc_exec($conn,$sql);
$numrows = odbc_num_rows($rs);

if ($numrows !=0)
{
	while ($row = odbc_fetch_array($rs))
		{
		$dbusername = $row['username'];
		$dbpassword = $row['password'];
		}
		echo $numrows;
		//echo $dbusername;
		//echo '<br>';
		//echo $dbpassword;
		//check to see if they match
	if ($username==$dbusername&&$password==$dbpassword)
	{
		echo "You're in! Click here to enter the <a href='member.php'>Provider Database</a>";
		$_SESSION['username']=$username;
	}
	else 
		echo "Incorrect password!";
		
}
else 
	die("Invalid username.  User does not exist!");



}
else	
	die("Please enter a Username and Password!");
 
?> 

post-125972-0-39468200-1365526557_thumb.png

Link to comment
Share on other sites

there's no guarantee that odbc_num_rows will return the number of rows in a select query result set.

 

 

 

Using odbc_num_rows() to determine the number of rows available after a SELECT will return -1 with many drivers.

 

 

you should either use a SELECT COUNT() query and fetch and test the count value or actually attempt to fetch the row your existing query returns and test if the fetch statement worked.

Link to comment
Share on other sites


<?php


session_start();


$username = $_POST['username'];
$password = $_POST['password'];






if ($username&&$password)
{


$connect = mysql_connect("localhost","root","") or die ("Could not connect");
mysql_select_db ("login") or die ("Could not find database");


$query = mysql_query("SELECT * FROM users WHERE username ='$username'");


$numrows = mysql_num_rows($query);
if ($numrows !=0)
{
while ($row =mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}


if ($username==$dbusername&&md5($password)==$dbpassword)
{
echo header( 'Location: member.php' ) ;
$_SESSION['username']=$dbusername;
}
else 
echo "Inncorrect password";


}
else
die("That user dosen't exist");












}


else
die("Please enter a username and a password");




















?>









It's not great but it works.

Link to comment
Share on other sites

@ellchr3, based on the code you posted and the second method i suggested (attempt to fetch the row your existing query returns, since you want the data from any matching row) here's some untested (i didn't feel like setting up an obdc connection) code to try.

$sql = "SELECT username FROM user_access WHERE username = '$username' AND password = '$password'";
$rs=odbc_exec($conn,$sql);
if(!$rs){
    // query failed with an error
    die("Query failed: $sql<br>Error: ".odbc_errormsg($conn));
}
// query ran without any error
if($row = odbc_fetch_array($rs)){
    // the entered username and password match a user's row
        echo "You're in! Click here to enter the <a href='member.php'>Provider Database</a>";
        $_SESSION['username']=$row['username'];
} else {
    echo "Incorrect username or password!"; // but i won't tell you which
}

notes:

 

1) your query is testing the username and password values. if a row is found, there's no need for more logic to test the username and password again.

 

2) your code in a different thread is testing if the query produced any errors. you need to always do that to prevent the rest of your code from producing more errors and unexpected results when it tries to use the data from a query that failed due to an error.

 

 








 

Link to comment
Share on other sites

This thread is more than a year old. Are you sure you have something important to add to it?

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.