Thaikhan Posted August 13, 2013 Share Posted August 13, 2013 Hello guys, I'm trying to make a login system linked to a mySQL database and below is what I have so far. The problem I'm having is when I try to submit both a username and password, I think the database query is failing and it leads to a blank page. Any ideas? Thanks you. Any help will be greatly appreciated. Here's the page I'm talking about: http://aerithea.com/login/login.php <?php session_start(); ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <title>Member System - Login</title> </head> <body> <?php $form = "<form action='./login.php' method='post'> <table> <tr> <td>Username:</td> <td><input type='text' name='user' /></td> </tr> <tr> <td>Password:</td> <td><input type='password' name='password' /></td> </tr> <tr> <td></td> <td><input type='submit' name='loginbtn' value='Login' /></td> </tr> </table> </form>"; if ($_POST['loginbtn']) { $user = $_POST['user']; $password = $_POST['password']; if ($user) { if ($password) { require("connect.php"); $password = md5(md5("q`wkIa4".$password."qwe;lnm")); //make sure login info correct $query = msql_query("SELECT * FROM users WHERE username='$user'"); $numrows = mysql_num_rows($query); if ($numrows == 1) { $row = mysql_fetch_assoc($query); $dbid = $row['id']; $dbuser = $row['username']; $dbpass = $row['password']; $dbactive = $row['active']; if($password == $dbpass) { if($dbactive == 1) { //set session info $_SESSION['userid'] = $dbid; $_SESSION['username'] = $dbuser; echo "You have been logged in as <b>$dbuser</b>. <a href='./member.php'>Click here</a> to go to the member page."; } else echo "You must activate your account to login. $form"; } else echo "You did not enter the correct password. $form"; } else echo "The username you entered was not found. $form"; mysql_close(); } else echo "You must enter your password. $form"; } else echo "You must enter your username. $form"; } else echo $form; ?> </body> </html> Quote Link to comment https://forums.phpfreaks.com/topic/281105-php-login-system/ Share on other sites More sharing options...
Barrikor Posted August 13, 2013 Share Posted August 13, 2013 After you run the query, see if $query === false Quote Link to comment https://forums.phpfreaks.com/topic/281105-php-login-system/#findComment-1444675 Share on other sites More sharing options...
Thaikhan Posted August 13, 2013 Author Share Posted August 13, 2013 I'm very new to the programming scene. Could you please explain how to do that Barrikor? Quote Link to comment https://forums.phpfreaks.com/topic/281105-php-login-system/#findComment-1444677 Share on other sites More sharing options...
Thaikhan Posted August 13, 2013 Author Share Posted August 13, 2013 I found the issue. I was missing a y in my $query. Quote Link to comment https://forums.phpfreaks.com/topic/281105-php-login-system/#findComment-1444681 Share on other sites More sharing options...
sKunKbad Posted August 13, 2013 Share Posted August 13, 2013 Authentication is not for beginners. You will get hacked in 2 seconds. The code you have shown above demonstrates one of the easiest things to hack. You need to read up on sql injection and proper password hashing before writing more code. You also need to read up on input validation and all of the common attack vectors. The better alternative, unless you just want to learn more about PHP, is to use somebody else's authentication library. Quote Link to comment https://forums.phpfreaks.com/topic/281105-php-login-system/#findComment-1444683 Share on other sites More sharing options...
limitbreaker Posted August 13, 2013 Share Posted August 13, 2013 Authentication is not for beginners. You will get hacked in 2 seconds. The code you have shown above demonstrates one of the easiest things to hack. You need to read up on sql injection and proper password hashing before writing more code. You also need to read up on input validation and all of the common attack vectors. The better alternative, unless you just want to learn more about PHP, is to use somebody else's authentication library. I've been a PHP programmer for a year, self taught, but would a combo of mysql_real_escape_string and pass() be sufficient? Quote Link to comment https://forums.phpfreaks.com/topic/281105-php-login-system/#findComment-1444697 Share on other sites More sharing options...
PaulRyan Posted August 13, 2013 Share Posted August 13, 2013 There is a few things I see wrong with the script at the minute. 1 - You haven't turned on error reporting, see here Error Reporting 2 - You are using MySQL, you should really be looking into MySQLi 3 - You are not validating the incoming form data before using it in your queries (previously mentioned by another user) 4 - You should be processing all PHP before any output to the browser, before this line <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> 5 - You are using MD5() for hasing your passwords, you should look into the PHPass Library This line here, you are using msql instead of mysql. $query = msql_query("SELECT * FROM users WHERE username='$user'"); Look into using isset/empty for checking whether variables are set and if they are empty etc. Quote Link to comment https://forums.phpfreaks.com/topic/281105-php-login-system/#findComment-1444734 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.