ash992 Posted October 24, 2013 (edited)

Hi everyone, so I programmed this login script a long time ago for a website I had, I'm now trying to reuse it and I can't get it to work, I've tried replacing everything, and testing things, I've found one problem but as far as I know the problem shouldn't be happening, here's the code.

```php
<?php
include 'connect.php';
session_start();
$email = ($_POST['email']);
$pass = ($_POST['password']);

//check missing data
if($email == ''){
    $_SESSION['errorsec'] = "Please enter an email address!";
    header('Location: ../Checkout');
    die();
}
if($pass == ''){
    $_SESSION['errorsec'] = "Please enter a password!";
    header('Location: ../Checkout');
    die();
}

//Create query
$qry="SELECT * FROM Customers WHERE Email='$email' AND Password='".md5($_POST['password'])."'";
$result=mysql_query($qry);

//Check whether the query was successful or not
if($result) {
    if(mysql_num_rows($result) == 1) {
        //Login Successful
        echo 'temp';
        die();
    }else{
        //Login failed
        $_SESSION['errorsec'] = "Invalid email address or password";
        header('Location: ../Checkout');
        die();
}else {
    die("Query failed");
}
?>
```

First of all I know that the email and password are being taken from the forms correctly as I've tried echo'ing them both, however the issue that I've found is that even when the password and username are entered correctly, mysql_num_rows($result) is still equal to 0, now I'm pretty bad with mysql hence reusing a script from a long time ago but I have no idea of what's going wrong really. Any help would be much appreciated! Thanks a lot in advance.

Edited October 24, 2013 by ash992

cyberRobot Posted October 24, 2013

So you're not getting any errors? The code posted is missing a curly bracket:

```php
<?php
    }else{
        //Login failed
        $_SESSION['errorsec'] = "Invalid email address or password";
        header('Location: ../Checkout');
        die();
    } //<-- I added this bracket
}else {
    die("Query failed");
}
?>
```

If you don't see any errors, have you tried using mysql_error() to see if there are any MySQL errors? Note that the function needs to be called after the query is processed.

ash992 (Author) Posted October 24, 2013

yeah I added the curly bracket, I just mis-copied the code. erm well the error I'm getting is the output of

```php
//Login failed
$_SESSION['errorsec'] = "Invalid email address or password";
header('Location: ../Checkout');
die();
```

however if I put something to test the conditional statements' success like by just echoing something there, then the `if($result) {` is passed fine when the login details are correct, however the `if(mysql_num_rows($result) == 1) {` doesn't work as mysql_num_rows($result) currently equals 0, even though the correct email and password are in the mysql database :s

cyberRobot Posted October 24, 2013

Is the password stored in the database hashed with md5()? You need to use the same hashing function.

Side notes:

mysql_ functions have been deprecated. You'll need to start looking into the alternatives. I would link to the PHP manual, but Google says there is harmful content on that website. Instead you can search Google for MySQLi and/or PDO.

When querying a database, you need to escape any information which comes from an untrusted source such as a form. Fields can be escaped with mysql_real_escape_string().

ash992 (Author) Posted October 24, 2013

yeah it is stored with md5 but it's also checked with md5 so it should be fine, I'll try looking at the mysqli and pdo stuff you mentioned though. Thanks. Also thanks for showing me the mysql_real_escape_string(); I'd never even heard of it

cyberRobot Posted October 24, 2013

Did you try adding the mysql_error after the query is processed? Note that you'll need to comment out the header redirect so you can see any errors produced by PHP.

```php
//Login failed
$_SESSION['errorsec'] = "Invalid email address or password";
//header('Location: ../Checkout'); //<-- COMMENT OUT THIS LINE
```

cyberRobot Posted October 24, 2013

Just to clarify, the mysql_error() function can be added like this:

```php
$qry="SELECT * FROM Customers WHERE Email='$email' AND Password='".md5($_POST['password'])."'";
$result=mysql_query($qry);
echo mysql_error();
```

ash992 (Author) Posted October 24, 2013

```php
}else {
    echo 'it didn\'t work';
    mysql_error();
    die();
    //Login failed
    //$_SESSION['errorsec'] = "Invalid email address or password";
    //header('Location: ../Checkout');
    //die();
}
```

there is no output when I changed it to that :\ not really sure if I was echoing the mysql error correctly as I've never used it, I'm just seeing if there's an alternative to the mysql_num_rows($result) as I believe that's the issue though I haven't found anything yet

cyberRobot Posted October 24, 2013

The error results need to be echoed:

```php
echo mysql_error();
```

Ch0cu3r Posted October 24, 2013 (edited)

You need to echo mysql_error(); for the error to be outputted.

Edited October 24, 2013 by Ch0cu3r

ash992 (Author) Posted October 24, 2013

ah sorry! I've changed it to echo mysql_error(); however there is still no output when I enter the correct details other than it didn't work

cyberRobot Posted October 24, 2013

Did you try echoing $email and $password to see if they contain what you expect? You should also try echoing out the hashed password and compare the variables against the database. Can you match them manually?

ash992 (Author) Posted October 24, 2013 (edited)

```php
}else {
    echo $email;
    echo $pass;
    echo md5($pass);
    echo 'it didn\'t work';
    echo mysql_error();
    //Login failed
    //$_SESSION['errorsec'] = "Invalid email address or password";
    //header('Location: ../Checkout');
    //die();
}
```

weirdly all of these are outputting the correct thing, still the only thing that's not working is the mysql_num_rows($result) is equal to 0 instead of 1, that would usually mean that it can't find the correct username and password in the customers database, however I have the mysql database opened and they're both there and correspond exactly with the inputs.. :s

Edited October 24, 2013 by ash992

cyberRobot Posted October 24, 2013

Did you try echoing out the results from mysql_num_rows($result)? Perhaps it's finding more than 1 result?

ash992 (Author) Posted October 24, 2013

yeah that currently equals 0, that's kinda where this is going wrong :\

Ch0cu3r Posted October 24, 2013 (edited)

Look at your table schema. Have you spelled the columns correctly when setting up the table? Are they spelled the same as the columns in your query?

Edited October 24, 2013 by Ch0cu3r

ash992 (Author) Posted October 24, 2013

Sorry for the slow reply there, yeah they're exactly the same for sure, I even tried copying the table names from the database to double check, they're definitely exactly the same :\

mac_gyver Posted October 24, 2013 (Solution)

you need to check if the row in the database contains exactly the username and the complete matching hash value that you get when you echo the query in $qry. a common problem is your password field in the database table isn't long enough to hold the complete hash value. another possibility is when you initially inserted the row, you ended up with some white-space before/after the value(s).

ash992 (Author) Posted October 24, 2013

YES. thank-you so much! the password field was 1 character too short to hold the full thing! been working this for well over 2 days xD always a simple issue.. Thanks a lot!

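The check mac_gyver describes, combined with the bound-parameter lookup that cyberRobot's note on untrusted input points towards, as an added example that is not part of the original thread. The function name `diagnoseLogin`, the sample rows and the in-memory SQLite table (standing in for the thread's MySQL table, and assuming the pdo_sqlite extension) are constructed for illustration.

```php
<?php
// Added example: diagnose why a correct login matches zero rows.
// Constructed data; in-memory SQLite stands in for the thread's MySQL table.

function diagnoseLogin(PDO $db, string $email, string $password): string
{
    // Look the row up by email only, with a bound parameter instead of
    // interpolating form data into the SQL string.
    $stmt = $db->prepare('SELECT Password FROM Customers WHERE Email = :email');
    $stmt->execute([':email' => $email]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return 'no row for this email';
    }

    $expected = md5($password); // always 32 hex characters
    if ($stored === $expected) {
        return 'match';
    }
    if (trim($stored) === $expected) {
        return 'stored hash has leading/trailing white-space';
    }
    // A column narrower than 32 characters keeps only the front of the hash.
    if ($stored !== '' && strlen($stored) < 32 && strpos($expected, $stored) === 0) {
        return sprintf('stored hash truncated to %d of 32 characters', strlen($stored));
    }
    return 'different password';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Customers (Email TEXT, Password TEXT)');

$hash = md5('s3cret'); // constructed sample password
$rows = [
    ['ok@example.test',    $hash],
    ['short@example.test', substr($hash, 0, 31)], // what a 31-character column keeps
    ['space@example.test', $hash . ' '],          // stray white-space on insert
];
$insert = $db->prepare('INSERT INTO Customers (Email, Password) VALUES (?, ?)');
foreach ($rows as $row) {
    $insert->execute($row);
}

foreach (['ok', 'short', 'space', 'nobody'] as $name) {
    $email = $name . '@example.test';
    echo $email, ': ', diagnoseLogin($db, $email, 's3cret'), PHP_EOL;
}
```

MD5 appears here only because the thread's table stores it. A move to password_hash() and password_verify() needs a wider column still: bcrypt hashes are 60 characters and the PHP manual suggests 255.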