Jump to content

Recommended Posts

Hi,

 

I'm currently having an issue with validating my login script, it only appears that one part of it actually works!

 

I have a simple login form with a username and password field and login button. 

 

At the moment if I enter nothing into the login form (nothing for both username and password), it logs in as an unregistered user with no ID and my error message is displayed.

If I enter an unregistered username with no password the same thing happens.

If I enter an unregistered username with a random password there is no log in which is good, but my error message is not displayed. 

If I enter a registered username and password into the form, it logs in with the correct ID and no error message is displayed, which is good. 

If I enter a random password with nothing in the username it does not log in which is good and the error message is displayed as it should

 

How can I get it so that all of these login attempts are coded so that it always results in the last case if an unregistered user is entered and / or missing details are entered into the form?

 

Form and Validation Code

       	<?php
			
			if ($_SESSION['loggedin'] == true){ 
 
 				 echo "You are logged in as ";?><b><?php echo $_SESSION['username']?></b><?php echo " ["; echo $_SESSION['id']; echo "]";  
				 
		?>			
                 
         	<a href="logout.php">Logout</a>
            
        <?php
				
			}else{ 
 
 				echo "<p><b>Login:</b></p>\n"; 
			
		?>
                                
            <form name="loginform" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
				<b>Username:</b> <input type="text" name="liusername"> 
			    <b>Password:</b> <input type="password" name="lipassword">
            	<input type="submit" name="lisubmit" value="Login">
	  		</form>            
		
			<?php
			
				
				} 	
				if ($_SESSION['loggedin'] == true);
				if (empty($_POST) === false) {
					$username = $_POST['liusername'];
					$password = $_POST['lipassword'];
					
				
				

					if (empty($username) === true || empty($password) === true) {
						?><br /><font color="red"><?php echo 'ERROR: You need to enter a username and password!';

					}
				
				}
 			?>

Login Code

<?php

	if (isset($_POST['lisubmit'])){
		
		$query = "SELECT user_id, user_password FROM user WHERE user_username = '".$_POST['liusername']."'";  // Select details from user table
		
		$result = mysql_query($query) or die(mysql_error());
		
		$row = mysql_fetch_array($result);
		
		if ($row['user_password'] == $_POST['lipassword']) {
			
			$_SESSION['loggedin'] = true;
			$_SESSION['id'] = $row['user_id'];		
			$_SESSION['username'] = $_POST['liusername'];
			
			
		} else {
			
			$_SESSION['loggedin'] = false;
			$_SESSION['id'] = 0;
		
	}
	
}
	
?>

Thank you in advance for any help.

Link to comment
https://forums.phpfreaks.com/topic/287592-login-verification-problems/
Share on other sites

First, use mysqli, not mysql which is deprecated (no longer going to be supported, updated)

To clean up input data use mysqli_real_escape_string();

To check whether a user exists, make sure that a row gets returned:

<?php

	if (isset($_POST['lisubmit'])){
		$liusername=mysqli_real_escape_string($dblink,$_POST['liusername']);// Note I'm using mysqli here. Can't mix and match. You need to change the rest of your code to do the same or change my function to mysql.
		$query = "SELECT user_id, user_password FROM user WHERE user_username = '$liusername'";  // Select details from user table
		
		$result = mysql_query($query) or die(mysql_error());
		
		$row = mysql_fetch_array($result);

		
		if ($row['user_password'] == $_POST['lipassword'] && $row['user_password']!='') {
			
			$_SESSION['loggedin'] = true;
			$_SESSION['id'] = $row['user_id'];		
			$_SESSION['username'] = $_POST['liusername'];
			
			
		} else {
			
			$_SESSION['loggedin'] = false;
			$_SESSION['id'] = 0;
		
	}
	
}
	
?>

There are a lot of ways to check that the user exists. If not, $ row will be empty. I did a not so elegant check by adding a check to make sure that the password returned in $ row was not blank but you could use mysqli_num_rows() for a more elegant check that a row is being returned.

Thank you very much davidannis! It no longer logs anyone in and displays the error message as desired!

I have to use mysql for this part of an assignment I'm working on so I have changed the function to msql as you've told me to.

 

I do have one issue though, if I login a registered user, I get a php error at the top of the page:

 

Warning: mysql_real_escape_string() expects parameter 2 to be resource, string given in E:\Inetpub\wwwroot\php\home\includes\login.php on line 4

 

Have I done something wrong?

 

Thank you for your help so far!

  • Solution

Warning: mysql_real_escape_string() expects parameter 2 to be resource, string given in E:\Inetpub\wwwroot\php\home\includes\login.php on line 4

That's because the syntax is different between mysql_real_escape_string http://nz2.php.net/manual/en/function.mysql-real-escape-string.php and mysqli_real_escape_string

 

string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier = NULL ] )

 

vs.

 

string mysqli_real_escape_string ( mysqli $link , string $escapestr )

notice that the link is first in one and last in the other. If this is a class assignment and will never go live, you can probably dispense with the security (though its bad practice) and just forget about sanitizing data.

 

 

 

Oh and also, when I enter an unregistered username and password, the error doesn't display? Is there anyway to show that too?

		$result = mysql_query($query) or die(mysql_error());

		$number_users = mysqli_num_rows($result );
if ($number_users==0){echo ' no such user';}
		$row = mysql_fetch_array($result);

		
		if ($row['user_password'] == $_POST['lipassword'] && $row['user_password']!='') {
			
			$_SESSION['loggedin'] = true;
			$_SESSION['id'] = $row['user_id'];		
			$_SESSION['username'] = $_POST['liusername'];
			
			
		} else {
			echo 'username and password don't match';
			$_SESSION['loggedin'] = false;
			$_SESSION['id'] = 0;

		
	}
	

Thanks for your help.

I'm no longer getting the error now but it's still not logging in as a registered user.

 

Have I entered this correctly and does it correspond with the correct syntax? I'm such a novice >.<

<?php

	if (isset($_POST['lisubmit'])){
		$liusername=mysql_real_escape_string($_POST['liusername'][$dblink = NULL]); 
		$query = "SELECT user_id, user_password FROM user WHERE user_username = '$liusername'";  // Select details from user table
		
		$result = mysql_query($query) or die(mysql_error());

		$number_users = mysql_num_rows($result );
if ($number_users==0){echo ' no such user';}
		$row = mysql_fetch_array($result);
	
			if ($row['user_password'] == $_POST['lipassword'] && $row['user_password']!='') {
			
			$_SESSION['loggedin'] = true;
			$_SESSION['id'] = $row['user_id'];		
			$_SESSION['username'] = $_POST['liusername'];
			
			
		} else {
			echo 'username and password don\'t match';
			$_SESSION['loggedin'] = false;
			$_SESSION['id'] = 0;
		
		}
}
	
?>

Also is there a way to merge the other error: "username and password don't match" into the "ERROR: you need to enter a username and password" script that's in another php file? Just so it appears in the correct place within the document?

 

I've tried to merge the code over, but it doesn't seem to work correctly?

 

Login form page

       	<?php
			
			if ($_SESSION['loggedin'] == true){ 
 
 				 echo "You are logged in as ";?><b><?php echo $_SESSION['username']?></b><?php echo " ["; echo $_SESSION['id']; echo "]";  
				 
		?>			
                 
         	<a href="logout.php">Logout</a>
            
        <?php
			
 
			}else{ 
 
 				echo "<p><b>Login:</b></p>\n"; 
			
		?>
               
                
            <form name="loginform" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
				<b>Username:</b> <input type="text" name="liusername"> 
			    <b>Password:</b> <input type="password" name="lipassword">
            	<input type="submit" name="lisubmit" value="Login">
	  		</form>            
		
			<?php
			
		
				} 	
				if ($_SESSION['loggedin'] == true);
				if (empty($_POST) === false) {
					$username = $_POST['liusername'];
					$password = $_POST['lipassword'];
					
				
				

					if (empty($username) === true || empty($password) === true) {
						?><br /><font color="red"><?php echo 'ERROR: You need to enter a username and password!'; // <- To be placed as the same area as this?

					}
				
				}
 			?>
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.