Catana Posted April 7, 2014 Share Posted April 7, 2014 Hi, I'm currently having an issue with validating my login script, it only appears that one part of it actually works! I have a simple login form with a username and password field and login button. At the moment if I enter nothing into the login form (nothing for both username and password), it logs in as an unregistered user with no ID and my error message is displayed. If I enter an unregistered username with no password the same thing happens. If I enter an unregistered username with a random password there is no log in which is good, but my error message is not displayed. If I enter a registered username and password into the form, it logs in with the correct ID and no error message is displayed, which is good. If I enter a random password with nothing in the username it does not log in which is good and the error message is displayed as it should. How can I get it so that all of these login attempts are coded so that it always results in the last case if an unregistered user is entered and / or missing details are entered into the form? Form and Validation Code <?php if ($_SESSION['loggedin'] == true){ echo "You are logged in as ";?><b><?php echo $_SESSION['username']?></b><?php echo " ["; echo $_SESSION['id']; echo "]"; ?> <a href="logout.php">Logout</a> <?php }else{ echo "<p><b>Login:</b></p>\n"; ?> <form name="loginform" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> <b>Username:</b> <input type="text" name="liusername"> <b>Password:</b> <input type="password" name="lipassword"> <input type="submit" name="lisubmit" value="Login"> </form> <?php } if ($_SESSION['loggedin'] == true); if (empty($_POST) === false) { $username = $_POST['liusername']; $password = $_POST['lipassword']; if (empty($username) === true || empty($password) === true) { ?><br /><font color="red"><?php echo 'ERROR: You need to enter a username and password!'; } } ?> Login Code <?php if (isset($_POST['lisubmit'])){ $query = "SELECT user_id, user_password FROM user WHERE user_username = '".$_POST['liusername']."'"; // Select details from user table $result = mysql_query($query) or die(mysql_error()); $row = mysql_fetch_array($result); if ($row['user_password'] == $_POST['lipassword']) { $_SESSION['loggedin'] = true; $_SESSION['id'] = $row['user_id']; $_SESSION['username'] = $_POST['liusername']; } else { $_SESSION['loggedin'] = false; $_SESSION['id'] = 0; } } ?> Thank you in advance for any help. Quote Link to comment https://forums.phpfreaks.com/topic/287592-login-verification-problems/ Share on other sites More sharing options...
Rifts Posted April 7, 2014 Share Posted April 7, 2014 you never check if the user actually exists. also you need to clean all you inputs you should never just use POST data. Quote Link to comment https://forums.phpfreaks.com/topic/287592-login-verification-problems/#findComment-1475313 Share on other sites More sharing options...
Catana Posted April 7, 2014 Author Share Posted April 7, 2014 I'm still a newbie towards php so I'm not sure what/where to add or change as I don't understand this validation thing very well? Quote Link to comment https://forums.phpfreaks.com/topic/287592-login-verification-problems/#findComment-1475326 Share on other sites More sharing options...
Catana Posted April 8, 2014 Author Share Posted April 8, 2014 How do I check that the user exists and how do I stop random user names that are not in the user table from logging in? Thanks. Quote Link to comment https://forums.phpfreaks.com/topic/287592-login-verification-problems/#findComment-1475384 Share on other sites More sharing options...
davidannis Posted April 8, 2014 Share Posted April 8, 2014 First, use mysqli, not mysql which is deprecated (no longer going to be supported, updated) To clean up input data use mysqli_real_escape_string(); To check whether a user exists, make sure that a row gets returned: <?php if (isset($_POST['lisubmit'])){ $liusername=mysqli_real_escape_string($dblink,$_POST['liusername']);// Note I'm using mysqli here. Can't mix and match. You need to change the rest of your code to do the same or change my function to mysql. $query = "SELECT user_id, user_password FROM user WHERE user_username = '$liusername'"; // Select details from user table $result = mysql_query($query) or die(mysql_error()); $row = mysql_fetch_array($result); if ($row['user_password'] == $_POST['lipassword'] && $row['user_password']!='') { $_SESSION['loggedin'] = true; $_SESSION['id'] = $row['user_id']; $_SESSION['username'] = $_POST['liusername']; } else { $_SESSION['loggedin'] = false; $_SESSION['id'] = 0; } } ?> There are a lot of ways to check that the user exists. If not, $ row will be empty. I did a not so elegant check by adding a check to make sure that the password returned in $ row was not blank but you could use mysqli_num_rows() for a more elegant check that a row is being returned. Quote Link to comment https://forums.phpfreaks.com/topic/287592-login-verification-problems/#findComment-1475385 Share on other sites More sharing options...
Catana Posted April 8, 2014 Author Share Posted April 8, 2014 Thank you very much davidannis! It no longer logs anyone in and displays the error message as desired! I have to use mysql for this part of an assignment I'm working on so I have changed the function to msql as you've told me to. I do have one issue though, if I login a registered user, I get a php error at the top of the page: Warning: mysql_real_escape_string() expects parameter 2 to be resource, string given in E:\Inetpub\wwwroot\php\home\includes\login.php on line 4 Have I done something wrong? Thank you for your help so far! Quote Link to comment https://forums.phpfreaks.com/topic/287592-login-verification-problems/#findComment-1475386 Share on other sites More sharing options...
Catana Posted April 8, 2014 Author Share Posted April 8, 2014 Oh and also, when I enter an unregistered username and password, the error doesn't display? Is there anyway to show that too? Thank you for your time. Quote Link to comment https://forums.phpfreaks.com/topic/287592-login-verification-problems/#findComment-1475388 Share on other sites More sharing options...
Solution davidannis Posted April 8, 2014 Solution Share Posted April 8, 2014 Warning: mysql_real_escape_string() expects parameter 2 to be resource, string given in E:\Inetpub\wwwroot\php\home\includes\login.php on line 4 That's because the syntax is different between mysql_real_escape_string http://nz2.php.net/manual/en/function.mysql-real-escape-string.php and mysqli_real_escape_string string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier = NULL ] ) vs. string mysqli_real_escape_string ( mysqli $link , string $escapestr ) notice that the link is first in one and last in the other. If this is a class assignment and will never go live, you can probably dispense with the security (though its bad practice) and just forget about sanitizing data. Oh and also, when I enter an unregistered username and password, the error doesn't display? Is there anyway to show that too? $result = mysql_query($query) or die(mysql_error()); $number_users = mysqli_num_rows($result ); if ($number_users==0){echo ' no such user';} $row = mysql_fetch_array($result); if ($row['user_password'] == $_POST['lipassword'] && $row['user_password']!='') { $_SESSION['loggedin'] = true; $_SESSION['id'] = $row['user_id']; $_SESSION['username'] = $_POST['liusername']; } else { echo 'username and password don't match'; $_SESSION['loggedin'] = false; $_SESSION['id'] = 0; } Quote Link to comment https://forums.phpfreaks.com/topic/287592-login-verification-problems/#findComment-1475391 Share on other sites More sharing options...
Catana Posted April 8, 2014 Author Share Posted April 8, 2014 Thanks for your help. I'm no longer getting the error now but it's still not logging in as a registered user. Have I entered this correctly and does it correspond with the correct syntax? I'm such a novice >.< <?php if (isset($_POST['lisubmit'])){ $liusername=mysql_real_escape_string($_POST['liusername'][$dblink = NULL]); $query = "SELECT user_id, user_password FROM user WHERE user_username = '$liusername'"; // Select details from user table $result = mysql_query($query) or die(mysql_error()); $number_users = mysql_num_rows($result ); if ($number_users==0){echo ' no such user';} $row = mysql_fetch_array($result); if ($row['user_password'] == $_POST['lipassword'] && $row['user_password']!='') { $_SESSION['loggedin'] = true; $_SESSION['id'] = $row['user_id']; $_SESSION['username'] = $_POST['liusername']; } else { echo 'username and password don\'t match'; $_SESSION['loggedin'] = false; $_SESSION['id'] = 0; } } ?> Also is there a way to merge the other error: "username and password don't match" into the "ERROR: you need to enter a username and password" script that's in another php file? Just so it appears in the correct place within the document? I've tried to merge the code over, but it doesn't seem to work correctly? Login form page <?php if ($_SESSION['loggedin'] == true){ echo "You are logged in as ";?><b><?php echo $_SESSION['username']?></b><?php echo " ["; echo $_SESSION['id']; echo "]"; ?> <a href="logout.php">Logout</a> <?php }else{ echo "<p><b>Login:</b></p>\n"; ?> <form name="loginform" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> <b>Username:</b> <input type="text" name="liusername"> <b>Password:</b> <input type="password" name="lipassword"> <input type="submit" name="lisubmit" value="Login"> </form> <?php } if ($_SESSION['loggedin'] == true); if (empty($_POST) === false) { $username = $_POST['liusername']; $password = $_POST['lipassword']; if (empty($username) === true || empty($password) === true) { ?><br /><font color="red"><?php echo 'ERROR: You need to enter a username and password!'; // <- To be placed as the same area as this? } } ?> Quote Link to comment https://forums.phpfreaks.com/topic/287592-login-verification-problems/#findComment-1475395 Share on other sites More sharing options...
Catana Posted April 8, 2014 Author Share Posted April 8, 2014 Ignore my last posts, I managed to get it working and merged the two error statements into one! Thank you for your help davidannis! Quote Link to comment https://forums.phpfreaks.com/topic/287592-login-verification-problems/#findComment-1475404 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.