[SOLVED] Can log in with multiple accounts, but they all have the same name

[trecool999]

Ok, so I've got this problem where I can create a couple of accounts using my register form.

The thing is, when I log in they all come up with the same 'Hello, trecool999!' message even if they are different usernames and in the code it displays 'echo "Hello, ".$user."!"'

[pocobueno1388]

Do you have sessions set up? If you don't there is no way of retreiving the right information from the database to do that.

[Jessica]

Where's the code where you define $user?
Do you have register_globals on?

[trecool999]

Ok, try registering here: http://trecool999.8888mb.com/form.html
And logging in here: http://trecool999.8888mb.com/index.html

If it doesn't come up with something like 'Hello, trecool999', then why does it only happen to me?  :-[ :-[ :-[

[pocobueno1388]

Firstly you need to answer all the questions that we asked you so we can get to the bottom of the problem.

Could you give us the code?

[Jessica]

[quote author=jesirose link=topic=124327.msg514894#msg514894 date=1169928332]
Where's the code where you define $user?
[/quote]

I meant show us the code, not show me the file where it runs. I can't help you without seeing the code.

[trecool999]

Ok.

Login HTML:

[code]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>PSPRock - Welcome!</title>
<style type="text/css">
<!--
#Layer1 {
position:absolute;
left:0;
top:1px;
width:100%;
height:180;
z-index:1;
background-image: url(Images/Site/Backdrop.jpg);
}
body {
background-color: #0099FF;
}
body,td,th {
font-family: Segoe UI;
color: #333333;
}
#Layer2 {
position:absolute;
left:1px;
top:210px;
width:224px;
height:456px;
z-index:2;
}
#Strip {
position:absolute;
left:0px;
top:182px;
width:100%;
height:27;
z-index:3;
background-image: url(Images/Site/StripMiddle.jpg);
}
#Layer3 {
position:absolute;
left:0px;
top:182px;
width:659px;
height:27px;
z-index:4;
}
.style1 {font-size: 14px}
.style2 {color: #666666}
.style3 {color: #333333}
-->
</style>
</head>

<body>
<div id="Layer1"><img src="Images/Site/Logo.jpg" width="700" height="180" /></div>
<div id="Layer2"></div>
<div id="Strip">
  <div align="right">
    <form action="authenticate.php" method="post">
      <span class="style1">Username:</span>
      <input type="text" name="username" size="10">
      <span class="style1">Password:</span>
      <input type="password" name="password" size="10">
<input type="submit" value="Log in" name="submit">
</form>
</div>
</div>
<div class="style1" id="Layer3"><span class="style2"><a href="index.html">Home</a> <span class="style3">-</span> Forums  <span class="style3"></span></span>- <span class="style2">Info</span></div>
</div>
</body>
</html>
[/code]

Login PHP:

[code]
<?php
//Begin PHP file authenticate.php

//Retrieve the data the form passed us. All form data passed to PHP
//will be in the super global array, $_REQUEST. This is automatically
//set for you by PHP (depending on version) You can also use
//$_POST or $_GET autoglobals, but for the sake of learning use the one
//below
$user = $_REQUEST['username'];//get username from form
$pass = $_REQUEST['password'];//get password from form

//Now strip away an potentially harmful code:
$user=strip_tags($user);
$pass=strip_tags($pass);

//To foil any possible attempts at SQL injection, do the following function
//$variable=str_replace("what to look for","what to replace it with",$what_variable_to_use);

//Now use the replace function on our variables
$user=str_replace(" ","",$user);//remove spaces from username
$pass=str_replace(" ","",$pass);//remove spaces from password
$user=str_replace("%20","",$user);//remove escaped spaces from username
$pass=str_replace("%20","",$pass);//remove escaped spaces from password



//And finally, add slashes to escape things like quotes and apostrophes
//because they can be used to hijack SQL statements!
//use the function, addslashes(), pretty self explanatory
$user=addslashes($user);//remove spaces from username
$pass=addslashes($pass);//remove spaces from password
//First, we need to connect to the server
//the format is $connection = mysql_connect("address","username","password");
$conn = mysql_connect("localhost","trecool999_user","*password*");

//now choose the database to use
mysql_select_db("trecool999_user");

//Remember how we encrypted the password in step 1? Well we do
//the same thing here. We stored the encrypted password
//so it couldn't be stolen, but to check what was entered as
//the password, we encrypt it, then check it against the
//encrypted password in the database. This is pretty standard.
//almost EVERY site is going to use a 32 character md5 hash or
//an 8 character cipher with a 2 character salt. Don't worry
//about what that means :)
$pass=md5($pass);

//the function md5 creates a unique 32 character string,
//no matter what the length of the data you encrypt!

//Search for a password  AND username match, then return a value
//of true if we get any results
$request = "SELECT * FROM users WHERE password='".$pass."' AND username='".$user."'";

//Pass the request to the mysql connection,
//and the data is returned in a blob and
//saved in $results
$results = mysql_query($request,$conn);


//if mysql returns any number of rows great than 0, we know we had a match,
//right? Right.
if(mysql_num_rows($results))//function returns true if any matches are found
{
    echo "Hello ".$user.", please wait to be redirected...";
$_SESSION['user'] = $user;
$_SESSION['auth'] = true;
}
else
{
echo "Connection failed, please try again.";
$_SESSION['auth'] = false;
}


//End PHP file authenticate.php
?>
[/code]

Register HTML:

[code]
<form action="signup.php" method="post">
  <p>Username:
    <input type="text" name="username" size="10">
    <br>
    Password: 
    <input type="password" name="password" size="10">
    <br>
    <input type="submit" value="submit" name="submit">
  </p>
  </form>
[/code]

Register PHP:

[code]
<?php
//Begin PHP file signup.php

//Retrieve the data the form passed us. All form data passed to PHP
//will be in the super global array, $_REQUEST. This is automatically
//set for you by PHP (depending on version) You can also use
//$_POST or $_GET autoglobals, but for the sake of learning use the one
//below
$user = $_REQUEST['username'];//get username from form
$pass = $_REQUEST['password'];//get password from form

//Now strip away an potentially harmful code:
$user=strip_tags($user);
$pass=strip_tags($pass);

//To foil any possible attempts at SQL injection, do the following function
//$variable=str_replace("what to look for","what to replace it with",$what_variable_to_use);

//Now use the replace function on our variables
$user=str_replace(" ","",$user);//remove spaces from username
$pass=str_replace(" ","",$pass);//remove spaces from password
$user=str_replace("%20","",$user);//remove escaped spaces from username
$pass=str_replace("%20","",$pass);//remove escaped spaces from password



//And finally, add slashes to escape things like quotes and apostrophes
//because they can be used to hijack SQL statements!
//use the function, addslashes(), pretty self explanatory
$user=addslashes($user);//remove spaces from username
$pass=addslashes($pass);//remove spaces from password


//Now, after all that replacing, see if the password or username less than the required length
//Note that it is good to require a minimum pass/user length to provide greater security
$min_len = 6;

if(strlen($user) < $min_len || strlen($pass) < $min_len)
{
die("User/password was not long enough!");//Kick us out of PHP
}
//First, we need to connect to the server
//the format is $connection = mysql_connect("address","username","password");
$conn = mysql_connect("localhost","trecool999_user","*password*");

//now choose the database to use
mysql_select_db("trecool999_user");

//encrypt the users password so it cannot be retrieved by anyone!
$pass=md5($pass);

//the function md5 creates a unique 32 character string,
//no matter what the length of the data you encrypt!

//Save the request in SQL syntax to a string
$request = "INSERT INTO users values(0,'".$user."','".$pass."')";

//Pass the request to the mysql connection,
//and the data is returned in a blob and
//saved in $results
$results = mysql_query($request,$conn);

if($results)
{
echo "User account created";
}
else
{
echo "There was an error. The user account was not created.";
}


//End PHP file signup.php
?>
[/code]

Someone help quickly! I only have 1 hour and 43 minutes til' I have to go to bed! 13 isn't the best age for going at late times  :-[.

[Jessica]

It worked fine for me.

[trecool999]

Can you tell me why it only happens to me then?

If not, I'll live, since I just found out it works for others.

[pocobueno1388]

The only issue I see is your form action isn't pointing to "login.php" ... not sure if you meant to put authenticate.php or not.

Change:

[code]
<form action="authenticate.php" method="post">
[/code]

To:

[code]
<form action="login.php" method="post">
[/code]

On your login.html page.

[pocobueno1388]

It worked for me also though.

[Jessica]

The page is probably caching in your browser.

[trecool999]

Ok, thanks for the help guys/girls.