Jump to content

Authentication Problem

jkoskewich

By jkoskewich
in PHP Coding Help

 Share

Recommended Posts

jkoskewich Newbie

jkoskewich

Posted
Posted

Hello,

 

I am currently in the process of creating a Infomation System that tracks employees hrs when clocked in and out. It also has a infomation help page that u can CRUD (create read update and delete). I am having a simple problem that i have not been able to figure out. it is at in the Login/Authentcation Page. The login/Authpage is one page with all code inside. There will be two users. Admin and Employees. admins have a rank of 1 and emps have a rank of 2. Here is my code

<?php

// start session

session_start();

 

//destroy session

session_destroy();

 

$message="--- Login ---";

 

// Login Section.

$Login= $_POST['Login'];

if($Login)

{ // if Login button clicked.

$username= $_POST['username'];

$md5_password= md5($_POST['password']); // Encrypt password with md5() function.

 

include("config.php");

// connect to the mysql server.

mysql_connect($server, $db_user, $db_pass)

or die ("Could not connect to mysql because ".mysql_error());

 

// select the database.

mysql_select_db($database)

or die ("Could not select database because ".mysql_error());

 

// Check matching of username and password.

$query= "SELECT rank from admin where username= '$username' and password= '$md5_password'";

$result= mysql_query("$query");

 

while ($row= mysql_fetch_array($result))

{

if ($row[rank] == "1")

{

if (mysql_num_rows($result)!='0')

{ // if match.

session_register("username"); // Craete session username.

header("location:admin_cpanel.php"); // Re-direct to admin control panel

exit;

}

}

elseif ($row[rank] == "2")

{

if (mysql_num_rows($result)!='0')

{ // if match.

session_register("username"); // Craete session username.

header("location:proctor_cpanel.php"); // Re-direct to admin control panel

exit;

}

}

else

{ // if not match.

$message= "--- Incorrect Username or Password ---";

}

}

} // End Login authorize check.

?>

 

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>JNR Organizer Login</title>

<link rel="stylesheet" type="text/css" href="css/style.css" />

</head>

 

<body>

<table border="1" summary="" align="center">

<!-- Table Row For Banner -->

<tr>

<td colspan="2"><img src="images/Library_Logo.png" alt="JNR Organizer / Buchanan Library Logo" /></td>

</tr>

</table>

<br />

<br />

<form id="login" name="login" method="post" action="<?php echo $PHP_SELF; ?>">

  <table summary="Login Table" border="1" align="center">

    <tr>

  <td colspan="2" align="center"><?php echo $message; ?></td>

</tr>

<tr>

      <td>Username: </td>

      <td><input name="username" type="text" id="username" /></td>

    </tr>

    <tr>

      <td>Password : </td>

      <td><input name="password" type="password" id="password" /></td>

    </tr>

  <tr>

  <td colspan="2" align="center"><input name="Login" type="submit" id="Login" value="Login" /></td>

</tr>

    </table>

</form>

</body>

</html>

 

 

The problem i am having is it all works, You all might laugh, but for some reason. When the username and password Fails Not found. it should drop the the else statment and set the message to --- Incorrect Username or Password ---. It dose not. It just dispalays the -- login --. So the else statment is not even getting exe. Why. i this the right way of doing this? is there a better why? can some one help?

 

 

 

 

 

Link to comment
Share on other sites
marcus Regular Member

marcus

Posted
Posted

You want to do something like:

 

$query = mysql_query("SELECT * FROM `database` WHERE `username` ='$username' AND `passowrd` ='$password'") or die(mysql_error());

//then do a mysql num row execution

if(mysql_num_rows($query) == 0){
  echo "The username and/or password is/are incorrect!";
}else {
$row = mysql_fetch_assoc($query);
//then do your other queries here if row rank equals 1 etc....
}

Link to comment
Share on other sites
ToonMariner Advanced Member

ToonMariner

Posted
Posted

That query is open to mysql injection...

 

you should (in cases where update, insert or select could cause a disaterous problem with user inputted data) use mysql_real_escape_string on your parameters in the string...

 

<?php
$query = "SELECT * FROM `database` WHERE `username` = '" . mysql_real_escape_string($username) . "' AND `passowrd` = '" . mysql_real_escape_string($password) . "'";


$query = mysql_query($query) or die(mysql_error());
?>

 

with that code you can also check if users have tried to inject mysql by checking the variables against the escaped counterpart - if they don't match then some one is being naughty.

 

 

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.