Jump to content

Recommended Posts

I did this code, which should check if the Username and Passwords match that which is in the database.

 

<? 

if ($username) { 

$username== 

mysql_connect($dbhost,$dbuser,$dbpasswd); 
mysql_select_db($dbname); 
$q = "SELECT * FROM phpbb_users 

$res = @mysql_query($q); 
while($r = @mysql_fetch_array($res)) 
{ 
  echo "{$r['user_name']}<br>"; 
} 

print "The name and password matched, heloo<BR>\n"; 

} else { 

print "The Name & password does not match<BR>\n"; 

?> 

 

 

Are there mistakes in this code

Can you point them out please guys

Link to comment
https://forums.phpfreaks.com/topic/43224-a-username-and-password-match-technique/
Share on other sites

You should do the match within your query. eg;

 

<?php

  // Connect to db.
  if (isset($_POST['uname'] && isset($_POST['pword'])) {
    $sql = "
      SELECT uname, pword
      FROM users
      WHERE uname = '{$_POST['uname']}' && pword = '{_$POST['pword']}'
    ";
    if ($result(mysql_query($sql)) {
      if (!mysql_num_rows($result)) {
        // Username or pass does not exist.
      } else {
        // Username and pass are valid.
      }
    }
  }

?>

sure, no problem, we are here to help ;D

 

<?
/**
* $username, so i assume you also have a variable called $password?
*/
if (isset($username)
&& !empty($username)) { // just a few extra checks added, so that we know the variable exists and is not empty
  /**
   * mysql_connect returns a database resource, which we will store and use later on
   * to execute queries etc...
   */
   $db = @mysql_connect($dbhost,$dbuser,$dbpasswd);
              mysql_select_db($dbname);
  /**
   * assuming your table is using the fields (user_name, user_password)
   * + added WHERE clause so you do not get all records, just those who you are going to need!
   */
   $q = sprintf("SELECT * FROM phpbb_users WHERE user_name = '%s'", $username); 

   /**
    * $db is a resource to your database
    * its optional as second argument for mysql_query,
    * but it would be good practice to write it anyway
    */
   $res = @mysql_query($q, $db);

   while($r = @mysql_fetch_array($res)) 
   { 
       //echo $r['user_name'] . "<br>";
       // check http://be.php.net/manual/nl/function.strcmp.php for more information on strcmp function
       if (strcmp($r['user_password'], $password) == 0) {
           print "The name and password matched, heloo<BR>\n"; 
       }
   } 
} else { // No username
   print "The Name & password does not match<BR>\n"; 
}
?>

Hi Ignance

 

I tried your code

 

When I open the page straight away, I get the message "Name and password did not match" so i guess that is fine

 

However, when i submit username and password from the html form

 

The page is blank

 

even if names is wrong or right

 

Do you know what is the mistake

 

 

ohh, i see what you mean thorpe

 

Well, i am using this code like that

 

 

<?
/**
* $username, so i assume you also have a variable called $password?
*/
if (isset($name)
&& !empty($name)) { // just a few extra checks added, so that we know the variable exists and is not empty
   /**
    * mysql_connect returns a database resource, which we will store and use later on
    * to execute queries etc...
    */
    $db = @mysql_connect(localhost,my_name,my_password);
               mysql_select_db(shyness_phpb1);
   /**
    * assuming your table is using the fields (user_name, user_password)
    * + added WHERE clause so you do not get all records, just those who you are going to need!
    */
    $q = sprintf("SELECT * FROM phpbb_users WHERE user_name = '%s'", $name); 

    /**
     * $db is a resource to your database
     * its optional as second argument for mysql_query,
     * but it would be good practice to write it anyway
     */
    $res = @mysql_query($q, $db);

    while($r = @mysql_fetch_array($res)) 
    { 
        //echo $r['user_name'] . "<br>";
        // check http://be.php.net/manual/nl/function.strcmp.php for more information on strcmp function
        if (strcmp($r['user_password'], $password) == 0) {
            print "The name and password matched, heloo<BR>\n"; 
        }
    } 
} else { // No username
    print "The Name & password does not match<BR>\n"; 
}
?>

 

 

Is that wrong what i did to the code?

Because the fields in the HTML form are called "name" & "password"

 

A Safer option would be to use the mySQL function COUNT, tutorial found here; http://www.tizag.com/mysqlTutorial/mysqlcount.php

 

That is one one but not at all needed.

 

Take a look at my example. You do not need a while loop. Also note that if the form posts the fields name and password they will be found in $_POST['name'] and $_POST['password'].

/**
* This script will receive the values defined in the form fields "name" & "password",
* i am assuming your REQUEST_METHOD is set to POST, if not change method="post"
* strcasecmp() compares strings case insensitive
*/
if (strcasecmp($_SERVER['REQUEST_METHOD'], 'POST') == 0) {
   if (isset($_POST)
   && (count($_POST) != 0)) { // 0 elements would be useless execution of code
      if (strcasecmp(strip_tags($_POST['name']), $_POST['name']) != 0) exit('not allowed to use html in your username!';
      if (strcasecmp(strip_tags($_POST['password']), $_POST['password']) != 0) exit('not allowed to use html in your password!';

      // will not be executed if one of the above two validates as true 
      $username = $_POST['name'];
      $password = $_POST['password'];
      
      $db = @mysql_connect('localhost', 'my_name', 'my_password');
      if (!is_resource($db)) exit('could not connect to database server.');

      if (!@mysql_select_db('shyness_phpb1')) exit('could not select the database.');

      // + added LIMIT 1, making sure we only will validate one row from the database
      $q = sprintf("SELECT * FROM phpbb_users WHERE user_name = '%s' LIMIT 1", $username);
      $res = @mysql_query($q, $db);
      
      if (!is_resource($res)) exit(mysql_errno() . " : " . mysql_error()); // experiment with the provided built-in mysql functions
      
      /**
       * using mysql_fetch_assoc() instead of the mysql_fetch_array()
       * mysql_fetch_assoc() only returns an associative array instead of an numeric
       * mysql_fetch_array() returns both, can be manipulated when you pass MYSQL_ASSOC as second argument
       *
       * What we are doing here, is not the best practice when it comes to validating users,
       * another method should be required!
       */
      while ($r = @mysql_fetch_assoc($res)) {
          if (strcasecmp($r['user_password'], $password) == 0) {
             // this time i used strcasecmp() which is case insensitive, might solve your problem!
             printf("the password match the name provided, helloooo<br />\n");
          } else {
             printf("no match!<br />\n");
          }
      }
   }
}

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.