A username and Password match technique!


npsari

I did this code, which should check if the Username and Passwords match that which is in the database.

 

<? 

if ($username) { 

$username== 

mysql_connect($dbhost,$dbuser,$dbpasswd); 
mysql_select_db($dbname); 
$q = "SELECT * FROM phpbb_users 

$res = @mysql_query($q); 
while($r = @mysql_fetch_array($res)) 
{ 
  echo "{$r['user_name']}<br>"; 
} 

print "The name and password matched, heloo<BR>\n"; 

} else { 

print "The Name & password does not match<BR>\n"; 

?> 

 

 

Are there mistakes in this code?

Can you point them out please, guys?

Link to comment
Share on other sites

You should do the match within your query, e.g.:

 

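<?php

  // Connect to db.
  if (isset($_POST['uname']) && isset($_POST['pword'])) {
    // Escape the submitted values before placing them inside the quoted SQL strings.
    $uname = mysql_real_escape_string($_POST['uname']);
    $pword = mysql_real_escape_string($_POST['pword']);
    $sql = "
      SELECT uname, pword
      FROM users
      WHERE uname = '$uname' && pword = '$pword'
    ";
    // Assign the result resource; mysql_query() returns false on failure.
    if ($result = mysql_query($sql)) {
      if (!mysql_num_rows($result)) {
        // Username or pass does not exist.
      } else {
        // Username and pass are valid.
      }
    }
  }

?>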

Link to comment
Share on other sites

sure, no problem, we are here to help ;D

 

<?
/**
* $username, so i assume you also have a variable called $password?
*/
if (isset($username)
&& !empty($username)) { // just a few extra checks added, so that we know the variable exists and is not empty
  /**
   * mysql_connect returns a database resource, which we will store and use later on
   * to execute queries etc...
   */
   $db = @mysql_connect($dbhost,$dbuser,$dbpasswd);
              mysql_select_db($dbname);
  /**
   * assuming your table is using the fields (user_name, user_password)
   * + added WHERE clause so you do not get all records, just those who you are going to need!
   */
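   // escape the value before it goes inside the quoted string in the query
   $q = sprintf("SELECT * FROM phpbb_users WHERE user_name = '%s'", mysql_real_escape_string($username, $db));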

   /**
    * $db is a resource to your database
    * its optional as second argument for mysql_query,
    * but it would be good practice to write it anyway
    */
   $res = @mysql_query($q, $db);

   while($r = @mysql_fetch_array($res)) 
   { 
       //echo $r['user_name'] . "<br>";
       // check http://be.php.net/manual/nl/function.strcmp.php for more information on strcmp function
       if (strcmp($r['user_password'], $password) == 0) {
           print "The name and password matched, heloo<BR>\n"; 
       }
   } 
} else { // No username
   print "The Name & password does not match<BR>\n"; 
}
?>

Link to comment
Share on other sites

Hi Ignance

 

I tried your code.

When I open the page straight away, I get the message "Name and password did not match", so I guess that is fine.

However, when I submit a username and password from the HTML form, the page is blank, even if the name is wrong or right.

Do you know what the mistake is?

Link to comment
Share on other sites

Ohh, I see what you mean, thorpe.

Well, I am using this code like that:

<?
/**
* $username, so i assume you also have a variable called $password?
*/
if (isset($name)
&& !empty($name)) { // just a few extra checks added, so that we know the variable exists and is not empty
   /**
    * mysql_connect returns a database resource, which we will store and use later on
    * to execute queries etc...
    */
    $db = @mysql_connect(localhost,my_name,my_password);
               mysql_select_db(shyness_phpb1);
   /**
    * assuming your table is using the fields (user_name, user_password)
    * + added WHERE clause so you do not get all records, just those who you are going to need!
    */
    $q = sprintf("SELECT * FROM phpbb_users WHERE user_name = '%s'", $name); 

    /**
     * $db is a resource to your database
     * its optional as second argument for mysql_query,
     * but it would be good practice to write it anyway
     */
    $res = @mysql_query($q, $db);

    while($r = @mysql_fetch_array($res)) 
    { 
        //echo $r['user_name'] . "<br>";
        // check http://be.php.net/manual/nl/function.strcmp.php for more information on strcmp function
        if (strcmp($r['user_password'], $password) == 0) {
            print "The name and password matched, heloo<BR>\n"; 
        }
    } 
} else { // No username
    print "The Name & password does not match<BR>\n"; 
}
?>

 

 

Is that wrong, what I did to the code?

Because the fields in the HTML form are called "name" & "password".

Link to comment
Share on other sites

/**
* This script will receive the values defined in the form fields "name" & "password",
* i am assuming your REQUEST_METHOD is set to POST, if not change method="post"
* strcasecmp() compares strings case insensitive
*/
if (strcasecmp($_SERVER['REQUEST_METHOD'], 'POST') == 0) {
   if (isset($_POST)
   && (count($_POST) != 0)) { // 0 elements would be useless execution of code
      if (strcasecmp(strip_tags($_POST['name']), $_POST['name']) != 0) exit('not allowed to use html in your username!');
      if (strcasecmp(strip_tags($_POST['password']), $_POST['password']) != 0) exit('not allowed to use html in your password!');

      // will not be executed if one of the above two validates as true 
      $username = $_POST['name'];
      $password = $_POST['password'];
      
      $db = @mysql_connect('localhost', 'my_name', 'my_password');
      if (!is_resource($db)) exit('could not connect to database server.');

      if (!@mysql_select_db('shyness_phpb1')) exit('could not select the database.');

      // + added LIMIT 1, making sure we only will validate one row from the database
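      // escape the value before it goes inside the quoted string in the query
      $q = sprintf("SELECT * FROM phpbb_users WHERE user_name = '%s' LIMIT 1", mysql_real_escape_string($username, $db));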
      $res = @mysql_query($q, $db);
      
      if (!is_resource($res)) exit(mysql_errno() . " : " . mysql_error()); // experiment with the provided built-in mysql functions
      
      /**
       * using mysql_fetch_assoc() instead of the mysql_fetch_array()
       * mysql_fetch_assoc() only returns an associative array instead of an numeric
       * mysql_fetch_array() returns both, can be manipulated when you pass MYSQL_ASSOC as second argument
       *
       * What we are doing here, is not the best practice when it comes to validating users,
       * another method should be required!
       */
      while ($r = @mysql_fetch_assoc($res)) {
          if (strcasecmp($r['user_password'], $password) == 0) {
             // this time i used strcasecmp() which is case insensitive, might solve your problem!
             printf("the password match the name provided, helloooo<br />\n");
          } else {
             printf("no match!<br />\n");
          }
      }
   }
}

Link to comment
Share on other sites
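
Added example, not part of any post in this thread: the same name-and-password check written with a bound parameter and a hashed password, using PDO and password_hash()/password_verify() instead of the mysql_* functions used above (those were removed in PHP 7). The `users` table, the `check_login()` function and the sample accounts are constructed for illustration, and an in-memory SQLite database (requires the pdo_sqlite extension) stands in for the MySQL server so the script runs on its own.

```php
<?php
// Added example: constructed schema and sample data, not the phpBB table layout.
// In-memory SQLite stands in for the MySQL server so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_name TEXT PRIMARY KEY, user_password TEXT NOT NULL)');

// Store a salted hash, never the password itself.
$insert = $pdo->prepare('INSERT INTO users (user_name, user_password) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute(["o'brien", password_hash('s3cret', PASSWORD_DEFAULT)]);

/**
 * Returns true only when the name exists and the password matches its stored hash.
 */
function check_login(PDO $pdo, string $name, string $password): bool
{
    // The placeholder keeps the submitted name out of the SQL text entirely,
    // so quote characters in it cannot change the query.
    $stmt = $pdo->prepare('SELECT user_password FROM users WHERE user_name = ? LIMIT 1');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown user: still verify against a dummy hash so both failure paths do similar work.
        static $dummy = null;
        $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    // Case-sensitive comparison against the stored hash.
    return password_verify($password, $hash);
}

// Constructed login attempts.
$attempts = [
    ['alice', 'correct horse'],   // valid account
    ['alice', 'CORRECT HORSE'],   // wrong case must not be accepted
    ["o'brien", 's3cret'],        // a quote in the name is handled as plain data
    ['alice', "it's wrong"],      // a quote in the password is handled as plain data
    ['bob', 'correct horse'],     // unknown user
];
foreach ($attempts as [$name, $password]) {
    $ok = check_login($pdo, $name, $password);
    // One message for every failure, so the reply does not reveal which part was wrong.
    printf("%-10s %s\n", $name, $ok ? 'login ok' : 'name or password does not match');
}
```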
