drummer101 Posted June 23, 2007

```php
<?php
session_start();
require("connect.php");
@$_SESSION["username"] = $_POST["username"];
@$_SESSION["password"] = $_POST["password"];
$username = ucfirst($_SESSION["username"]);
$password = $_SESSION["password"];
$valid_user = 0;
@$sql = "SELECT * FROM `users` WHERE Username = '$username'";
$result = mysql_query($sql) or die ('Query Failed' . mysql_error());
$numrows = mysql_num_rows($result);
?>
<title>Login</title>
</head>
<body>
<?
if(!isset($username) | !isset($password)){
?>
<form action="login.php" method="POST">
<p align="center">Please log in to continue.</p>
<table align="center" border="0">
 <tr>
  <td>Username: </td>
  <td><input type="text" name="username"></td>
 </tr>
 <tr>
  <td>Password: </td>
  <td><input type="password" name="password"></td>
 </tr>
 <tr>
  <td colspan="2" align="right">
   <input type="submit" value="Login"></td>
 </tr>
</table>
</form>
<?
} else {
    while ($row = mysql_fetch_assoc($result)){
        if(($numrows = 1) and ($row["Password"] = $password) and ($row["Username"] = $username) and ($row['Active'] = 1)){
            $valid_user = 1;
            echo "Session variable are set <br> They are...<br> Username: $username <br> Password: " . md5($password) . "<br><br>";
            echo "Hello $username. Today is " . date("l, F jS Y") . " and it is " . date("g:ia") . "<br>";
            echo "Please <a href='logout.php'>Click here</a> if you wish to log out.<br>";
        } elseif(($numrows = 1) and ($password = $row['Password']) and ($username = $row['Username']) and ($row['Active'] = 0)){
            $valid_user = 0;
            echo "Your account has been deactivated. Please contact the administrator to resolve this.";
            session_unset();
            session_destroy();
        } elseif(($numrows = 0) or ($password != $_SESSION['password']) or ($username != $_SESSION['username'])){
            $valid_user = 0;
            echo "You have specified a wrong username or password, please go back and try again";
            session_unset();
            session_destroy();
        } else {
            $valid_user = 0; // Safety catch, to ensure if any of the above conditions aren't met users still are not authenticated.
        } // elseif ($numrows = 0 and $password != $row['Password'] or $username != $row['Username'])
    } // while ($row = mysql_fetch_assoc($result))
```

The main problem that I'm having is if a username is entered that exists in the database, instead of executing

```php
elseif(($numrows = 0) or ($password != $_SESSION['password']) or ($username != $_SESSION['username'])){
    $valid_user = 0;
    echo "You have specified a wrong username or password, please go back and try again";
    session_unset();
    session_destroy();
```

it executes

```php
if(($numrows = 1) and ($row["Password"] = $password) and ($row["Username"] = $username) and ($row['Active'] = 1)){
    $valid_user = 1;
    echo "Session variable are set <br> They are...<br> Username: $username <br> Password: " . md5($password) . "<br><br>";
    echo "Hello $username. Today is " . date("l, F jS Y") . " and it is " . date("g:ia") . "<br>";
    echo "Please <a href='logout.php'>Click here</a> if you wish to log out.<br>";
```

The other problem I'm having with the script is when an invalid username AND password are entered, instead of executing

```php
elseif(($numrows = 0) or ($password != $_SESSION['password']) or ($username != $_SESSION['username'])){
    $valid_user = 0;
    echo "You have specified a wrong username or password, please go back and try again";
    session_unset();
    session_destroy();
```

The output is just blank. ???

I added an error check echo to the closing } else { but that wasn't triggered.

Any input is much appreciated.

aim25 Posted June 23, 2007

For one I think you're trying to figure out if row["Password"] is equal to $password, and you used "=", I think you should try "==". I'm not sure, I've never come across anything like how you program.

drummer101 Posted June 23, 2007 (Author)

> and you used "=", i think you should try "==".

Already been through that. No effect.

drummer101 Posted June 25, 2007 (Author)

Anyone else able to take a quick look at this? I'm sure it's something pretty basic and very stupid that I missed.

suma237 Posted June 25, 2007

Hey,

```php
$sql = "SELECT Username,Password FROM `users` WHERE Username = '$username'";
```

Use the above select statement and remove the @ symbol. If you remove the @ sign, then you will be able to sort out the error.

mmarif4u Posted June 25, 2007

I see a lot of errors and injection in your code. Like why are you saving the pass in sessions. You did not match username against password in your query. For checking to be valid you have to do it like:

```php
if ($numrows > 0) {
    // login successful
} else {
    // login failed
}
```

drummer101 Posted June 25, 2007 (Author)

> Hey, $sql = "SELECT Username,Password FROM `users` WHERE Username = '$username'"; use the above select statement and remove @ symbol. If you remove the @ sign, then you will be able to sort out the error

Just tried that and no dice :S

I've narrowed it down to: `echo $numrows;` shows that 0 rows match my $sql query, which is correct, BUT... for some reason

```php
elseif(($numrows = 0) or ($password != $_SESSION['password']) or ($username != $_SESSION['username'])){
```

isn't catching it. `elseif ($numrows = 0)` should take care of that exception, but for some reason isn't...

I've tried `elseif ($numrows == 0)`, `elseif ($numrows == "0")` and `elseif ($numrows = "0")`; none of these altered code changes resulted in correct execution. I even cut the elseif statement down to just

```php
elseif ($numrows = 0){
    echo "Wrong username or password";
}
```

and that still doesn't work.

The good news, however, is that if a username that IS in the database is entered with a wrong password, it will correctly execute the "wrong password or username" clause.

Edit:

> Like why u r saving pass in sessions.

That's only temporary, I don't intend to leave it like that, but thank you for pointing that out. I do appreciate it.

drummer101 Posted June 26, 2007 (Author)

Anyone else see my problem? I'm seriously stumped..

drummer101 Posted June 28, 2007 (Author)

Anyone able to take a gander? Still have no idea what's wrong with the if/elseif clauses not executing properly. ???

no_one Posted June 28, 2007

Something like this looks nicer, I don't know if it meets everything you need.

A few notes. You needlessly checked for "rowcount==1" more than once.. if it's in every case, then check it once and be done with it.

It's best to do the bulk, if not all, of your php processing/code before any html.. just looks neater. Easier to find errors, etc.

I also separated the sql query out, if the user is loading this page for the first time, then it's pointless to do that in waste.

If you want to save the username/password to the session, then put it inside the successful login if-block.

I didn't quite understand why you're looping rows, usernames are usually unique, and for good reason. I left it in there in case you had something that made sense in your mind, w/e.

As everyone else stated == is for testing equality and = is for setting a variable.

I changed all and and or to && and ||. And/or might be legal, I dunno, I'm not a php guru by any means.

I left in the test cases you wrote otherwise, and all messages, etc. Hope this helps and isn't bug filled..

```php
<?php
session_start();
require("connect.php");

$login_msg = "";
$valid_user = false;

if ( isset($_POST['login_submit']) )
{
    $username = isset($_POST["username"]) ? ucfirst($_POST["username"]) : "";
    $password = isset($_POST["password"]) ? $_POST["password"] : "";

    // Escape the username before placing it in the SQL string
    $username_sql = mysql_real_escape_string($username);
    $sql = "SELECT * FROM users WHERE Username = '$username_sql'";
    $result = mysql_query($sql) or die ('Query Failed' . mysql_error());
    $numrows = mysql_num_rows($result);

    if ( !$numrows )
    {
        // zero rows: handled here, before the fetch loop
        $login_msg = "Invalid username/password";
    }
    else
    {
        // user found
        while ($row = mysql_fetch_assoc($result)) // why? can more than 1 user have the same username?
        {
            if( ($row["Password"] == $password) && ($row["Username"] == $username) && ($row['Active'] == 1))
            {
                $valid_user = true;
                $login_msg .= "Session variable are set <br> They are...<br> Username: $username <br> Password: " . md5($password) . "<br><br>";
                $login_msg .= "Hello $username. Today is " . date("l, F jS Y") . " and it is " . date("g:ia") . "<br>";
                $login_msg .= "Please <a href='logout.php'>Click here</a> if you wish to log out.<br>";
            }
            elseif ( ($password == $row['Password']) && ($username == $row['Username']) && ($row['Active'] == 0) )
            {
                $valid_user = false;
                $login_msg .= "Your account has been deactivated. Please contact the administrator to resolve this.";
                session_unset();
                session_destroy();
            }
        } // while ($row = mysql_fetch_assoc($result))
    }
}
?>
<html>
<head>
<title>Login</title>
</head>
<body>
<?php
if( !empty($login_msg) )
{
    print($login_msg); // for error or success message
}
if( !$valid_user)
{
?>
<form action="login.php" method="POST">
<p align="center">Please log in to continue.</p>
<table align="center" border="0">
 <tr>
  <td>Username: </td>
  <td><input type="text" name="username"></td>
 </tr>
 <tr>
  <td>Password: </td>
  <td><input type="password" name="password"></td>
 </tr>
 <tr>
  <td colspan="2" align="right">
   <input type="submit" name="login_submit" value="Login"></td>
 </tr>
</table>
</form>
<?php
} // # missing this - END ELSE
?>
</body>
</html>
```

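An added example, not code from any poster in this thread: the same login decision written so that the zero-row case is handled before any row is read (a `while` over fetched rows never runs its body when nothing matched), with a bound query parameter and hashed passwords. It assumes PHP 7.1+ with the PDO SQLite driver; the in-memory table, the sample accounts, `make_demo_db()` and `check_login()` are constructed for illustration, and storing `password_hash()` output in the `Password` column is an assumption the thread's schema does not make.

```php
<?php
// Added example. Constructed in-memory table with the thread's column names.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (Username TEXT PRIMARY KEY, Password TEXT, Active INTEGER)');
    $ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
    // Constructed accounts; Password stores a password_hash() value (assumption).
    $ins->execute(['Alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
    $ins->execute(['Bob', password_hash('hunter2', PASSWORD_DEFAULT), 0]);
    return $db;
}

// Returns 'ok', 'inactive' or 'invalid'; every path returns, including zero rows.
function check_login(PDO $db, string $username, string $password): string {
    // Bound parameter: the username is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT Password, Active FROM users WHERE Username = ?');
    $stmt->execute([ucfirst($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // false when nothing matched

    if ($row === false) {
        // Zero rows is handled here, outside any fetch loop. Verifying against a
        // dummy hash keeps unknown usernames about as slow as known ones.
        password_verify($password, DUMMY_HASH);
        return 'invalid';
    }
    if (!password_verify($password, $row['Password'])) {
        return 'invalid';
    }
    return ((int) $row['Active'] === 1) ? 'ok' : 'inactive';
}

$db = make_demo_db();
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong password'],
    ['bob', 'hunter2'],
    ['nobody', 'anything'],
    ["o'brien", 'anything'], // quote in the name is just data to a bound parameter
];
foreach ($attempts as [$user, $pass]) {
    printf("%-10s => %s\n", $user, check_login($db, $user, $pass));
}
```

In a real page, a result of 'ok' is the point to call `session_regenerate_id(true)` and store only the username in `$_SESSION`, never the password.
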