SirChick Posted July 27, 2007

I have tried to make a login page and need to check if my PHP and MySQL works... I'm unable to test it at the moment, as I'm still trying to work out how to get Apache working properly. Also I am trying to get the code to check the password that is assigned to the username that the user has inputted... I gave it my best shot from what I know, but I don't think it looks correct. This is my login code... does it look correct to you?

```php
<?php
if (isset($_GET['Login'])) { // code runs once the login button is pressed
    $Username = $_GET['Username'];
    $Password = $_GET['Password']; // assign the two input boxes on the form to these two variables

    mysql_connect("localhost", "root", "private") or die(mysql_error());
    mysql_select_db("databasename") or die(mysql_error()); // connect to database

    $chkUSERNAME = mysql_query("SELECT * FROM `userregistration` WHERE `Username` = '" . $_GET['Username'] . "'");
    $getUSERNAME = mysql_fetch_object($chkUSERNAME);
    if ($_GET['Username'] != $getUSERNAME->Username) {
        // checking if username exists in the database, if not show error
        die('Username or password is incorrect, please check your spelling!');
    }

    $chkPASSWORD = mysql_query("SELECT * FROM `userregistration` WHERE `Password` = '" . $_GET['Password'] . "'");
    $getPASSWORD = mysql_fetch_object($chkPASSWORD);
    if ($_GET['Password'] != $getPASSWORD->Password) {
        // checking if password matches with the username, if not show error
        die('Username or password is incorrect, please check your spelling!');
    }

    header("Location: success.php"); // if login successful go to success.php page
}
```

I am unsure as to whether this is going to work, however:

```php
$chkPASSWORD = mysql_query("SELECT * FROM `userregistration` WHERE `Password` = '" . $_GET['Password'] . "'");
$getPASSWORD = mysql_fetch_object($chkPASSWORD);
if ($_GET['Password'] != $getPASSWORD->Password) {
    // checking if password matches with the username, if not show error
    die('Username or password is incorrect, please check your spelling!');
}
```

I very much doubt it does work, it was an ambitious attempt of me. Does it look ok to you guys? Also have I missed out any security problems?
MemphiS Posted July 27, 2007

I can see quite a few security things left out there. Connecting to the db using root is a massive no-no. :-X None of your $_GET[] have been checked... never trust the user.

```php
<?php
$Username = strip_tags(addslashes($_GET['Username']));
$Password = strip_tags(addslashes($_GET['Password']));

// checks the user input
if (!ctype_alpha($Username)) {
    die("Usernames can be letters only");
}
if (!ctype_alnum($Password)) {
    die("Passwords may only contain letters and numbers");
}
?>
```

I have to go but I'm sure someone else will post the other problems in that code.
SirChick (Author) Posted July 27, 2007

localhost is only for test purposes before I upload it to a real online server, just so you know. And thanks for the check. Good thinking.
tibberous Posted July 27, 2007

He might have magic quotes on his server. If you do that and he does have magic quotes you'll screw up the data.

```php
// emulate magic_quotes_gpc + register_globals when magic quotes are off
if (!get_magic_quotes_gpc()) {
    foreach ($_POST as $key => $value) {
        if (gettype($value) == "array") {
            foreach ($value as $k => $v) {
                $varvar = $k;
                $$varvar = addslashes($v);
            }
        } else {
            $varvar = $key;
            $$varvar = addslashes($value);
        }
    }
}
```

That code will fix you. Make sure you do it for _GET too, or just turn magic quotes on. I can't stand to program without magic quotes, or with register globals off, so I have a page that emulates turning them on. It also connects to the database. If you're going to write a lot of code I'd recommend getting one of these, otherwise you'll have to type a lot of useless shit over and over.
tibberous Posted July 27, 2007

Also, the ` around the databases are not necessary.
SirChick (Author) Posted July 27, 2007

I have no clue what that even does :S ? I'm using Apache which apparently is automatically turned on, which is why I didn't put the strip tags in my code. I'm more concerned about whether it will check the correct password with the username?

> Also, the ` around the databases are not necessary.

It didn't work without the `.
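As an added example (not code from this thread), here is the username-and-password check from the first post written with a prepared statement and a stored password hash, which answers both the "does it check the right password for the username" question and the addslashes/magic-quotes discussion: the username is bound as a parameter, so quoting it is unnecessary, and one query ties the password to that username. It assumes PHP's PDO SQLite driver and uses an in-memory table with a constructed sample account in place of the thread's MySQL `userregistration` table.

```php
<?php
declare(strict_types=1);

// Builds a throwaway in-memory database (assumption: pdo_sqlite is available).
// The table name mirrors the thread's `userregistration`; the account is constructed sample data.
function connectTestDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE userregistration (Username TEXT PRIMARY KEY, PasswordHash TEXT NOT NULL)');
    // Store a hash of the password, never the cleartext password itself.
    $stmt = $db->prepare('INSERT INTO userregistration (Username, PasswordHash) VALUES (?, ?)');
    $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns true only when the username exists AND the password matches that user's hash.
// Because the username is a bound parameter, quotes or SQL keywords in the input are
// plain data and cannot change the query, so no addslashes() or magic quotes are needed.
// A single lookup keyed on the username means the password is never matched on its own.
function checkLogin(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT PasswordHash FROM userregistration WHERE Username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown username
    }
    return password_verify($password, $row['PasswordHash']);
}

$db = connectTestDb();
foreach ([
    ['alice', 'correct horse'],      // right user, right password
    ['alice', 'wrong'],              // right user, wrong password
    ["alice' OR '1'='1", 'x'],       // quote characters are treated as data, not SQL
] as [$user, $pass]) {
    echo str_pad($user, 20), ' => ', checkLogin($db, $user, $pass) ? 'login ok' : 'rejected', PHP_EOL;
}
```

In a real form the credentials would come from $_POST rather than $_GET, and the database user would be a limited account rather than root, as MemphiS points out.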