cahcs, posted October 3, 2007:

What's wrong with this code??? Even if I input the correct username and password it still prompts me "Invalid username or password!"..???

    <?
    session_start();
    include("connect.php");

    if (isset($_POST["Login"])) {
        $username = $_POST["username"];
        $password = md5($_POST["password"]);

        $result = mysql_query("select * from user where username = '".$username."' and password = '".$password."'");
        $isExist = mysql_num_rows($result);

        if ($isExist == 1) {
            $_SESSION["username"] = $password;
            echo '<script>location.href="tutorials[1].php";</script>';
        } else {
            echo '<script>alert("Invalid username or password!"); history.go(-1);</script>';
        }
    } else {
        echo '<script>location.href="index.php";</script>';
    }
    ?>

MmmVomit, posted October 3, 2007:

FILTER USER INPUT!!! I know this isn't what you asked, but it is VERY IMPORTANT! Your code is open to SQL injection.

Okay, now to answer your question. Get rid of the password in your SQL query. Just look for rows where the username matches, then (for debugging) echo the hash of the user-supplied password and the password hash retrieved from the database.

shocker-z, posted October 3, 2007:

    $result = mysql_query("select * from user where username = '".$username."' and password = '".$password."'") or die(mysql_error());
    $isExist = mysql_num_rows($result);
    echo 'rows returned: '.$isExist;

Use that to see if there are any errors in the query as well as seeing what value $isExist has.

Regards
Liam

cahcs (Author), posted October 3, 2007:

Can you edit it for me if you don't mind??? Please, I am only a beginner... please

MmmVomit, posted October 3, 2007:

    <?php
    session_start();
    include("connect.php");

    if (isset($_POST["Login"])) {
        $username = $_POST["username"];
        $password = md5($_POST["password"]);

        $result = mysql_query("select * from user where username = '$username';");
        if(!$result) {
            die("Error " . mysql_errno() . ": " . mysql_error());
        }
        $isExist = mysql_num_rows($result);

        echo "<p>User supplied password: $password</p>\n";
        while($row = mysql_fetch_assoc($result)) {
            echo "<pre>\n";
            print_r($row);
            echo "</pre>\n";
        }

        if ($isExist == 1) {
            $_SESSION["username"] = $password;
            echo '<script>location.href="tutorials[1].php";</script>';
        } else {
            echo '<script>alert("Invalid username or password!"); history.go(-1);</script>';
        }
    } else {
        echo '<script>location.href="index.php";</script>';
    }
    ?>

Try that and let us know what the output is.

cahcs (Author), posted October 3, 2007:

It works but there's a little problem.... if the username and password are empty and I click log in: [attachment deleted by admin]

MmmVomit, posted October 3, 2007:

Uh, enter a username and password.

cahcs (Author), posted October 3, 2007:

Yup, I know.. but is there any way this message "User supplied password: d4242424248575637627" will not display??

MmmVomit, posted October 3, 2007:

That's there for debugging. Once we find out what the error is, we'll remove the line of code that does that. Put in a valid username and password and let us know what the output is.

cahcs (Author), posted October 3, 2007:

Thanks a lot!! You really saved my ass!! Haha.. God bless...

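The advice given in the thread (filter user input, look the row up by username alone, then compare hashes), written out as an added example that is not part of any post above. It shows the thread's concatenated query breaking on a name that contains a quote, next to a bound-parameter lookup that handles the same name. Assumptions: the pdo_sqlite extension (so it runs offline), a constructed table and sample user, hypothetical function names, and password_hash()/password_verify() swapped in for the thread's md5().

```php
<?php
// Added example, not from the thread. Table layout and sample user are constructed.
// Assumes the pdo_sqlite extension; against MySQL only the DSN and credentials change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Store a salted hash from password_hash() (swapped in for the thread's md5()).
$insert = $db->prepare('INSERT INTO user (username, password) VALUES (?, ?)');
$insert->execute(["o'neil", password_hash('correct horse', PASSWORD_DEFAULT)]);

// Concatenated query as in the thread: the quote inside the name ends the
// string literal early, so the input changes the structure of the SQL text.
function lookupConcatenated(PDO $db, string $username): string
{
    try {
        $db->query("SELECT * FROM user WHERE username = '" . $username . "'");
        return 'query ran';
    } catch (PDOException $e) {
        return 'query broken by input: ' . $e->getMessage();
    }
}

// Bound parameter: the value travels separately from the SQL text,
// so quotes in the input stay data and never become syntax.
function checkLogin(PDO $db, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false; // empty form fields never reach the database
    }
    $stmt = $db->prepare('SELECT password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn(); // false when no such user
    // Compare hashes after the lookup, as suggested in the thread.
    return $hash !== false && password_verify($password, $hash);
}

echo lookupConcatenated($db, "o'neil"), "\n";
var_dump(checkLogin($db, "o'neil", 'correct horse')); // valid credentials
var_dump(checkLogin($db, "o'neil", 'wrong'));         // wrong password
var_dump(checkLogin($db, '', ''));                    // empty form
```
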