rich___ Posted November 27, 2007

<?php
// allows session info to be used on this page
session_start();

// if this script isn't receiving form data, exit fast
if(!isset($_POST['btnLogin']))
{
    header("Location: login.htm");
    session_write_close();
    exit();
}

if(empty($_POST[txtPassword]) || empty($_POST[txtUsername])) // if empty fields, give error msg
{
    echo ('please enter in both fields');
}
else // gets username and password as typed into the login form
{
    $pass = $_POST['txtPassword'];
    $user = $_POST['txtUsername'];
}

$sEncryptedPassword = crypt($pass);

// creates a new connection object
$adoCon = new COM("ADODB.Connection");

// the path to the folder holding this PHP script
$sHere = dirname(__FILE__);

// opens the connection using a standard connection string
try
{
    $adoCon->Open("Provider=Microsoft.Jet.OLEDB.4.0; Data Source=C:\\xampp\\htdocs\\xampp\\db1.mdb");
}
catch(Exception $e)
{
    echo('Sorry - There was a problem with opening the database.<br />');
}

$sSQL = "SELECT * FROM tblUsers WHERE userName='$user' AND userPass = '$sEncryptedPassword';";
$rsMain = $adoCon->Execute( $sSQL );

if(crypt($pass, $sEncryptedPassword) == ($sEncryptedPassword))
{
    // if logged on okay, remembers user's name as session variable
    $_SESSION['user'] = $user;
    header("Location: protected.php");
    session_write_close();
    exit();
}
else
{
    header("Location: login.htm");
    session_write_close();
}

// closes the connection, frees up resources
$adoCon->Close();
$adoCon = null;
?>

What it's meant to do is compare the password (then encrypted) to the encrypted pass in the database, and if they're the same, then log in, else go back to the login page, but whatever happens it goes to the protected page.

trq Posted November 27, 2007

You never actually check anything against your db results. In fact you don't use the results at all.

revraz Posted November 27, 2007

Also, once you get that fixed, make sure you understand how session_write_close() works: http://us.php.net/session_write_close

rich___ Posted November 27, 2007

How do I check against my results?

adam291086 Posted November 27, 2007

OK, you need to do a query on your database with the username and password, use Google for the help. Then once you have done the query you need to make sure the result you get back = 1. This means there is one record in your database and therefore the user is registered. If the result = 0 then the user is not registered and therefore can't view the page.

~n[EO]n~ Posted November 27, 2007

> You never actually check anything against your db results. In fact you don't use the results at all.

What he meant is you have queried the database but have not used the results.

<?php
// you compared your post values from the DB
$sSQL = "SELECT * FROM tblUsers WHERE userName='$user' AND userPass = '$sEncryptedPassword';";
$rsMain = $adoCon->Execute( $sSQL );

// after that you did nothing....
// ..... here you need to allow or deny the login based on the result
if ($rsMain)
{
    echo "you are valid user";
}
else
{
    echo "you are invalid user";
}
?>

And you are missing a quote in this line too:

if(empty($_POST['txtPassword']) || empty($_POST['txtUsername']))

rich___ Posted November 28, 2007

Thanks for the help, but even with the changes suggested it still gives me "you are valid user" even if the pass is wrong, I'm confused.

revraz Posted November 28, 2007

Repost your updated code in code tags.

rich___ Posted November 28, 2007

<?php
// allows session info to be used on this page
session_start();

// if this script isn't receiving form data, exit fast
if(!isset($_POST['btnLogin']))
{
    header("Location: login.htm");
    session_write_close();
    exit();
}

if(empty($_POST['txtPassword']) || empty($_POST['txtUsername'])) // if empty fields, give error msg
{
    echo ('please enter in both fields');
}
else // gets username and password as typed into the login form
{
    $pass = $_POST['txtPassword'];
    $user = $_POST['txtUsername'];
}

$sEncryptedPassword = crypt($pass);

// creates a new connection object
$adoCon = new COM("ADODB.Connection");

// the path to the folder holding this PHP script
$sHere = dirname(__FILE__);

// opens the connection using a standard connection string
try
{
    $adoCon->Open("Provider=Microsoft.Jet.OLEDB.4.0; Data Source=C:\\xampp\\htdocs\\xampp\\db1.mdb");
}
catch(Exception $e)
{
    echo('Sorry - There was a problem with opening the database.<br />');
}

$sSQL = "SELECT * FROM tblUsers WHERE userName='$user' AND userPass = '$spass';";
$rsMain = $adoCon->Execute( $sSQL );

// only checks the password if the user exists
//if( isset($aValidUsers[$user]) )
// checks to see if the username/password pair is valid by encrypting
// the password and comparing against the real encrypted password
if (isset($rsMain))
{
    if(crypt($pass, $sEncryptedPassword) == ($sEncryptedPassword))
    {
        // if logged on okay, remembers user's name as session variable
        $_SESSION['user'] = $user;
        header("Location: protected.php");
        session_write_close();
        exit();
    }
    else
    {
        header("Location: login.htm");
        session_write_close();
    }
    header("Location: login.htm");
    session_write_close();
}

// closes the connection, frees up resources
$adoCon->Close();
$adoCon = null;
?>

rich___ Posted November 28, 2007

It just keeps telling me I've logged in, no matter what. All I want it to do is to not log in if the user isn't there or the pass doesn't work, which I think it should. Maybe I need to use the query more... if I knew how to properly :s

rich___ Posted November 28, 2007

Oh, and yes, I know it's meant to be 'pass' instead of 'spass'. I've changed it and still the same outcome.

teng84 Posted November 28, 2007

What's the output of this line? Sample please:

$rsMain = $adoCon->Execute( $sSQL );

rich___ Posted November 28, 2007

I don't know. When I type echo($rsMain); I get this:

Catchable fatal error: Object of class variant could not be converted to string in C:\xampp\htdocs\xampp\login.php on line 50

teng84 Posted November 28, 2007

Remove this "error msg" on that line, it should be commented.

rich___ Posted November 28, 2007

check above post ^^

rich___ Posted November 28, 2007

$rsMain = $adoCon->Execute( $sSQL ); doesn't output anything.

teng84 Posted November 28, 2007

Can we see this function in your class: Execute

rich___ Posted November 28, 2007

Sorry mate, you've lost me. There's nothing I can show you but the code, unless you tell me to try something and I can post up errors if they appear. I know what's wrong with it, I don't use the query to my advantage, but I know what I would like to do, which is compare the user name and pass from the db to what's been entered, and if it's correct then go to protected.php, otherwise fail it. But I've no idea where to begin to start coding that, any ideas?

teng84 Posted November 28, 2007

Now you confused me too lol

<?php
session_start();
$pass= 'mypassword';
$sEncryptedPassword = crypt('mypassword');

if(crypt($pass, $sEncryptedPassword) == ($sEncryptedPassword))
{
    echo "Password verified!";
    // $_SESSION['user'] = $user;
    // header("Location: protected.php");
    // session_write_close();
    // exit();
}
else
{
    // header("Location: login.htm");
    // session_write_close();
    echo 'failed';
}
?>

Try that code first so you can have a good start.

teng84 Posted November 28, 2007

Note: if there's an error message or any output before and after your header, you can't have the header file to function and you will always stay at the same page.
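
Added example, not code from any poster in this thread: the check the thread is working toward, which reads the stored hash for the username and verifies the submitted password against that, next to the thread's self-comparison for contrast. It assumes PDO with an in-memory SQLite database standing in for db1.mdb and uses password_hash()/password_verify() in place of bare crypt(); the table and column names follow the thread, and checkLogin() and the sample rows are constructed for illustration.

```php
<?php
// Added example. Assumptions: PDO + in-memory SQLite instead of the Access
// file; checkLogin() is a hypothetical helper; sample users are constructed.
declare(strict_types=1);

function checkLogin(PDO $db, string $user, string $pass): bool
{
    // Bound parameter: the username is sent as data, never spliced into SQL.
    $stmt = $db->prepare('SELECT userPass FROM tblUsers WHERE userName = :u');
    $stmt->execute([':u' => $user]);
    $storedHash = $stmt->fetchColumn();   // false when no row matched

    if ($storedHash === false) {
        return false;                     // unknown user: deny
    }
    // Verify against the hash read from the database, not against a hash
    // derived from the submitted password itself.
    return password_verify($pass, $storedHash);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblUsers (userName TEXT PRIMARY KEY, userPass TEXT)');
$ins = $db->prepare('INSERT INTO tblUsers (userName, userPass) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$ins->execute(["o'brien", password_hash('second secret', PASSWORD_DEFAULT)]);

// The thread's comparison, for contrast: the hash is built from the typed
// password and then compared with itself, so the database is never consulted.
$typed = 'wrong guess';
$selfHash = password_hash($typed, PASSWORD_DEFAULT);
echo "self-comparison:  "; var_dump(crypt($typed, $selfHash) === $selfHash);

echo "correct password: "; var_dump(checkLogin($db, 'alice', 'correct horse'));
echo "wrong password:   "; var_dump(checkLogin($db, 'alice', 'wrong guess'));
echo "unknown user:     "; var_dump(checkLogin($db, 'nobody', 'correct horse'));
echo "quote in name:    "; var_dump(checkLogin($db, "o'brien", 'second secret'));
```

Only when checkLogin() returns true should the script set $_SESSION['user'] and redirect to protected.php; every other path goes back to login.htm.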