Biff Posted March 9, 2008

Hi All,

I have just set up a ready made league script - WebLeague 2 - and for some reason the log in for the admin section keeps redirecting me to the login failed page. The log in details are correct and there are no spaces either side. The details are also in the MySQL database.

I guess this script must work as other people have used it so I thought it might be something to do with my hosting environment? The script is hosted on a Windows server running PHP 4.4.7 and MySQL 5.0.45 - I have also tried it in PHP 5 with no luck. I have checked all the variables and everything appears to be fine.

Here is the code:

    <?
    session_start();
    $page = "login";
    require('./../variables.php');
    require('./../variablesdb.php');
    require('./../top.php');
    ?>
    <p class="header">Admin section.</p>
    <?
    $sql="SELECT * FROM $admintable WHERE name = '$_POST[username]' AND password = '$_POST[password]'";
    $result=mysql_query($sql,$db);
    $number = mysql_num_rows($result);
    if ($number == "1") {
        session_register("password");
        session_register("username");
    }
    if($_SESSION[username]){
    ?>
    <p class='text'>You are logged in as <b><? echo "$_SESSION[username]" ?></b>.</p>
    <?
    }
    else {
        if($_POST[submit]) {
    ?>
    <p class='text'>Login failed.</p>
    <?
        }
    ?>
    <form method="post">
    <table border="0" cellpadding="0">
    <tr>
    <td><p class='text'>Name:</p></td>
    <td><input type="text" name="username" size="20" style="background-color: <?echo"$color5" ?>; border: 1 solid <?echo"$color1" ?>" class="text"></td>
    </tr>
    <tr>
    <td><p class='text'>Password:</p></td>
    <td><input type="password" name="password" size="20" style="background-color: <?echo"$color5" ?>; border: 1 solid <?echo"$color1" ?>" class="text"></td>
    </tr>
    <tr>
    <td><input type="submit" value="Log in." name="submit" style="background-color: <?echo"$color5" ?>; border: 1 solid <?echo"$color1" ?>" class="text"></td>
    </tr>
    </table>
    </form>
    <?
    }
    ?>
    <?
    require('./../bottom.php');
    ?>

If anyone can shed any light on why this is happening I would be really grateful.

AdRock Posted March 9, 2008

Where is your action event in your form? You say it's post but it seems to go nowhere.

haku Posted March 9, 2008

I see a few problems in your code.

First, you should be using: <?php Not ?>

Second, in the links to your includes, you are only using one period instead of two for the first set of periods. Add another period.

edit: AdRock got the third one.

AdRock Posted March 9, 2008

Another thing you should do is escape user input. Don't trust anything a user puts in a text field. You are allowing $_POST variables in your sql.

I would use mysql_real_escape_string on your $_POST variables and then use the clean variables in the sql.

w3schools has a function you can use to clean user input below:

    function check_input($value)
    {
        // Stripslashes
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote if not a number
        if (!is_numeric($value)) {
            $value = mysql_real_escape_string($value);
        }
        return $value;
    }

Biff Posted March 9, 2008 (Author)

Many thanks for your prompt replies.

The single period seems to work fine, as soon as another is added the script can't find the includes. The whole app only uses "<?" and everything else works fine.

The script is posting the login details to itself - the index.php page. I've tried changing it to <form action="index.php" method="post"> but still get the login failed page.

I also tried using <?php echo $_POST["username"]; ?> to see if it is posting the variables and it is. I just can't figure out why it isn't working?

Biff Posted March 9, 2008 (Author)

I think it's something to do with creating the session. Can someone proficient in PHP have a look at that part of the code as I am a complete noob when it comes to PHP. Maybe it is something to do with sessions on Windows servers and the code needing to be altered slightly to be compatible?

haku Posted March 9, 2008

$_POST[username] and $_POST[password]

should be

$_POST['username'] and $_POST['password']

And whether the <? tags work or not, you shouldn't use them, they are sloppy programming.

Biff Posted March 9, 2008 (Author)

Thanks Haku but I tried that earlier and got an error.

    Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in C:\blah\blah\blah.com\httpdocs\lad1\admin\index.php on line 10

haku Posted March 9, 2008

That's because of how you have the quotes set up. Assign the post variables to other variables first, and use those other variables in your query.

$_POST[username] doesn't exist, so your query is turning up empty, because it doesn't find anything.

Biff Posted March 9, 2008 (Author)

I'm not sure what you mean? I'm guessing this script works for other people as it is something I downloaded. The thing is it was written a few years ago and the site where it came from is now down. I'm guessing that the reason it doesn't work is to do with the code being a bit old or me hosting it on a Windows server.

Something simple like you suggest may do the trick, but I'm not sure how to assign the variables to other variables as I am a complete novice with PHP.

Biff Posted March 9, 2008 (Author)

One other thing is I think '$_POST[username]' does exist as if I do <?php echo $_POST["username"]; ?> on the login failed page it shows the username.

I think the problem is getting it from the database and creating the session, something here:

    <?php
    $sql="SELECT * FROM $admintable WHERE name = '$_POST[username]' AND password = '$_POST[password]'";
    $result=mysql_query($sql,$db);
    $number = mysql_num_rows($result);
    if ($number == "1") {
        session_register("password");
        session_register("username");
    }
    if($_SESSION[username]){
    ?>
    <p class='text'>You are logged in as <b><?php echo "$_SESSION[username]" ?></b>.</p>
    <?php
    }
    else {
        if($_POST[submit]) {
    ?>

haku Posted March 9, 2008

1: $_POST[username] does not equal $_POST["username"]. Notice your use of quotes in the second one.

2:

    $username = $_POST['username'];
    $password = $_POST['password'];
    $sql="SELECT * FROM $admintable WHERE name = '$username' AND password = '$password'";

3: http://www.w3schools.com/php/default.asp

Biff Posted March 9, 2008 (Author)

Thanks Haku, adding the following has done the trick. God knows why it wasn't in the original code? Would this have ever worked in the past without it?

    $username = $_POST['username'];
    $password = $_POST['password'];

Thanks a lot for your help.

I take it the code that AdRock posted earlier is some sort of security to stop people posting anything dodgy in the form, how do I implement it?

    function check_input($value)
    {
        // Stripslashes
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote if not a number
        if (!is_numeric($value)) {
            $value = mysql_real_escape_string($value);
        }
        return $value;
    }

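The login check from this thread with the escaping step replaced by a parameterized query, as an added example that is not part of the thread or of WebLeague. It goes beyond the posts: the mysql_* functions and session_register() used above were removed in later PHP versions, so it uses PDO. Assumptions: the pdo_sqlite driver, an in-memory table named `admin`, hashed rather than plain passwords, and constructed sample accounts and inputs.

```php
<?php
// Added example, not WebLeague code. Table and column names follow the
// thread's query; the SQLite database and sample account are constructed.
declare(strict_types=1);

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin (name TEXT PRIMARY KEY, password TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO admin (name, password) VALUES (?, ?)');
    // Store a hash of the password, never the password itself.
    $ins->execute(["o'neil", password_hash('s3cret-demo', PASSWORD_DEFAULT)]);
    return $db;
}

function check_login(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps the submitted value out of the SQL text, so a
    // quote in the input is data and cannot change the query.
    $stmt = $db->prepare('SELECT password FROM admin WHERE name = :name');
    $stmt->execute([':name' => $username]);
    $hash = $stmt->fetchColumn();          // false when no such user
    return is_string($hash) && password_verify($password, $hash);
}

$db = make_demo_db();
// Constructed inputs standing in for $_POST['username'] / $_POST['password'].
$attempts = [
    ["o'neil", 's3cret-demo'],           // valid account, name contains a quote
    ["o'neil", 'wrong'],                 // right user, wrong password
    ["it's-not-a-user", 's3cret-demo'],  // unknown name containing a quote
];
foreach ($attempts as [$user, $pass]) {
    $ok = check_login($db, $user, $pass);
    // On a real page: on success call session_regenerate_id(true) and set
    // $_SESSION['username'] = $user instead of using session_register().
    printf("%-18s %s\n", $user, $ok ? 'logged in' : 'login failed');
}
```

With placeholders there is no separate "clean the input" step to forget, which is why this form is preferred over calling an escaping helper on each $_POST value.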
haku Posted March 9, 2008

Most scripts out there on the net are written by people who think they know how to program, but often suck. They also often have huge security holes in them. That's why I pointed you at those tutorials. It's a good place to start at the least. It's better to learn to code than to use other people's code, as you will often run into problems like this.

And besides, can you really call yourself a coder/programmer if you are using someone else's code? And what happens when problems creep up in that code - you won't know how to fix them.

Biff Posted March 9, 2008 (Author)

I would like to learn more PHP but don't have the time to do a lot of coding so look for ready made scripts. I know more about ASP than PHP and would tend to use that if I was writing something myself.

Many thanks again for your help.