sarmenhb Posted April 1, 2008 Share Posted April 1, 2008 <?php include("conn.php"); mysql_select_db("lms") or die(mysql_error()); #=========================================================== # check if username/password has been entered #=========================================================== if(isset($_POST['login'])) { if(!$_POST['username'] || !$_POST['password']) { die('enter both fields'); } #=========================================================== # check if user exists in the database #=========================================================== $username = $_POST['username']; $checkexist = mysql_query("select username from users where username = '$checkexist'") or die(mysql_error()); if(mysql_num_rows($checkexist) == TRUE) { die('that username doesnt exist in our database'); } #=========================================================== # check if the table contains anything #=========================================================== $checkdata = mysql_query("select * from users") or die(mysql_error()); if(mysql_num_rows($checkdata) <= 0) { die('no data exists in the database, you need to add a user <a href=\"admin.php\">click here</a>'); } #=================== $password = md5($_POST['password']); $query = mysql_query("select * from users"); while($row = mysql_fetch_array($query)) { #=========================================================== # check if password matches the username #=========================================================== if ($row['password'] != md5($_POST['password'])) { die('the password that was entered is incorrect'); } else { echo "<script>alert('your in');</script>"; } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Untitled Document</title> </head> <body> <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> <p>Username: </p> <p><input type="text" name="username" /></p> <br /> <br /> <p>Password: </p> <p><input type="password" name="password" /></p> <br /> <br /> <input type="submit" value=" login " name="login" /> </form> </body> </html> <?PHP } ?> Quote Link to comment Share on other sites More sharing options...
coder_ Posted April 1, 2008 Share Posted April 1, 2008 <?php $username = $_POST['username']; $checkexist = mysql_query("select username from users where username = '$username'") or die(mysql_error()); ?> Then, you could also md5() your password in Mysql database... Quote Link to comment Share on other sites More sharing options...
sarmenhb Posted April 1, 2008 Author Share Posted April 1, 2008 the password is md5'ed in the table. Quote Link to comment Share on other sites More sharing options...
sarmenhb Posted April 1, 2008 Author Share Posted April 1, 2008 anyone else know? i cant spot it ((( ??? ??? ??? ??? Quote Link to comment Share on other sites More sharing options...
coder_ Posted April 1, 2008 Share Posted April 1, 2008 why do you extract all data from database when you need just a password? <?php $query = mysql_query("select password from users"); ?> After all, you are verifing just one user, not 2,3 or more of them. BTW, you didnt tell us what's wrong. Where do you get an error? In what part of code script doesnt work her job??? More info's, please. Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted April 1, 2008 Share Posted April 1, 2008 turn on error_reporting <?php ini_set('error_reporting',E_ALL);?> then tell us what errors u get Quote Link to comment Share on other sites More sharing options...
sarmenhb Posted April 1, 2008 Author Share Posted April 1, 2008 here is the new updated code, i have also included the table structure <?php include("conn.php"); mysql_select_db("lms") or die(mysql_error()); #=========================================================== # check if username/password has been entered #=========================================================== if(isset($_POST['login'])) { if(!$_POST['username'] || !$_POST['password']) { die('enter both fields'); } #=========================================================== # check if the table contains anything #=========================================================== $checkdata = mysql_query("select * from users") or die(mysql_error()); if(mysql_num_rows($checkdata) <= 0) { die('no data exists in the database, you need to add a user <a href="admin.php">click here</a>'); } #=========================================================== # check if user exists in the database #=========================================================== $username = $_POST['username']; $checkuser= mysql_query("select username from users where username = '$checkexist'") or die(mysql_error()); if(mysql_num_rows($checkuser) == 0) { die('that username doesnt exist in our database'); } else{ #=================== $password = md5($_POST['password']); $query = mysql_query("select password from users"); while($row = mysql_fetch_array($query)) { #=========================================================== # check if password matches the username #=========================================================== if ( md5($_POST['password']) != $row['password'] ) { } else { echo "<script>alert('your in');</script>"; } } } } else { ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Untitled Document</title> </head> <body> <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>" > <p>Username: </p> <p><input type="text" name="username" /> <br /> <br /> </p> <p>Password: </p> <p><input type="password" name="password" /> <br /> <br /> <input type="submit" value=" login " name="login" /> </p> </form> </body> </html> <?php } ?> table structure and its data CREATE TABLE `users` ( `id` int, `fname` varchar(20) CHARACTER SET `latin1` COLLATE `latin1_swedish_ci`, `lname` varchar(20) CHARACTER SET `latin1` COLLATE `latin1_swedish_ci`, `username` varchar(20) CHARACTER SET `latin1` COLLATE `latin1_swedish_ci`, `password` varchar(50) CHARACTER SET `latin1` COLLATE `latin1_swedish_ci`, `level` varchar(10) CHARACTER SET `latin1` COLLATE `latin1_swedish_ci` ); INSERT INTO `users` (`id`, `fname`, `lname`, `username`, `password`, `level`) VALUES (12, 'myname', 'mylastname', 'sarmenhb', '79ef12f7caa49f3c95499143dc9daf68', 'student'); COMMIT; this is the alert im receiving. the username doesnt exist in our database Quote Link to comment Share on other sites More sharing options...
zenag Posted April 1, 2008 Share Posted April 1, 2008 didn,t assign $checkexist' values anywhere ... Quote Link to comment Share on other sites More sharing options...
zenag Posted April 1, 2008 Share Posted April 1, 2008 mysql_query("select username from users where username = '$username '") is this u r trying,.. Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted April 1, 2008 Share Posted April 1, 2008 <?php if(mysql_num_rows($user) == "0") { die('that username doesnt exist in our database'); }?> always use the variable user not the query Quote Link to comment Share on other sites More sharing options...
bryan52803 Posted April 1, 2008 Share Posted April 1, 2008 ^^^ Ageed. And please! Read up on mysql_real_escape_string(). It's simple, and it's the difference between keeping hackers at bay, and someone going in and dropping ALL of your database data in a single query. In addition, you should be sanitizing the POST data before it even reaches the query (substr, trim(), etc) Bryan Quote Link to comment Share on other sites More sharing options...
sarmenhb Posted April 1, 2008 Author Share Posted April 1, 2008 lol my problem was here $checkuser= mysql_query("select username from users where username = '$checkuser'") or die(mysql_error()); thanks all lol cant believe i didnt see it. Quote Link to comment Share on other sites More sharing options...
sarmenhb Posted April 1, 2008 Author Share Posted April 1, 2008 ^^^ Ageed. And please! Read up on mysql_real_escape_string(). It's simple, and it's the difference between keeping hackers at bay, and someone going in and dropping ALL of your database data in a single query. In addition, you should be sanitizing the POST data before it even reaches the query (substr, trim(), etc) Bryan yea i know lol, i am going to do that later. Quote Link to comment Share on other sites More sharing options...
coder_ Posted April 1, 2008 Share Posted April 1, 2008 But, i wrote that in my first post... Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted April 1, 2008 Share Posted April 1, 2008 ill fix ya up man <?php include("conn.php"); mysql_select_db("lms") or die(mysql_error()); #=========================================================== # check if username/password has been entered #=========================================================== if(isset($_POST['login'])) { if(!$_POST['username'] || !$_POST['password']) { die('enter both fields'); } #=========================================================== # check if user exists in the database #=========================================================== $username = mysql_real_escape_string(trim(strip_tags($_POST['username']))); $checkexist = mysql_query("select username from users where username = '$username'") or die(mysql_error()); if(mysql_num_rows($checkexist) =="0") { die('that username doesnt exist in our database'); } #=========================================================== # check if the table contains anything #=========================================================== $checkdata = mysql_query("select * from users") or die(mysql_error()); if(mysql_num_rows($checkdata) <= 0) { die('no data exists in the database, you need to add a user <a href=\"admin.php\">click here</a>'); } #=================== $password = md5($_POST['password']); $query = mysql_query("select * from users"); while($row = mysql_fetch_array($query)) { #=========================================================== # check if password matches the username #=========================================================== if ($row['password'] != md5($_POST['password'])) { die('the password that was entered is incorrect'); } else { echo "<script>alert('your in');</script>"; } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Untitled Document</title> </head> <body> <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> <p>Username: </p> <p><input type="text" name="username" /></p> <br /> <br /> <p>Password: </p> <p><input type="password" name="password" /></p> <br /> <br /> <input type="submit" value=" login " name="login" /> </form> </body> </html> <?PHP } ?> Quote Link to comment Share on other sites More sharing options...
ansarka Posted April 1, 2008 Share Posted April 1, 2008 change this code #=================== $password = md5($_POST['password']); $query = mysql_query("select * from users"); while($row = mysql_fetch_array($query)) { #=========================================================== # check if password matches the username #=========================================================== if ($row['password'] != md5($_POST['password'])) { die('the password that was entered is incorrect'); } else { echo "<script>alert('your in');</script>"; } } TO $password = md5($_POST['password']); $query = mysql_query("select * from users where username = '$username' and password='$password'"); while($row = mysql_fetch_array($query)) { #=========================================================== # check if password matches the username #=========================================================== if ($row['password'] != md5($_POST['password'])) { die('the password that was entered is incorrect'); } else { echo "<script>alert('your in');</script>"; } } $password = md5($_POST['password']); $query = mysql_query("select * from users where username = '$username' and password='$password'"); Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.