[SOLVED] MySQL Login form

[KMLT]

OK, I got a problem with a login code..

It logs in even though if the username/password is random, or if it isn't set..

 

Index

<?php
error_reporting(E_ALL | E_STRICT);
ini_set('display_errors', True);

session_start();
?>

<html>
<head>
<title>My login</title>
</head>
<body>
<div></div>
<?php if (isset($_SESSION['username'])) { ?>
You are now logged in
<a href="logout.php?logout=1">Logout</a>
<?php } else { ?>
<form action="login.php" method="post">
	username: <input name="username" type="text" />
	password: <input name="password" type="password" />
	<input type="submit" />
</form>
<?php } ?>
<!-- Output Error -->
<?php if (in_array('error',$_SESSION)) echo $_SESSION['error']; unset($_SESSION['error']); ?>
</body>
</html>

 

Login.php

<?php
session_start();

$db_host = 'localhost'; //Hostname
$db_user = 'root'; //Username
$db_pass = ''; //Password
$db_db = 'users'; //Database name



if (isset($_POST['username']))
{
// Mysql Connection
$db_link = mysql_connect($db_host, $db_user, $db_pass)
	or die('MySQl Connection Error:'.mysql_error());
mysql_select_db($db_db)
	or die('MySQL Error: Cannot select table');

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

// MySQL Query
$result = mysql_query("SELECT * FROM users
	WHERE username = '$username' AND password = '$password' ");

if(!$result) {
	$_SESSION['error'] = '<span style="color: red">Login Failed</span>';
} else {
	// Mysql fetch row results
	$row = mysql_fetch_assoc($result);

	$_SESSION['userid'] = $row['id'];
	$_SESSION['username'] = $username;
	$_SESSION['error'] = 'Login successful!';
}
mysql_close($db_link);

}

header('Location: ./')
?>

 

Logout.php

<?php
session_start();

if (isset($_GET['logout']))
{
$_SESSION = array();
if ($_COOKIE[session_name()])
{
	setcookie(session_name(), '', time()-42000, '/');
}
session_destroy();
header('Location: ./');
}

?>

 

 

I just can't find out why it isn't working as it should..

 

[teng84]

try to echo this var on your index to see it it has a value or it is set

echo  $_SESSION['username'];

or

try to use empty instead of isset

[KMLT]

OK, that worked as fas as not logging in when I just clicked the login button without putting in username and password..

but I still can put in some random words there and get logged in..

[teng84]

what happen when your echo your session $_SESSION['username']  ?

[KMLT]

It just wrote the stuff I put into the username input..

Or it came up with:

Notice: Undefined index: username in D:\EasyPHP 2.0b1\www\tut\index.php on line 24

[teng84]

then user is not logged ...

can you tell us your expected output?

[KMLT]

well.. when I open index.html, if any user isn't logged on, it should show the login form..

And if a user is logged in, it should show some links and pictures and stuff.. (not in the code above)

 

But the problem seems to be with the MySQL script, because it doen't check if the username and password match with the table with the users..

Like, in my table there's a user with username = test, and pasword = 1234, so only that should grant access..

But as I said, you can still put some random words in the username and password inputs, and still get access to the same stuff..

[teng84]

do your random words and do this then tell us what happen

<?php
session_start();

$db_host = 'localhost'; //Hostname
$db_user = 'root'; //Username
$db_pass = ''; //Password
$db_db = 'users'; //Database name



if (isset($_POST['username']))
{
// Mysql Connection
$db_link = mysql_connect($db_host, $db_user, $db_pass)
	or die('MySQl Connection Error:'.mysql_error());
mysql_select_db($db_db)
	or die('MySQL Error: Cannot select table');

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

// MySQL Query
$result = mysql_query("SELECT * FROM users
	WHERE username = '$username' AND password = '$password' ");

if(!$result) {
	$_SESSION['error'] = '<span style="color: red">Login Failed</span>';
} else {
	// Mysql fetch row results
	$row = mysql_fetch_assoc($result);
                 print_r($row);
	$_SESSION['userid'] = $row['id'];
	$_SESSION['username'] = $username;
	$_SESSION['error'] = 'Login successful!';
}
mysql_close($db_link);

}

//header('Location: ./')
?>

[KMLT]

Hm..

now it doesn't do anything at all.. doesn't redirect to index or anything..

 

But when I go back to index, it says: "You are now logged in Logout  asdf"

(Logout being the logout link, and asdf the random username I used)

 

 

[teng84]

that means query failed because i added print r if success

 

try

<?php
session_start();

$db_host = 'localhost'; //Hostname
$db_user = 'root'; //Username
$db_pass = ''; //Password
$db_db = 'users'; //Database name



if (isset($_POST['username']))
{
// Mysql Connection
$db_link = mysql_connect($db_host, $db_user, $db_pass)
	or die('MySQl Connection Error:'.mysql_error());
mysql_select_db($db_db)
	or die('MySQL Error: Cannot select table');

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

// MySQL Query
$result = mysql_query("SELECT * FROM users
	WHERE username = '$username' AND password = '$password' ") or die (mysql_error());
			$row = mysql_fetch_assoc($result);
                 print_r($row);


if(!$result) {
	$_SESSION['error'] = '<span style="color: red">Login Failed</span>';
} else {
	// Mysql fetch row results
	$_SESSION['userid'] = $row['id'];
	$_SESSION['username'] = $username;
	$_SESSION['error'] = 'Login successful!';
}
mysql_close($db_link);

}

//header('Location: ./')
?>

[KMLT]

Same thing with that too..  :-\

[teng84]

then post username is not set... try to figure that out first

 

$_POST['username']

[Fahid]

Try This

 

<?php
session_start();

$db_host = 'localhost'; //Hostname
$db_user = 'root'; //Username
$db_pass = ''; //Password
$db_db = 'users'; //Database name



if (isset($_POST['username']))
{
// Mysql Connection
$db_link = mysql_connect($db_host, $db_user, $db_pass)
	or die('MySQl Connection Error:'.mysql_error());
mysql_select_db($db_db)
	or die('MySQL Error: Cannot select table');

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

// MySQL Query
$result = mysql_query("SELECT * FROM `users`
	WHERE `username` = '$username' AND `password` = '$password' ") or die ('Error Fetching Username & Pass', mysql_error());


if(mysql_num_rows($result) > 0) {
	// Mysql fetch row results
	$row = mysql_fetch_assoc($result);
	$_SESSION['userid'] = $row['id'];
	$_SESSION['username'] = $username;
	$_SESSION['error'] = 'Login successful!';	

} else {
	$_SESSION['error'] = '<span style="color: red">Login Failed</span>';
}
mysql_close($db_link);

}

header('Location: ./')
?>

[KMLT]

Actually it is set!

 

<?php
session_start();

$db_host = 'localhost'; //Hostname
$db_user = 'root'; //Username
$db_pass = ''; //Password
$db_db = 'users'; //Database name



if (isset($_POST['username']))
{
// Mysql Connection
$db_link = mysql_connect($db_host, $db_user, $db_pass)
	or die('MySQl Connection Error:'.mysql_error());
mysql_select_db($db_db)
	or die('MySQL Error: Cannot select table');

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

echo $username; // EDITED!!!

// MySQL Query
$result = mysql_query("SELECT * FROM users
	WHERE username = '$username' AND password = '$password' ") or die (mysql_error());
			$row = mysql_fetch_assoc($result);
                 print_r($row);


if(!$result) {
	$_SESSION['error'] = '<span style="color: red">Login Failed</span>';
} else {
	// Mysql fetch row results
	$_SESSION['userid'] = $row['id'];
	$_SESSION['username'] = $username;
	$_SESSION['error'] = 'Login successful!';
}
mysql_close($db_link);

}

echo "<br />";
echo $_SESSION['username']; // EDITED!!!!!

//header('Location: ./')
?>

 

Because that code made the username come up twice in the login.php site..

 

[KMLT]

Fahid;

 

Parse error: parse error, unexpected ',' in D:\EasyPHP 2.0b1\www\tut\login.php on line 24

 

 

[Fahid]

Sorry, Give it a try now

 

<?php
session_start();

$db_host = 'localhost'; //Hostname
$db_user = 'root'; //Username
$db_pass = ''; //Password
$db_db = 'users'; //Database name



if (isset($_POST['username']))
{
// Mysql Connection
$db_link = mysql_connect($db_host, $db_user, $db_pass)
	or die('MySQl Connection Error:'.mysql_error());
mysql_select_db($db_db)
	or die('MySQL Error: Cannot select table');

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

// MySQL Query
$result = mysql_query("SELECT * FROM `users`
	WHERE `username` = '$username' AND `password` = '$password' ") or die ('Error Fetching Username & Pass'. mysql_error());


if(mysql_num_rows($result) > 0) {
	// Mysql fetch row results
	$row = mysql_fetch_assoc($result);
	$_SESSION['userid'] = $row['id'];
	$_SESSION['username'] = $username;
	$_SESSION['error'] = 'Login successful!';	

} else {
	$_SESSION['error'] = '<span style="color: red">Login Failed</span>';
}
mysql_close($db_link);

}

header('Location: ./')
?>

[KMLT]

figured out it should be a . there, and it still doesn't work..

now I can't seem to log in at all..

whatever I do, it just seem to go back to the login form..

[KMLT]

Oh LOL.. it works..

I just wrote the wrong password.. 

 

Thank you Fahid and teng84!

[Fahid]

Happy to Help

Hurray !