Basic Error? - Page 2
Page 2 of 2 FirstFirst 12
Results 16 to 28 of 28

Thread: Basic Error?

  1. #16
    Junior Member
    Join Date
    Dec 2012
    Posts
    17
    Okay, so my website admin finally got back to me and I can now use my database. I just attempted to make a functioning Login, but with no success.
    The issue seems to be the fact that the action tag in form (<form action="process.php">) opens the php script in another tab.
    http://www.thefunnyzone.co.uk
    Username: Jon Password: password.

  2. #17
    Senior Member traq's Avatar
    Join Date
    Jun 2011
    Location
    so.Cal
    Posts
    949
    All I see is a blue page. If you need help with your PHP code, there's no point in showing us the page anyway: you need to share the code.

  3. #18
    Senior Member
    Join Date
    Aug 2008
    Location
    London, UK
    Posts
    753
    It sounds like you might have a target attribute set in the form tag. If this exists and is anything other than _self or _top then it may well be opening in a new tab.
    Ashley Sheridan
    www.ashleysheridan.co.uk

  4. #19
    Junior Member
    Join Date
    Dec 2012
    Posts
    17
    At the start of the main php document there's an include to a file with this inside:
    PHP Code:
    <form id="Process" name="Process" method="POST" action="">
        <fieldset>
            <label for="name" id="name_label">Username:</label>
            <input type="text" name="name" id="name" size="30" value="" class="text-input" />
            <label class="error" for="name" id="name_error">This field is required.</label><br/>
            <label for="password" id="password_label">Password:</label>
            <input type="password" name="password" id="password" size="30" value="" class="text-input" />
            <label class="error" for="password" id="password_error">This field is required.</label>
            <label class="error" id="login_error">Incorrect password or username.</label>
            <input type="submit" name="submit" class="button" id="submit_btn" value="Login" style="position:absolute; left:650px; top:0px;"/>
        </fieldset>
    </form>

    <?
        mysql_connect
    ("[Removed]""[Removed]""[Removed]");  
        
    mysql_select_db("[Removed]")
        
    $password $_POST['password'];
        
    $username md5($_POST['username']);
        
    $result=mysql_query("SELECT * FROM Users WHERE Username='$username' and Password='$password'");
        
    $count=mysql_num_rows($result);
        if(
    $count==1){
            
    $expires 1000 60 60 24 2;
            
    setcookie("username"$usernametime()+$expires);
            
    setcookie("password"$passwordtime()+$expires);
            echo 
    '<strong>Welcome, <? print $my_username; ?>!'
        }
    ?>

  5. #20
    Pna lbh ernq guvf¿
    Join Date
    Jul 2004
    Location
    Kansas City area
    Posts
    19,429
    Quote Originally Posted by JonsAdventure View Post
    PHP Code:
    $password $_POST['password'];
        
    $username md5($_POST['username']); 
    So you're storing the password in plain text, but you're computing the MD5 hash of the username?

    EDIT: I think the above oddity is the thing that first jumps out at me, but just to cover all the bases, here are some more issues I see:

    1. Stop Using the MySQL Extension!
    2. Your HTML form contains no input element named 'username'.
    3. User-supplied data should never be placed directly into a SQL query string, else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. Instead, you must first sanitize the data (such as by using mysqli_real_escape_string() for string data) or by using prepared statements.
    4. Your PHP code is always attempting to execute the SQL query and check for results - even if it's the first time the user has loaded the form and hasn't even submitted any login credentials yet.
    5. You never check to see if the SQL query failed to execute before attempting to use the result set.
    6. Don't use 'SELECT *' - instead, only SELECT the information that you actually need. Since in your case you don't really need information from the database (you just want to check if there is a row that matches the WHERE criteria), you could instead SELECT some constant value (e.g. do a 'SELECT 1').
    7. PHP Code:
      echo '<strong>Welcome, <? print $my_username?>!';
      PHP code won't get executed if it's placed inside a string, so unless you meant to display to your user the word "Welcome" followed by a comma, a space, a less-than symbol, a question mark, ... etc., then you should either use concatenation or variable interpolation here instead. See the manual page for string for more explanation/examples.
    8. Your current code doesn't do anything if the username and password are incorrect. Wouldn't it at least be helpful to the user if you output some error message if no matching row can be found in your DB? (Note you'll want to make sure you address issue #4 above first, otherwise you'll be saying the user's username/password combination is invalid before they've even given you one.)
    Last edited by bradgrafelman; 12-12-2012 at 01:50 PM.

  6. #21
    Junior Member
    Join Date
    Dec 2012
    Posts
    17
    Okay, 7 and 8 aren't a problem ; php runs like that in my documents, the errors are dealt by JavaScript/jQuery:




    $(function() {
    $('.error').hide();
    $('input.text-input').css({backgroundColor:"#ECECEC"});
    $('input.text-input').focus(function(){
    $(this).css({backgroundColor:"#FFDDAA"});
    });
    $('input.text-input').blur(function(){
    $(this).css({backgroundColor:"#ECECEC"});
    });
    $(".button").click(function() {
    $('.error').hide();
    var name = $("input#name").val();
    if (name == "") {
    $("label#name_error").show();
    $("input#name").focus();
    return false;
    }
    var password = $("input#password").val();
    if (password == "") {
    $("label#password_error").show();
    $("input#password").focus();
    return false;
    }
    });
    });

  7. #22
    Senior Member
    Join Date
    Aug 2008
    Location
    London, UK
    Posts
    753
    Don't ever rely on Javascript validation, ever, ever, ever! Javascript can be turned off or be unavailable, and all users are evil bastards who want to destroy your server. Any kind of validation always needs to be done server side too, as that's the only area where you have full control.
    Ashley Sheridan
    www.ashleysheridan.co.uk

  8. #23
    Junior Member
    Join Date
    Dec 2012
    Posts
    17
    Okay, I've made some edits, am I going on the right lines here?

    PHP Code:
    <form id="Process" name="Process" method="POST" action="">
        <fieldset>
            <label for="name" id="name_label">Username:</label>
            <input type="text" name="name" id="name" size="30" value="" class="text-input" />
            <label class="error" for="name" id="name_error">This field is required.</label><br/>
            <label for="password" id="password_label">Password:</label>
            <input type="password" name="password" id="password" size="30" value="" class="text-input" />
            <label class="error" for="password" id="password_error">This field is required.</label>
            <label class="error" id="login_error">Incorrect password or username.</label>
            <input type="submit" name="submit" class="button" id="submit_btn" value="Login" style="position:absolute; left:650px; top:0px;"/>
        </fieldset>
    </form>

    <?
        $mysqli 
    = new mysqli("""""""");
        if (
    $mysqli->connect_errno 0) {
            die(
    'Unable to connect to database [' $mysqli->connect_error ']');
        }
        
    $username $mysqli->real_escape_string($_POST['user']);
        
    $password md5($mysqli->real_escape_string($_POST['password']));
        
    $mysql->query("SELECT `id` FROM `Users` WHERE `Username` = '$username' && `Password` = '$password'");
        
    $sql = <<<SQL SELECT FROM `UsersWHERE `Username` = $username && `Password` = $password SQL;
        if(!
    $result $db->query($sql)){
            die(
    'There was an error running the query [' $db->error ']');
        }else(
    $result->num_rows==1){
            
    $expires 1000 60 60 24 2;
            
    setcookie("username"$usernametime()+$expires);
            
    setcookie("password"$passwordtime()+$expires);
            echo 
    '<strong>Welcome,'.$username.'!</strong>'
        };
        
    $mysqli->close();
    ?>

  9. #24
    Senior Member traq's Avatar
    Join Date
    Jun 2011
    Location
    so.Cal
    Posts
    949
    PHP Code:
    <? 
        $mysqli 
    = new mysqli(""""""""); 
        if (
    $mysqli->connect_errno 0) { 
            
    # what version of PHP are you running?
            # mysqli::connect_error() was broken before 5.2.9
            
    die('Unable to connect to database [' $mysqli->connect_error ']'); 
        } 
        
    $username $mysqli->real_escape_string($_POST['user']); 
        
    # don't hash the escaped password.
        # actually, since md5 hashes never have characters that need to be escaped,
        # you can skip it if you like.
        # others here might point out that md5 is considered "broken" for security purposes nowadays.
        
    $password md5($mysqli->real_escape_string($_POST['password'])); 
        
    # why two queries?  why not just one, and see if it's empty or not?
        
    $mysql->query("SELECT `id` FROM `Users` WHERE `Username` = '$username' && `Password` = '$password'"); 
        
    # this WON'T WORK.
    //    $sql = <<<SQL SELECT * FROM `Users` WHERE `Username` = $username && `Password` = $password SQL; 
        # a heredoc needs to be like this:
        
    $sql = <<< SQL
    SELECT * FROM `Users` WHERE `Username` = '$username' && `Password` = '$password'
    SQL
    ;
        
    # explanation:
        # opening token needs to be on its own line. 
        # likewise with the closing token, 
        #   which also must NOT be indented or have any other characters (even whitespace) on the same line
        # (technically, the closing ; can *sometimes* be included, 
        #   but for simplicity I just always put it on the following line).
        # also note I added 'quotes' to the string values in your SQL.
        
    if(!$result $db->query($sql)){ 
            die(
    'There was an error running the query [' $db->error ']'); 
        
    # this should be else*if*
        
    }else($result->num_rows==1){ 
        
    # but personally I'd change the whole approach:  
        #    if( num rows === 1){ good }elseif( error ){ ugly }else{ bad }
            
    $expires 1000 60 60 24 2
            
    setcookie("username"$usernametime()+$expires); 
            
    # why two cookies?
            # WHY SAVE THE HASH IN A COOKIE?  (bad security!)
            
    setcookie("password"$passwordtime()+$expires); 
            echo 
    '<strong>Welcome,'.$username.'!</strong>';  
        }; 
        
    $mysqli->close();
    Last edited by traq; 12-13-2012 at 04:04 PM.

  10. #25
    Junior Member
    Join Date
    Dec 2012
    Posts
    17
    Thanks again traq, so the current php file looks like this:
    PHP Code:
    <?  
        $mysqli 
    = new mysqli("");
        if (
    $mysqli->connect_errno 0) {  
            die(
    'Unable to connect to database [' $mysqli->connect_error ']');  
        }  
        
    $username $mysqli->real_escape_string($_POST['user']);  
        
    $password md5($_POST['password']);  
        
    $sql = <<< SQL 
    SELECT 
    FROM `UsersWHERE `Username` = '$username' && `Password` = '$password' 
    SQL 

        if(
    $result->num rows === 1){ 
            
    $expires 1000 60 60 24 2;  
            
    setcookie("username"$usernametime()+$expires);  
            echo 
    '<strong>Welcome,'.$username.'!</strong>';
        }elseif( !
    $result $db->query($sql) ){ 
            die(
    'There was an error running the query [' $db->error ']');  
        }else{ 
            die(
    'Damn, something messed up pretty badly.');  
        }  
        
    $mysqli->close();
    ?>
    The html code which calls the function:
    HTML Code:
    <form id="Process" name="Process" method="POST" action="Login/index.php">
    	<fieldset>
    		<label for="name" id="name_label">Username:</label>
    		<input type="text" name="name" id="name" size="30" value="" class="text-input" />
    		<label class="error" for="name" id="name_error">This field is required.</label><br/>
    		<label for="password" id="password_label">Password:</label>
    		<input type="password" name="password" id="password" size="30" value="" class="text-input" />
    		<label class="error" for="password" id="password_error">This field is required.</label>
    		<label class="error" id="login_error">Incorrect password or username.</label>
    		<input type="submit" name="submit" class="button" id="submit_btn" value="Login" style="position:absolute; left:650px; top:0px;"/>
    	</fieldset>
    </form>
    Oh, and I'm running php 5.3/.

  11. #26
    Junior Member
    Join Date
    Dec 2012
    Posts
    17
    The website is now working properly (don't use ie), but I'm having the same problem as before, the form submit button opens the file instead of running it.
    http://www.thefunnyzone.co.uk

  12. #27
    Senior Member traq's Avatar
    Join Date
    Jun 2011
    Location
    so.Cal
    Posts
    949
    PHP Code:
    if( !$result ){
        
    /* mysql error */
    }elseif( $result->num_rows === ){
        
    /* login successful */
    }else{
        
    /* no matching username/password found */

    sorry for the confusion.

  13. #28
    Senior Member
    Join Date
    Aug 2008
    Location
    London, UK
    Posts
    753
    Quote Originally Posted by JonsAdventure View Post
    The website is now working properly (don't use ie), but I'm having the same problem as before, the form submit button opens the file instead of running it.
    http://www.thefunnyzone.co.uk
    The login form on that URL is just redirecting to a blank index.php file. Either you've got an error that's set to not display, or it really is blank. Nothing seems to be opening in a new tab though.
    Ashley Sheridan
    www.ashleysheridan.co.uk

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •