PHP/MySQL Username/Password Validation

Anon

Hi,

I'm trying to check to see if a username/password combination exists in a mysql database. For example, I have the person's username that he/she typed in in the variable $username. I have their password (I haven't coded the encryption part yet, but that's beside the point) in the variable $password.

When I query the database and ask it if the username=$username AND password=$password, it will bring back any field in the database that has any "pattern match" of the $username. So, for example, if in the database I had my name and a password:

username: dave
password: password

and somebody came by and typed in "da" for the $username and "pass" for the password, it lets 'em go on by because it finds the match.

My initial thought was to create a regular expression that would check to see if the field "username" in the database Begins and Ends with the pattern $username.. but it didn't work. Any ideas on how I do this?

Anon

<?php
$strSQL = "SELECT * FROM Admin WHERE username=$username AND password=$password";

mysql_connect("localhost");

$result = mysql_db_query("mydb",$strSQL);

if (!$mysql_num_rows)
{
echo "Wrong username or password";
}
else
{
echo "Hello $username!";
}

/ And after all you can set a cookie to be able to track user /

This code above must work without problem, maybe you are using LIKE in your SQL statement, don't use it.

Hope this helps...

Serdar
www.php.org.tr

Anon

Hi there,

Ok, I tried the code out, and it didn't give me a parse error or anything. But when I tried it out:

<?php
$db = db_connect(); // run the function that connects to the database

$result = mysql_query("SELECT * FROM members WHERE username=$username AND password=$password", $db);

if(!$mysql_num_rows) {
$error = "<p><b>Sorry! Your username and password didn't match!<b>";

 displayIntro(basicIntro(), basicTitle()); // display the introduction to the page

 displayForm($error);  // display login form

} else {
echo "Welcome $username!";
}
?>

ran it, and tried to put in a username and password I setup in the database, it came back with the error about the username/password not matching.

Any more ideas?

Thanks so much,
-dave

Anon

Maybe this will help, I had the same problem where a query refused to work, ie:

SELECT * FROM table WHERE id_name=$id

After busting my head on a wall for about an hour, I added single quotes around the variable as a last ditch effort:

SELECT * FROM table WHERE id_name='$id'

and viola! it worked. Add a single quote set around your variables and see if it works.

Jim

Anon

Well Jim, I tried it and still nothing. Thanks for the tip, though! It was a good idea.. I've seen that ' ' thing work other places.

I still have no idea what's going on with this query. If anyone has any ideas, I'm still trying to sort the problem out.

-dave

Anon

Hey guys,

Alright, I think I've made some kind of advance on this problem. Here's my code:

$result = mysql_query("SELECT * FROM members WHERE email='$loginEmail' AND password='$loginPassword'", $db);

if(mysql_result($result,0,"nickname")) {
printf("Welcome, %s", mysql_result($result,0,"nickname"));
} else {
$error = "<p><b>Sorry! Your username and password didn't match! Try again</b>";

     // Display page intro's
 displayIntro(basicIntro(), basicTitle());
displayForm($error);

}

Now, it's checking my username/password correctly, without letting me gain access by putting in half the username or half the password. But it's giving me this warning each time the username/password doesn't match the database (in fact, it gives me this warning for every query that returns nothing. Including query's that are in if statements, checking to see if there is anything that results from that query):

Warning: Unable to jump to row 0 on MySQL result index 2

So, there's one more little thing (that warning) and I'm sure I'm not the first to encounter it. What can I do to keep that warning from happening?

Thanks for all your help everyone, and I really mean that
-dave

Anon

Hi, I would recommend trying to see what $result is before sending it the mysql_result call. Do your $result= statement, then echo($result). See if it is doing anything. Another way to check is to use something like:

if(!$result = mysql_query("SELECT * FROM members WHERE email='$loginEmail' AND password='$loginPassword'", $db)) {
echo("No result passed);
}

This would let you know if the query is working or not. If it is, you may want to do a mysql_fetch_object or something like it to see what the results were that were returned.

If nothing is returned, run:

if(!$result = mysql_query("SELECT * FROM members", $db)) {
echo("No results found");
}

This will tell you if you even connected to make the query at all.

I know this is a bit tedious, but I resort to it when nothing else works. Lets you determine where the disconnect is.

Let me know if it helps.

Jim

Anon

Dave,

I don't know if this will help at this stage but this is the code that I am using without any problems:

$cnx = mysql_connect('localhost','isb735','451gkr');

mysql_select_db("isb735_db",$cnx);

$query = mysql_query("SELECT * FROM db_name WHERE username='$username' AND password='$password'") or die (mysql_error());

$row = mysql_fetch_array($query);

$numRows = mysql_numrows($query);

$db_row = $row["db_row"];

if ( $numRows == 0) {

echo "Sorry your username & password were not accepted";
}

Hope this helps

Mike

Anon

Jim and Mike -

Thanks a lot for all your help. I worked with your suggestions and tweaked what I had enough to get it working.

Thanks again for all your help,
dave

freddymio

It would have been nice to see the complete WORKING-OK script.
Kind of a "SUMMARY" or "GOT IT" posting.
Freddy

guruparthi

Try this,

<html>
<head>
<style type="text/css">
input{
border:1px solid olive;
border-radius:5px;
}
h1{
color:darkgreen;
font-size:22px;
text-align:center;
}
</style>
</head>
<body>
<h1>Login<h1>
<form action='#' method='post'>
<table cellspacing='5' align='center'>
<tr><td>User name:</td><td><input type='text' name='name'/></td></tr>
<tr><td>Password:</td><td><input type='password' name='pwd'/></td></tr>
<tr><td></td><td><input type='submit' name='submit' value='Submit'/></td></tr>
</table>

</form>
<?php
session_start();
if(isset($POST['submit']))
{
mysql_connect('localhost','root','') or die(mysql_error());
mysql_select_db('new') or die(mysql_error());
$name=$POST['name'];
$pwd=$POST['pwd'];
if($name!=''&&$pwd!='')
{
$query=mysql_query("select * from login where name='".$name."' and password='".$pwd."'") or die(mysql_error());
$res=mysql_fetch_row($query);
if($res)
{
$SESSION['name']=$name;
header('location:welcome.php');
}
else
{
echo'You entered username or password is incorrect';
}
}
else
{
echo'Enter both username and password';
}
}
?>
</body>
</html>

Reference: http://www.phponwebsites.com/2014/07/php-mysql-login-validation.html