Can you see a problem with this?????

Anon

Ok, i've been looking at this login page for a heck of a long time and i'm hoping some new eyes can see what i'm missing:

Here's what happening, as mentioned before, i'm trying to authenticate login on my a web site. I'm 100% certain that I have a good MySQL connection, none the less, i'll include my database connection script too:

DATABASE CONNECTION SCRIPT: (called dblib.inc)
<?PHP
$link;
connectToDB();
function connectToDB()
{
global $link;
$db="ldspracticedb";
$link=mysql_connect("localhost");
if(! $link)
die ("Couldn't connect to MySQL");
mysql_select_db($db, $link)
or die ("Couldn't open the $db database: ".mysql_error());
}
?>

PASSWORD CHECK:
<?PHP
include("dblib.inc");

/**************************************************************************************
This prints out the user input on the screen
**************************************************************************************/
foreach ($HTTP_POST_VARS as $key=>$val)
if (gettype($val) == "array")
{
print "$key: \n";
foreach ($val as $two_dim_value)
print ".....$two_dim_value ";
}
else
{
print "$key: $val (From the form) \n";
}

print "<HR>";

$query = "SELECT * FROM clients WHERE CUserName = '$CUserName' AND CPassword = '$CPassword'";
$result = mysql_query($query);
if(!result)
{
die("Invalid Username/combo. Try again. $query" .mysql_error());
}
else
{
print "Thanks for loggin in. Result is: $result";
}

mysql_close($link);
?>

pmanivannan

Hi Mark,

Hope, the function call connectToDB() must be called after the function definition.

Thanks.

[deleted]

Ehm..

if (!result)

shouldn't that be

if (!$result) ?

Anon

Ok, i've made the changes as suggested and a couple more but the crazy thing is still logging in everyone regardless of a correct username/password combo.

To find my actual form, i've put it up on my test site:
www.ucalgary.ca/~myuen

Here's what i've got now. I really hope you can help me out because this really shouldn't be THAT hard of a problem:

CONNECTS TO DATABASE (called dblib.inc)
<?PHP
$link;

function connectToDB()
{
global $link;
$db="ldspracticedb";
$link=mysql_connect("localhost");
if(! $link)
die ("Couldn't connect to MySQL");
mysql_select_db($db, $link)
or die ("Couldn't open the $db database: ".mysql_error());
}

connectToDB();
?>

<head>
<title>Login check</title>
</head>

<body>
<?PHP
include("dblib.inc"); //starts database connection

print "<HR>";

$query = "SELECT * FROM clients WHERE CUserName = '$CUserName' && CPassword = '$CPassword'";
$result = mysql_query($query);

if(!$result)
{
die("Invalid Username/combo. Try again." .mysql_error());
}
else
{
print "Thanks for logging in.";
}

mysql_close($link);
?>
</body>

pmanivannan

Hi,

I went to your test site. When I check the view source, the action page is member.html .
I don't understand how will you check the PHP values or include the inc files in .html files. Ok, leave that one.

Sorry to say, I don't understand the coding flow when I compared with the above mentioned code and view source.

Please let me know everything clearly. I can definitely help you.

Try out the following suggestions now:

1) The actual Text boxes names are :
cusername and Password.
But you are using the values '$CUserName' && '$CPassword' . I couldn't get where you are converting to those values.

2) Try to change the following code.

if (gettype($val) == "array")
{

The above code must be "Array"

Hope the above suggestions will work fine. Please feel free to contact for further discussions.

Thank you.

When we use the "$HTTP_POST_VARS" , the html element's(Text box, check box, submit etc.)

[deleted]

Now why didn't I notice this before?

this:

$query = "SELECT * FROM clients WHERE CUserName = '$CUserName' && CPassword = '$CPassword'";

$result = mysql_query($query);

if(!$result)

only checks if the query worked.
It does not check what the query returned.
If the username/password does not exist, the $result contains an empty resultset, but still a resultset, so if($result) will be true.

instead check for the number of results returned by the query:
if (mysql_num_rows($result)==1)
{

user exists

}
else
{

user does not exist

}