authintication help

Anon

Hello,

I'm new to php. I've been trying to teach myself via "PHP and MySQL Web Development" by Luke Welling and Laura Thompson. So far I've learned a lot...

But I'm stuck trying to get a content management system set up. I seem to have most of the functionality working but am stuck with trying to get users logged in. I'm trying to get username and password combinations stored in a table to authinticate when compared to the results entered by a user via a form...

I can't get it to work for the life of me... And I'm pulling my hair out trying to find the mistake!

I'm going to provide the code I've been using and maybe you can point out the error for me? I'm going to include all the code rather than just the login authintication part -- just incase that isn't where the problem is... Please explain if you can -- since I can't seem to find it and am still learning! Thanks!!!

Shauna

<?php
function db_connect()
{
$result = @mysql_pconnect("myhost", "myusername", "mypassword");
if (!$result)
return false;
if (!@mysql_select_db("fecuokcdb"))
return false;

return $result;
}

function get_writer_record($username)
{
$conn = db_connect();
$sql = "select * from writers where username = '$username'";
$result = mysql_query($sql, $conn);
return(mysql_fetch_array($result));
}

function get_story_record($story)
{
$conn = db_connect();
$sql = "select * from stories where id = '$story'";
$result = mysql_query($sql, $conn);
return(mysql_fetch_array($result));
}
function login($username, $password)
// check username and password with db
// if yes, return true
// else return false
{
// connect to db
$conn = db_connect();
if (!$conn)
return 0;

$result = mysql_query("select * from writers
where username='$username'
and password = password('$password')");
if (!$result)
return 0;

if (mysql_num_rows($result)>0)
return 1;
else
return 0;
}

function check_auth_user()
// see if somebody is logged in and notify them if not
{
global $auth_user;
if ( (session_is_registered("auth_user")) && (isset($auth_user)) )
return true;
else
return false;
}
function query_select($name, $query, $default="")
{

$conn = db_connect();

$result = mysql_query($query, $conn);

if (!$result)
return(0);

$select = "<SELECT NAME=\"$name\">";
$select .= "<OPTION VALUE=\"\">-- Choose --</OPTION>";

for ($i=0; $i < mysql_numrows($result); $i++) {
$opt_code = mysql_result($result, $i, 0);
$opt_desc = mysql_result($result, $i, 1);
$select .= "<OPTION VALUE=\"$opt_code\"";
if ($opt_code == $default) {
$select .= " SELECTED";
}
$select .= ">[$opt_code] $opt_desc</OPTION>";
}
$select .= "</SELECT>\n";

return($select);

}
session_start();

if ( (!$username) || (!$password) ) {
print "You must enter your username and password to proceed";
exit;
}

if (login($username, $password)) {
$auth_user = $username;
session_register("auth_user");
header("Location: $HTTP_REFERER");
}
else {
print "The password you entered is incorrect";
exit;
}

[deleted]

A few constructive criticisms:
One reason why you can't find the error is that you have no error-checking.

Put this at the top of your script:
error_reporting(E_ALL);
that will give you more detailed information about possible errors in your script.

Your db_connect() function even has the @ sign to surpress all error messages. If the database connection fails you will never know that it failed, and if you do find out it failed, you'll never know why.

Also, have a look at this re-write of your logon function. It shows the most basic error checking. Now if something goes wrong in the function, it will print a small message explaining what failed. If you add this principle to all your functions you will always be informed when something goes wrong.

////////////////////////////////////////////////
// check username and password with db 
// if yes, return true 
// else return false 

function login($username, $password) 
{ 
  $bNoErrorsFound = true;
  // connect to db 
  if (!$conn = db_connect())
  {
    // database connection failed
    echo 'Database connection failed';
  }
  else
  {
    if(!$result = mysql_query("select * from writers 
                               where username='$username' 
                               and password = password('$password')"))
    {
      // MySQL query failed:
      echo "MYSQL ERROR: ".mysql_error($conn);
      $bNoErrorsFound = false;
    }
    else
    {
      if (mysql_num_rows($result)>0)
      {
        // records found
      }
      else
      {
        // No records found
        echo 'User/password not found';
        $bNoErrorsFound = false;
      };
    };
  };
  return $bNoErrorsFound;
};