validation of database info by form

osheriff

The following code is supposed to go to page x if the username and password are found on the database. It goes to page x even if details are wrong. Can someone please tell me what's wrong.

<?php

if (headers_sent() ) {
print("cannot process your request due to a system error!\n");
}else{

include "db.php";

if (($username) AND ($password)) {
$validate = "SELECT username, password FROM users WHERE username=='$username' AND password=='$password'";
$result = mysql_query($validate);

header ("location: index.php?username=$username");
exit;
}else{
header ("location: login.php?message=invalid");
exit;
}
}

<form action="<?php echo $PHP_SELF; ?>" method="POST">
Username: <input type="text" name="username">
Password: <input type="password" name="password">
<input type="submit" value="Submit">
</form>

</body>

yendor

Your if statment is only checking if the variables $username and $password are set. If they are, all you are doing is quering the database and then sending them to index.php?username=$username. As long as $username and $ password are both set, the user will always go to index.php?username=$username. You have to put some kind of check in you program to see if the database returned anything.
ONE Possiblity:

if (($username) AND ($password)) {
$validate = "SELECT username, password FROM users WHERE username=='$username' AND password=='$password'";
$result = mysql_query($validate);
$valid = mysql_num_rows($result);
if ($valid > 0) {
header ("location: index.php?username=$username");
exit;
}else{
header ("location: login.php?message=invalid");
exit;
}
}else{
echo " <h1>You must Enter a username and Password!</h1>"
exit;
}
}

Sorry this looks sloppy, but this forum doesn't preserve tabs

Hope this helps,

Rodney