login problem

zevacronet

I'm trying to make a login script for my site. I'm guessing it's a typo or something but i can't seem to find it. It always goes to a unsuccessful login. Any help would be appreciated.

<?
require_once("zevacro_fns.php");
session_start();

if ($user && $pass)
// they just tried to login
{
// connect to db
$conn=db_connect();

        if (!$conn)
            exit;

        $result = mysql_query("select username, passwrd from user where username='$user' and passwrd=password('$pass')");

        if (!$result)
        { 
           echo "Could not find you in the database";
           exit;
        }  
        else
        {
                    if (mysql_num_rows($result)<=0)
                    {
                                echo "Username does not exist<br>";
                                // unsuccessful login
                                echo "You could not be logged in.<br>";
                                echo "You must be logged in to view this page.<br>";
                                echo "Please try <a href=\"login.php\">again</a>";
                                exit;
                    }
                    else
                    {
                                // if they are in the database register the user id
                                $valid_user = $user;
                                session_register("valid_user");
                    }
        }

}

check_valid_user();
// display member page
display_member($valid_user);
?>

pnoeric

if you're using a recent version of PHP, the whole session_register() function is no longer used... which is SO not clear in the online docs :-)

instead you register a session var by putting it into the $SESSION global array... i.e. $SESSION['valid_user'] = $user;

hope that helps. I had exactly the same problem in one of my scripts...

best
eric

zevacronet

Thanks for the help eric but im still getting the same error msg. I have no idea what is wrong with this script.

jamie_kerwick

Try using

$user = $HTTP_POST_VARS['username']
$pass = $HTTP_POST_VARS['password']
/* or */
$user = $HTTP_GET_VARS['username'] 
$pass = $HTTP_GET_VARS['password']

depending on the 'method' of the form. (for testing set to get, for deployment use POST, otherwise usernames & passwords will be in the URL, in the clear.)

if you are on PHP version 4.2.2 use

$user = $_POST['username']
$pass = $_POST['password']
/* or */
$user = $_GET['username'];
$pass = $_GET['password'];

Jamie

piersk

$result = mysql_query("select username, passwrd from user where username='$user' and passwrd=password('$pass')");

Shouldnt that be:

$result = mysql_query("select username, passwrd from user where username='$user' and passwrd='$pass'");

jamie_kerwick

i'm guessing that he uses the mysql password command to encrypt the password so that its not stored in plain text in the database. (i know i do).

As such you need to compare the encrypted version of $pass to the one stored in the database.

If he doesn't then yes, passwrd = '$pass' should be used.

Jamie

zevacronet

Jamie, where should i put that in my script? My login form calls on this script that is "suppose" to check the username and password and then display a members page. Is there a easier way to do this? Thanks for the help everyone

jamie_kerwick

if you are refering to my previous post, you just need to put these lines in anywhere BEFORE the mysql_query() command

jamie

zevacronet

ok i did that jamie... I was just noticing that when i fill out the form, i dont see anything in the address bar. check it out http://www.zevacro.net/login.php username is testing and password is test

dannys

Hi,

The comments in this thread really should be enough to get your script going (unless there's something going on in another page, which you're not showing us)

This code should work, but I can't really test it as I don't have the db structure, the required files or the time 🙂

<?php
require_once("zevacro_fns.php");
session_start();

// Workaround for older versions of PHP
if (!isset($_POST))
	$_POST=$HTTP_POST_VARS;

// Get the POSTed form variables
isset($_POST['user']) ? $user=$_POST['user'] : $user="";
isset($_POST['pass']) ? $pass=$_POST['pass'] : $pass="";

if (!(empty($user)) && (empty($pass)))
// they just tried to login
{
	// connect to db
	$conn=db_connect();

if (!$conn)
exit();

$result = mysql_query("SELECT username, passwrd FROM user WHERE username='$user' AND passwrd=PASSWORD('$pass')");

if (!$result)
{
	echo "Could not find you in the database";
	exit();
}
else
{
	if (mysql_num_rows($result)<=0)
	{
		echo "Username does not exist<br>";
		// unsuccessful login
		echo "You could not be logged in.<br>";
		echo "You must be logged in to view this page.<br>";
		echo "Please try <a href=\"login.php\">again</a>";
		exit();
	}
	else
	{
		// if they are in the database register the user id
		$valid_user = $user;
		//session_register("valid_user");
		$_SESSION['valid_user']=$valid_user;
	}
}
}

check_valid_user();
// display member page
display_member($valid_user);
?>

zevacronet

that worked great! Thanks Danny! I'm kinda confused now on sessions. The check_valid_user() doesn't work cause i guess there's a new way of doing sessions or just wording it differently. this is what it used to be. I dont know how you would do it now if you guys can help me out again 🙂 Thanks for all the help!! I appreciate it!

<?php
function check_valid_user()
// see if somebody is logged in and notify them if not
{
global $valid_user;

if (session_is_registered("valid_user"))
{
echo "Logged in as $valid_user.";
echo "<br>";
}
else
{
// they are not logged in
echo "You are not logged in.<br>";
echo "To login, <a href=\"login.php\">click here</a>";
exit;
}
}
?>

dannys

Best thing to do is use $_SESSION['varname'] where you previously used $varname ($varname being your registered session variable) - there's no need to use session_register() anymore either.

So, instead of

$foo='bar';
session_register('foo');
echo $foo;

use

$_SESSION['foo']='bar';
echo $_SESSION['foo'];

It's much more logical once you're used to it (IMO anyway).

So, your check_valid_user() function should look more like

<?php
function check_valid_user()
// see if somebody is logged in and notify them if not
{

if (isset($_SESSION['valid_user'])
{
	echo "Logged in as {$_SESSION['valid_user']}.";
	echo "<br>";
}
else
{
	// they are not logged in
	echo "You are not logged in.<br>";
	echo "To login, <a href=\"login.php\">click here</a>";
	exit;
}
}
?>

$_SESSION is a 'superglobal' var so there's never any need to declare it as a global in your functions - see http://uk.php.net/manual/en/language.variables.predefined.php for more info on superglobals

zevacronet

Doesn't seem to be working. It goes to the error and says, your not logged in. Do I have to pass the user over like:

check_valid_user($valid_user);

or something like that. Thanks for the help

Gabe

zevacronet

you guys have helped out alot! But for some reason i still get the same error as before which is it wont register the username. It wont even find the username and password. Do you have to do anything special to the form that passes the username & password to the script. I dont think it's passing the data. This is everything I have, I hope someone can help me out.. Thanks for all the help guys!!

---login.php ----
<?
require_once("zevacro_fns.php");

display_head();
?>

<form name="userlogin" method="post" action="member.php">
<table width="29%" border="0" cellspacing="2" height="92">
<tr bgcolor="#CCCCCC">
<td colspan="2">Login</td>
</tr>
<tr>
<td width="31%">Username:</td>
<td width="69%">
<input type="text" name="user">
</td>
</tr>
<tr>
<td width="31%">Password:</td>
<td width="69%">
<input type="password" name="pass">
</td>
</tr>
<tr>
<td colspan="2">
<div align="center">
<input type="submit" name="Submit" value="Login">
</div>
</td>
</tr>
</table>
</form>
</body>
</html>
---end login.php----

---member.php----
<?php
require_once("zevacro_fns.php");
session_start();

// Workaround for older versions of PHP
if (!isset($POST))
$POST=$HTTP_POST_VARS;

// Get the POSTed form variables
isset($POST['user']) ? $user=$POST['user'] : $user="";
isset($POST['pass']) ? $pass=$POST['pass'] : $pass="";

if (!(empty($user)) && (empty($pass)))
// they just tried to login
{
// connect to db
$conn=db_connect();

if (!$conn)
exit();

$result = mysql_query("SELECT username, passwrd FROM user WHERE username='$user' AND passwrd=PASSWORD('$pass')");

if (!$result)
{
    echo "Could not find you in the database";
    exit();
}
else
{
    if (mysql_num_rows($result)<=0)
    {
        echo "Username does not exist<br>";
        // unsuccessful login
        echo "You could not be logged in.<br>";
        echo "You must be logged in to view this page.<br>";
        echo "Please try <a href=\"login.php\">again</a>";
        exit();
    }
    else
    {
        // if they are in the database register the user id
        $valid_user = $user;
        //session_register("valid_user");
        $_SESSION['valid_user']='$valid_user';
    }
}

}

check_valid_user();
display_head();
?>

---end member.php---

---zevacro_fns.php---
---include file userauth_fns.php----
<?
function check_valid_user()
// see if somebody is logged in and notify them if not
{

if (isset($_SESSION['valid_user']))
{
    echo "Logged in as {$_SESSION['valid_user']}.";
    echo "<br>";
}
else
{
    // they are not logged in
    echo "You are not logged in.<br>";
    echo "To login, <a href=\"login.php\">click here</a>";
    exit;
}

}
?>
--- end userauth_fns.php----

---include db_fns.php---

function db_connect()
{
$result = mysql_pconnect("localhost", "", "");
if (!$result)
return false;
if (!mysql_select_db("****"))
return false;

return $result;

}

?>
----end db_fns.php---

Weedpacket

I see the lines:

 // if they are in the database register the user id
$valid_user = $user;
//session_register("valid_user");
$_SESSION['valid_user']='$valid_user';

You want to replace them with:

 // if they are in the database register the user id
$_SESSION['valid_user']=$user;

You're using quotes around $valid_user that are (a) redundant, and (b) only single (variables aren't interpolated in single-quoted strings). All you're doing is setting $valid_user to $user, and then storing the string '$valid_user' in the session variable; not the value of $valid_user, just its name.

So no wonder you never get a match!

zevacronet

Ok, now it registers the session but the check_valid_user() function doesn't work.
<?
function check_valid_user()
// see if somebody is logged in and notify them if not
{

if (isset($_SESSION['valid_user']))
{
    echo "Logged in as {$_SESSION['valid_user']}.";
    echo "<br>";
}
else
{
    // they are not logged in
    echo "You are not logged in.<br>";
    echo "To login, <a href=\"login.php\">click here</a>";
    exit;
}

}

shouldn't that work?? Thanks again everyone