database user authentication

rrhody

Hey,

Can anyone give me a lead as to why my code is not authenticating properly?

if ($HTTP_POST_VARS["username"] != null) {
$user = $HTTP_POST_VARS["username"];
$passwd = $HTTP_POST_VARS["password"];
$query = "SELECT Username, Visited, User_PK from wefx where Username = $user and Password = PASSWORD('$passwd')";
$db_query = mysql_query($query, $db_connection);
$row = @mysql_fetch_row($db_query);
$num_results = @mysql_num_rows($db_query);

if ($num_results = 1) {
  if ($row[2] = 1) {
    $loggedin = "True";
    header("Location: index.html");
  } else {
    if ($row[1] = 0) {
      $loggedin = "True";
      $query = "update wefx set Visited = 1 where User_PK = $row[2]"; 
      $result = @mysql_query($query, $db_connection); 
      header("Location: index.html");
    } else {
      echo("<font color=\"red\">Access expired.</font>");
    }
  }
} else {
  echo("<font color=\"red\">Username and/or password are incorrect.</font>");
}

}

Thank you
Roger

bretticus

right off the bat I see that you are using an assignment operator '=' where you shoudl be using comparison '==' in your if statements.

rrhody

I thought php overloaded = instead of using the ==.

PyroX

You thought wrong.

There is also === , you may want to learn about that someday.

rrhody

You are right, I was thinking of actionscript. Thank you.

bretticus

nope, not C++ 😃

rrhody

Hi,

I am sorry to keep posting, but I am still not getting the correct results and don't know what else to do. Here is my current code:

<?php
require_once("includes/config.inc");

$loggedin = "False";
if ($HTTP_POST_VARS["username"] != null) {
$user = $HTTP_POST_VARS["username"];
$passwd = $HTTP_POST_VARS["password"];
$query = "SELECT Username, Visited, User_PK from wefx where Username = $user and Password = PASSWORD('$passwd')";
$db_query = mysql_query($query, $db_connection);
$row = @mysql_fetch_row($db_query);
$num_results = @mysql_num_rows($db_query);

if ($num_results == 1) {
  if ($row[2] == 1) {
    $loggedin = "True";
    header("Location: index.html");
  } else {
    if ($row[1] == 0) {
      $loggedin = "True";
      $index = $row[2];
      $query = "update wefx set Visited = 1 where User_PK = $index"; 
      $result = @mysql_query($query, $db_connection); 
      header("Location: index.html");
    } else {
      echo("<font color=\"red\">Access expired.</font>");
    }
  }
} else {
  echo("<font color=\"red\">Username and/or password are incorrect.</font>");
}

}
?>

Can you see anywhere else that I am still messing up at? I only have one user currently in my database and I am not able to log in with that user. As I said I am sorry to keep posting but I am at a loss.

Thank you

bretticus

Hmmm, well you are supressing an error message on a mysql_fetch_row and this looked suspicious to me:

$query = "SELECT Username, Visited, User_PK from wefx where Username = $user and Password = PASSWORD('$passwd')";

In Particular, the Username = $user part. If you write that query out and run it from the command line (or however), can you get away without the single quotes around $user ? It's possible this could be the problem.