username and password LOGIN

radioJGH

hi... heres my problem
i am just learning php and mysql... i want to log in to my site using a username and password.... i have some code, none that uses sessions, nor cookies.... yet... i am just trying to get it to authenticate me... i have the table set up and everything.. i haev a username and password in it.. but this code gives me an error on the last line of the back end script... here is my form

// this is my form

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<p>Members Area Login</p>
<form method="post" action="authenticateuser.php">
  <p>Username:<br>
    <input type ="text" name="username" size="25" maxlength="25"><br>
<p>Password:</p><br>
<input type="password" name="password" size="25" maxlength="25"></p>
<p><input type="submit" name="signin" value="login"></p>
</form>
</body>
</html>


//this is my php script

<?
//check for required fields
if ((!$_POST[username]) || (!$_POST[password])) {
	header("Location: [url]http://memberspage[/url]");
	exit;
}
//setup names of database and table to use
$db_name = "mydbname";
$table_name = "auth_users";
$welcome_page = header("Location: [url]http://welcome[/url] page");


$connection = mysql_connect("localhost", "fakeusername", "fakepassword") or die ("Could not connect to database!");
$db = mysql_select_db("$db_name") or die ("Could not select database");
if (isset($signin)) // name of submit button
{
	$password=md5("$_POST[password]");
    $query = "select * from table where username='$username' and password=(password('$password'))"; // don't use password() function if you didn't use it to input into the database
    $result = mysql_query($query) or die ("Could not select records");

$isAuth = false; //set to false originally

while($row = mysql_fetch_array($result))
{
    if($row['username'] == $username && $row['password'] == $password) // if true set $isAuth to true, if not it will stay false
    {
        $isAuth = true;
    }  
}  

if($isAuth = true)
{

   echo "$welcome_page";
}
else
{
echo "no username/password found";
}
?>



<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>

</body>
</html>

i have tried pasting in code from others in some parts.. ieven use the same variable names just to compare it.... why does this script not work?😕

Weedpacket

What's the error?

If it's on the very last line, it's probably because you're missing a } somewhere. In fact, I count six { but only five }. The missing one I guess should be either before the last "else" or after the last "echo".

suntra

Also, please replace

header("Location: <a href="http://memberspage" target="_blank">http://memberspage</a>");

With

header("Location: [url]http://memberspage\n[/url]");

( header("Location: [url]http://[/url][...]\n"); )

thewonderfulone

At around

$db = mysql_select_db("$db_name") or die ("Could not select database");

if (isset($signin)) // name of submit button

perhaps it should be


$db = mysql_select_db("$db_name") or die ("Could not select database");
$signin  = $_POST['signin'];
if (isset($signin)) // name of submit button

radioJGH

this is unbelievable.....

when i log in, now it says it cant find the authenticateuser.php

im not surprised, it seems as i get so close to having something work, and it always fails.... i will work on this and get back to you in a few

radioJGH

alright.. . fixed my code error.. one too few curly brackets..

now.. when i submit.. it reloads the login page.. like it didnt find the username and password in the database.... i know for sure its set up right..... any clues?

Weedpacket

Well, you're setting $password to md5($POST['password']), but without setting $username to anything at the same time ($POST['username']), chances are it will be empty when you go to put it in the query, and also later, when you check it against what comes out of the database.

Code_guy

In your code, you check the username and password twice.

in the where clause of your sql query you use:
password=(password('$password'))

but later you use:
if($row['username'] == $username && $row['password'] == $password)

(2nd time without the password function)

so one or the other will not match

Which one did you use when you entered it in the database?

Why check twice?

Code_guy

suntra,

The forum adds the anchor tags if the 'Automatically parse URLs' checkbox is checked.

If it finds a url inside a php block it still adds the tag and it is displayed in the code.

Sombody should fix that in the forums code.

I learned this the hard way in an earlyer post of mine.

radioJGH

thanks for the help...

i ended up getting it last night... the password check at the top forces them to enter a password and name, if they dont.. the page refreshes.....

i just had to change the variables from

$_POST['password']
to
$password

worked like a charm....

Code_guy

It's impossible your code would work with the error I described above.

Here is why you think it does:
You can't write
$welcome_page = header("Location: http://welcome_page");
and then
echo "$welcome_page";

header() sends the header to the browser and then returns an integer (which you put in $welcome_page).

Again: The header is sent as soon as that line is executed, before checking the password.

radioJGH

its a simple if statement...

//check for required fields
if ((!$username) || (!$password)) {
	header("Location: [url]http://www.jgarretthood.com/members/index.htm[/url]");
	exit;
}

if there isnt a username and password entered.... then it reloads the index page......

it works every time i have tried it... i am now trying to get sessions to work with it.... so that i can keep people out of the pages behind the login.... any help with that you can give me?

Code_guy

I'm talking about the line below that:

$db_name = "mydbname";
$table_name = "auth_users";
$welcome_page = header("Location: [url]http://welcome_page[/url]");

That line get's executed any time there is any username and password. So it will send the header which will redirect the browser to welcome_page no matter what password or username is sent.

The rest of the code, which is suposed to check the password against the database is now irrelevant. Since the password is checked twice in two different ways one of the checks will fail and the script will echo "no username/password found" but the header which redirects the browser was allready sent, so it dosn't matter.

Try entering different junk for username and password.

Also although $password will work instead of $_POST['password'] if register_globals = on, the latter is prefered.

Two quotes from the php.ini file that comes with php 4.3:

; Note that register_globals is going to be depracated (i.e., turned off by
; default) in the next version of PHP, because it often leads to security bugs.

; You should do your best to write your scripts so that they do not require
; register_globals to be on; Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.

radioJGH

that makes sense.. i see what you are saying now

check this out.....
this is my login page......

<? 
session_start();
if (isset($username)) {
exit;
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<p>Members Area Login</p>
<form method="post" action="this is going to a file to do the authentication of the usre">
  <p>Username:<br>
    <input type ="text" name="username" size="25" maxlength="25"><br>
<p>Password:</p><br>
<input type="password" name="password" size="25" maxlength="25"></p>
<p><input type="submit" name="signin" value="login"></p>
</form>
</body>
</html>
<?

session_register("username");
session_register("password");
$db_name = "db";
$table_name ="table";
$connection = mysql_connect("localhost", "username", "pword") or die ("Could not connect to database!");
$db = mysql_select_db("$db_name") or die ("Could not select database");
$sql = "SELECT * FROM $table_name WHERE username = '$username' AND password = PASSWORD('$password')";
$result = mysql_query($sql);
if (!$result) {  

die("A database error occurred while checking your login details.");
}
if (mysql_num_rows($result) == 0) {
  session_unregister("username");
  session_unregister("password");
  exit;
}
$username = mysql_result($result,0,"fullname");
?>

this is my authentication page

<? 
//check for required fields
if ((!$username) || (!$password)) {
	echo "<p>please try again</p>");
	exit;
}
//setup names of database and table to use
$db_name = "jgarretthood_com";
$table_name = "auth_users";
$connection = mysql_connect("localhost", "grphcs", "multisync") or die ("Could not connect to database!");
$db = mysql_select_db("$db_name") or die ("Could not select database");

if (isset($signin)) // name of submit button
{
	$password=md5("$password");
    $query = "select * from $table_name where username='$username' and password=(password('$password'))"; // don't use password() function if you didn't use it to input into the database
    $result = mysql_query($query) or die ("Could not select records");

$isAuth = false; //set to false originally

while($row = mysql_fetch_array($result))
{
    if($row['username'] == $username && $row['password'] == $password) // if true set $isAuth to true, if not it will stay false
    {
        $isAuth = true;
    }  
}  

if($isAuth = true)
{
  header("Location: [url]http://www.jgarretthood.com/members/welcome.htm[/url]");
  exit;
} else {
	echo "no username/password found";
}
}
?>

im using sessions here.... trying to get it to work.. but after i login, it prints out that the database could not be selected...

Code_guy

That means that mysql can't find a database named jgarretthood_com on localhost or it dosn't have access to it with the username "grphcs" and the password "multisync".

You also havn't fixed the other errors in your code.
The php code on the login page also will not work and isn't needed. You are use the username and password variables before they exist. (ie: before the form has been submited)

radioJGH

code guy said:
Member

Registered: Dec 2002
Location:
Posts: 55
I'm talking about the line below that:
$db_name = "mydbname";
$table_name = "auth_users";
$welcome_page = header("Location: <a href="http://welcome_page" target="_blank">[url]http://welcome_page[/url]</a>");
That line get's executed any time there is any username and password. So it will send the header which will redirect the browser to welcome_page no matter what password or username is sent.

The rest of the code, which is suposed to check the password against the database is now irrelevant. Since the password is checked twice in two different ways one of the checks will fail and the script will echo "no username/password found" but the header which redirects the browser was allready sent, so it dosn't matter.

Try entering different junk for username and password.

Also although $password will work instead of $_POST['password'] if register_globals = on, the latter is prefered.

Two quotes from the php.ini file that comes with php 4.3:

; Note that register_globals is going to be depracated (i.e., turned off by
; default) in the next version of PHP, because it often leads to security bugs.

; You should do your best to write your scripts so that they do not require
; register_globals to be on; Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.

can you give me an example of an if statement that will check to see if the user has entered stuff for username and password... and if they dont... what should happen? cause i know what you mean.. but not real sure how to get it to work..everything ih ave tried... doesnt work...