Can Someone Check This

olygolfer

Hi
I am trying to set up a login for my customers. I Have placed the code below, the problem is I am not 100% sure how to set it up so it checks the username and password are exactly what is set in the database.

I have tried it by deliberetly entering a wrong password for a username but is still logs in and sets the username in the session id . Any ideas how to fix this.

username is the emailaddress

<?php 
$emailaddress = $HTTP_POST_VARS['emailaddress']; 
$password = $HTTP_POST_VARS['password']; 

if ( $emailaddress && $password)
{
$db = mysql_connect (, , );
mysql_select_db ('db76275624');
$sql = "SELECT emailaddress FROM customers Where emailaddress = ".$emailaddress." && password = ".$password."";
$result = mysql_query($sql);
echo "logged in";
 $HTTP_SESSION_VARS['emailaddress'] = $emailaddress;
}
else 
{
echo "not logged in";
}
?>

The_Chancer

Looks like you haven't actually counted the number of returned rows from the query. If you count the rows, and if the number is 0 you don't log in - i it is 1 then log in....

Something like:

[code=php]

<?php
$emailaddress = $HTTP_POST_VARS['emailaddress'];
$password = $HTTP_POST_VARS['password'];

if ( $emailaddress && $password)
{
$db = mysql_connect (, , );
mysql_select_db ('db76275624');
$sql = "SELECT emailaddress FROM customers Where emailaddress = ".$emailaddress." && password = ".$password."";
$result = mysql_query($sql);
$count=mysql_num_rows($result);
if ($count==0)
{
echo "Username / Password Incorrect";
exit;
}
echo "logged in";
$HTTP_SESSION_VARS['emailaddress'] = $emailaddress;
}
?>
[/code]

Might help....

olygolfer

thanks for the help😉

The_Chancer

No worries..

8701

i´d change the code slightly:

<?php 
$emailaddress = $HTTP_POST_VARS['emailaddress']; 
$password = $HTTP_POST_VARS['password']; 

if (isset($emailaddress) && isset($password))
{
$db = mysql_connect (, , );
mysql_select_db ('db76275624');
$sql = "SELECT emailaddress FROM customers Where emailaddress = ".$emailaddress." && password = ".$password."";
$result = mysql_query($sql);
$count=mysql_num_rows($result);
if ($count==0)
{
echo "Username / Password Incorrect";
exit;
}
else
{
echo "logged in";
 $HTTP_SESSION_VARS['emailaddress'] = $emailaddress;
}
}
?>

olygolfer

I have tried to use the code but are recieving this error.

Warning: Supplied argument is not a valid MySQL result resource in /homepages/14/d71795240/htdocs/Pages/CustomerServices/checklogin.php on line 153
Username / Password Incorrect

<?php 
$emailaddress = $HTTP_POST_VARS['emailaddress']; 
$password = $HTTP_POST_VARS['password']; 

if ( $emailaddress && $password)
{
$db = mysql_connect (, '', ');
mysql_select_db ('db76275624');
$sql = "SELECT emailaddress FROM customers Where emailaddress = ".$emailaddress." && password = ".$password."";
$result = mysql_query($sql);
$count=mysql_num_rows($result);
}
if ($count==0)
{
echo "Username / Password Incorrect";
exit;
}
else
{
echo "logged in";
 $HTTP_SESSION_VARS['emailaddress'] = $emailaddress;
}
?>

Line 153 is

$count=mysql_num_rows($result);

xblue

the email and passwords variables need quotes in the query since they are strings.

please use the mysql_error() with this kind of problems, it is often very helpful:

$sql = "SELECT emailaddress FROM customers Where emailaddress = '".$emailaddress."' && password = '".$password."'";
$result = mysql_query($sql) or die("Error: ".mysql_error()." in query: ".$sql);

olygolfer

Thanks everyone the problem is sorted now