sessions and MySQL: In a vicious circle

scraff

This is really doing my nut in!! :eek:

I have a login script, starting on my home page.
Starting with a simple form as usual to submit the username and password, it send the veriable to the login page. THIS IS WHERE THE PROBLEM LIES!

If i have the PHP script in first that checks the username against the password, Then the start session script. even if when testing i enter the correct username+password these two errors appear:

############
Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 4 in /home/hedcasec/public_html/login/index.php on line 9

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/hedcasec/public_html/login/index.php:9) in /home/hedcasec/public_html/login/index.php on line 18

############

this is the coding:

<?php
require 'include.php';
$username = strtoupper ($username);
$username = ereg_replace("[^A-Za-z0-9 ]", "", $username);
mysql_connect($DBhost,$DBuser,$DBpass);
mysql_select_db("$DBName");
$query = "SELECT * FROM $table WHERE username = '$username'";
$result = mysql_query($query);
$DBPassword = mysql_result($result,0,"password"); //###LINE 9
if ($DBPassword == $password){
$Passwordcheck = 1;
}else{
$Passwordcheck = 0;
}
$numR = mysql_num_rows($result);
?>
<?php
session_start(); //########################LINE 18
session_register("username");
echo $username;
?>

If i put the Start session at the top, errors still apear
I think the first error here is that it cant find the username in the DB and the second error...i dont know.

Obviously here the start session starts wheather the password in correct or not, just ignore that!

Any help would be appresiated! thanx

xblue

the second error will probably disappear once you got rid of the first one (since the first error message simply is some html output send to the browser).

insert
echo $query;
before executing it, and see what it looks like.

bobthedog

There's probably nothing wrong with $query - as long as his table definition is ok it looks perfectly ok in the code he posted in.

The problem you are getting is when no records exist in the result set... when no records exist it is'nt possible to jump to row 0 (the first row) since no rows exist.

To get around this - you have several options:

1 - stay with the construct you have, and use [man]mysql_num_rows[/man] to find out whether any rows are returned before you try accessing them.

2 - don't use mysql_result() at all - instead use [man]mysql_fetch_array/man, or [man]mysql_fetch_row/man. This returns an entire row if one exists, or false if no more rows exist. So - you can just check whether you returned an array, and proceed with checking from there.

3 - rework this code totally. Why use mysql to do a username check and php to do a password check? Why not use MySQL to do the whole thing for you - then if any rows are returned at all you know you have a valid match... i.e.

require 'include.php'; 
$username = strtoupper ($username); 
$username = ereg_replace("[^A-Za-z0-9 ]", "", $username); 

mysql_connect($DBhost,$DBuser,$DBpass); 
mysql_select_db("$DBName"); 

$query = "SELECT * FROM $table WHERE username = '$username' AND password='$password'"; 

$result = mysql_query($query); 
$numR = mysql_num_rows($result); 

if ($numR == 1) // cud do greater than 0 - but i assume no duplicate usernames exists
{
    // Valid match
}
else
{
    // No match
}

xblue

Originally posted by scraff
even if when testing i enter the correct username+password these two errors appear:

redesigning is definitely a good advice, but I still suspect there may be something wrong with $username, based on the statement above.

you may need to use $GET['username'] or $POST['username'] if it is coming from a form in case register_globals is off.

bobthedog

but I still suspect there may be something wrong with $username, based on the statement above.

Good plan - missed that comment in his above code.

As a general pont you shud always try and use $POST, $GET etc instead of relying on register_globals. This is as much for security as for code portability.

scraff

ok thanks ppl! got it workin now!