Cant get login page to work

ldobson

Good Afternoon,

I am writing a simple login feature for a website and am trying
to get a simple database authentication script to work.

I`m passing two variables called "user" and "passwd" from
a simple html form and posting them with POST to this script.

The problem im having is no matter what is passed (legitimate or not is being granted permission to continue).. the SQL looks good, but I think im doing someone wrong with my if
statements.

Can someone point out where i`m going wrong?,

Thanks,

--
<?

$host = "localhost";
$username = "xxxx";
$password = "xxxxx";
$connect = mysql_connect($host, "$username", "$password")
or die("Could not connect to MySQL!");

mysql_select_db("switch_info") or die("Could not select database");

$sql="select * from tblLogin where username like '$user' and password like '$passwd';";
$result = mysql_query($sql) or die("Query failed");

if ($result) {
print "<center><big><big>Welcome $user Please click <a href=\"index.html\"> here to continue</big></big></center>";
}
else
{
print "<center><big><big>Sorry, credentials supplied are incorrect.</big></big></center>";
}

stolzyboy

try this, and also ensure you are getting your variables, not meaning that you have register_globals on, if its off access your vars with $_POST['variablename']

<?
$host = "localhost";
$username = "xxxx";
$password = "xxxxx";
$connect = mysql_connect($host, "$username", "$password")
or die("Could not connect to MySQL!");

$db = mysql_select_db("switch_info") or die("Could not select database");

$sql = "select * from tblLogin where username = '$user' and password = '$passwd';";
$result = mysql_query($sql) or die("Query failed");

if (mysql_num_rows($result) > 1) {
print "<center><big><big>Welcome $user Please click <a href=\"index.html\"> here to continue</big></big></center>";
}
else
{
print "<center><big><big>Sorry, credentials supplied are incorrect.</big></big></center>";
}
?>

mikanmao

i am wondering why you use
$sql="select from tblLogin where username like '$user' and password like '$passwd';";
instead of
$sql="select from tblLogin where username = '$user and password = '$passwd'";
i am not sure whether this difference causes the problem you have.

ldobson

Thanks stolzyboy,

Actually the solution was somthing simular:

if (mysql_num_rows($result) > 0) {

Fixed this issue, Thank you for your help 🙂

Originally posted by stolzyboy
try this, and also ensure you are getting your variables, not meaning that you have register_globals on, if its off access your vars with $_POST['variablename']

<?
$host = "localhost";
$username = "xxxx";
$password = "xxxxx";
$connect = mysql_connect($host, "$username", "$password")
or die("Could not connect to MySQL!");

$db = mysql_select_db("switch_info") or die("Could not select database");

$sql = "select * from tblLogin where username = '$user' and password = '$passwd';";
$result = mysql_query($sql) or die("Query failed");

if (mysql_num_rows($result) > 1) {
print "<center><big><big>Welcome $user Please click <a href=\"index.html\"> here to continue</big></big></center>";
}
else
{
print "<center><big><big>Sorry, credentials supplied are incorrect.</big></big></center>";
}
?>

ldobson

Greetings,

No I think both give the same result. 🙂

Originally posted by mikanmao
i am wondering why you use
$sql="select from tblLogin where username like '$user' and password like '$passwd';";
instead of
$sql="select from tblLogin where username = '$user and password = '$passwd'";
i am not sure whether this difference causes the problem you have.