Validation And Login Page

vexer007

PLEASE HAVE A LOOK AT THE CODE BELOW TO SEE IF YOU CAN SPOT WHY IT KEEPS GOING TO THE view-blog.php PAGE NO MATTER WHETHER THE PASSWORD OR USERNAME IS WRONG PLEASE.

		$submit = $_POST['submit'];
					$username = $_POST['username']; 
					$password = $_POST['password']; 			
	if(isset($submit)) 	{

// check if user exists in the database
$query = "SELECT username, email FROM users WHERE username = '$username' AND pass = '$password'";
$result = $conn->execute($query);
$Recordset = ($result);
if ($Recordset) {
	die("<META http-equiv=\"Refresh\" content=\"0;url=view-blog.php\">");
exit();
} else {	
	echo '<p><font color="990000" size="+2">OOPS!! The EMAIL AND OR, USERNAME you entered are not valid registered user detail</font></p>';
	echo '<p> Please either re-enter the correct email and a matching username, or Register an Account using the link on this page!</p>';
	echo '<b><hr color="990000">';
	}
$conn->close();

} else {
echo '<p><strong><font color="000000" size="+2"> Welcome - Please Add Your Comment </font></strong></p>';
echo '<b><hr color="990000">';
}
?>

THANK YOU FOR YOUR HELP!

bpat1434

Okay, let me say this to begin with: Please don't shout. We're all here to help. Yes it may frustrate you, but it is not necessary. Second, please use the [ PHP ] BB Code tags or [ CODE ] tags (remove the space between the []'s).

Now, your script is very very minimal. I would retrieve the row of the user, and then check to see if the passwords match. This way, you know that you're getting the one row, and that the passwords will match or fail.

What you are doing with the check here:

 if ($Recordset) {
die("<META http-equiv=\"Refresh\" content=\"0;url=view-blog.php\">");
exit();

is saying: If $Recordset is set, or holds a value, then die and refresh to view-blog.php. You aren't authenticating right so that users are directed to other pages.

Here's an example of my own Login.php form I usually use:

<?php
if(!isset($_REQUEST['username']) || empty($_REQUEST['username'])){
    // Show the login page
}
else{
    $sup_user = $_REQUEST['username'];
    $sup_pass = md5($_REQUEST['password']);
    $query = "SELECT * FROM users WHERE username = '$sup_user' LIMIT 1";
    $result = mysql_query($result);
    while($row = mysql_fetch_array($result)){
        $db_pass = $row['password'];
    }
    if($db_pass === $sup_pass){
        // Login successful, show them the page
    }
    else{
        // Login Failed, show login again, clear values
    }
}
?>

That's the login system I use.

But your error comes from your check of $Recordset. You have to check to see if is something (whatever value) or not, then it should work.

~Brett

vexer007

Sorry for using uppercase i didnt mean to yell and also double posting.

I have changed the code now to:

$query = ("SELECT username FROM users WHERE username = '$username' LIMIT 1");
$result = $conn->execute($query);
$Recordset = ($result);
while (!$Recordset->EOF) {
$dbpassword = $Recordset->Fields("pass");
}

 if($db_password === $password){ 
    echo ("Login successful, show them the page");
} 
else { 
 echo ("Login Failed, show login again, clear values ");
}

}

But some how it is having problem with the LIMIT 1 in the query statement.