Developing Log-In System

brdnwi

I'm currently trying to create a log in system. I have a user and password in my database and I'd like to be able to compare the log in information with the information in the database. Right now, it's not working as I'd like it to. When I submit the correct information the page does not do as told. Here is my code.

<?
session_start();
$_SESSION['logged'] = 0;
include("database.php");

//Check if user is logged in
function CheckUser($username, $password){

$query = "SELECT password FROM users WHERE username = '$username'";	
$send = mysql_query($query) or die('sorry, there was an error in your query');
$array = mysql_fetch_array($send);

if($password == $array['password']){
  echo "User Confirmed";
}
}

if(isset($_POST['login'])){

  CheckUser($_POST['user'], $_POST['pass']);

}

?>

<html>
<head><title>Login</title></head>

<body>

<form action='login.php' method='post'>
<input type='text' name='user' value=''>
<br>
<input type='text' name='pass' value=''>
<br>
<input type='submit' name='login' value='Login'>
</form>

</body>

</html>

MrPotatoes

ok, i just woke up about 30secondds ago. but you should sod

if($wuery >1) or == 1.

try that. i't sht way that i have mine working

Roger_Ramjet

No, you should run the query to match username and password and if you get no result back then not a valid user or password.

//Check if user is logged in
function CheckUser($username, $password){
 // first protect your login from hackers using sql injection attack
       $u = mysql_real_escape_string($uersname);
       $p = mysql_real_escape_string($password);

$query = sprint_f("SELECT * FROM users WHERE username = '%s' AND password = '%s'", $u, $p);	
$send = mysql_query($query) or die('sorry, there was an error in your query');
 // now check for the user, and check it is only 1 user
        if ($send && (mysql_num_rows($send) === 1)) {
	  echo "User Confirmed";
	}
}

Most of that is to protect yourself from hacking.

Since a login is username and password match then that is what you should query for. It is not a usefull idea to check the user exists and then find the password is wrong; the temptation is then to give a message like 'wrong password' which just confirms to a hacker that the username exists and they only have to find the password.

MrPotatoes

oh yes. i didn't see that. i'm checking usr/pwd at the same time.

whoops

brdnwi

awesome, worked. thanks guys