php MySQL - login problems

lycanthropy · Mar 24, 2006

Hey,
I am a newbie, trying to produce a login form which will compare the user name and password entered by the user to a database in MySQL which contains a user name and password previously entered in a registration form. At the moment i have code which allows users to pass through to the 'members section' however.. it will allow a user with an invalid password to enter.. here is the code for the login html and php as i have written it:

<html>

<head>

</head>

<body>

<h1> Please enter your password to use member only facilities: </h1>

<br>Password: <input type = "password" name = "password">
<font color="black">*</font><br>

<li><a href = "register.html">Register Free!!</a></li>

<?php
$connection = mysql_connect("sentinel.cs.cf.ac.uk","scm5sjc",
"MY PASSWORD HERE");

$password=$POST['password'];
$user_name=$POST['user_name'];
$errorMessage = '';

mysql_select_db("sjcdb",$connection) or die("failed!");

if ($row) {

if ($password == $row[9]){

header("Location:members.html");
}

else {

$errorMessage = 'Sorry, wrong user id / password';
echo $errorMessage;
}

}
mysql_close();

?>

</body>

</html>

Any help would be great, cheers

bbreslauer · Mar 24, 2006

There's no MySQL query here, how are you getting the data out of the database?

lycanthropy · Mar 24, 2006

<html>

<head>

</head>

<body>

<h1> Please enter your password to use member only facilities: </h1>

<br>Password: <input type = "password" name = "password">
<font color="black">*</font><br>

<li><a href = "register.html">Register Free!!</a></li>

<?php

$connection = mysql_connect("sentinel.cs.cf.ac.uk","scm5sjc",
"my password here");

$password=$_POST['password'];
$errorMessage = '';

mysql_select_db("sjcdb",$connection) or die("failed!");

//keeb additions

$query = "select * from users";

$result = mysql_query($query);

$row = mysql_fetch_array($result)

// end keeb additions..

if ($row) {
    if ($password == $row[9]){
    header("Location:members.html");
} else { 
    $errorMessage = 'Sorry, wrong user id / password'; 
    echo $errorMessage;
}

?>

</body>

Sorry, here is the query.. the password is in row 9 of the database..

obsidian · Mar 24, 2006

you're only selecting the first record in the database. what you want to do is query for the row with the username and password they submitted. if you get a matching row, they're valid, but if nothing returns, they're not:

<?php
$sql = mysql_query("SELECT * FROM users WHERE username = '$_POST[user]' AND password = '$_POST[password]'");

if (mysql_num_rows($sql) == 1) {
  // they have a valid login
} else {
  // invalid
}
?>

chayanvinayak · Mar 25, 2006

you have not written any query to check the database whether the userid and password is correct or not. first run query and then check the row returned by the query . If query return any row that means u & p is correct else false

lycanthropy · Mar 25, 2006

thanks for that, sorry for the basic errors.. it know works.. well, loads! the user can still enter with an invalid password. I have adopted the code so that it should either go through to the members section if valid or to the register page if invalid.. can you see any errors? heres the new code:

<h1> Please enter your password to use member only facilities: </h1>

<br>Password: <input type = "password" name = "password">
<font color="black">*</font><br>

<li><a href = "register.html">Register Free!!</a></li>

<?php

$connection = mysql_connect("sentinel.cs.cf.ac.uk","scm5sjc",
"password");
$password=$_POST['password'];

mysql_select_db("sjcdb",$connection) or die("failed!");

//keeb additions

$sql = mysql_query("SELECT * FROM users WHERE password = '$_POST[password]'");

if ($password == $row[9]){
// they have a valid login
header("Location:members.html");
} else {
// invalid
header("Location:register.html");
}
$result = mysql_query($query);

$row = mysql_fetch_array($result)

?>

</body>

</html>

chayanvinayak · Mar 25, 2006

try this code :

<h1> Please enter your password to use member only facilities: </h1>

<br>Password: <input type = "password" name = "password">
<font color="black">*</font><br>

<li><a href = "register.html">Register Free!!</a></li>

<?php

$connection = mysql_connect("sentinel.cs.cf.ac.uk","scm5sjc",
"password");
$password=$_POST['password'];

mysql_select_db("sjcdb",$connection) or die("failed!");

//keeb additions

$sql = mysql_query("SELECT * FROM users WHERE password = '$_POST[password]'");

if ($sql && @mysql_num_rows($sql)){
// they have a valid login
header("Location:members.html");
} else {
// invalid
header("Location:register.html");
}
$result = mysql_query($query);

$row = mysql_fetch_array($result)

?>

</body>

</html>

lycanthropy · Mar 25, 2006

cheers for the help.. unfortuantly it didn't work the user can still enter with an incorrect password. do i need to have the form page on a different one that the php code?? because the form direction is too 'members.html' so when they enter their information, they are automatically taken to the specific page without any error checking. is this where i am going wrong do you feel??

i have used the same code as above so there are no changes to show you, thanks for any response.

rincewind456 · Mar 25, 2006

It's because your doing your comparison before your doing the query. This may work better.

<?php

$connection = mysql_connect("sentinel.cs.cf.ac.uk","scm5sjc","password");

$password=$_POST['password'];

mysql_select_db("sjcdb",$connection) or die("failed!");

//keeb additions

$sql = mysql_query("SELECT * FROM users WHERE password = '$password'"); 

$result = mysql_query($query);

$num_rows = mysql_num_rows($result);

if ($num_rows >0){
// they have a valid login 
header("Location:members.html");
} else { 
// invalid 
header("Location:register.html");
} 

?>

It's not much of a check though just checking the password.

lycanthropy · Mar 25, 2006

cheers, i was hoping to get some kind of error checking working before i go on to ask for the username as well (which is already stored in the mySQL database). It still doesnt seem to work properly.. i will keep trying different pieces of code however..
cheers for your help
steve

rincewind456 · Mar 25, 2006

If it's not working then use some error checking by changing the line

$result = mysql_query($query);

to

$result = mysql_query($query)or die(mysql_error());

to see if the query is failing.

lycanthropy · Mar 25, 2006

i have added error checking and the message "Query was empty" appears, im sorry but does this ring a bell? im new so thank you for all your help over this thread.
steve

rincewind456 · Mar 26, 2006

I've not seen it before, but it is a Mysql Error, No 1065 if your interested.

I also notice that it's my code that has caused the problem. Change this

$result = mysql_query($query)or die(mysql_error());

to this

$result = mysql_query($sql)or die(mysql_error());

and it should work a bit better now.

lycanthropy · Mar 26, 2006

ive changed alot of the code around now, trying to get it to work! now, the code seems to block unauthoried users but doesnt let in legit users. My user name and password are in row 9 and 10 of my sql database. ive tried to comment as much as possible.

Code:
<?php

$auth = false; // Assume user is not authenticated

if (isset( $user_name ) && isset($password)) {

// Connect to MySQL 

mysql_connect( 'sentinel.cs.cf.ac.uk', 'scm5sjc', 'PASSWORD' ) 
    or die ( 'Unable to connect to server.' ); 

// Select database on MySQL server 

mysql_select_db( 'sjcdb' ) 
    or die ( 'Unable to select database.' ); 

// Formulate the query 

$sql = "SELECT * FROM info WHERE 
        user_name = '$user_name' AND 
        password = '$password'"; 

// Execute the query and put results in $result 

$result = mysql_query( $sql ) 
    or die ( 'Unable to execute query.' ); 

// Get number of rows in $result. 

$num = mysql_numrows( $result ); 

if ( $num != 0 ) { 

    // A matching row was found - the user is authenticated. 

    $auth = true; 

}

}

if ( ! $auth ) {
echo 'Authorization Required.';
exit;

} else {

header("Location:members.html");
}

?>

Thank you for any help!
Steven

rincewind456 · Mar 26, 2006

Well, this new code (could you please enclose it in [ php] [/code] tags, remove the space between [ and php] to get it to highlight your code syntax) is entirely different and looks as though it comes from a fairly old source. It appeares to rely on having register_globals set to on, which is not a good idea.

So I have changed it to not require register_globals:

<?php

$auth = false; // Assume user is not authenticated

if (isset( $_POST['user_name'] ) && isset($_POST['password'])) {

//CLEAN UP THE INPUT
$user_name = mysql_real_escape_string(trim( $_POST['user_name'] ));
$password = mysql_real_escape_string(trim( $_POST['password'] ));

// Connect to MySQL


mysql_connect( 'sentinel.cs.cf.ac.uk', 'scm5sjc', 'PASSWORD' )
or die ( 'Unable to connect to server.' );

// Select database on MySQL server

mysql_select_db( 'sjcdb' )
or die ( 'Unable to select database.' );

// Formulate the query

$sql = "SELECT * FROM info WHERE
user_name = '$user_name' AND
password = '$password'";

// Execute the query and put results in $result

$result = mysql_query( $sql ) or die ( 'Unable to execute query.' );

// Get number of rows in $result.

$num = mysql_numrows( $result );

if ( $num != 0 ) {

	// A matching row was found - the user is authenticated.

	$auth = true;

}

}

if ( ! $auth ) {
	echo 'Authorization Required.';
	exit;

} else {


header("Location:members.html");
}
?>

php MySQL - login problems

Llycanthropy

Bbbreslauer

Llycanthropy

Oobsidian

Cchayanvinayak

Llycanthropy

Cchayanvinayak

Llycanthropy

Rrincewind456

Llycanthropy

Rrincewind456

Llycanthropy

Rrincewind456

Llycanthropy

Rrincewind456