Tryin 2 create login form and validate login & password. resouces not valid in fetch

numerical25

Im trying to create a login form that ask for login name and password. once submited, the form submits to the same page again but assigns the value 1 to the URL varible. An If statement gets the URL varible and begins to check if the login name and password is correct. See script below

Below starts a session. if the user session is not defined the display the login form.

<?php session_start(); ?>
	<?php if ( !isset($_SESSION['user'])){ ?>
	<table border="0" cellspacing="0" cellpadding="0">
	<form action="admin.php?admin=1" method="post">
  <tr>
    <td width="82">Login:</td>
    <td width="144"><input type="text" name="loginName" /></td>
  </tr>
  <tr>
    <td>Password: </td>
    <td><input type="password" name="password" /></td>
  </tr>
  <tr>
    <td>&nbsp;</td>
    <td><input type="submit" name="Submit" value="login" /></td>
  </tr>
  </form>
</table>
	<?php } ?>

As you can see from the top script. once the form is submited the value 1 is assigned to the URL varible admin. the below script checks to see if the URL admin ==1 if so then it creates a connection. Im using dreamweaver so dreamweaver creates a require_once to the document ok.php which connects to mySQL. the connection works. from then on Im not sure what I did wrong.

<?php if ($_GET['admin'] == 1){ ?>
	<div id="admin">
			<?php require_once('Connections/ok.php'); ?>
			<?php $query = "SELECT loginName, passWord
						FROM users
						WHERE passWord = '$_POST[password]'";
				  mysql_select_db(database_ok,$ok);
				  $results = mysql_query($query);
				  $check = mysql_fetch_assoc($results);
				  if (strcasecmp($check['loginName'],$_POST['loginName']) == 0 
				  		&& strcmp($check['passWord'],$_POST['password']) == 0) {
						echo "success";
						}else { echo "Wrong"; }
							?>
	</div>
	<?php }?>

In the end I get this error once I submit the form.

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in C:\www\apache\htdocs\admin.php on line 48
Wrong

anyone have any suggestions ??

NogDog

That error normally means your query was flawed in some way and MySQL was not able to process it. See if this helps:

$query = "SELECT loginName, passWord
                        FROM users
                        WHERE passWord = '{$_POST['password']}'";

To check for SQL syntax errors, try something like this when you execute the query to get some debug info:

$results = mysql_query($query) or die("Query failed ($query): " . mysql_error());

Lastly, inserting $_POST values directly into your query may leave you open to SQL injection attacks by hackers. You should take a look at the documentation for [man]mysql_real_escape_string[/man] to help reduce this risk.

numerical25

ok, I changed those now I get this error below

Query failed (SELECT loginName, passWord FROM users WHERE passWord = 'useradmin'): No database selected

Plus, what are the {$_POST['password']} <---brackets for ?? are they needed? cause i used them without it and still could send the varible value through. does it have anything to do with escaping the strings ???

what does escaping the strings do exactly? does it encrypt the text or hide letters into it or something?

NogDog

numerical25 wrote:
ok, I changed those now I get this error below

Query failed (SELECT loginName, passWord FROM users WHERE passWord = 'useradmin'): No database selected

The error message says it all: you have not (successfully) selected a database. If you are doing a mysql_select_db() in the Connections/ok.php file, then apparently it is not working. You can use the same pattern there to die() if it fails:

mysql_select_db('database') or die ("DB select failed: " . mysql_error());

Plus, what are the {$_POST['password']} <---brackets for ?? are they needed? cause i used them without it and still could send the varible value through. does it have anything to do with escaping the strings ???

It's called "complex variable notation" and is used to help the PHP parser know for sure where a variable name begins and ends when being used within a string. It's most often needed when using an array variable within a double-quoted string, where a quoted string literal is being used for the array index. (Not quoting the index might work, but is incorrect coding practice and has a possibility of causing certain difficult to locate bugs.)

what does escaping the strings do exactly? does it encrypt the text or hide letters into it or something?

The mysql_real_escape_string() function will escape certain characters so that they are treated as normal characters rather than any special meaning they might have in SQL. If you don't do this, a hacker might do something like sending the value:

password';DELETE FROM users WHERE password LIKE '%

Then if you put that directly into your query, you'd end up with:

SELECT loginName, passWord
   FROM users
   WHERE passWord = 'password';DELETE FROM users WHERE password LIKE '%'

Next thing you know, your users table is empty. :eek:

bradgrafelman

Why have PHP check if the usernames are a match? Why not just add that as a second condition in your query's WHERE statement?
Once you do that, all you'd need to do is check if [man]mysql_num_rows/man returned 0 or not.

Piranha

NogDog wrote:
(Not quoting the index might work, but is incorrect coding practice and has a possibility of causing certain difficult to locate bugs.)

That is in fact not true according to [man]string[/man] in the manual. Inside strings you should not use ' signs for array variables unless you use the complex variable notation that you mention.

I would suggest that you get into the habit of using the complex variable notation, it is cleaner coding.

NogDog

Piranha wrote:
That is in fact not true according to [man]string[/man] in the manual. Inside strings you should not use ' signs for array variables unless you use the complex variable notation that you mention.

I would suggest that you get into the habit of using the complex variable notation, it is cleaner coding.

Huh? Perhaps I did not make myself clear, but that is what I was saying: $foo[bar] is incorrect (though it might work in some situations), so if using the correct $foo['bar'] with quoted array index within a quoted string, then you need to use complex notation (or else string concatenation).

numerical25

Ok ok, I now got it all to work almost. This is how my coding is now set up..

Now for some reason, If I submit a blank form. I get a success. If i submit anything else regardless if its the right password or not, I get a failure. Im starting to think that the varible wasnt carrying no value. But after i fetch the value $check['loginName'] I echo the varible and I get this...

Resource #4

Im a little confused

<?php session_start(); ?>
	<?php if ( !isset($_SESSION['user'])){ ?>
	<table border="0" cellspacing="0" cellpadding="0">
	<form action="admin.php?admin=1" method="post">
  <tr>
    <td width="82">Login:</td>
    <td width="144"><input type="text" name="loginName" /></td>
  </tr>
  <tr>
    <td>Password: </td>
    <td><input type="password" name="password" /></td>
  </tr>
  <tr>
    <td>&nbsp;</td>
    <td><input type="submit" name="Submit" value="login" /></td>
  </tr>
  </form>
</table>
	<?php } ?>

<?php if ($_GET['admin'] == 1){ ?>
	<div id="admin">


		<?php echo $_POST[loginName];
		require_once('Connections/ok.php');
		mysql_select_db($database_ok,$ok);
		$query = "SELECT loginName, passWord
					FROM users
					WHERE passWord = '$_POST[loginName]'";

$results = mysql_query($query) or die("Query failed ($query): " . mysql_error());
echo $results;
$check = mysql_fetch_assoc($results);


			  echo $check['loginName']." ".$check['passWord'];
			  if (strcasecmp($check['loginName'],$_POST['loginName']) == 0 
			  		&& strcmp($check['passWord'],$_POST['password']) == 0) {
					echo "success";
					}else { echo "failed"; }
						?>
</div>
<?php }?>

rr1024

A simple fix might be to do something like this or you can use strlen($_POST[loginName] ) > 0 kind thing

However, I would listen to NogDog...because sql injection happens quite often

also you may consider some error coding....return some message if the post is empty or value is not what you expect like a-zA-Z0-9 ect....


<?php if ($_GET['admin'] == 1 AND !EMPTY( $_POST[loginName] ) ){ ?>

numerical25

I figured it out!!

<?php if ($_GET['admin'] == 1){ ?> 
    <div id="admin"> 


        <?php echo $_POST[loginName]; 
        require_once('Connections/ok.php'); 
        mysql_select_db($database_ok,$ok); //<-------$database_ok use to be database_ok
        $query = "SELECT loginName, passWord 
                    FROM users 
                    WHERE passWord = '$_POST[loginName]'"; //<--where passWord = '$_POST[loginName]' ???????? should be Where loginName = '$_POST['loginName']

$results = mysql_query($query) or die("Query failed ($query): " . mysql_error()); 
echo $results; 
$check = mysql_fetch_assoc($results); 


              echo $check['loginName']." ".$check['passWord']; 
              if (strcasecmp($check['loginName'],$_POST['loginName']) == 0 
                      && strcmp($check['passWord'],$_POST['password']) == 0) { 
                    echo "success"; 
                    }else { echo "failed"; } 
                        ?> 
</div> 
<?php }?>

And what rr 1024 was saying. I put some control over empty forms... Plus I put brackets in my query like NogDog said, thanks alot, appreciate the help everyone

bradgrafelman

This:

echo $results;

is where you're going to see a "Resource #n" message.

Then again, I don't know why I'm explaining this since you're obviously ignoring the rest of our comments (SQL injection, adding username to WHERE clause, etc.).

I suppose there's no use in trying as you'll just ignore them, but I might as well mention another SQL optimization tip: Since there's really only one row you're interested in, you should add a "LIMIT 1" clause to the end of your query.

Piranha

NogDog wrote:
Huh? Perhaps I did not make myself clear, but that is what I was saying: $foo[bar] is incorrect (though it might work in some situations), so if using the correct $foo['bar'] with quoted array index within a quoted string, then you need to use complex notation (or else string concatenation).

Obviously I didn't make myself clear, I should have pasted from the manual:

// These examples are specific to using arrays inside of strings.
// When outside of a string, always quote your array string keys
// and do not use {braces} when outside of strings either.

// Let's show all errors
error_reporting(E_ALL);

$fruits = array('strawberry' => 'red', 'banana' => 'yellow');

// Works but note that this works differently outside string-quotes
echo "A banana is $fruits[banana].";

// Works
echo "A banana is {$fruits['banana']}.";

// Works but PHP looks for a constant named banana first
// as described below.
echo "A banana is {$fruits[banana]}.";

// Won't work, use braces.  This results in a parse error.
echo "A banana is $fruits['banana'].";

// Works
echo "A banana is " . $fruits['banana'] . ".";

In other words, outside a string use

$value = $array['name'];

But inside a string use one of the following

echo "The value is $array[name]";
echo "The value is {$array['name']}";
echo "The value is " . $array['name'];

The following won't work however

 echo "The value is $array['name']";

NogDog

Piranha wrote:
Obviously I didn't make myself clear, I should have pasted from the manual:
...
But inside a string use one of the following
echo "The value is $array[name]";
echo "The value is {$array['name']}";
echo "The value is " . $array['name'];
...

Well, using that first example is in direct contradiction with the "Why is $foo[bar] wrong? section of the Arrays page. But I guess that's what you get when both the manual and the language itself is created by committee. 😉

laserlight

Well, using that first example is in direct contradiction with the "Why is $foo[bar] wrong? section of the Arrays page.

No, there is no contradiction. Look carefully at the "More examples to demonstrate this fact:"

// The following is okay as it's inside a string.  Constants are not
// looked for within strings so no E_NOTICE error here
print "Hello $arr[fruit]";      // Hello apple

Piranha

To bad that you are not reading the manual page that you provide as a link NogDog. :p Just RTFM next time. :p No offence m8, just fun to say it to someone that are a better developer.

Below the example lasersight quote here is the following example:

// This will not work, results in a parse error such as:
// Parse error: parse error, expecting T_STRING' or T_VARIABLE' or T_NUM_STRING'
// This of course applies to using superglobals in strings as well
print "Hello $arr['fruit']";
print "Hello $_GET['foo']";

Which shows that it is actually wrong to use apostrofes in arrays in strings.

laserlight

Well, I suppose NogDog might be referring to the statement:
"You should always use quotes around a string literal array index."

Though the explanation right after that makes it clear that it is true since code that do not follow that advice would have an undefined constant. However, the string literal array index of an array in a quoted string is not an undefined constant, so it would be at worst an exception to the rule.

NogDog

OK, you've convinced me. I missed that one sentence. Guilty as charged. But please, do not ever throw a "RTFM" at me. Believe me, I read it, and I always go there first when I have a question. In this case I missed one small detail that did not register with my brain. But please do not insult me again with a "RTFM".

PS: I do appreciate you taking the time to pound it into my thick skull until I finally got it, though. :p

Piranha

No offence ment with it, was ment as a joke. Obviously it wasn't a good joke, it won't happen again.

NogDog

No worries: it's mostly just me being too sensitive, and probably upset by realizing I was wrong -- something that happens so rarely I don't know how to deal with it (I wish!).

Piranha

But I have to say that it is a really strange way of handling programming, using one way everywhere with one exception where there is no use for an exception. It would have been better to have to use the curly braces and generate an error if it's not used, it would avoid the confusion.