First Login Script - Dead... Nothing Happens

44trippled

I've created my first secure login script for my web site, at http://www.silvagroup.ca/equipmentdata/login.php. I have a mysql connection to a test database. At least, I think I have the connection. I verified the host and user parameters with my web hosting company. Anyway, when I enter either a legitimate user name and password from my Member table, or a fake name and password, nothing happens. Not even the warning messages. If the login works properly, I am supposed to be directed to another page through a header call. I'm a total rookie. I don't know what's going on. Am I allowed to post code in this forum?

laserlight

Yes, you can post code on this forum if you have the authority to do so (and since you wrote it for yourself, you do). However, try and post the smallest and simplest script that demonstrates the problem, and remember to remove sensitive information like login credentials.

44trippled

<?php
/ Program: Login.php
Desc: Login program for Members Only section of
the equipment database. It provides one option:
(1) login using an existing Login Name.
*/
?>

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Login</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="network 1111, default">
</head>

<body>

<h1><a href="../default.htm">
<img border="0" src="../_borders/LOGO.jpg" width="97" height="79"></a> <font color="#669999">
<a href="../default.htm">SILVA CONSULTANCY GROUP</a> </font> </h1>

<h2><a href="equipdataserv.htm">Equipment Data Services</a></h2>

<?php
/ Program: Login.php
Desc: Login program for the Members Only section of
the equipment database. Login Names and
passwords are stored in a MySQL database.
*/
session_start(); # 9
include("dogs.inc"); #10
include("login_form.inc");

 $cxn = mysqli_connect($host,$user,$password,$dbname) 
        or die ("Couldn't connect to server.");    #15

 $sql = "SELECT LoginName FROM Member 
         WHERE LoginName='$_POST[fusername]'";     #18
 $result = mysqli_query($cxn,$sql)
           or die("Couldn't execute query.");      #20
 $num = mysqli_num_rows($result);                  #21
 if ($num > 0)  // login name was found            #22
 {
    $sql = "SELECT LoginName FROM Member 
            WHERE LoginName='$_POST[fusername]'
            AND password=md5('$_POST[fpassword]')";
    $result2 = mysqli_query($cxn,$sql)
               or die("Couldn't execute query 2.");
    $num2 = mysqli_num_rows($result2);
    if ($num2 > 0)  // password is correct         #30
    {
       $_SESSION['auth']="yes";                    #32
       $logname=$_POST['fusername']; 
       $_SESSION['logname'] = $logname;            #34
       $today = date("Y-m-d h:i:s");               #35
       $sql = "INSERT INTO Login (LoginName,loginTime)
               VALUES ('$logname','$today')";
       $result = mysqli_query($cxn,$sql) 
                 or die("Can't execute insert query.");
       header("Location: members_only.htm");        #40
    }
    else    // password is not correct             #42
    {
       $message="The Login Name, '$_POST[fusername]' 
                 exists, but you have not entered the 
                 correct password! Please try again.<br>";
       include("login_form.inc");                  #47
    } 
 }                                                 #49
 elseif ($num == 0)  // login name not found       #50
 {   
    $message = "The Login Name you entered does not 
                exist! Please try again.<br>";
    include("login_form.inc");
 }

</body>

</html>

rulian

first, add this to the top of your php
ini_set('error_reporting', E_ALL);

this will turn on error reporting
run that and post any errors that come up.

I see a couple of big no-no's alot of beginners make like putting in user submmited data straight into a query without filtering it. We'll talk about data handling and sql injections, but first lets see them errors

big_nerd

You can also add:

// Existing..
$result = mysqli_query($cxn,$sql)
// Add this
if (!$result || !is_resource($result)) {
 echo "Error: ".mysqli_error();
}

Try that, if there is an SQL error this will tell you...

bradgrafelman

Your main problem is that you output data before you call [man]session_start/man. As the manual states, you can not output any data before calling this function.

44trippled

session_start(); # 9
?>

<body>

<h1><a href="../default.htm">
<img border="0" src="../_borders/LOGO.jpg" width="97" height="79"></a> <font color="#669999">
<a href="../default.htm">SILVA CONSULTANCY GROUP</a> </font> </h1>

<h2><a href="equipdataserv.htm">Equipment Data Services</a></h2>

<?php
ini_set('error_reporting', E_ALL);
include("dogs.inc"); #10
include("login_form.inc");

 $cxn = mysqli_connect($host,$user,$password,$dbname) 
        or die ("Couldn't connect to server.");    #15

 $sql = "SELECT LoginName FROM Member 
         WHERE LoginName='$_POST[fusername]'";     #18
 $result = mysqli_query($cxn,$sql)
           or die("Couldn't execute query.");      #20
if (!$result || !is_resource($result))
	echo "Error: ".mysqli_error();
 $num = mysqli_num_rows($result);                  #21
 if ($num > 0)  // login name was found            #22
 {
    $sql = "SELECT LoginName FROM Member 
            WHERE LoginName='$_POST[fusername]'
            AND password=md5('$_POST[fpassword]')";
    $result2 = mysqli_query($cxn,$sql)
               or die("Couldn't execute query 2.");
    if (!$result || !is_resource($result))
		echo "Error: ".mysqli_error();
    $num2 = mysqli_num_rows($result2);
    if ($num2 > 0)  // password is correct         #30
    {
       $_SESSION['auth']="yes";                    #32
       $logname=$_POST['fusername']; 
       $_SESSION['logname'] = $logname;            #34
       $today = date("Y-m-d h:i:s");               #35
       $sql = "INSERT INTO Login (LoginName,loginTime)
               VALUES ('$logname','$today')";
       $result = mysqli_query($cxn,$sql) 
                 or die("Can't execute insert query.");
       if (!$result || !is_resource($result))
			echo "Error: ".mysqli_error();
       header("Location: members_only.htm");        #40
    }
    else    // password is not correct             #42
    {
       $message="The Login Name, '$_POST[fusername]' 
                 exists, but you have not entered the 
                 correct password! Please try again.<br>";
       include("login_form.inc");                  #47
    } 
 }                                                 #49
 elseif ($num == 0)  // login name not found       #50
 {   
    $message = "The Login Name you entered does not 
                exist! Please try again.<br>";
    include("login_form.inc");
 }

</body>

</html>

44trippled

<?php
/ Program: Login.php
Desc: Login program for the Members Only section of
the equipment database. Login Names and
passwords are stored in a MySQL database.
*/
session_start(); # 9
?>