username/password

coldwerturkey

I'm working on a website, its a simple cms site, basically cut and paste from w3schools.com..

I need a login page for an admin section, I copied it from a cms system I bought from a guy, but am having troubles getting it to work on mine.

heres the error:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/content/c/o/l/coldwerturkey/html/login.php on line 65

Warning: Cannot modify header information - headers already sent by (output started at /home/content/c/o/l/coldwerturkey/html/login.php:65) in /home/content/c/o/l/coldwerturkey/html/login.php on line 73

& heres the code (login.php) (everything to do with the admin part (add, edit, etc) and login are all in this one page):

<?php
new adminpage;
global $DATA, $_SESSION;
class adminpage {
	function adminpage() {
        global $DATA, $_SESSION;
        session_start();
        $connect = mysql_connect("***","***","***");
        mysql_select_db($DATA['coldwerturkey'],$connect);
        if($_SESSION['loggedin'] != '1' AND $_GET['code'] != '00' AND $_GET['code'] != '01') {
            header("Location: login.php?code=00");
        }
        if($_SESSION['loggedin'] == '1' AND $_GET['code'] == '') {
            header("Location: login.php?code=02");
        }
        //Print starting html
        if($_GET['code'] != '01' AND $_GET['code'] != '99') {
                $mainoutput = "<html><head></head><body>
							   <a href='login.php?code=99'>Logout</a>";
        }
        echo $mainoutput;
        switch($_GET['code']){
            case '00':
                $this->login();
            break;
            case '01':
                $this->dologin();
            break;
            case '02':
                $this->main();
            break;
            case '99':
                $this->logout();
            break;
        }
        echo "</body></html>";
    }   




function login(){
global $_SESSION, $DATA;
    //Are you logged in?
    if($_SESSION['loggedin'] == '1') {
        header("Location: login.php?code=02");
    }
    //Login form
    $lout = "<form method='POST' action='login.php?code=01'>Username:<input type='text' name='username'>
            Password:<input type='password' name='password'><input type='submit' value='Login'></form>";
    echo $lout;
}

function dologin(){
global $_SESSION, $DATA;
    $error = '0';
    //Check if form was filled
    if($_POST['username'] == '' OR $_POST['password'] == '') {
        $error = '1';
    }
    //Parse password
    $pass = md5($_POST['password']);
    //Check if credentials are good
    $check = mysql_query("SELECT password FROM blog_admin WHERE username = '{$_POST['username']}'");
    $user = mysql_fetch_array($check); //<<<<<<<< line 65 #####################
    if($user['password'] != $pass) {
        $error = '1';
    }
    if($error == '0') {
        $_SESSION['loggedin'] = '1';
        header("Location: login.php?code=02");
    } else {
        header("Location: login.php?code=00"); //<<<<<<<<<<<line 73 ###################
    }
}

function main($msg="") {
global $_SESSION, $DATA;
    if($_SESSION['loggedin'] != '1') {
        $_SESSION['loggedin'] = '0';
        $this->login();
    } else {
        //Print input form
        if($msg != "") {
            $mout = "{$msg}";
        }
        $mout .= "Content seen when logged in";
        echo $mout;
    }

}

function logout() {
global $_SESSION;
    $_SESSION['loggedin'] = 0;
    session_destroy();
    header("Location: login.php");
}            
}
?>

Anyone know why I'm getting these errors?

bradgrafelman

Well the second error is caused by the first (the "output" is the PHP error message).

As for the first error, something wen't wrong with the SQL query in the dologin() function. When debugging SQL queries, it's always helpful to have the error message returned by the SQL server, so I normally debug them like so:

$query = 'SELECT foo FROM bar...'; // place query in a variable
$exec = mysql_query($query) or die('MySQL error: ' . mysql_error() . "<hr>Query: $query");

Post back and let us know what the MySQL error is, as well as the query that was executed.

coldwerturkey

thank you for your fast response, this is the MySQL error:

MySQL error: No database selected

Query: SELECT password FROM blog_admin WHERE username = 'admin'

("admin" being my username)

I'm assuming that means exactly what its saying.. **goes over code thoroughly

edit: the database wasn't selected, I had it still selecting from a external page.. thank you so much for the help.

I have one more question though, as far as security goes, how does this code rank? Its for a small site, almost no one knows it exists and it doesn't hold any important information, just run of the mill site content.

Kudose

Change

$connect = mysql_connect("***","***","***");
        mysql_select_db($DATA['coldwerturkey'],$connect);

$connect = mysql_connect("***","***","***") or die('Could not authenticate with the database server');
        mysql_select_db($DATA['coldwerturkey'],$connect) or die('Could not select the database');

And yes, that error is generated because PHP couldn't select the database.

coldwerturkey

thank you so much.

besides the still pending question about its security, what did I do wrong that doesnt allow it to work properly on an apache server? It worked fine on my linux server that I use for my site, but not on my localhost apache server I keep on getting an error on lines 10 and 11? and what debugging can I use to solve it...

Warning: Cannot modify header information- headers already sent by (output started at /Users ... /login.php:10) in /Users ... /login.php on line 11

Lines 8-14 are

$connect = mysql_connect("localhost","","") or die('Could not authenticate with the database server');  //8
        mysql_select_db("entrys",$connect) or die('Could not select the database');                   //9
        if($_SESSION['loggedin'] != '1' AND $_GET['code'] != '00' AND $_GET['code'] != '01') { //10
            header("Location: login.php?code=00");        //11
        } //12
        if($_SESSION['loggedin'] == '1' AND $_GET['code'] == '') { //13
            header("Location: login.php?code=02");  //14
        } //15

Kudose

You're getting that error because something before you're call to header or session_start is sending content to the browser ... maybe because an error occurred.

Please post line 1-40 of login.php

coldwerturkey

but shouldnt I be getting the same error on my linux server?

<?php
new adminpage;
global $DATA, $_SESSION;
class adminpage {
	function adminpage() {
        global $DATA, $_SESSION;
        session_start();
        $connect = mysql_connect("localhost","","") or die('Could not authenticate with the database server');
        mysql_select_db("coldwerturkey",$connect) or die('Could not select the database');
        if($_SESSION['loggedin'] != '1' AND $_GET['code'] != '00' AND $_GET['code'] != '01') {
            header("Location: login.php?code=00");
        }
        if($_SESSION['loggedin'] == '1' AND $_GET['code'] == '') {
            header("Location: login.php?code=02");
        }
        //Print starting html
        if($_GET['code'] != '01' AND $_GET['code'] != '99') {
                $mainoutput = "<html><head></head><body> "; 
				    if($_GET['code'] == 02) {
				    	  echo "<a href='login.php?code=99'>Logout</a>"; 
				     } else {
				   	  echo "";
				     }  

        }
        echo $mainoutput;
        switch($_GET['code']){
            case '00':
                $this->login();
            break;
            case '01':
                $this->dologin();
            break;
            case '02':
                $this->main();
            break;
            case '03':
                $this->donew_entry();
            break;
            case '99':
                $this->logout();
            break;
        }
        echo "</body></html>";
    }

Kudose

In theory, yes. In reality, not always. There are configuration options that could be causing the issue.

One of your mysql_* calls must be generating an error and not dieing like it is supposed to. Something above line 11 ...

coldwerturkey

so what do I do to have it work on both servers?

could it be that when I installed phpmyadmin for mysql locally (on apache) I remember not configuring anything at all, just leaving all the fields blank?

Kudose

You're getting a no database selected message which tells me you're authenticating, but you can't use the database. Until I scrolled up to see the username you are using, which is none. Try setting the username to root, even on a windows box.

If that doesn't work, figure out a valid username and password combination and make sure that user has access to the database you're trying to select.

coldwerturkey

my local apache server (which is giving me the error Warning: Cannot modify header information- headers already sent by (output started at /Users ... /login.php:10) in /Users ... /login.php on line 11) mysql works fine. I used the exact same connection to put the scripts username/password on the database, along with all the stuff for the site.

(Just to verify what the problem is (I know I'm quite bad at explaining myself); The login.php script now works fine on my godaddy.com linux server, but on my macbook's local apache server, I'm getting the error bolded above. I know its not a mysql error because I've used the same connection 100 times to do 100s of different things with the database)

& thanks again for all your help so far