login form

steveDD

Ok,
This is my login script that runs from my form login.html. --> checkcorplogin.php

<?php
$host="LOCALHOST"; // Host name 
$username="USERNAME"; // Mysql username 
$password="PASSWORD"; // Mysql password 
$db_name="DBNAME"; // Database name 
$tbl_name="table1"; // Table name 


mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");


$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = sha1($myusername);
$mypassword = sha1($mypassword);

$sql = "SELECT * FROM `onlineoffers` WHERE username='$myusername' and password='$mypassword'"; 
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
$_SESSION['myusername'] = $myusername; 
$_SESSION['mypassword'] = $mypassword; 
header("location:corparea.php");
}
else {
echo "Wrong Username or Password";

}
?>

The problem is when I submit the form it always goes to the wrong username/password page even though I have entered a valid one.

I am looking for the username and password in a table called onlineoffers There is also other information contained within it. It has myusername and mypassword is that correct as it is only called username and password in the DB.

Getting annoyed, not getting any errors just not getting to my corparea.php page.

Steve

MitchEvans

You are choosing the tablename at the top of the coding for some reason "table1"
Also try posting your username and password to corparea.php and make sure they are picking it up. Take out the if to make sure it can go to that page also, corparea.php.

Also try putting the php tags before and after your header code <?php header.... ?>

bradgrafelman

And why are you taking the [man]sha1/man hash of the username??

Krik

You are loging them into checkcorplogin.php and then sending them to a new page corparea.php that they are not logged into.

For every page that loads you must have some form of verifying who they are, hence the usage of sessions. The $_SESSION['myusername'] stores their user name. And every page that loads must check that information and see if it is valid and then preform actions based on wether it is valid or not.

This isn't quite the same as the login validation as you are not checking to see if there information is correct. All that is need is for you to check that the $_SESSION['myusername'] is set

if(isset($_SESSION['myusername']){

//open the table and retrieve related data

{

I usualy also store user permisions in the $_SESSIONS[] array and then load various other parts of the page if they have the correct user permissions as it corespondese to those other parts. That is a bit more advanced than what you are doing but it gives you some of idea of your options.

To avoid alot of duplicate code I recomend that you build the code for checking the $_SESSIONS[] information and just make it an include at the top of every page. It is usually a good idea to start your session in that include as well you can open your database there as all that needs to be done for every page that loads.

steveDD

bradgrafelman;10881487 wrote:
And why are you taking the [man]sha1/man hash of the username??

I was told to use Sha1 what should I do instead?

I did a form which works very similar execpt there are only username and password in the table and this works fine. I cannot understand why it is now not working, has it got something to do with all the other data contained within the DB. I am getting really frustrated with it 🙁

my other code that works fine, this doesn't include ther sha1 stuff. (I have even tried just changing the table name and the page I want it to direct me to but everytime I get wrong password.

mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");


$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 


$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);


$count=mysql_num_rows($result);


if($count==1){

session_register("myusername");
session_register("mypassword"); 
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";

}
?>

Krik

Standard practice is to only use encryptoin on passwrods. While you could do both it is a bit of over kill.

But in light of the topic a thought hit me. If you are converting both to SHA1 and then checking the database for a match. The question is are the username and password stored in the database as SHA1. If not there will be no match and that could cause problems.

steveDD

right they are not stored in the DB as Sha1 can I amend that?

Krik

yes.

The following code just copy into a new file and then run it form the browser. The concept is real simple just loop through all the records and set a variable to each columns value and then use the UPDATE query to set the new value of the data using the old data.

$query = "SELECT * FROM `onlineoffers`";

$query_res = mysql_query($query) or die(mysql_error());

while ($query_row = mysql_fetch_row($query_res)) {
list( $username, $password, $other_columns, $other_columns) = $query_row;

$update_qry = "UPDATE `onlineoffers` SET `password` = SHA1($password) WHERE `username` = $username LIMIT 1";

$res_update = mysql_query($update_qry) or die(mysql_error());

}

Make sure you list all the columns in the "list" or it will make a mess. As well if you are not sure it will work I highly recommend you backup the database first as that code will attempt to edit all the records in the onlineoffers table. And if something is wrong in the code it could mess up alot of data.

Also if you have a database administation program on your web server like phpmyadmin you may be able to just open the individual records and set it to an SHA1 in there saving you the potential mistake.

steveDD

I thiink I may have to throw my towel in on this one. I am finding it far to difficult. :-( thanks for your help though....

Steve

bradgrafelman

There's really no need to loop through each username, just execute one single query:

UPDATE onlineoffers SET password = SHA1(password)

Krik

Maybe I should suggest a tutorial.

I know most the questions you have asked as well as some coding technic issues could all be more easily remedied by finding some good tutorials.

Try searching for tutorials on login permissions or wesite security permissions and session management. As well look up best php coding practices and the top 10 coding mistakes.

There a few on phpbuilder.com/columns. But even beyond them there are tons of good ones all over the internet.

It helps to get your foundation right first and from there things get real easy.

Krik

bradgrafelman;10881675 wrote:
There's really no need to loop through each username, just execute one single query:
UPDATE onlineoffers SET password = SHA1(password)

That is true. You get so accustomed to having to edit and resubmiting the data that you forget that there is a simple way to do it fairly quickly.

steveDD

So below is my code what do I need to do to this to make it work in my database? The table is called onlineoffers it has 12 fields on each row and username is the 3rd field and password is the 4th. Could this be why it is finding the error?

mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");


$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 


$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);


$count=mysql_num_rows($result);


if($count==1){

session_register("myusername");
session_register("mypassword"); 
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";

}
?>