[RESOLVED] headers

serg91

I have trying to figure this out for a while now with no avail. I am completely stumped on this. When I hit enter I get this:

Array ( [username] => admin [password] => admin [login] => Login ) . but from there its supposed to take me to the admin page if using the admin login and password. and to a news page if its anyone else.

my code to the form and the login val.


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
</body>
      <form action="loginval.php" method="post" name="login">
        <table>
          <tr>
            <td>Username: </td>
            <td><input type="text" name="username"/></td>
          </tr>
          <tr>
            <td>Password: </td>
            <td><input type="password" name="password"/></td>
          </tr>
          <tr>
            <td></td>
            <td align="center"><input type="submit" name="login" value="Login"/></td>
          </tr>
        </table>
      </form>
</html>

then the loginval.php file.

<?php
ini_set('display_errors', 1); // change to 0 for production version
error_reporting(E_ALL); 

$success = true;
$message ='';
print_r($_POST);
$username = $_POST['username'];
$password = $_POST['password'];


if($username =='')	{
	$success = false;
	$message .= 'Please enter your username';
}

if($password == '')	{
	$success = false;
	$message .= 'Please enter your password';
}

if($success)	{
	$db = mysql_connect('localhost', 'root', '********');

	if($db)	{
		mysql_select_db("TREllis");
				$sql = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'";
				$res = mysql_query($sql);

	if ($res && mysql_num_rows($res) >0){


					if(($username == "admin") && ($password == "admin")) {
								$row = mysql_fetch_assoc($res);
								$_SESSION['logged_in'] = true;
								$_SESSION['username'] = $row['username'];
								header("Location: adminpage.php");

					}	else	{

						 if(mysql_num_rows($res) > 0){
									$row = mysql_fetch_assoc($res);
									$_SESSION['logged_in'] = true;
									$_SESSION['username'] = $row['username'];
									header("Location: news.php");
									}else{
									$success = false;
									$message .= "Incorrect login<br>";
									}
					}
	}
	}
}


?>

bradgrafelman

Are you not getting any PHP errors or warnings? Try changing this:

$res = mysql_query($sql);

to this:

$res = mysql_query($sql) or die('MySQL error: ' . mysql_error() . "<hr>$sql");

Also output the number of rows that were SELECT'ed.

Note that in order to fully check and see if the headers work, you'll have to get rid of the print_r() call at the top of the page since that is outputting data (causing headers to be sent).

serg91

I tooke out the print_r($_POST). and did a sql error script. its still not returning an error. all I get now is a blank screen.

bradgrafelman

Try echo'ing out the query as well as the number of rows that were SELECT'ed. Does the query look right? Can you paste it into another MySQL interface (e.g. the CLI, phpMyAdmin, anything) and see that the correct records were SELECT'ed? If not, you might want to take a look at your table schema and/or data inserted.

serg91

Okay I went into myadmin (sql) part of it. i typed in the
the sql statement that I have remarked out. it did not except it. so I went and tried
SELECT * FROM users WHERE username = "$username" AND password ="$password"

I got this as a response:
MySQL returned an empty result set (i.e. zero rows). (Query took 0.0005 sec)

sql query
SELECT *
FROM users
WHERE username = "$username"
AND PASSWORD = "$password"
LIMIT 0 , 30;

here is my code again with the change. I'm still getting the blank screen. so who knows.

?php
ini_set('display_errors', 1); // change to 0 for production version
error_reporting(E_ALL); 

$success = true;
$message ='';
//print_r($_POST);
$username = $_POST['username'];
$password = $_POST['password'];


if($username =='')	{
	$success = false;
	$message .= 'Please enter your username';
}

if($password == '')	{
	$success = false;
	$message .= 'Please enter your password';
}

if($success)	{
	$db = mysql_connect('localhost', 'root', '********');

	if($db)	{
		mysql_select_db("TREllis");
				//$sql = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'";
				$sql = 'SELECT * FROM users WHERE username = "$username" AND password ="$password"';
				$res = mysql_query($sql) or die(mysql_error());

	if ($res && mysql_num_rows($res) >0){

					if(($username == "admin") && ($password == "admin")) {
								$row = mysql_fetch_assoc($res);
								$_SESSION['logged_in'] = true;
								$_SESSION['username'] = $row['username'];
								header("location: adminpage.php");

					}	else	{

						 if(mysql_num_rows($res) > 0){
									$row = mysql_fetch_assoc($res);
									$_SESSION['logged_in'] = true;
									$_SESSION['username'] = $row['username'];
									header("location: news.php");
									}else{
									$success = false;
									$message .= "Incorrect login<br>";
									}
					}
	}
	}
}


?>

form: I have made mistakes on the form before. but I don't think I did it this time since it worked before.
<?php
// require ("dbcon.php");
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
</body>
<form action="loginval.php" method="post" name="login">
<table>
<tr>
<td>Username: </td>
<td><input type="text" name="username"/></td>
</tr>
<tr>
<td>Password: </td>
<td><input type="password" name="password"/></td>
</tr>
<tr>
<td></td>
<td align="center"><input type="submit" name="login" value="Login"/></td>
</tr>
</table>
</form>
</html>

bradgrafelman

Your problem is here:

$sql = 'SELECT * FROM users WHERE username = "$username" AND password ="$password"';

. Two things:

Strings delimited by single quotes in PHP are not processed for variable interpolation (e.g. changing $username to whatever value the variable 'username' contains). See more information about what a [man]string[/man] is for other examples/differences.
Your script is vulnerable to SQL injection attacks. User-supplied data should never be placed directly into SQL queries. Instead, you must first sanitize it with a function such as [man]mysql_real_escape_string/man.

Also, note that strings are usually surrounded by single quotes in SQL queries (IMO); if ANSI_QUOTES is enabled in MySQL then double quotes are treated differently (e.g. they reference identifiers, not strings). For maximum portability, you might consider using single quotes instead for delimiting strings in SQL queries.

serg91

I ended up deleting my whole database and rebuilt it. the problem was fixed from there.

Thank you.