Help with login script!!!

o0110o

Hi everybody, I'm currently working on a login script for a website, but whenever I execute the script I get a blank page. I've been staring at my script for hours now and my attention to detail has become somewhat diluted, lol. I would appreciate any help in fixing whatever the problem is and any advice is welcome.

Here is the code:

<?php
ob_start();
include_once"../includes/connect_db.php";

// ----------------------------------------------------------------------------------------
// username and password sent from form
$site_ID = $_POST['site_ID'];
$site_KEY = $_POST['site_KEY'];

// To protect MySQL injection (more detail about MySQL injection)
$site_ID = stripslashes($site_ID);
$site_KEY = stripslashes($site_KEY);
$site_ID = mysql_real_escape_string($site_ID);
$site_KEY = mysql_real_escape_string($site_KEY);
$site_KEY=md5($site_KEY);
// ----------------------------------------------------------------------------------------

// ----------------------------------------------------------------------------------------
//Checks if there is a login cookie
if(isset($_COOKIE['site_ID'])) 

{
//if there is, it logs you in and directes you to index.php
$sql = "SELECT * FROM admin WHERE username='$site_ID' and password='$site_KEY'";
$result =mysql_query($sql) or die(mysql_error());

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

if($count==1)

{
// Register $site_ID, $site_KEY and redirect to file "index.php"
session_register("site_ID");
session_register("site_KEY");
session_start();
}

elseif(session_start());

{

if(session_is_registered("site_ID"))
{header("location: index.php");}
}
} 
// ----------------------------------------------------------------------------------------

// ----------------------------------------------------------------------------------------
// If form has been submitted
if (isset($_POST['submit'])) 

{ 
// Make sure the form is filled in
if(!$_POST['site_ID'] | !$_POST['site_KEY']) 
{die('You did not fill in a required field.');}

//Gives error if user does not exist
if ($count == 0) 
{die('That user does not exist in our database.');}

//Gives error if the password is wrong
$sql1 = "SELECT * FROM admin WHERE password='$site_KEY'";
if ($_POST['site_KEY'] != mysql_query($sql1)) 
{die('Incorrect password, please try again.');}

// If result matched $site_ID and $site_KEY, table row must be 1 row
if($count==1)

{
// If the login is succesful a cookie is added
$_POST['site_ID'] = stripslashes($_POST['site_ID']);
$hour = time() + 3600;
setcookie('site_ID', $_POST['site_ID'], $hour);
setcookie('site_KEY', $_POST['site_KEY'], $hour);

// Register $site_ID, $site_KEY and redirect to file "index.php"
session_register("site_ID");
session_register("site_KEY");
session_start();
}

elseif(session_start());

{
if(session_is_registered("site_ID"))
{header("location: index.php");}
}
} 

else

{
// If there is no cookie and the form has not yet been submitted, then the form must be completed
?>
<table width='300' border='0' align='center' cellpadding='0' cellspacing='1' bgcolor='#CCCCCC'>
<tr>
<form name='form1' method='post' action="<?php echo $_SERVER['PHP_SELF']?>">
<td>
<table width='100%' border='0' cellpadding='3' cellspacing='1' bgcolor='#FFFFFF'>
<tr>
<td colspan='3'><strong>Login </strong></td>
</tr>
<tr>
<td width='78'>Username</td>
<td width='6'>:</td>
<td width='294'><input name='site_ID' type='text' id='site_ID' maxlength='40'></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name='site_KEY' type='site_KEY' id='site_KEY' maxlength='50'></td>
</tr>
<tr>
<td><input type='submit' name='Submit' value='Login'></td>
</tr>
</table>
</td>
</form>
</tr>
</table>

<?php
// ----------------------------------------------------------------------------------------
    ob_end_clean();
}
 ?>

Thanks 🙂

dagon

turn off ob buffering and turn on error checking

error_reporting(E_ALL);
ini_set('display_errors', '1');

bradgrafelman

You should follow dagon's advice to check for errors, but I also thought I'd make some comments:

```
ob_start();
```
Why are you using output buffering?
```
$site_ID = $_POST['site_ID']; 
$site_KEY = $_POST['site_KEY'];
```
If these POST'ed items don't exist, you'll generate an E_NOTICE level error message by not checking that those array indexes exist before using them. Either move all code that uses $POST items inside of your if() statement that checks for $POST['submit'], or use isset here as well:
```
$site_ID = (isset($_POST['site_ID']) ? $_POST['site_ID'] : ''); 
$site_KEY = (isset($_POST['site_KEY']) ? $_POST['site_KEY'] : '');
```
```
$site_ID = stripslashes($site_ID); 
$site_KEY = stripslashes($site_KEY); 
```
Why do you use [man]stripslashes/man on incoming data? You should never have to do this unless magic_quotes_gpc is enabled. If this is the case, you should a) make every effort to disable it (custom php.ini file, .htaccess setting, etc. etc.) or, failing to do so, b) use [man]get_magic_quotes_gpc/man to check if magic_quotes_gpc is enabled and, if so, apply [man]stripslashes/man to all items in $POST, $GET, and $COOKIE (and $REQUEST if you use it).
```
$site_KEY = mysql_real_escape_string($site_KEY); 
$site_KEY=md5($site_KEY); 
```
If you're going to hash the data with [man]md5/man, then you should not use [man]mysql_real_escape_string/man on the data (neither before nor after applying [man]md5/man).
```
$sql = "SELECT * FROM admin WHERE username='$site_ID' and password='$site_KEY'"; 
```
You should try to never use 'SELECT ' - always list the columns that you actually need data from. In your case, since you don't appear to need data from any columns (for the cookie processing section), you could just do something like 'SELECT TRUE'.
```
session_register("site_ID"); 
session_register("site_KEY"); 
session_start(); 
```
There are two problems with this code. First being that [man]session_register/man has been deprecated for some time now and should never be used. Instead, you should be using the $_SESSION supergobal array. See this manual page for more information: [man]reserved.variables.session[/man].

Second, you can't session_register() OR add a variable to $SESSION without having a session started in the first place! Your call to session_start() should be before you try to add data to the session.
Your whole if() statement for processing the cookie value confuses me. You check if a cookie was sent, but then you never use its value - instead, you use $site_ID and $site_KEY... both of which reference the $_POST array.

Even if those referenced a cookie value, your if() statements after the query are even more confusing. If the query returned a row (meaning the credentials were valid), you set some session variables and then do... nothing. If the query did not return a row (presumably meaning the credentials were incorrect), then you attempt to start a session and, if successful, redirect the user to index.php if 'site_ID' exists in the session.

Is that logic what you intended to do?
```
if(!$_POST['site_ID'] | !$_POST['site_KEY'])
```
Two problems with this code. First, once again if those array indexes didn't exist then you would be cause an E_NOTICE level error message. You should instead use [man]isset/man to check if they exist.

Second, you use the '|' operator, which does not mean a logical OR; the single pipe '|' is used for the bitwise OR operation. Instead, you should be using a double pipe - '||' - or the keyword 'or'.
```
//Gives error if user does not exist 
if ($count == 0) 
```
Where did $count come from? You put this if() statement before the code that executes the SQL query!
```
$sql1 = "SELECT * FROM admin WHERE password='$site_KEY'"; 
if ($_POST['site_KEY'] != mysql_query($sql1))
```
Three comments about this code. First, I'd again recommend you not use 'SELECT *'. It's the same as above - since you don't really need data from any of the columns, you might as well just SELECT some constant value, e.g. boolean TRUE.

Second, why didn't you include the username column in the WHERE condition as well? If two users just happen to use the same password, then you'd have to loop through all rows that match the given password and check if any match the given username. Otherwise, only one user would be able to login and the rest would get the 'Incorrect password' error even though they entered the correct password.

Third, you don't even compare the username value correctly. [man]mysql_query/man doesn't return any data - it returns a Resource pointing to the MySQL result set. You have to use a function such as [man]mysql_result/man or [man]mysql_fetch_assoc/man to actually retrieve data from the next row in the result set.
```
// If result matched $site_ID and $site_KEY, table row must be 1 row 
if($count==1)
```
This if() statement is indeed after the SQL query has been executed, but you never used [man]mysql_num_rows/man to count how many rows were match, so again $count is undefined.

// If the login is succesful a cookie is added 
$_POST['site_ID'] = stripslashes($_POST['site_ID']);

Again, why are you using [man]stripslashes/man on incoming data?

```
// Register $site_ID, $site_KEY and redirect to file "index.php" 
session_register("site_ID"); 
session_register("site_KEY"); 
session_start(); 
```
Again, you shouldn't use [man]session_register/man at all, and you can't add data to a session that hasn't been started yet. Additionally, you never redirect the user to 'index.php' despite what the comment says.
```
elseif(session_start()); 

{ 
if(session_is_registered("site_ID")) 
{header("location: index.php");} 
} 
```
Same comment as above - your logic here doesn't make much sense. If you want to redirect the user if a session variable exists, why not check that before processing a cookie or POST'ed data?
```
// ---------------------------------------------------------------------------------------- 
    ob_end_clean(); 
```
Not only should you not be using output buffering in the first place (there's no need for it), but then once you have all of the output stored in the output buffer, the last thing you do is.... erase all of that output without ever displaying it?

o0110o

Wow. Thanks Dagon and especially you bradgrafelman. I built this script by studying various examples that I found floating around on the internet; I did my best to bring them all together into a unique script, but I'm still really new to PHP and making mistakes is what I do best, lol. I'm going to try your kind suggestions right away and I will post the results here; thanks, again 🙂

o0110o

I have implemented your suggestions to the best of my ability, I now am able to access the login form, but it remains static. Whenever I submit site_ID and site_KEY, nothing happens.

Here is the code that I have thus far:

<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');
include_once"../includes/connect_db.php";

// --------------------------------------------------------------------------------------------------
// username and password sent from form
$site_ID = (isset($_POST['site_ID']) ? $_POST['site_ID'] : '');
$site_KEY = (isset($_POST['site_KEY']) ? $_POST['site_KEY'] : ''); 
$site_KEY=md5($site_KEY);
// --------------------------------------------------------------------------------------------------

// --------------------------------------------------------------------------------------------------
//Checks if there is a login cookie
if(isset($_COOKIE['site_ID'])) 

{

//if there is, it logs you in and directes you to index.php
$sql = "SELECT TRUE FROM admin WHERE username='$site_ID' and password='$site_KEY'";
$result =mysql_result($sql) or die(mysql_error());

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
if($count==1)

{

// Register $site_ID, $site_KEY and redirect to file "index.php"
session_start(); 
$_SESSION['site_ID'] = $_COOKIE['site_ID'];
$_SESSION['site_KEY'] = $_COOKIE['site_KEY'];

}

if(session_is_registered("site_ID"))
{header("location: index.php");}

} 
// --------------------------------------------------------------------------------------------------

// --------------------------------------------------------------------------------------------------
// If form has been submitted
if (isset($_POST['submit'])) 

{ 

if (isset($_POST['site_ID'] , $_POST['site_KEY'])) 

{

// makes sure they filled it in
if(!$_POST['site_ID'] || !$_POST['site_KEY'])
{die('You did not fill in a required field.');}

}

//gives error if the password is wrong
$sql1 = "SELECT TRUE FROM admin WHERE username='$site_ID' password='$site_KEY'";
$result1 =mysql_result($sql1) or die(mysql_error());

if ($_POST['site_KEY'] != $result1) 
{die('Incorrect password, please try again.');}

$count1 = mysql_num_rows($result1);

//Gives error if user dosen't exist
if ($count1 == 0) 
{die('That user does not exist in our database.');}

// If result matched $site_ID and $site_KEY, table row must be 1 row
if($count1==1)

{

// if login is ok then we add a cookie
$hour = time() + 3600;
setcookie('site_ID', $_POST['site_ID'], $hour);
setcookie('site_KEY', $_POST['site_KEY'], $hour);

// Register $site_ID, $site_KEY and redirect to file "index.php"
session_start(); 
$_SESSION['site_ID'] = $_POST['site_ID'];
$_SESSION['site_KEY'] = $_POST['site_KEY'];

}

if(session_is_registered("site_KEY"))
{header("location: index.php");}

}

else

{

?>
<table width='300' border='0' align='center' cellpadding='0' cellspacing='1' bgcolor='#CCCCCC'>
<tr>
<form name='form1' method='post' action="<?php echo $_SERVER['PHP_SELF']?>">
<td>
<table width='100%' border='0' cellpadding='3' cellspacing='1' bgcolor='#FFFFFF'>
<tr>
<td colspan='3'><strong>Login </strong></td>
</tr>
<tr>
<td width='78'>Username</td>
<td width='6'>:</td>
<td width='294'><input name='site_ID' type='text' id='site_ID' maxlength='40'></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name='site_KEY' type='password' id='site_KEY' maxlength='50'></td>
</tr>
<tr>
<td><input type='submit' name='Submit' value='Login'></td>
</tr>
</table>
</td>
</form>
</tr>
</table>

<?php
}
 ?>

o0110o

Okay this is as far as I got, the login screen works but the redirection does not, still having trouble with this, can anyone help please?

<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');
include_once"../includes/connect_db.php";

// --------------------------------------------------------------------------------------------------
// username and password sent from form
$site_ID = (isset($_POST['site_ID']) ? $_POST['site_ID'] : '');
$site_KEY = (isset($_POST['site_KEY']) ? $_POST['site_KEY'] : ''); 
$site_KEY=md5($site_KEY);
// --------------------------------------------------------------------------------------------------

// --------------------------------------------------------------------------------------------------
//Checks if there is a login cookie
if(isset($_COOKIE['site_ID'] , $_COOKIE['site_KEY'])) 

{

//if there is, it logs you in and directes you to index.php
$sql = "SELECT TRUE FROM admin WHERE username='$site_ID' and password='$site_KEY'";
$result =mysql_result($sql) or die(mysql_error());

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
if($count==1)

{

// Register $site_ID, $site_KEY and redirect to file "index.php"
session_start(); 
$_SESSION['site_ID'] = $_COOKIE['site_ID'];
$_SESSION['site_KEY'] = $_COOKIE['site_KEY'];

}

if(isset($_SESSION['site_ID'] , $_SESSION['site_KEY']))
{header("location: index.php");}

} 
// --------------------------------------------------------------------------------------------------

// --------------------------------------------------------------------------------------------------
// If form has been submitted
if (isset($_POST['submit'])) 

{ 

if (isset($_POST['site_ID'] , $_POST['site_KEY'])) 

{

// makes sure they filled it in
if(!$_POST['site_ID'] || !$_POST['site_KEY'])
{die('You did not fill in a required field.');}

}

//gives error if the password is wrong
$sql1 = "SELECT TRUE FROM admin WHERE username='$site_ID' password='$site_KEY'";
$result1 =mysql_result($sql1) or die(mysql_error());

if ($_POST['site_KEY'] != $result1) 
{die('Incorrect password, please try again.');}

$count1 = mysql_num_rows($result1);

//Gives error if user dosen't exist
if ($count1 == 0) 
{die('That user does not exist in our database.');}

// If result matched $site_ID and $site_KEY, table row must be 1 row
if($count1==1)

{

// if login is ok then we add a cookie
$hour = time() + 3600;
setcookie('site_ID', $_POST['site_ID'], $hour);
setcookie('site_KEY', $_POST['site_KEY'], $hour);

// Register $site_ID, $site_KEY and redirect to file "index.php"
session_start(); 
$_SESSION['site_ID'] = $_POST['site_ID'];
$_SESSION['site_KEY'] = $_POST['site_KEY'];

}

if(isset($_SESSION['site_ID'] , $_SESSION['site_KEY']))
{header("location: index.php");}

}

else

{

?>
<table width='300' border='0' align='center' cellpadding='0' cellspacing='1' bgcolor='#CCCCCC'>
<tr>
<form name='form1' method='post' action="<?php echo $_SERVER['PHP_SELF']?>">
<td>
<table width='100%' border='0' cellpadding='3' cellspacing='1' bgcolor='#FFFFFF'>
<tr>
<td colspan='3'><strong>Login </strong></td>
</tr>
<tr>
<td width='78'>Username</td>
<td width='6'>:</td>
<td width='294'><input name='site_ID' type='text' id='site_ID' maxlength='40'></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name='site_KEY' type='password' id='site_KEY' maxlength='50'></td>
</tr>
<tr>
<td><input type='submit' name='Submit' value='Login'></td>
</tr>
</table>
</td>
</form>
</tr>
</table>

<?php
}
 ?>

I'm sure it's probably some simple mistake I made, and I hope you all can help me find it please 🙂

halojoy

There were a couple of things in your script that I havent seen before.
I have have seen many php codes ....

So, I have learned a couple of new things 🙂

There were like 2 serious things, that would make your script not work.
Like for example

if ($_POST['site_KEY'] != $result1)
{die('Incorrect password, please try again.');}

The posted KEY should not be compared to one md5KEY in database.

The second point I would tell you is

$hour = time() + 3600;
setcookie('site_ID', $_POST['site_ID'], $hour);
setcookie('site_KEY', $_POST['site_KEY'], $hour);

We never put posted PASSWORD in COOKIE.
This way it is easy for anyone to read and get hold of it.
Put the md5 PASWORD there. It is useless to try to login with.

I have changed a lot in your script.
But I have used your nice code. It is a good work you have done.

The Script now:

1. check for SESSION, if already logged in
2. check for COOKIE to log in with
3. check the POSTED for to log in with

I can not promise it will work now. Because I have not tried it.
But there should be a very good chance!

If there is something, we will see, as you have error_reporting activated.
Very good.

<?php // login script, o0110o, suggestion by halojoy phpbuilder
error_reporting(E_ALL);
ini_set('display_errors', '1');
include_once"../includes/connect_db.php";

// --------------------------------------------------------------------------------------------------
if(isset($_SESSION['site_ID'] , $_SESSION['site_KEY']))
{   // you are already logged in
	header("location: index.php");
	exit();
}
// --------------------------------------------------------------------------------------------------
//Checks if there is a login cookie
if(isset($_COOKIE['site_ID'] , $_COOKIE['site_KEY']))
{
	//if there is, it logs you in and directes you to index.php
	$sql = "SELECT TRUE FROM admin WHERE username='$site_ID' and password='$site_KEY'";
	$result =mysql_result($sql) or die(mysql_error());
	// Mysql_num_row is counting table row
	$count=mysql_num_rows($result);
	if($count==1)
	{
		// Register $site_ID, $site_KEY and redirect to file "index.php"
		session_start();
		$_SESSION['site_ID'] = $_COOKIE['site_ID'];
		$_SESSION['site_KEY'] = $_COOKIE['site_KEY'];
		header("location: index.php");
		exit();
	}
	else
	{
		// Bad cookie, user not found, Delete cookie maybe???
	}

}
// --------------------------------------------------------------------------------------------------

// --------------------------------------------------------------------------------------------------
// If form has been submitted
if (isset($_POST['site_ID'] , $_POST['site_KEY']))
{
	// username and password sent from form
	$site_ID  = (isset($_POST['site_ID'])  ? trim($_POST['site_ID'])  : '');
	$site_KEY = (isset($_POST['site_KEY']) ? trim($_POST['site_KEY']) : '');
	$md5_KEY  = md5($site_KEY);

// makes sure they filled it in
if(!$site_ID || !$site_KEY)
{die('You did not fill in a required field.');}

//gives error if the password is wrong
$sql1 = "SELECT TRUE FROM admin 
		WHERE username='$site_ID' password='$md5_KEY'";
$result1 =mysql_result($sql1) or die(mysql_error());
$count1 = mysql_num_rows($result1);
//Gives error if user dosen't exist
if($count1 == 0)
{die('That user does not exist in our database.');}

// If result matched $site_ID and $site_KEY, table row must be 1 row
if($count1 == 1)
{
	// if login is ok then we add a cookie
	$hour = time() + 3600;
	setcookie('site_ID', $site_ID, $hour);
	setcookie('site_KEY', $md5_KEY, $hour);

	// Register $site_ID, $site_KEY and redirect to file "index.php"
	session_start();
	$_SESSION['site_ID'] = $site_ID;
	$_SESSION['site_KEY'] = $md5_KEY;
	// you are now logged in
	header("location: index.php");
	exit();
}
else
{
	// $count1 >=2 (two or more admins in table) or less $count1 < 0
}

}

else

{

?>
<table width='300' border='0' align='center' cellpadding='0' cellspacing='1' bgcolor='#CCCCCC'>
<tr>
<form name='form1' method='post' action="<?php echo $_SERVER['PHP_SELF']?>">
<td>
<table width='100%' border='0' cellpadding='3' cellspacing='1' bgcolor='#FFFFFF'>
<tr>
<td colspan='3'><strong>Login </strong></td>
</tr>
<tr>
<td width='78'>Username</td>
<td width='6'>:</td>
<td width='294'><input name='site_ID' type='text' id='site_ID' maxlength='40'></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name='site_KEY' type='password' id='site_KEY' maxlength='50'></td>
</tr>
<tr>
<td><input type='submit' name='Submit' value='Login'></td>
</tr>
</table>
</td>
</form>
</tr>
</table>

<?php
}
?>