Hey people, I'm new to PHP and MySQL and have bumped into a little problem trying to get my username and password verified. Most of the script is functional, for example not granting access if both/one of the login fields are empty.

But, it actually seems to allow the user to login if they have entered text into both the username and password fields regardless of whether these (username/password) are stored in the corresponding login database.

Here is the main script:




<html>
<body>

<form action="index3.php?login=yes" method="POST">
Username:<input type="text" name="user"><br />
Password:<input type="password" name="pass"><br/>
<input type="submit" name="login" value="login" ><p>
</form>

<?php

$user=$_POST['user'];
$pass=$_POST['pass'];
$login=$_POST['login'];

function denied()
	{
	echo '<h3><span style= "color:red"> Access Denied!!! </span></h3><br><br>';
	}

function granted ($user) //function with username parameter retrieved
	{
	echo '<h3><span style= "color:green"> Access Granted!!! </span></h3>';
	echo 'Welcome, ' . $user; 
	}

if($login=='login')
{
$con= include_once "mysql_connect.php";

$query = "SELECT id FROM login WHERE user='$user' AND pass='$pass' ";
echo $query;
$result = mysql_query($query) or die ("ERROR IN SQL STATEMENT: ".mysql_error());
$row = mysql_fetch_assoc($result);


	if (empty($user) || empty($pass))
	{
	denied();
	die("<br>Please fill out user login fields carefully....<br>");
	}

	if ($result!=1) 
	{
	granted($user);
	}

	else
	{
	denied ();
	}
}

?>

</body>
</html>

And the following is external scripting associated with the above:

<?php

$db_host = "localhost";
$db_username = "root";
$db_pass = "rhianna";
$db_name = "login";

@mysql_connect("$db_host", "$db_username", "$db_pass") or die ("Could not connect to MySQL");
@mysql_select_db("$db_name") or die ("No $db_name Database ");

?>  

Any ideas of what the problem is and how I could possibly resolve this issue?

For some reason I believe it could be something to do with the password not being verified correctly once retrieved from the database, maybe in the $return variable, but I'm not entirely sure, just a guess. Even if it is that, I wouldn't know another way of going about fixing it.

    What's this... if (empty($user) || empty($pass))? I think instead of $user and $pass try $row[0] and $row[1]

      No... That's probably a part of the verification that I'm actually sure works correctly... I'm sure it simply states that if either of the fields are empty then access is denied.

        $result will always evaluate as "true" (as long as the query syntax was valid), since it is just a query result resource ID and will be set even if the query returns no result rows. Instead use mysql_num_rows() to determine if any match was found.

          Cool, thanks, I just fixed it using the following:

          Fixed it with the following:

          if (mysql_num_rows($result)==1)
          {
              granted($user);
          }

          Works perfectly now. Thanks dude.
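
An added example, not code from the thread or its posters: the same login check written so that access depends on a row actually matching, as the mysql_num_rows() reply explains, using PDO prepared statements and password_hash()/password_verify() in place of the mysql_* functions (removed in PHP 7). The in-memory SQLite database, the pass_hash column, the helper names and the sample account are assumptions made so the script runs on its own.

```php
<?php
declare(strict_types=1);

// Assumption: SQLite in memory stands in for the MySQL `login` table;
// against MySQL only the DSN and credentials passed to PDO change.
function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE login (id INTEGER PRIMARY KEY, user TEXT UNIQUE, pass_hash TEXT)');
    // Constructed sample account; only a password_hash() digest is stored.
    $stmt = $pdo->prepare('INSERT INTO login (user, pass_hash) VALUES (?, ?)');
    $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

function check_login(PDO $pdo, string $user, string $pass): bool
{
    if ($user === '' || $pass === '') {
        return false;                       // reject before touching the database
    }
    // Bound parameter: the input is never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT pass_hash FROM login WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);  // false when no row matched
    if ($row === false) {
        return false;                       // a query that ran is not a login that matched
    }
    return password_verify($pass, $row['pass_hash']);
}

$pdo = open_demo_db();
$cases = [                                  // constructed inputs
    ['alice', 'correct horse'],             // valid credentials
    ['alice', 'wrong'],                     // known user, wrong password
    ['nobody', 'anything'],                 // the thread's bug: no such row
    ["o'brien", 'x'],                       // a quote in the name is plain data
    ['alice', ''],                          // empty field
];
foreach ($cases as [$u, $p]) {
    $verdict = check_login($pdo, $u, $p) ? 'granted' : 'denied';
    printf("%-10s %-16s => %s\n", $u, "'$p'", $verdict);
}
```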
