LOGIN HELP NEEDED

odyssey

Im having a problem with my login.php which says "result found: 1
User does not exist! Please try again!" but i have been able to register and see the data in my database.

This is my login.php. can any body tell me why im getting that error?

<?php

$v_username = addSlashes($POST['username']);
$v_password = addSlashes(md5($POST['password']));

if($POST['username']=="" || $POST['password']=="")
{
echo "Please, you must supply username and password fields!";
}
else
{
$conn = mysql_connect("localhost","USERNAME","PS") or die ("Couldnt connect to database");
if (!$conn)
{
die('Could not connect: ' . mysql_error());
}
else
{
mysql_select_db("DATABASE",$conn) or die ("Couldnt find database");

$result = mysql_query("SELECT * FROM users WHERE username='$v_username'");
$intResultCount=count($result);

echo "result found: ". $intResultCount ."<br />";


if ($intResultCount==1)
{
    if( $v_username != $result['username'])
    {echo "User does not exist!" . " ". "Please try again!";}
        elseif ($result['username'] == $v_username && $result['password'] == $v_password)
        {
        echo "Congratulations". " " . $v_username . "!"."<br />";
        echo "You have successfully logged in!";
    echo $intResultCount . "<br />";
    }
        else
        {echo "The password is invalid! Please try again.";}
        }


}

}
?>

laserlight

For starters, you need to properly indent your code so that it is readable, e.g.,

<?php

$v_username = addSlashes($_POST['username']);
$v_password = addSlashes(md5($_POST['password']));

if ($_POST['username'] == "" || $_POST['password'] == "")
{
    echo "Please, you must supply username and password fields!";
}
else
{
    $conn = mysql_connect("localhost", "USERNAME", "PS") or die ("Couldnt connect to database");
    if (!$conn)
    {
        die('Could not connect: ' . mysql_error());
    }
    else
    {
        mysql_select_db("DATABASE",$conn) or die ("Couldnt find database");

    $result = mysql_query("SELECT * FROM users WHERE username='$v_username'");
    $intResultCount = count($result);

    echo "result found: " . $intResultCount . "<br />";

    if ($intResultCount == 1)
    {
        if ($v_username != $result['username'])
        {
            echo "User does not exist!" . " ". "Please try again!";
        }
        elseif ($result['username'] == $v_username && $result['password'] == $v_password)
        {
            echo "Congratulations" . " " . $v_username . "!" . "<br />";
            echo "You have successfully logged in!";
            echo $intResultCount . "<br />";
        }
        else
        {
            echo "The password is invalid! Please try again.";
        }
    }
}
}
?>

Now, one problem is that $result is a resource result. It is not an array. You first need to do a:

$result = mysql_fetch_assoc($result);

Next, we see that the error message comes when $v_username != $result['username']. Of course, since you selected the row such that the username is equal to $v_username, this appears to be impossible. The problem is, you used addslashes to obtain $v_username, so if a character was escaped by the addslashes, $v_username != $result['username']. Also

The correct approach is to dispense with the use of addslashes, especially the use of addslashes so early on. Rather:

$v_username = $_POST['username'];
$v_password = md5($_POST['password']);

// ...

$query = sprintf("SELECT * FROM users WHERE username='$v_username'",
                 mysql_real_escape_string($v_username));
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);

if ($row)
{
    if ($row['password'] == $v_password)
    {
        echo "Congratulations" . " " . $v_username . "!" . "<br />";
        echo "You have successfully logged in!";
        echo $intResultCount . "<br />";
    }
    else
    {
        echo "The password is invalid! Please try again.";
    }
}
else
{
    echo "User does not exist!" . " ". "Please try again!";
}

Note that your current scheme of storing the MD5 hashes of passwords in the database is insecure should the database be compromised and your users reuse their passwords. You should also store a user specific salt value for use in the hashing.

odyssey

Thanks for the information. $result = mysql_fetch_assoc($result); gives me an error and thats why im not using it but from you reply i tried it all over again and still get the same problem earlier. im stuck on the same problem earlier.

Derokorian

You should check to see if the query was successful before attempting to use the result. Also count($result) will not do what you want, instead you need to use something like mysql_num_rows().

$query = "SELECT * FROM users WHERE username='$v_username'";
$result = mysql_query($query);
if( !$result ) {
   echo "Query failed.<br>Query: $query<br>MySQL said: (". mysql_errno() .") ". mysql_error();
   exit;
}
$intResultCount = mysql_num_rows($result);
if( $intResultCount > 0 ) {
   // username found check it here
   $row = mysql_fetch_assoc($result);
   if( $row['password'] == $v_password ) {
      echo "logged in";
   } else {
      echo "Username/Password mismatch";
   }
} else {
   echo "No user by that name found.";
}

laserlight

odyssey wrote:
$result = mysql_fetch_assoc($result); gives me an error and thats why im not using it

What is the error message? Note that in my example, this line is wrong:

$query = sprintf("SELECT * FROM users WHERE username='$v_username'",
                 mysql_real_escape_string($v_username));

it should have been:

$query = sprintf("SELECT * FROM users WHERE username='%s'",
                 mysql_real_escape_string($v_username));

Derokorian is right to say that you should check that $result is not false before proceeding, though note that the example with the use of exit is just a debugging example; in your actual code, you should handle such an error more gracefully.

You could indeed use mysql_num_rows here, but I don't see a point: mysql_fetch_assoc will return false if there is no row in the result set.

Oh, and why are you using the legacy MySQL extension for new code in the first place? You should be using the PDO extension or MySQLi extension instead.

odyssey

ooops, the query failed. I need help with that and im glad you guys are helping. I tried with the code from Derokorian.