PHP Yet Again...
  1. #1
    Banned
    Join Date
    Oct 2001
    Posts
    1,462

    PHP Yet Again...

    PHP Code:
    <?php

    session_start();

    // Connects to the database
    $test = mysql_connect("localhost", "root", "mypass") or die(mysql_error());
    mysql_select_db("php", $test) or die(mysql_error());

    // Someone wants to log in
    if (isset($_POST['login'])) {

       // Looking for the pass/user in the database
       $query = mysql_query("SELECT * FROM php WHERE user='" . $_POST['user'] . "' AND password='" . $_POST['pass'] . "'") or die(mysql_error());
       print mysql_error();

       if (mysql_num_rows($query) == 1) {

          // If the user and pass are valid
          $_SESSION['login'] = "true";
          $_SESSION["user"] = $_POST["user"];
          echo 'Welcome '.$_SESSION["user"].' you are logged in!';

       } else {

          // If it's wrong
          die("Wrong logininfo.");

       }

    }

    // Someone wants to log out
    if (isset($_GET['action']) && $_GET['action'] == 'logout' && isset($_SESSION['login'])) {

       unset($_SESSION['login']);
       session_destroy();

       header("Location: ../index.php");

    }

    // Someone is a member
    if (isset($_GET['action']) && $_GET['action'] == 'member') {

       echo "Welcome member";

    }

    if (isset($_SESSION['login']) && $_SESSION['login'] == "true") {

       // This is shown if you are logged in!
       header("Location: ../index.php");

    // This will show if you aren't logged in.
    } else {

    ?>
       <html>
       <body bgcolor="#666666" text="#ffffff">
       <table width="200" border="0" cellspacing="5" cellpadding="0" align="center" valign="middle">
       <tr>
       <td style="border: 1 solid #333333;" bgcolor="#777777">
       <table width="100%" border="0" cellspacing="0" cellpadding="0">
            <tr> 
              <td bgcolor="#333333"><font size="1" face="Verdana, Arial, Helvetica, sans-serif">[b]<font color="#ffffff">&raquo;</font><font color="#ffffff">Log in 
                </font>[/b]</font></td>
            </tr>
            <tr> 
              <td bgcolor="silver"><font size="1" face="Verdana, Arial, Helvetica, sans-serif" color="#ffffff">
           <center>
            <form method="post" action="<?= $_SERVER['PHP_SELF'] ?>"> 
          [b]Username:[/b] 
          <input type="text" name="user">
     
          [b]Password:[/b] 
          <input type="password" name="pass">
     
          <input type="submit" name="login" value="Login"> 
       </form> 
    </center> 
           </font>
           </td>
            </tr>
          </table>
       </td>
    </tr>
    </table>

        
    <?
    }
    ?>
    OK, this login page is supposed to take variables from a form on another page and log in the user; instead it redirects back to the main page without logging in... Any ideas?

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    735
    Maybe $HTTP_POST_VARS["user"] might work better, for getting the input from a form field.

  3. #3
    Banned
    Join Date
    Oct 2001
    Posts
    1,462
    <form method="post" action="reg/login.php">
    <p align="center">Username:
    <input name="user" size="17">

    <input type="hidden" name="login">
    Password: <input type="password" value name="pass" size="17">
    <input type="submit" value="Login">
    </td>
    </tr>
    <tr>
    <td>
    <font size="1"><center>Not Registered? <a href="reg/signup.php">Sign
    Up!</a></center></font>
    </form>

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Several things:

    1. Important security issue: You should escape strings from the user before incorporating them into an SQL string. The MySQL module has a function for doing this.

    2. I consider it best practice to select the password and manually compare it rather than using "WHERE" - because different databases sometimes consider strings which aren't exactly equal to be equal in the SQL sense (think MSSQL's default case-insensitivity etc., but also other cases). This reduces the keyspace by allowing attackers to get in by using something similar but not quite identical to the password. (For instance, in German ü and ue might be considered equal.)

    3. Consider encrypting the password in the db with MD5 or similar (see MySQL manual for hints to do this)

    4. Instead of using select(*) only get the columns you want. That way there will be no nasty surprises if someone subsequently adds a massive binary file in a BLOB column.

    Happy coding

    Slarty
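
    The points in the reply above, worked through as an added example (not code from the thread or from any poster). It assumes PHP 7.1+ with the PDO SQLite driver; an in-memory SQLite table with a case-insensitive column stands in for the MySQL database, bound parameters are used in place of the escaping function, and password_hash() is used in place of MD5. The table, column names and sample account are constructed.

```php
<?php
// Added example: constructed schema and account, in-memory SQLite instead of MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// legacy_pass uses COLLATE NOCASE to imitate a server whose default string
// comparison is case-insensitive; pass_hash holds a salted hash instead.
$db->exec("CREATE TABLE users (
    user        TEXT PRIMARY KEY,
    legacy_pass TEXT COLLATE NOCASE,
    pass_hash   TEXT
)");
$ins = $db->prepare("INSERT INTO users (user, legacy_pass, pass_hash) VALUES (?, ?, ?)");
$ins->execute(['alice', 'Secret123', password_hash('Secret123', PASSWORD_DEFAULT)]);

// Style of the original script: the database decides equality inside WHERE.
function login_where(PDO $db, string $user, string $pass): bool {
    $st = $db->prepare("SELECT COUNT(*) FROM users WHERE user = ? AND legacy_pass = ?");
    $st->execute([$user, $pass]);
    return (int) $st->fetchColumn() === 1;
}

// Hardened: bound parameter, one named column, comparison done in PHP.
function login_compare(PDO $db, string $user, string $pass): bool {
    $st = $db->prepare("SELECT pass_hash FROM users WHERE user = ?");
    $st->execute([$user]);
    $hash = $st->fetchColumn();
    // password_verify() checks the exact password against the stored hash.
    return is_string($hash) && password_verify($pass, $hash);
}

$cases = [
    ['alice',   'Secret123'],   // correct password
    ['alice',   'secret123'],   // differs only in case
    ["o'brien", 'whatever'],    // apostrophe in the name is bound as plain data
];
foreach ($cases as [$u, $p]) {
    printf("%-8s %-10s where=%-5s compare=%s\n", $u, $p,
        var_export(login_where($db, $u, $p), true),
        var_export(login_compare($db, $u, $p), true));
}
```

    The second case is the one the reply warns about: the WHERE comparison accepts a password that differs only in case, while the comparison done in PHP rejects it.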

  5. #5
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    I think you have to fetch the array 'query' before you count the rows in that array, like this:
    PHP Code:
    $query = mysql_query("SELECT * FROM php
       WHERE user='" . $_POST['user'] . "' AND password='" . $_POST['pass'] . "'")
       or die(mysql_error());

       print mysql_error();

       $query = mysql_fetch_array($query);

       if (mysql_num_rows($query) == 1) {
    And please, use some hard enters if you choose to quote some long lines of code. I'm on 1152x864 and I still have to scroll to the right... I wonder what horrors 800x600 people see
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  6. #6
    yeah it sucks on that lol. I'm not that bad with php so PM me if ya need help. I need help with Visual Basic.
