-
December 7th, 2005, 09:48 PM
#1
Simple PHP/MySQL - Fresh Eyes Needed
Hey Hey,
This is driving me nuts, and I know it's something stupid... All I need is a fresh set of eyes to look it over and tell me where I'm FUBARing it.
connect.php
Code:
<?
$user = "XXXXX";
$pass = "XXXXX";
$db = "XXXXXX";
$myserver = "XXXXX";
$connect = mysql_connect($myserver, $user, $pass) of die("Connect");
$select_db = mysql_select_db($db) or die("DB Selection");
?>
login.php
Code:
<?
session_start();
include 'inc/connect.php';
if ( $_POST['username'] != "" AND $_POST['password'] != "" ) {
$username = $_POST['username'];
$password = md5($_POST['password'];
$username = htmlspecialchars($username);
$username = stripslashes($username);
$query = 'SELECT * FROM tblUsers WHERE userName = "' . $username . '" AND userPassword = "' . $password . '" LIMIT 1';
$result = mysql_query($query);
$numResult = mysql_num_rows($result);
if ( $numResult == 1) {
$userInfo = mysql_fetch_array($result);
$_SESSION['sessionID'] = $userInfo['userID'];
header("Location: http://www.xxx.ca/next.php");
}
}
else {
header("Location: http://www.xxx.ca/index.php");
}
?>
It should be going to the next page but it does nothing... I just get a blank screen.... I've even put echo's after ever single line of code from line 1 to the end... and none of the echo's ever show up.... I just keep getting
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
<BODY></BODY></HTML>
Peace,
HT
-
December 7th, 2005, 09:56 PM
#2
$connect = mysql_connect($myserver, $user, $pass) of die("Connect");
Um "of die"
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
December 7th, 2005, 09:59 PM
#3
Originally posted here by dinowuff
Um "of die"
You've never heard of mysql_connect of Die... It's kind of like the Earl of Grey... :P
Thanks.. but alas... that wasn't the problem.
Peace,
HT
-
December 8th, 2005, 12:37 AM
#4
Did you post ALL the code from your page/s?
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
Is this is in your original code?
If so then will cause you problems....
When you use code that generates header material (like a redirect) you must use your header code before ANYTHING is sent to the client...
-
December 8th, 2005, 12:47 AM
#5
It seems like there should be more code. I have some suggestion however.
First order of business, check the http error log, and change the error_reporting setting in the PHP.ini. It's possible the script is getting an error, but it might not be out putting it to you.
I haven't used PHP in awhile, but try putting your connect variable as the resource link-identifier in mysql_query, such as
PHP Code:
$result = mysql_query($query, $connect);
Other than that, check to make sure your if() statements are working right.
enmand
-
December 8th, 2005, 01:19 AM
#6
Hey Hey,
omin: I posted the entire code.... That's why I'm partially confused about that being included in the html that is generated...
MB: I've checked and double checked.. putting echo's on all the lines to see what happens.. As for the connection.. it's straight out of the connect/query scripts I use on all the sites I bulid.
Peace,
HT
-
December 8th, 2005, 01:58 AM
#7
Try putting an exit; after
header("Location: http://www.xxx.ca/next.php");
-
December 8th, 2005, 02:06 AM
#8
Aside from things already mentioned...
PHP Code:
$password = md5($_POST['password'];
should be
PHP Code:
$password = md5($_POST['password']);
However, the whole script is really sloppy...
PHP Code:
if ( $_POST['username'] != "" AND $_POST['password'] != "" )
would be better/faster as
PHP Code:
if (isset($_POST['username']) && isset($_POST['password']))
PHP Code:
$username = htmlspecialchars($username);
$username = stripslashes($username);
Is useless if you are going to dump the data into a query anyway...
PHP Code:
if($username == htmlspecialchars($username) && $username == stripslashes($username)){
go on to the query
}else{
exit with an error, because clearly it isn't a valid password and either a typo or an attempt at subverting the server.
}
If this is required, you have some serious problems with the database. Entires should be checked for uniqueness going into the DB, not coming out... perhaps a unique ID would be a good addition? It is also a good idea to check for duplicate entires as well for just in case. Never make assumptions... always account for the unexpected... if conditions met a very specific requirement approve them, otherwise else to a failure.
Other points are inefficiencies and the fact that this script does not secure the page in question... but at least it should work now.
cheers,
catch
-
December 8th, 2005, 02:21 AM
#9
Originally posted here by catch
Aside from things already mentioned...
PHP Code:
$password = md5($_POST['password'];
should be
PHP Code:
$password = md5($_POST['password']);
Thanks for pointing that one out..
However, the whole script is really sloppy...
PHP Code:
if ( $_POST['username'] != "" AND $_POST['password'] != "" )
would be better/faster as
PHP Code:
if (isset($_POST['username']) && isset($_POST['password']))
It was originally that... but it wasn't working and a that rewrote it changed it to that.... it's how he was taught in school apparently.
PHP Code:
$username = htmlspecialchars($username);
$username = stripslashes($username);
Is useless if you are going to dump the data into a query anyway...
Not in my opinion.. by the time you're done.. anyone that would have tried simple SQL injection like ' OR 1=1 will be foiled...
PHP Code:
if($username == htmlspecialchars($username) && $username == stripslashes($username)){
go on to the query
}else{
exit with an error, because clearly it isn't a valid password and either a typo or an attempt at subverting the server.
}
Wouldn't simply executing them be faster than executing them and performing a check? But I'll make the change... I'm not a programmer by any sense of the world.
If this is required, you have some serious problems with the database. Entires should be checked for uniqueness going into the DB, not coming out... perhaps a unique ID would be a good addition? It is also a good idea to check for duplicate entires as well for just in case. Never make assumptions... always account for the unexpected... if conditions met a very specific requirement approve them, otherwise else to a failure.
Other points are inefficiencies and the fact that this script does not secure the page in question... but at least it should work now.
There is a unique ID... the LIMIT 1 was something I picked up from classes.. not needed.. but it never hurts to have it.. I do have a unique ID....
As for the other inefficiencies.. the script isn't near done or ready for production... This was simply to demonstrate the layout and flow of pages... and figured I'd better be able to click the login button to get to the remaining pages.
Thanks for the help,
Peace,
HT
-
December 8th, 2005, 03:21 AM
#10
HT; have you got any empty lines before the <?php tags? because these are parsed as html, sent to the client as \n's and causes the header relocate to **** up.
What you want to do is make sure the first line of all files is <?php and then set an output buffer. it'll save you alot of hassle, can't remember the exact command though, but there is a function that takes all output and buffers it so that you can flush it at the end of a page, this has the advantage that you can spew out output, if you come accross an error, you just destroy the buffer content, send a new header and die();
also, don't fetch fields you don't need, ie; SELECT * is bad evil and wrong, use something like SELECT COUNT(`id`) as thereIsANick or something to that effect.
hope that helps
With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .: Bring OS X to x86!:.
Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|