[josiahmahar]

when the user submits an invalid username or password it is supposed to display an error message but it does not show up any help on why its not showing up would be really helpfull thanks the code so far is

<?php

	$username = '$_post["username"]';
	$password = '$post["password"]';
	
if ($username&&$password)
{
	$connect = mysql_connect("localhost", "josiah", "nastassja") or die ("could not connect");
	mysql_select_db ("userlogin") or die  ("could not find database");	


} 

	else
		die ("wrong username and password");
	
?>

[JackOfAllTrades]

First, don't put the variables in quotes.

Second, NEVER trust user input, unless you want to be hacked. Read about SQL Injection.

Third, you probably want to check if the variables are set before assigning them.

if (!isset($_POST['username']) || !isset($_POST['password']))
{
    die("No username and/or password provided");
}

$connect = mysql_connect("localhost", "josiah", "nastassja") or die ("could not connect");
mysql_select_db ("userlogin") or die  ("could not find database");

$username = mysql_real_escape_string($_POST['username');
$password = mysql_real_escape_string($_POST['password');

Also, you should never store your passwords in the database as the user enters them. You should salt and hash them. See this post for a class which will do this for you.

[josiahmahar]

lol that is a fair bit over my head. do you know where i could find detailed tutorials on stopping people from hacking through user input and on password hashing? the two links you gave me are good for explaining what the uses of password hashing and protecting against code injection but they dont really explain how to go about doing this

[Valek]

MD5
SHA1
More robust hashing support (like RIPEMD-160)

DIC tutorial on hashing written by akozlik.

[josiahmahar]

hey umm guys i did the whole hash thing and made the changes you showed me but the message still doesnt show up giving me any errors about the invalid username/password my edited code is

<?php  


   $username = mysql_real_escape_string($_POST['username']);
$hash1 = sha1($username);  

  $password = mysql_real_escape_string($_POST['password']);
$hash2 = sha1($password);  
if (!isset($_POST['username']) || !isset($_POST['password']))  

{
     die("missing username and/or password");  
 }
$connect = mysql_connect("localhost", "****", "****") or die ("could not connect");  
mysql_select_db ("userlogin") or die  ("could not find database"); 
  
 

?> 

i know my username and password are being hashed now at least and sorry for all the posts i just want to get as much done in the next few weeks as i can since ill be a lot busier after that

This post has been edited by Dormilich: 22 January 2011 - 01:20 AM

[Dormilich]

you never query your DB for the username/password.

[Valek]

You don't need to hash the username. Also, the only "validation" you're doing is checking whether they've filled out the fields, not that the data is valid or conforms to any rules you may have for them.

[Dormilich]

if you hash the password, make sure you also have the hashed version saved in the DB.

[JackOfAllTrades]

Glad I went through the effort of providing some code for you to ignore.

There's a REASON that I don't call mysql_real_escape_string until AFTER I connect to the DB...you MUST have a connection to the database to use this function.

Please spend a little bit of time reading this tutorial, and THINKING about what you're doing.

[josiahmahar]

JackOfAllTrades, on 22 January 2011 - 05:00 AM, said:

Glad I went through the effort of providing some code for you to ignore.

There's a REASON that I don't call mysql_real_escape_string until AFTER I connect to the DB...you MUST have a connection to the database to use this function.

Please spend a little bit of time reading this tutorial, and THINKING about what you're doing.

haha thank you for that insightful tutorial however i was just over tired and when i woke up this morning i fixed it as soon as i saw it. however like i said im not very good at this and if you have time to answer one one more stupid (seeing as the answer is going to be a simple mistake) question that would be great. How come whenever i log in and have it post the username it posts "array" instead of the username once again my code is

 <?php  
 session_start();

if (!isset($_POST['username']) || !isset($_POST['password']))  

{
     die("missing username and/or password");  
 }
 else{
	$connect = mysql_connect("localhost", "***", "***") or die ("could not connect"); 
	 
	mysql_select_db ("userlogin") or die  ("could not find database"); 
	
   $username = mysql_real_escape_string($_POST['username']);
  
  $password = mysql_real_escape_string($_POST['password']);
	$hash2 = sha1($password);
  
  $query = mysql_query("SELECT * FROM users WHERE username='$username'");
  
	$numrows = mysql_num_rows($query);
 
 if ($numrows!=0){
	while ($row = mysql_fetch_assoc($query)){
		$dbuser = $row['username'];
		$dbpass = $row['password'];
	}
	if ($username==$dbuser&&$hash2==$dbpass){
	echo "succesfully logged in!<br>";
	 echo "<a href='http://yourlife.dyndns.org/form.php'> click</a> here to submitt post " ;
	 
	 $_SESSION['username']=$username;	
	}
else
	die("wrong password");
}

 else 
 	die("username does not exist!");
}

echo $_SESSION;

?> 

This post has been edited by josiahmahar: 22 January 2011 - 02:25 PM

[Valek]

You're echoing $_SESSION, which is a superglobal array. If you want to see an array's contents, my usual method is something like this (written for your case here):

echo "<pre>" . print_r($_SESSION, true) . "</pre>";

print_r() displays all contents of an array. The second argument being set to true tells it to return the result instead of outputting it. The <pre> tags tell it that the contents of those tags is pre-formatted and should display line breaks and such as they appear. This is to ensure readability.

This post has been edited by Valek: 22 January 2011 - 04:25 PM

[josiahmahar]

thank you that worked great but is there a way that you can make it show just the username so that if i put lets say

 <?php
session_start();
$time = date("H:i");

echo "welcome", "<pre>" . print_r($_SESSION, true) . "</pre>", "it is $time" ;
?>

i want it so it would show

"welcome josiahmahar it is 00:37"
instead of

"welcome Array
(
[username] => josiahmahar
)
it is 00:37"
and do you know why my current time is 6 hours ahead??

This post has been edited by josiahmahar: 22 January 2011 - 05:40 PM

[Valek]

echo $_SESSION['username']

That'll echo just the username you set earlier in the script.

Also, where is the server it's running on located? If it's on your local PC, you should use some of PHP's time functions to ensure it's using the right timezone. Check out DateTime, specifically DateTime::setTimezone()

This post has been edited by Valek: 22 January 2011 - 05:39 PM

[josiahmahar]

hello again i got another question for you guys since i cant seem find this when i search google i could simply not be searching the right thing but when a user is registering for an account on my site (i know its a miracle i didnt have to ask any more stupid questions while i was doing it) they can register an account that is already registered eg: i have an account called "josiahmahar" i can than register another account called "josiah mahar" would any of you be able to recomend a tutorial on how to stop this or at least what to search since my previous searches came back with how to stop multiple logging on which im not interested in at the moment. thanks again and on more thing should i be posting these things as new questions or is posting them on this one fine??

[Valek]

Well, those names don't match, so that makes sense, actually. So it's technically not the same name. PHP doesn't know where a space in a two-word name made one is "supposed" to be, it just knows that the two strings are not equivalent.

The same goes for MySQL, in the case of SELECT queries to ensure the name is not already taken.

This post has been edited by Valek: 23 January 2011 - 04:16 AM