6 Replies - 4332 Views - Last Post: 26 January 2012 - 11:55 AM Rate Topic: -----

#1 decongh  Icon User is offline

  • New D.I.C Head

Reputation: -3
  • View blog
  • Posts: 39
  • Joined: 31-December 11

Login not working

Posted 25 January 2012 - 11:20 AM

I have a script that checks usernames and passwords and it works fine when i put in a username and password ,but when the form is empty and i submit it ,it still login the person.

I made some changes to the script,its still not working.Any help.

    <?
    session_start();
    //session_destroy();
     
     
    ob_start();
    $host="localhost"; // Host name
    $username="root"; // Mysql username
    $password=""; // Mysql password
    $db_name="msl"; // Database name
    $tbl_name="signedup"; // Table name
     
    // Connect to server and select databse.
    mysql_connect("$host", "$username", "$password")or die("You are not authorized to use this system.");
    mysql_select_db("$db_name")or die("You are not authorized to use this system. Contact the administrator");
     
    // Define $myusername and $mypassword
    $username=$_POST['username'];
    //$username=trim(username)
    $password=$_POST['password'];
    //$password=trim(password)
    $password = sha1(password);
     
    // To protect MySQL injection (more detail about MySQL injection)
    $username = stripslashes($username);
    $password = stripslashes($password);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
     
    $sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
     
    $result=mysql_query($sql);
    $qry_num = 0;
    $qry_result = mysql_QUERY($sql); //select query\
    $qry_num = mysql_numrows($qry_result);
    $i = 0;
     
    while($i < $qry_num)
     
    {
    $_SESSION['myid'] = mysql_result($qry_result,$i,"id");
    $_SESSION['permission'] = mysql_result($qry_result,$i,"permission");
    $_SESSION['block'] = mysql_result($qry_result,$i,"block");
    $i++;
    }
     
     
     
    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);
    // If result matched $username and $password, table row must be 1 row
     
    if($count==1 && $_SESSION['block']== YES)
     
    {header("location: indexwarn.php");}
     
    //if 1 is not == '' go to indexwarn.php
    if('' != 1)
     
    {header("location: indexwarn.php");}
     
    else {
    // Register $username, $password and redirect to file "login_success.php"
    session_register("username");
    session_register("password");
    header("location: admin/mxz/index.php");
    }
     
    ob_end_flush();
    ?>


Is This A Good Question/Topic? 0
  • +

Replies To: Login not working

#2 tlhIn`toq  Icon User is offline

  • Please show what you have already tried when asking a question.
  • member icon

Reputation: 5676
  • View blog
  • Posts: 12,199
  • Joined: 02-June 10

Re: Login not working

Posted 25 January 2012 - 11:49 AM

Just a thought... If one of the fields is blank don't even submit it.
-or-
Disable the submit button if the fields are blank
-or-
Make your check smarter....
If the username is blank, the return value from the database is therefore blank. And blank does equal blank so it matches.
-or-
If one of the fields is blank then return failed
-or-
Well you get the idea... There are lots of ways you could handle this if you think about it a little more.

This post has been edited by tlhIn`toq: 25 January 2012 - 12:10 PM

Was This Post Helpful? 2
  • +
  • -

#3 JackOfAllTrades  Icon User is offline

  • Saucy!
  • member icon

Reputation: 6109
  • View blog
  • Posts: 23,666
  • Joined: 23-August 08

Re: Login not working

Posted 25 January 2012 - 12:00 PM

Quote

think about a little more


THIS, THIS, THIS!!! If you actually want to be a programmer, you're going to need to THINK...a LOT! Take what my Klingon friend has given you and put some thought into it.

There are far too many people out there unwilling to put any brain power into solving problems; don't be one of those people.
Was This Post Helpful? 0
  • +
  • -

#4 decongh  Icon User is offline

  • New D.I.C Head

Reputation: -3
  • View blog
  • Posts: 39
  • Joined: 31-December 11

Re: Login not working

Posted 26 January 2012 - 01:59 AM

??There are far too many people out there unwilling to put any brain power into solving problems; don't be one of those people. ??

What do you mean by that,or is just your way of life????

That i have no brains to do anything on my own????
If you have nothing to contribute to this forum, i suggest you keep your month shut up not down.The way you think,is not the same way others think.I will not take kind to your insults, not one bit.

tlhIn`toq's guide is the way forward, learn from him. His valuable contributions is what we need here, not your insults and bossy way of handling things.You are Offensively self-assured that your brain power is so high, well,we are just learning.

Some of us are new to programming,hence some of the questions we ask.If some questions troubles you, just move on, and stop the insults.I personally do not think this is where you belong.
Was This Post Helpful? -2
  • +
  • -

#5 JackOfAllTrades  Icon User is offline

  • Saucy!
  • member icon

Reputation: 6109
  • View blog
  • Posts: 23,666
  • Joined: 23-August 08

Re: Login not working

Posted 26 January 2012 - 04:50 AM

It's called driving the point home.

In any event, to your problems. The tutorial from which you're working is crap because it stores passwords in cleartext; NEVER store passwords in cleartext. Sadly, the login script tutorial here does the same thing. I will need to fix that by creating a new one at some point.

I am therefore VERY HAPPY to see that you took pains to change to use sha1 on the password, AND that you're using mysql_real_escape_string; I don't think you need the stripslashes calls as a result. You also don't need to use mysql_real_escape_string call on the hashed password, as that will be sanitized by virtue of it being hashed.

I would keep the trim calls on your username and password that you've commented out.

Now, to the code you added.

$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
 
$result=mysql_query($sql);
$qry_num = 0;
$qry_result = mysql_QUERY($sql); //select query\
$qry_num = mysql_numrows($qry_result);
$i = 0;
 
while($i < $qry_num)
{
    $_SESSION['myid'] = mysql_result($qry_result,$i,"id");
    $_SESSION['permission'] = mysql_result($qry_result,$i,"permission");
    $_SESSION['block'] = mysql_result($qry_result,$i,"block");
    $i++;
}


If you only care about the id, permission, and block fields, then only SELECT those from the database.

SELECT id, permission, block FROM $tbl_name WHERE username='$username' and password='$password'


Next, you're running the query and doing nothing with it:
 
$result=mysql_query($sql);
$qry_num = 0;


Lose that.

Now you're running the query
$qry_result = mysql_QUERY($sql); //select query
$qry_num = mysql_numrows($qry_result);


, but you don't check for failure (is QUERY supposed to be capitalized here??? Also, it's mysql_num_rows)

$qry_result = mysql_query($sql); //select query
if (!$qry_result) {
    die("Query {$sql} failed: " . mysql_error());
}
$qry_num = mysql_num_rows($qry_result);


You call mysql_num_rows again later for some reason; that's not necessary, so remove that.

After you call mysql_num_rows, if the value of $qry_num is 0, you should immediately redirect back to login.

$i = 0;
while($i < $qry_num)
{
    $_SESSION['myid'] = mysql_result($qry_result,$i,"id");
    $_SESSION['permission'] = mysql_result($qry_result,$i,"permission");
    $_SESSION['block'] = mysql_result($qry_result,$i,"block");
    $i++;
}


The better way to do that would be:
$row = mysql_fetch_array($qry_result);
$_SESSION['myid'] = $row['id'];
$_SESSION['permission'] = $row['permission'];
$_SESSION['block'] = $row['block'];


Don't know what you're doing here:
//if 1 is not == '' go to indexwarn.php
if('' != 1)


That makes no sense whatsoever.

There's no need to use session_register on the password. You should avoid keeping copies of the password anywhere but in the DB.
Was This Post Helpful? 4
  • +
  • -

#6 xxxjj18  Icon User is offline

  • D.I.C Head
  • member icon

Reputation: 53
  • View blog
  • Posts: 167
  • Joined: 30-November 11

Re: Login not working

Posted 26 January 2012 - 05:42 AM

You could do a simple

$username = htmlspecialchars($_POST["username"]);
$password = htmlspecialchars($_POST["password"]);

if(isset($username) && isset($password)) {

  //Fields are good, now you can log them in

}else{
  print "Please fill out all fields!";
}



Edit:

But JackOfAllTrades is right; the tutorial you're using is very... Off the point lol.

I don't think he was trying to be a jerk about it or anything; he was just making the point to put a little more effort into it, though in a more brash way. I understand his point though; there were plenty of times when I was beginning out programming that I made simple mistakes because I wasn't paying attention or truly understanding what the script did.

Anyway, I'd recommend that you choose a different tutorial; that one has an odd way of doing things -- let alone an insecure and inefficient one.

Good luck with your programming

This post has been edited by xxxjj18: 26 January 2012 - 05:53 AM

Was This Post Helpful? 1
  • +
  • -

#7 decongh  Icon User is offline

  • New D.I.C Head

Reputation: -3
  • View blog
  • Posts: 39
  • Joined: 31-December 11

Re: Login not working

Posted 26 January 2012 - 11:55 AM

View PostJackOfAllTrades, on 26 January 2012 - 04:50 AM, said:

It's called driving the point home.

In any event, to your problems. The tutorial from which you're working is crap because it stores passwords in cleartext; NEVER store passwords in cleartext. Sadly, the login script tutorial here does the same thing. I will need to fix that by creating a new one at some point.

I am therefore VERY HAPPY to see that you took pains to change to use sha1 on the password, AND that you're using mysql_real_escape_string; I don't think you need the stripslashes calls as a result. You also don't need to use mysql_real_escape_string call on the hashed password, as that will be sanitized by virtue of it being hashed.

I would keep the trim calls on your username and password that you've commented out.

Now, to the code you added.

$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
 
$result=mysql_query($sql);
$qry_num = 0;
$qry_result = mysql_QUERY($sql); //select query\
$qry_num = mysql_numrows($qry_result);
$i = 0;
 
while($i < $qry_num)
{
    $_SESSION['myid'] = mysql_result($qry_result,$i,"id");
    $_SESSION['permission'] = mysql_result($qry_result,$i,"permission");
    $_SESSION['block'] = mysql_result($qry_result,$i,"block");
    $i++;
}


If you only care about the id, permission, and block fields, then only SELECT those from the database.

SELECT id, permission, block FROM $tbl_name WHERE username='$username' and password='$password'


Next, you're running the query and doing nothing with it:
 
$result=mysql_query($sql);
$qry_num = 0;


Lose that.

Now you're running the query
$qry_result = mysql_QUERY($sql); //select query
$qry_num = mysql_numrows($qry_result);


, but you don't check for failure (is QUERY supposed to be capitalized here??? Also, it's mysql_num_rows)

$qry_result = mysql_query($sql); //select query
if (!$qry_result) {
    die("Query {$sql} failed: " . mysql_error());
}
$qry_num = mysql_num_rows($qry_result);


You call mysql_num_rows again later for some reason; that's not necessary, so remove that.

After you call mysql_num_rows, if the value of $qry_num is 0, you should immediately redirect back to login.

$i = 0;
while($i < $qry_num)
{
    $_SESSION['myid'] = mysql_result($qry_result,$i,"id");
    $_SESSION['permission'] = mysql_result($qry_result,$i,"permission");
    $_SESSION['block'] = mysql_result($qry_result,$i,"block");
    $i++;
}


The better way to do that would be:
$row = mysql_fetch_array($qry_result);
$_SESSION['myid'] = $row['id'];
$_SESSION['permission'] = $row['permission'];
$_SESSION['block'] = $row['block'];


Don't know what you're doing here:
//if 1 is not == '' go to indexwarn.php
if('' != 1)


That makes no sense whatsoever.

There's no need to use session_register on the password. You should avoid keeping copies of the password anywhere but in the DB.

Am very grateful for your help,thanks

View Postxxxjj18, on 26 January 2012 - 05:42 AM, said:

You could do a simple

$username = htmlspecialchars($_POST["username"]);
$password = htmlspecialchars($_POST["password"]);

if(isset($username) && isset($password)) {

  //Fields are good, now you can log them in

}else{
  print "Please fill out all fields!";
}



Edit:

But JackOfAllTrades is right; the tutorial you're using is very... Off the point lol.

I don't think he was trying to be a jerk about it or anything; he was just making the point to put a little more effort into it, though in a more brash way. I understand his point though; there were plenty of times when I was beginning out programming that I made simple mistakes because I wasn't paying attention or truly understanding what the script did.

Anyway, I'd recommend that you choose a different tutorial; that one has an odd way of doing things -- let alone an insecure and inefficient one.

Good luck with your programming

Thanks for wishing me luck, i will get there soon,am grateful.
Was This Post Helpful? 0
  • +
  • -

Page 1 of 1