[cpumatt]

This is my problem, I can't get my php program to successfully check if the username already exists in my table 'users'. I type in my information (making sure that user doesn't exist) and hit enter. I get nothing back, just a blank web page.

By the way, I know there are some security flaws (I'm fixing them later).

<?php
	
	//connectingto database
	$connect = mysql_connect(localhost, mattsmin_user, roots);
		if(!$connect) {
			die("Could not donnect: " . mysql_error()); 
		}
		
	//choose databse to use
	$database = mysql_select_db(mattsmin_data);
		if(!$database) {
			die("Could not connect to database: " . mysql_error());
		}
	
	//aquire usernames from the form login.php
	$username = $_POST['username'];
	$password = $_POST['password'];
	
	//check if user supplied a username to log in with
	if($username == FALSE) {
		echo "You forgot a username! ";
	}
	
	//check if user supplied password to log in with
	if($password == FALSE) {
		echo "You forgot a password! ";
	}
	
	$query = mysql_query("SELECT username, password FROM users WHERE username = '$username' and password = '$password' ");
	$result = mysql_query($query) or die(mysql_error());
	
	$count = mysql_num_rows($result);
	
	if($count < 0) {
		header('index.php');
	}
	else {
		echo "Username or password was typed wrong. Go <a href='login.php'>back</a>?";
	}

?>

[e_i_pi]

First up, you should use PDOs instead of the mysql_* functions. Those functions are obselete and are soon to be deprecated. They are also wide open to SQL injection, especially in instances such as the way you are handling the user input.

That said, the problem is that on line 29 you are generating a result, and then trying to mysql_query the result. You need only run the query once. Change line 29 to this:

$query = "SELECT username, password FROM users WHERE username = '$username' and password = '$password'";

...and it should work.

Look into PDOs, there are two great tutorials by Dormilich on the matter right here at DIC:
Be Prepared for your Database
Introduction to PDO

[cpumatt]

It's still not working.

Go here, and click login to see what I'm seeing: http://mattsmind.x10.mx/

Just type in any username and password. The code should generate an error message, but it's not. I'm connected to the database too.

Wait! Nevermind! I forgot to upload it from my FTP Notepad++ editor. It ended up working. Thank you, sir!

[Dormilich]

note:
- lines #16/17 are superfluous, you gain nothing on that lines except obfuscating where your data come from (which immediately trap you in SQL injection)

- lines #20/25 work because PHP fixes it automatically. Any user data always comes in as string. Always. your luck is that "" (empty string) or null are equivalent to false.

- lines #4/10 generate notices. you certainly mean the values to be strings, not constants (again an error PHP fixes for you)

- line #34, if $count < 0 ??? what is a negative count of DB results?

- line #35, if you have echo’ed a warning (missing username/password), the redirect won’t work (headers already sent)

[cpumatt]

Dormilich, on 21 June 2012 - 10:49 PM, said:

note:
- lines #16/17 are superfluous, you gain nothing on that lines except obfuscating where your data come from (which immediately trap you in SQL injection)

- lines #20/25 work because PHP fixes it automatically. Any user data always comes in as string. Always. your luck is that "" (empty string) or null are equivalent to false.

- lines #4/10 generate notices. you certainly mean the values to be strings, not constants (again an error PHP fixes for you)

- line #34, if $count < 0 ??? what is a negative count of DB results?

- line #35, if you have echo’ed a warning (missing username/password), the redirect won’t work (headers already sent)

I fixed lines #20/25 and replaced them with

if(empty($username)) {}

Would this work?

This post has been edited by Dormilich: 22 June 2012 - 02:49 PM
Reason for edit:: fixed code tags

[xtremer360]

I agree with Dormilich!

[Dormilich]

let me put it this way: it makes more sense.

[rpgmaker]

Ive just wrote a basic bit of code for you.

$tbl_name="users"; 

$myusername = mysql_real_escape_string($_POST['myusername']);
	$mypassworduncript = mysql_real_escape_string($_POST['mypassword']);
	
	
	$mypassword = md5($mypassworduncript);



$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and  password='$mypassword'";
$result = mysql_query($sql);

// Replace counting function based on database you are using.
$count = mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count == 1){
  // Register $myusername, $mypassword and redirect to file "login_success.php"
  
$_SESSION['username'] = $myusername ;


header("Location: home.php");
} else {
  echo "Wrong Username or Password";
}

You can edit the select to what ever you like...

The

if($count == 1){
  // Register $myusername, $mypassword and redirect to file "login_success.php"
  
$_SESSION['username'] = $myusername ;


header("Location: home.php");
}

Is just a simple if statement so if there is 1 row then it will do what ever is in side the if. ( in this example set a session vraible. )

Then we do a else just in case the user is not in the db

} else {
  echo "Wrong Username or Password";
}

Here we echo out a message saying there is no account or that the info is wrong. You can edit the code to your needs. Has said above by other users pdo would be the best way to do it. But just coded this quick in mysql for you.

So here is the full code

$tbl_name="users"; 

$myusername = mysql_real_escape_string($_POST['myusername']);
	$mypassworduncript = mysql_real_escape_string($_POST['mypassword']);
	
	
	$mypassword = md5($mypassworduncript);



$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and  password='$mypassword'";
$result = mysql_query($sql);

// Replace counting function based on database you are using.
$count = mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count == 1){
  // Register $myusername, $mypassword and redirect to file "login_success.php"
  
$_SESSION['username'] = $myusername ;


header("Location: home.php");
} else {
  echo "Wrong Username or Password";
}


echo"<p> </p>";

just make sure you do a db connect and a session start be for the code.

This post has been edited by rpgmaker: 24 June 2012 - 05:30 AM