7 Replies - 1924 Views - Last Post: 24 June 2012 - 05:28 AM

#1 cpumatt

Checking if user exists

Posted 21 June 2012 - 07:47 PM

This is my problem, I can't get my php program to successfully check if the username already exists in my table 'users'. I type in my information (making sure that user doesn't exist) and hit enter. I get nothing back, just a blank web page.

By the way, I know there are some security flaws (I'm fixing them later).

<?php
	
	//connecting to database
	$connect = mysql_connect(localhost, mattsmin_user, roots);
		if(!$connect) {
			die("Could not connect: " . mysql_error());
		}
		
	//choose database to use
	$database = mysql_select_db(mattsmin_data);
		if(!$database) {
			die("Could not connect to database: " . mysql_error());
		}
	
	//acquire usernames from the form login.php
	$username = $_POST['username'];
	$password = $_POST['password'];
	
	//check if user supplied a username to log in with
	if($username == FALSE) {
		echo "You forgot a username! ";
	}
	
	//check if user supplied password to log in with
	if($password == FALSE) {
		echo "You forgot a password! ";
	}
	
	$query = mysql_query("SELECT username, password FROM users WHERE username = '$username' and password = '$password' ");
	$result = mysql_query($query) or die(mysql_error());
	
	$count = mysql_num_rows($result);
	
	if($count < 0) {
		header('index.php');
	}
	else {
		echo "Username or password was typed wrong. Go <a href='login.php'>back</a>?";
	}

?>




Replies To: Checking if user exists

#2 e_i_pi

Re: Checking if user exists

Posted 21 June 2012 - 07:54 PM

First up, you should use PDOs instead of the mysql_* functions. Those functions are obsolete and are soon to be deprecated. They are also wide open to SQL injection, especially in instances such as the way you are handling the user input.

That said, the problem is that on line 29 you are generating a result, and then trying to mysql_query the result. You need only run the query once. Change line 29 to this:
$query = "SELECT username, password FROM users WHERE username = '$username' and password = '$password'";


...and it should work.

Look into PDOs, there are two great tutorials by Dormilich on the matter right here at DIC:
Be Prepared for your Database
Introduction to PDO

#3 cpumatt

Re: Checking if user exists

Posted 21 June 2012 - 08:46 PM

It's still not working.

Go here, and click login to see what I'm seeing: http://mattsmind.x10.mx/

Just type in any username and password. The code should generate an error message, but it's not. I'm connected to the database too.

Wait! Nevermind! I forgot to upload it from my FTP Notepad++ editor. It ended up working. Thank you, sir!

#4 Dormilich

Re: Checking if user exists

Posted 21 June 2012 - 10:49 PM

Note:
- lines #16/17 are superfluous, you gain nothing on those lines except obfuscating where your data come from (which immediately traps you in SQL injection)

- lines #20/25 work because PHP fixes it automatically. Any user data always comes in as string. Always. Your luck is that "" (empty string) or null are equivalent to false.

- lines #4/10 generate notices. You certainly mean the values to be strings, not constants (again an error PHP fixes for you)

- line #34, if $count < 0 ??? what is a negative count of DB results?

- line #35, if you have echo’ed a warning (missing username/password), the redirect won’t work (headers already sent)

#5 cpumatt

Re: Checking if user exists

Posted 22 June 2012 - 07:51 AM

Dormilich, on 21 June 2012 - 10:49 PM, said:

Note:
- lines #16/17 are superfluous, you gain nothing on those lines except obfuscating where your data come from (which immediately traps you in SQL injection)

- lines #20/25 work because PHP fixes it automatically. Any user data always comes in as string. Always. Your luck is that "" (empty string) or null are equivalent to false.

- lines #4/10 generate notices. You certainly mean the values to be strings, not constants (again an error PHP fixes for you)

- line #34, if $count < 0 ??? what is a negative count of DB results?

- line #35, if you have echo’ed a warning (missing username/password), the redirect won’t work (headers already sent)



I fixed lines #20/25 and replaced them with
if(empty($username)) {}


Would this work?

This post has been edited by Dormilich: 22 June 2012 - 02:49 PM
Reason for edit:: fixed code tags


#6 xtremer360

Re: Checking if user exists

Posted 22 June 2012 - 10:58 AM

I agree with Dormilich!

#7 Dormilich

Re: Checking if user exists

Posted 22 June 2012 - 02:50 PM

let me put it this way: it makes more sense.

#8 rpgmaker

Re: Checking if user exists

Posted 24 June 2012 - 05:28 AM

I've just written a basic bit of code for you.



$tbl_name = "users";

$myusername = mysql_real_escape_string($_POST['myusername']);
$mypassworduncript = mysql_real_escape_string($_POST['mypassword']);
$mypassword = md5($mypassworduncript);

$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and  password='$mypassword'";
$result = mysql_query($sql);

// Replace counting function based on database you are using.
$count = mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if ($count == 1) {
  // Register $myusername, $mypassword and redirect to file "login_success.php"
  $_SESSION['username'] = $myusername;
  header("Location: home.php");
} else {
  echo "Wrong Username or Password";
}




You can edit the select to whatever you like...

The
if ($count == 1) {
  // Register $myusername, $mypassword and redirect to file "login_success.php"
  $_SESSION['username'] = $myusername;
  header("Location: home.php");
}

is just a simple if statement, so if there is 1 row then it will do whatever is inside the if (in this example, set a session variable).

Then we do an else just in case the user is not in the db


} else {
  echo "Wrong Username or Password";
}


Here we echo out a message saying there is no account or that the info is wrong. You can edit the code to your needs. As said above by other users, PDO would be the best way to do it, but I just coded this quickly in mysql for you.

So here is the full code



$tbl_name = "users";

$myusername = mysql_real_escape_string($_POST['myusername']);
$mypassworduncript = mysql_real_escape_string($_POST['mypassword']);
$mypassword = md5($mypassworduncript);

$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and  password='$mypassword'";
$result = mysql_query($sql);

// Replace counting function based on database you are using.
$count = mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if ($count == 1) {
  // Register $myusername, $mypassword and redirect to file "login_success.php"
  $_SESSION['username'] = $myusername;
  header("Location: home.php");
} else {
  echo "Wrong Username or Password";
}

echo "<p> </p>";




Just make sure you do a db connect and a session start before the code.

This post has been edited by rpgmaker: 24 June 2012 - 05:30 AM


Page 1 of 1
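
Added example (not part of the thread, and not code from any of its posters): the same username/password check done with a PDO prepared statement, as replies #2 and #8 recommend, and with password_hash()/password_verify() in place of md5(). Assumptions: an in-memory SQLite database stands in for the MySQL server so the script runs offline (needs the pdo_sqlite extension and PHP 7.1+), and check_login(), the password_hash column and the sample accounts are hypothetical names constructed here.

```php
<?php
// Added example, not code from the thread. The SQLite in-memory database,
// the table layout and the sample account are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Registration side: store a salted, slow hash, never the password or a bare md5().
$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$insert->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

/** Returns true only if the user exists and the password matches the stored hash. */
function check_login(PDO $pdo, $username, $password)
{
    // Form fields arrive as strings; reject missing or empty ones explicitly.
    if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
        return false;
    }
    // The username is bound as data, so a quote in it cannot change the SQL text.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();   // false when no row matched
    return $hash !== false && password_verify($password, $hash);
}

// Constructed inputs: valid login, wrong password, a username containing a
// single quote (it would break the concatenated query), and an empty username.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ["o'brien", 'anything'],
    ['', 'x'],
];
foreach ($attempts as [$u, $p]) {
    $outcome = check_login($pdo, $u, $p) ? 'accepted' : 'rejected';
    printf("%-12s => %s\n", var_export($u, true), $outcome);
}
```

In a login page, call check_login() before any output is sent; on success set the session value, send header("Location: home.php") and exit, which avoids the "headers already sent" problem raised in reply #4.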