
#1 sinfulangle

Why won't the whole code execute?

Posted 05 November 2013 - 12:30 AM


<?php // start php code
session_start();

//take and set username and password from index.php
$username = $_POST['username'];
$password = $_POST['password'];

if ($username&&$password) // check for no empty fields
{
    //connect to db
    $connect = mysql_connect("mysql4.000webhost.com","a6344434_mgma","chd1it") or die("Couldn't connect");
    mysql_select_db("a6344434_mgmadb") or die("Couldn't find db");

    $query = mysql_query("SELECT * FROM MGMA WHERE username='$username'");
    $numrows = mysql_num_rows($query);

    if($numrows!=0)
    {
        while ($row = mysql_fetch_assoc($query))
        {
            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }
        //check to see if they match
        if($username==$dbusername&&$password==$dbpassword)
        {
            echo("username/password match!");
        }else
            echo "Incorrect username or password!";
        echo $username;
        echo $password;
    }
    else
        die("That user does not exist!");

}else
    die("Please enter a username and password!"); //if no entry in field
?>




When you run it and log in using the admin account which I made on MySQL, it outputs 'Incorrect username or password!adminadmin'

It should really just say AdminAdmin not 'incorrect etc..'

Some help would be appreciated thanks!

This post has been edited by Dormilich: 05 November 2013 - 02:01 AM
Reason for edit:: un-bolding



Replies To: Why won't the whole code execute?

#2 Peter O

Posted 05 November 2013 - 12:58 AM

Have you spelled the name with the same case as the name in the db?

#3 sinfulangle

Posted 05 November 2013 - 01:10 AM

Peter O, on 05 November 2013 - 12:58 AM, said:

Have you spelled the name with the same case as the name in the db?


Spelt the user/pass correct?

Of course! I've checked multiple times.

#4 Peter O

Posted 05 November 2013 - 01:20 AM

I mean if the username in the database is stored as "Bob" but you try to log in as "bob" it would fail.

#5 Peter O

Posted 05 November 2013 - 01:40 AM

Do you have more than one user with the same username?

The way MySQL compares strings depends on what collation is being used. Unless you have chosen a _bin/binary collation the comparison will be case-insensitive, so if you have two users named "Bob" and "bob" they would both be selected by your query if you tried to log in as "bob", and only the last of the selected users will be checked by the program.

#6 Dormilich

Posted 05 November 2013 - 02:13 AM

additional comments
- line #11, be aware that remote MySQL connections usually need to be enabled explicitly
- line #11, the mysql extension is deprecated, use PDO or MySQLi instead (see signature)
- line #14, there is no check that the query does not throw an error
- line #14, wide open to SQL Injection
- line #19, do you expect duplicate usernames? if not, there is no need for a loop.
- line #25, could be done way easier with a single SQL statement:
SELECT COUNT(*) AS `match` FROM MGMA WHERE username=? AND password=?
-- returns 1 for a match and 0 for no match

- line #33, Syntax Error: Unexpected T_ELSE


Quote

It should really just say AdminAdmin not 'incorrect etc..'

have you checked what the DB actually returns to you?
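
Dormilich's points on lines #11 to #25 (PDO instead of the mysql extension, a query whose failure is not ignored, a placeholder instead of string interpolation, no loop), as an added example that is not code from the thread. It assumes pdo_sqlite with an in-memory table standing in for the MySQL server and a constructed admin account, and it goes one step beyond the thread by storing a password_hash() value instead of the plain-text password; open_demo_db() and check_login() are hypothetical names.

```php
<?php
// Added example, not the thread's code. Assumptions: pdo_sqlite is available,
// an in-memory SQLite table stands in for the MySQL table MGMA, and the
// password column holds a password_hash() value rather than plain text.
function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Failed queries throw an exception instead of silently returning false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE MGMA (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    $insert = $pdo->prepare('INSERT INTO MGMA (username, password) VALUES (?, ?)');
    // Constructed sample account.
    $insert->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

function check_login(PDO $pdo, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;
    }
    // The placeholder sends $username as data; it never becomes SQL text.
    $stmt = $pdo->prepare('SELECT username, password FROM MGMA WHERE username = ?');
    $stmt->execute([$username]);
    // Usernames are unique here, so one fetch replaces the while loop.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Exact name comparison in PHP, so the result does not depend on the
    // column collation (assumption: usernames are meant to be case-sensitive).
    return $row['username'] === $username
        && password_verify($password, $row['password']);
}

$pdo = open_demo_db();
// Constructed inputs: valid login, wrong password, different case,
// and a username containing a quote character.
$cases = [
    ['admin', 'correct horse'],
    ['admin', 'wrong'],
    ['Admin', 'correct horse'],
    ["admin' OR '1'='1", 'x'],
];
foreach ($cases as [$u, $p]) {
    printf("%-20s %s\n", $u, check_login($pdo, $u, $p) ? 'match' : 'no match');
}
```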
