7 Replies - 5018 Views - Last Post: 08 August 2008 - 07:40 AM

#1 tommyflint

PHP admin login forum problem

Posted 06 August 2008 - 03:37 PM

Hey, I have just completed my forum, and when it comes to logging in as the admin, it for some reason says incorrect details! I have checked the database numerous times to ensure I have the correct username and password, and still it just won't seem to work :s Any ideas?
I am fairly new to all of this, so if there is any other bit of code needed to find the problem, just ask.
Cheers.
<?php

session_start();

require("config.php");
require("functions.php");

$db = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($dbdatabase, $db);

if($_POST['submit']) {
	$sql = "SELECT * FROM admins WHERE username = '" . $_POST['username'] . "' AND password = '" . $_POST['password'] . "';";
	
	$result = mysql_query($sql);
	$numrows = mysql_num_rows($result);
		
	if($numrows == 1) {	
		$row = mysql_fetch_assoc($result);
		
		session_register("ADMIN");
		$_SESSION['ADMIN'] = $row['username'];
		
		switch($_GET['ref']) {
			case "add":
				header("Location: " . $config_basedir . "/addforum.php");
			break;

			case "cat":
				header("Location: " . $config_basedir . "/addcat.php");
			break;

			case "del":
				header("Location: " . $config_basedir);
			break;
			
			default:
				header("Location: " . $config_basedir);
			break;
		}		
	}
	else {
		header("Location: " . $config_basedir . "/admin.php?error=1");
	}
}
else {

	require("header.php");

	echo "<h2>Admin login</h2>";
		
	if($_GET['error']) {
		echo "Incorrect login, please try again!";
	}

?>

<form action="<?php echo pf_script_with_get($SCRIPT_NAME); ?>" method="post">

<table>
<tr>
	<td>Username</td>
	<td><input type="text" name="username"></td>
</tr>
<tr>
	<td>Password</td>
	<td><input type="password" name="password"></td>
</tr>
<tr>
	<td></td>
	<td><input type="submit" name="submit" value="Login!"></td>
</tr>
</table>
</form>

<?php
}
require("footer.php");
?>




Replies To: PHP admin login forum problem

#2 BetaWar

Re: PHP admin login forum problem

Posted 06 August 2008 - 04:16 PM

I would suggest making the passwords NOT stored as plain text; it is too easy to get bad things done to them. Also make sure to take security into account. You don't have anything protecting from SQL injections! Your usernames are also currently case sensitive, so make sure that you type it in exactly as it is.

I am not seeing any errors in your code but you may want to add or die(mysql_error()); to the end of your mysql statements to make sure that it isn't erroring out and not displaying an error message.

Maybe someone else will be able to help you out more but I haven't done much with PHP in a while.

#3 pemcconnell

Re: PHP admin login forum problem

Posted 07 August 2008 - 02:31 AM

Hi tommy,

I've tested the following code and this code will work well for you:

<?php

//put your header info & connection details here
session_start();
require("config.php");
require("functions.php");
require("header.php");

$db = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($dbdatabase, $db);

if(isset($_POST['submit'])) {
	//shouldn't have a '*' - always just choose the columns you need, or just the index if you need to check if a record is there. Also if you know how many records you want, tell
	//mysql that with the LIMIT
	//e.g. $sql = "SELECT userId FROM admins WHERE username = '" . $_POST['username'] . "' AND password = '" . $_POST['password'] . "' LIMIT 1;";
	//which will make your site faster - and less strain on the server

	$sql = "SELECT userId, username FROM admins WHERE username = '" . $_POST['username'] . "' AND password = '" . $_POST['password'] . "' LIMIT 1;";

				//added 'or die(mysql_error()); to help you debug if this doesn't work for some reason
	$result = mysql_query($sql)or die(mysql_error());

	$numrows = mysql_num_rows($result);
				//changed the next line to '> 0' instead of == 1. '== 1' will work now that LIMIT 1 has been added, it's just a habit of mine to check that there are rows as opposed to checking if there is just one row returned.

	if($numrows > 0) {	
		$row = mysql_fetch_assoc($result);
		
		session_register("ADMIN");
		$_SESSION['ADMIN'] = $row['username'];
		
		echo '<h2>Logged in successfully!</h2>';

switch($_GET['ref']) {
			case "add":
				header("Location: " . $config_basedir . "/addforum.php");
			break;

			case "cat":
				header("Location: " . $config_basedir . "/addcat.php");
			break;

			case "del":
				header("Location: " . $config_basedir);
			break;
			
			default:
				header("Location: " . $config_basedir);
			break;
		}

		
	}
	else {
							   //no records found - details must be wrong
		echo "<h2>Incorrect login, please try again!</h2>";
		//header("Location: " . $config_basedir . "/admin.php?error=1");
	}
}else{
		//note that header.php is at the top now - it was being excluded when the form was submitted originally
		//form hasn't been submitted. display default message
	
	   echo "<h2>Admin login</h2>";
		
	  if($_GET['error']) {
		  echo "Incorrect login, please try again!";
	  }
	   
?>

<!-- changed action to test.php for me to test - change it back to whatever you need it to be -->
<form action="test.php" method="post">

<table>
<tr>
	<td>Username</td>
	<td><input type="text" name="username" /></td>
</tr>
<tr>
	<td>Password</td>
	<td><input type="password" name="password" /></td>
</tr>
<tr>
	<td></td>
	<td><input type="submit" name="submit" value="Login!" /></td>
</tr>
</table>
</form>

<?php
}
//footer info here
require("footer.php");
?>



If you are still having issues I would check that you are using the correct username and password. Are there two users with the same username and password? (If so, you were only checking if only one row was returned, therefore making the script think it was wrong.)

I would also recommend that you review a MySQL optimisation topic on this site just to improve the speed of your applications. As an outset, the '*' operator in a SELECT statement is a no-no.

Other than that your code's grand - impressive for someone who is new to the language. Keep it up!


/* EDIT */

And as BetaWar said, you should look at encryption - not as hard as you may think. The most common form of encryption for PHP is md5 - have a look through this site to learn more. As a brief:

<?php

//MAKE SURE YOUR MySQL COLUMN WHICH WILL STORE YOUR PASSWORD HAS A LENGTH OF 32  !!!

$password = 'dogsnose';

$encryptedpassword = md5($password); // will give you an encrypted version of $password

//echo $encryptedpassword; - if you're curious to see what it does

$sql = "INSERT INTO admins (username, password) VALUES ('".$username."', '".md5($password)."');";
mysql_query($sql)or die(mysql_error());

//AND LIKEWISE

$password = 'dogsnose';
//the password in the database is the md5 version of dogsnose

$sql = "SELECT userid FROM admins WHERE username = '".$username."' AND password='".md5($password)."' LIMIT 1";

?>



So basically, ensure your 'password' column has a length of 32, and just wrap md5() round your $password when you're in a SQL statement.

This post has been edited by pemcconnell: 07 August 2008 - 03:23 AM
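
Added example, not part of any post in this thread and not the posters' code: the admin check discussed above, with the username bound through a prepared statement instead of concatenated into the SQL, and the password stored with password_hash() and checked with password_verify() rather than compared in the WHERE clause. It assumes PHP 5.5+ with PDO and the pdo_sqlite driver; the in-memory SQLite table, the function names create_admin() and check_admin_login(), and the sample account are constructed for illustration.

```php
<?php
// Added example (not from the thread). An in-memory SQLite table stands in
// for the thread's MySQL `admins` table; all data below is constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// bcrypt hashes from password_hash() are 60 characters today; the PHP manual
// recommends a 255-character column so future algorithms still fit.
// A 32-character column sized for md5() is too short.
$pdo->exec('CREATE TABLE admins (
    userId   INTEGER PRIMARY KEY,
    username VARCHAR(30)  NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL
)');

function create_admin(PDO $pdo, $username, $password)
{
    // Salted, deliberately slow hash; salt and cost are stored inside the string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO admins (username, password) VALUES (?, ?)');
    $stmt->execute(array($username, $hash));
}

function check_admin_login(PDO $pdo, $username, $password)
{
    // The username is bound as a parameter, never pasted into the SQL text,
    // so a quote character in the input cannot change the query's structure.
    $stmt = $pdo->prepare(
        'SELECT userId, username, password FROM admins WHERE username = ? LIMIT 1'
    );
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is not part of the WHERE clause: fetch the stored hash,
    // then let password_verify() re-hash the candidate and compare.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return array('userId' => (int) $row['userId'], 'username' => $row['username']);
}

create_admin($pdo, 'admin', 'dogsnose');

// Constructed inputs: a correct login, a wrong password, and a username that
// contains a single quote (which breaks the concatenated queries in the thread).
$attempts = array(
    array('admin', 'dogsnose'),
    array('admin', 'wrong'),
    array("o'brien", 'anything'),
);

foreach ($attempts as $attempt) {
    list($user, $pass) = $attempt;
    $admin = check_admin_login($pdo, $user, $pass);
    printf("%-10s => %s\n", $user, $admin ? 'accepted' : 'rejected');
}
```

Against the thread's MySQL database only the PDO connection string changes (a `mysql:` DSN with host and database name); the two functions stay the same.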


#4 tommyflint

Re: PHP admin login forum problem

Posted 07 August 2008 - 04:34 AM

Hey, cheers for the encryption tip guys. Admin login still doesn't appear to be working, but I'll keep trying. Maybe if I gave you the code for the user login, which does work, you could maybe work it out then.
Anyway, a great thanks for trying =]
<?php

session_start();

require("config.php");
require("functions.php");


$db = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($dbdatabase, $db);

if($_POST['submit']) {
$sql = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "' AND password = '" . $_POST['password'] . "';";
	
	$result = mysql_query($sql);
	$numrows = mysql_num_rows($result);
		
	if($numrows == 1) {	
		$row = mysql_fetch_assoc($result);
		
		if($row['active'] == 1) {
			session_register("USERNAME");
			session_register("USERID");
		
			$_SESSION['USERNAME'] = $row['username'];
			$_SESSION['USERID'] = $row['id'];

			switch($_GET['ref']) {
				case "newpost":
					if(isset($_GET['id']) == FALSE) {
						header("Location: " . $config_basedir . "/newtopic.php");
					}
					else {
						header("Location: " . $config_basedir . "/newtopic.php?id=" . $_GET['id']);
					}
				break;
	
				case "reply":
				// fix this
					if(isset($_GET['id']) == FALSE) {
						header("Location: " . $config_basedir . "/newtopic.php");
					}
					else {
						header("Location: " . $config_basedir . "/newtopic.php?id=" . $_GET['id']);
					}
				break;
				
				default:
					header("Location: " . $config_basedir);
				break;
			}
		}
		else {
			require("header.php");
			echo "This account is not verified yet. You were emailed a link to verify the account. Please click on the link in the email to continue.";
		}			
	}
	else {
		header("Location: " . $config_basedir . "/login.php?error=1");
	}
}
else {

	require("header.php");
	
	if($_GET['error']) {
		echo "Incorrect login, please try again!";
	}

?>

<form action="<?php echo pf_script_with_get($SCRIPT_NAME); ?>" method="post">

<table>
<tr>
	<td>Username</td>
	<td><input type="text" name="username"></td>
</tr>
<tr>
	<td>Password</td>
	<td><input type="password" name="password"></td>
</tr>
<tr>
	<td></td>
	<td><input type="submit" name="submit" value="Login!"></td>
</tr>
</table>
</form>
Don't have an account? Go and <a href="register.php">Register</a>!
<?php
}
require("footer.php");
?>



#5 pemcconnell

Re: PHP admin login forum problem

Posted 07 August 2008 - 05:10 AM

Strange - works fine on mine.

I re-wrote the code again, and re-tested, with added comments, and I still can't get it to fall down.

Here is the new code:

<?php

session_start();


//REMOVED THESE AS I DON'T HAVE THEM :)
/*require("config.php");
require("functions.php");
*/

//Added header.php to top so it appears whether login went well or not (commented because I don't have it)
//require("header.php");

//ADDED THESE FOR MY TESTING
$dbhost = 'localhost';
$dbuser = 'root';
$dbpassword = 'myserverpassword';
$dbdatabase = 'test';

$db = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($dbdatabase, $db);

if(isset($_POST['submit'])) {
//$sql = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "' AND password = '" . $_POST['password'] . "';";
$sql = "SELECT userId, active FROM users WHERE userName = '" . $_POST['username'] . "' AND userPwd = '" . $_POST['password'] . "' LIMIT 1;";
	
	$result = mysql_query($sql);
	$numrows = mysql_num_rows($result);
	
	//if($numrows == 1) {	
	if($numrows > 0) {	
		$row = mysql_fetch_assoc($result);
		
		if($row['active'] == 1) {
			echo 'logged in';
		// WORKS
			session_register("USERNAME");
			session_register("USERID");
		
			//$_SESSION['USERNAME'] = $row['username'];
			$_SESSION['USERNAME'] = $_POST['username']; //might as well get this data from the form instead of making the database work for it
			//$_SESSION['USERID'] = $row['id']; - just changed to suit my test database table
			$_SESSION['USERID'] = $row['userId'];

			switch($_GET['ref']) {
				case "newpost":
					//if(isset($_GET['id']) == FALSE) {
					//just tidied up a bit
					if(!$_REQUEST['id']){
						header("Location: " . $config_basedir . "/newtopic.php");
					}
					else {
						header("Location: " . $config_basedir . "/newtopic.php?id=" . $_GET['id']);
					}
				break;
	
				case "reply":
				// fix this - i changed the code slightly - don't know what it's supposed to do so it mightn't have fixed anything - just took a shot in the dark :)
					if(!$_REQUEST['id']){
					//if(isset($_GET['id']) == FALSE) {
						header("Location: " . $config_basedir . "/newtopic.php");
					}
					else {
						header("Location: " . $config_basedir . "/newtopic.php?id=" . $_GET['id']);
					}
				break;
				
				default:
					//header("Location: " . $config_basedir); - commented for my testing purposes
					echo '<br />No ref found';
				break;
			}
		}
		else {
			//INACTIVE USER
			
			//header.php moved to top
			//require("header.php");
			echo "This account is not verified yet. You were emailed a link to verify the account. Please click on the link in the email to continue.";
		}			
	}
	else {
		//WRONG LOGIN DETAILS
		
		//header("Location: " . $config_basedir . "/login.php?error=1"); - commented out for testing purposes
		
		echo 'Wrong details!';
		
		// WORKS :)
	}
}
else {
	//FORM NOT SUBMITTED
	
	
	//moved header.php to top
	   //require("header.php");
	
	if($_GET['error']) {
		echo "Incorrect login, please try again!";
		
		// WORKS :)
	}

?>

<form action="<?php echo /*pf_script_with_get($SCRIPT_NAME);*/ 'test.php'; ?>" method="post">

<table>
<tr>
	<td>Username</td>
	<td><input type="text" name="username" /></td>
</tr>
<tr>
	<td>Password</td>
	<td><input type="password" name="password" /></td>
</tr>
<tr>
	<td></td>
	<td><input type="submit" name="submit" value="Login!" /></td>
</tr>
</table>
</form>
Don't have an account? Go and <a href="register.php">Register</a>!
<?php
}
//require("footer.php"); - don't have it
?>



And 'just in casey' I have added the MySQL dump of the table i was using:

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

--
-- Database: `test`
--

-- --------------------------------------------------------

--
-- Table structure for table `users`
--

CREATE TABLE IF NOT EXISTS `users` (
  `userId` int(11) NOT NULL auto_increment,
  `userName` varchar(30) NOT NULL,
  `userPwd` varchar(32) NOT NULL,
  `active` tinyint(1) NOT NULL default '0',
  PRIMARY KEY  (`userId`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2;

--
-- Dumping data for table `users`
--

INSERT INTO `users` (`userId`, `userName`, `userPwd`, `active`) VALUES
(1, 'John', 'password', 1);




I tested all three scenarios (login wrong, not activated and logged in successfully) and they all showed up perfectly.

Use only the code I have supplied first, then file by file, add in your 'requires'. There could be a problem with one of those which may be affecting your form.

Hope that works!

#6 tommyflint

Re: PHP admin login forum problem

Posted 07 August 2008 - 06:51 AM

Sorted =] Thanks ever so much, pemcconnell! Cheers for taking the time to test it.

#7 pemcconnell

Re: PHP admin login forum problem

Posted 07 August 2008 - 06:55 AM

Not a problem - Always glad to help :)

Feel free to give me a shout at any stage if you run into difficulties, but as I said before, your code is very impressive for someone who is just starting off.

#8 deva_charles

Re: PHP admin login forum problem

Posted 08 August 2008 - 07:40 AM

Hi friend,

I'm new to PHP. Right now my projects are in PHP, so my suggestion for you is:


1. Don't give session_start() after php statement.

Ex:

<?php

include("db_connect.php");
if (isset($_POST['submit'])) {
	$username = $_POST['user'];
	$pwd = $_POST['pass'];
	// look up the admin row matching the submitted username and password
	$selqry = "select * from tb_admin where var_user='$username' and var_pass='$pwd'";
	$resqry = mysql_query($selqry);
	$rows = mysql_num_rows($resqry);
	if ($rows == 0) {
		header("Location:index.php"); //return to same page
	}
	else {
		$fetchqry = mysql_fetch_array($resqry);
		$userid = $fetchqry['var_user_id'];
		$usr = $fetchqry['var_user'];
		session_start(); //session should be added here.
		$_SESSION['sessionId'] = $userid;
		$_SESSION['sessionName'] = $usr;

		header("Location:nextPage.php");
	}
}
?>