Login script not working

yes, sorry the copyright character was included with the copy and paste, sorry! the problem is that when i run this script, i login with the username and password i have set for myself, and all it does is take me back to the same login screen, the congradulations screen does not appear, which means the script is not working but i dont know why...

The big thing I see is you need to escape your query values to combat possible SQL injection attacks. Change:

$sql = "SELECT * FROM $table_name WHERE username =
'$_POST[username]' AND password = password('$_POST[password]')";

...to...

$username = mysql_real_escape_string($_POST['username']);
$sql = "SELECT * FROM $table_name WHERE username = '" . $username . "' AND password = password('" . $_POST[password] . "')";

I've also changed your variable references to be outside the string, so they evaluate properly. I would have used the mysql_real_escape_string on your $_POST['password'], but it would likely change the outcome of the password() function, and not match your database value.

For further troubleshooing - comment out the calls to header(), and put in some echo statements for debugging, so you can tell exactly where it's failing - if you're getting sent back to the login page at the top of the script, or because the query returned 0 results.

Drop in these debugging statements and let us know which section of the script is bouncing you back to show_login.html.

i get this:

Parse error: syntax error, unexpected T_LOGICAL_OR in C:\Program Files\Apache Group\Apache2\htdocs\authorize.php on line 17

Line 17: if ($num != 0) or die(mysql_error()); {

If that is indeed line 17, it doesn't match the original script provided above. It looks like you're trying to do this (from the original script provided above):

if ($num != 0) {
   $msg = "<P>Congratulations, you're authorized!</p>";
} else {
   header("Location: http://127.0.0.1/show_login.html");
   exit;
}

This block should work - but again, it doesn't match the error for line 17 that you say you're getting.

You can't 'or' an if - you need to use 'else' to accomplish what it looks like your line 17 error is trying to do above. If you need to test multiple things in your if, you can use if(test1=1 || test2=1). the double-pipe is the logical 'or' used in the if tests.

Double check your source and try again.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE username = 'SOME' AND password = password('SOME')' at line

Since "password" is a reserved keyword in MySQL, wrap it in back-quotes to get it to behave as a fieldname instead of a function:

`password` = password('SOME')

nothing seems to be working

$sql = "SELECT * FROM $table_name WHERE username =
'$_POST[username]' AND password = password('$_POST[password]')";
$result = @mysql_query($sql,$connection) or die(mysql_error());



if that is the exact code the book provides my suggestion is to throw the book in the bin right now as its seriously flawed as 'DrNikon224' comment says it opens up SQL injection possibilities and should NEVER be used!

Right, thanks for the info

if any is intrested as to what book it's from it is called: PHP Fast  & Easy Web Development, 2nd Edition

I would recommend the following books:-


The PHP Anthology
Essential PHP Security



both are created by well recognized experts



James

lol...may be i am stupid, but i will do it like this


<?
if ((!isset($_POST['username'])) || (!isset($_POST['password']))) {
   header( "Location: http://127.0.0.1/show_login.html");
   exit;
}
else{
$username = $_POST['username'];
$password = $_POST['password'];
$db_name = "testDB";
$table_name = "auth_users";
$connection = @mysql_connect("localhost", "spike", "9sj7En4")
or die(mysql_error());
$db = @mysql_select_db($db_name, $connection) ©Ú
die(mysql_error());

$sql = "SELECT * FROM $table_name WHERE username =
'".$username."' AND password = '".password($password)."";
$result = @mysql_query($sql,$connection) or die(mysql_error());

$num = mysql_num_rows($result);
if ($num != 0) {
   $msg = "<P>Congratulations, you're authorized!</p>";
} else {
   header("Location: http://127.0.0.1/show_login.html");
   exit;
}

}
?>
<HTML>
<HEAD>
<TITLE>Secret Area</TITLE>
</HEAD>
<BODY>
<? echo "$msg"; ?>
</BODY>
</HTML>



by the way, have really saved the password in the db using password(YOURPASSOWORD).

Check if your two passwords really match. But first run this code.

password is a mysql function aint it?

if so that code will not work!!!

You need to continue using the mysql_real_escape_string() function...

$username = mysql_real_escape_string($_POST['username'])

...to properly apply escaping to applicable characters to prevent SQL injection. "password()" is a mysql function - it needs to be inside the quotes in your sql statement. If your password field is still named "password", you need to wrap it in back-quotes...

`password`=password(" . $password . ")

...so that the MYSQL server interprets it as text, and not an incomplete call to password() - causing an error.

As kshitij_ahuja stated, you need to compare the password value you're checking to make sure they're hashed the same and will return a match in your query.

from PHP.net

'a best practice query'

function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not integer
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
}



http://php.net/mysql_real_escape_string

Ok i have some new code (yes, i've changed it all, sorry) but i would still like help on it thanks and i've increased the points as well because none of the code here works at all!


here below is the new code that i would like assistance on it, the issue is this, first of all the all seems to be working fine except, when i click the submit button with the fields either full or blank it will still print me a blank page, i don't know what's wrong?

code:

<?php
session_start();

if(isset($_POST['userid']) && isset($_POST['password']))
{
//if the user has just tried to log in
$userid = $_POST['userid'];
$password = $_POST['password'];

$db_conn = new mysqli('********', '**********', '*********');
if (mysqli_connect_errno())
{
echo 'Connection to the database failed: '.mysqli_connect_errno();
exit();
}

//query the appropriate database
$selected = mysqli_select_db( $mysql, 'auth');
if (!$selected)
{
echo "Cannot select database";
exit;
}

$query = 'select * from table_name'
."where name='$userid' "
." and password=sha1('$password')";

$result = $db_conn->query($query);
if ($result->num_rows >0 )
{
//if they are in the database register the user id
$_SESSION['valid_user'] = $userid;
}
$db_conn->close();
}
?>
<html>
<body>
<h1>Home page</h1>
<?
if (isset($_SESSION['valid_user']))
{
echo 'You are logged in as: '.$_SESSION['valid_user'].' <br />';
echo '<a href="logout.php">Log out</a><br />';
}
else
{
if (isset($userid))
{
//if thee've tried and failed to log in
echo 'Could not log you in.<br />';
}
else
{
//they have not tried to log in yet or have logged out
echo 'You are not logged in.<br />';
}

//provide for to log in
echo '<form method="post" action="authmain2.php">';
echo '<table>';
echo '<tr><td>Userid:</td>';
echo '<td><input type="text" name="userid"></td></tr>';
echo '<tr><td>Password:</td>';
echo '<td><input type="password" name="password"></td></tr>';
echo '<tr><td colspan="2" align="center">';
echo '<input type="submit" value="Log in"></td></tr>';
echo '</table></form>';
}
?>
<br />
<a href="members_only2.php">Members section</a>
</body>
</html>

you need to be checking if the query was run successfull after doing:-

$result = $db_conn->query($query);


do something like:-

$result = $db_conn->query($query);

if(!$result) {
   echo 'query failed';
}



chances are your query failed for some reason!



James

i tried doing it your way which just ended up giving me a blank screen to begin with

and my way of

$result = $db_conn->query($query) or die("query failed");
if ($result->num_rows >0 )
{


nothing works, even mine just takes you to a blank screen after clicking on the submit button!

Is error repoting turned on and up to full?

place this at top of your page:-


error_reporting(E_ALL);

umm nothing, it's still the same problem!

i've set it up like this:

<?php error_reporting(E_ALL); ?>
<?php

session_start();

if(isset($_POST['userid']) && isset($_POST['password']))
{

it may not be turned on, run this test script:-


<?php
echo ini_get('display_errors');
?>


let us know what is returned from that, the default php.ini does not dsiplay errors so you may have to change your php.ini configuration!



James

I add the above code at the top of my code,
ran the script, same, i try and login and nothing happens,

also its a work project so i dont have access to the php.ini file :(

run that script in a seperate file, it should output either 1 or 0, I would like to know whether errors are turned on?
because thats probably the most likely cause of not getting output but just geting a white screen like u r.



james

nothing appears on my local work server, i check the phpinfo file for the work server
and errors are off:

display_errors Off Off
display_startup_errors Off Off


However, i've decided to upload a copy of the scrip to my site and there it works with PHP Version 4.4.1 and at work we are using PHP Version 5.0.3
when i run the script from my site, the number 1 appears above my form!

ahh, thats why!


so, sounds like a compatibility problem, its probably worth trying to see if you can override the setting with a .htaccess file, most decent web hosts allow that, otherwise I would suggest installing that PHP version on your local machine then testing what functions your using that PHP v4 does not have, some but not all functions can be replicated under PHP v4 for compatibiility with PHP v5 - if that makes any sense :)


try placing the following into a .htaccess file and uploading into your web servers document root directory:-

php_value  display_errors  On

or maybe its:-

php_value  display_errors  0


I cant remember, should hopefully work though :)


if that dont work you will probably get an internal server error!



James

i executed the code at home and ran the following code:
<?php
echo ini_get('display_errors');
?>


my output:
1
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\Program Files\Apache Group\Apache2\htdocs\authmain.php:2) in C:\Program Files\Apache Group\Apache2\htdocs\authmain.php on line 5

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\Program Files\Apache Group\Apache2\htdocs\authmain.php:2) in C:\Program Files\Apache Group\Apache2\htdocs\authmain.php on line 5

ok, so errors are turned off, you need them turned on, thats your problem why your getting a white screen, you have a fatal error in your code!


Did you try my suggestion with the .htaccess to attempt to turn them on?

No i didn't beacuse i have errors turned on my local machine using PHP 5. however at work they are turned off for some odd reason, due to the large amount of logs it generates on their server they have turned it off, and the .htaccess file does not work at work, i don't know why....

i hope i would fix the problem at home and send the ready application to work without errors or problems....based on the above error, can you suggest anything??

when i click on the submit button i get the following error:

Fatal error: Class 'mysqli' not found in C:\Program Files\Apache Group\Apache2\htdocs\authmain.php on line 10

Line 10: $db_conn = new mysqli("something", "something", "something". "something");

Right, i got mysqli is not enabled, however when i search my PC,several php.ini files turn up, even though i have it installed on my c:/ drive and with PHP 5 the ini file is called php.ini --recommended any suggestions on this?

you should rename it to php.ini

i added extension=php_mysqli.dll without the ";" in front and restarted apache, and nothig i still get mysqli not loaded from the previous script....

can you paste your php.ini in here, minus any sensitive data you may have put in their?

sure, i;ll have it here soon!

This is where i added the mysqli module:

; Windows Extensions
; Note that ODBC support is built in, so no dll is needed for it.
; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP
5)
; extension folders as well as the separate PECL DLL download (PHP 5).
; Be sure to appropriately set the extension_dir directive.

;extension=php_mbstring.dll
;extension=php_bz2.dll
;extension=php_curl.dll
;extension=php_dba.dll
;extension=php_dbase.dll
;extension=php_exif.dll
;extension=php_fdf.dll
;extension=php_filepro.dll
;extension=php_gd2.dll
;extension=php_gettext.dll
;extension=php_ifx.dll
;extension=php_imap.dll
;extension=php_interbase.dll
;extension=php_ldap.dll
;extension=php_mcrypt.dll
;extension=php_mhash.dll
;extension=php_mime_magic.dll
;extension=php_ming.dll
;extension=php_mssql.dll
;extension=php_msql.dll
;extension=php_mysql.dll
extension=php_mysqli.dll
;extension=php_oci8.dll
;extension=php_openssl.dll
;extension=php_oracle.dll
;extension=php_pgsql.dll
;extension=php_shmop.dll
;extension=php_snmp.dll
;extension=php_sockets.dll
;extension=php_sqlite.dll
;extension=php_sybase_ct.dll
;extension=php_tidy.dll
;extension=php_xmlrpc.dll
;extension=php_xsl.dll

have you set the extension_dir directove, its a little above the info you posted from php.ini ?

You mean this:
; Directory in which the loadable extensions (modules) reside.
extension_dir = "./"

nope!

also, would i be able to use the regular mysql_connect function and the new mysqli function as well using the same configuration??

set that to the location of your extensions,

eg.

extension_dir = "C:\php\extensions"


mysql is builtin to php 4 so yes you should be able to use regualr mysql_connect functions, with php 5 you have to enable it:-

http://php.net/mysql

aha alright thanks, chaning these values will not conflict with me using mysql_connect will it?

no, doubt it

thank you for your help!

no probs, I take it you got it to work?

yes i did, but i think i will only use this for the book i'm currenlt reading through, speaking of books, would you be able to recommend a decent title! - Tekked

to learn PHP?

Personally I taught myself from the PHP manual so cant personally comment on how good these are but the authors are well recognised and well respected within the PHP community:-

http://www.amazon.com/exec/obidos/search-handle-url/index=books&field-author-exact=Rasmus%20Lerdorf&rank=-relevance%2C%2Bavailability%2C-daterank/102-6083691-8977720

I would recommend one of those because one of the authors is the origanal creator of PHP itself

I've got some experince, got the basics down quite well, just want to get on with doing projects...thanks for the link