Mark Steggles
asked on
php login script
Hello,
I have this php login script which checks the username and password in a database... the problem is that it goes straight to the ELSE statement. I think I have set up everything correctly, i.e. the user details in the database... maybe I am not querying the database correctly, I don't know. How do you debug this kind of thing? Here is the script:
<?php
// Check for required fields from the form
if ((!$_POST[username]) || (!$_POST[password])) {
header("Location: /somepage.php");
exit;
}
// Connect to server and select database
$conn = mysql_connect("localhost", "#######", "########")
or die(mysql_error());
mysql_select_db("arbhleh_clientDB", $conn) or die(mysql_error());
// create and issue the query
$sql = "select clientName from clientDetails where username =
'$_POST[username]' AND password = password('$_POST[password]')";
$result = mysql_query($sql,$conn) or die(mysql_error());
// get the number of rows in the result set; should be 1 if a match
if (mysql_num_rows($result) == 1) {
// if authorized, get the value of clientName
$clientName = mysql_result($result, 0, 'clientName');
// set authorization cookie
setcookie("auth", "1", 0, "/", "my website", 0);
// create display string
$display_block = "<p>$clientName is authorized!</p>
<p>Authorized Users' Menu:
<ul>
<li><a href=\"secretpage.php\">secret page</a>
</ul>";
} else {
// redirect back to login form if not authorized
header("Location: /anotherpage.php");
exit;
}
?>
<html>
</html>
Since he didn't quote the array keys, there is no problem in the double-quoted string.
PHP does recognize that properly, even though it's not too good, so the evaluation works.
(simple test:
<?php
echo $_GET[username].'<br />';
echo "$_GET[username]";
?>
script.php?username=asd
displays
"asd
asd" )
But he's right, if you do it like $_POST['username'] you need to use the curly braces or break the string like you would with a single-quoted string.
Yes - it works - but unquoted array keys are first evaluated as constants, then as variables. I should have clarified - that's not going to cause his query to fail, but it's going to be a performance hit on script execution.
$username=$_POST["username"];
$password=$_POST["password"];
$sql = "select clientName from clientDetails where
username = mysql_real_escape_string('$username') AND
password = mysql_real_escape_string('$password')";
Never, EVER, use a POST variable directly in your query. It leaves you WIDE OPEN to SQL Injection hacking.
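As an added example (not code from any poster in this thread): the same lookup done with a PDO prepared statement and password_hash()/password_verify(), so the form values never become part of the SQL text. It assumes the pdo_sqlite extension and a constructed in-memory copy of clientDetails; checkLogin() is a hypothetical helper name.

```php
<?php
// Added example: a constructed in-memory SQLite table stands in for the
// thread's clientDetails table, so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE clientDetails (
    username   TEXT PRIMARY KEY,
    clientName TEXT NOT NULL,
    password   TEXT NOT NULL
)');

// Constructed sample account; the stored value is a salted hash, and the
// username contains a quote character on purpose.
$seed = $pdo->prepare(
    'INSERT INTO clientDetails (username, clientName, password) VALUES (?, ?, ?)'
);
$seed->execute(["o'neil", 'Example Client', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Returns clientName when the credentials match, otherwise null.
// checkLogin() is a hypothetical helper, not a name from the thread.
function checkLogin(PDO $pdo, $username, $password)
{
    // Form fields can arrive as arrays (username[]=x); accept strings only.
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return null;
    }
    // The username travels as a bound parameter, never as SQL text.
    $stmt = $pdo->prepare(
        'SELECT clientName, password FROM clientDetails WHERE username = :u LIMIT 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is compared in PHP against the stored hash, not in SQL.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row['clientName'];
}

// Simulated form input (constructed); a real page would pass $_POST values.
var_dump(checkLogin($pdo, "o'neil", 'correct horse'));
var_dump(checkLogin($pdo, "o'neil", 'wrong password'));
var_dump(checkLogin($pdo, "o'neil", ['not', 'a', 'string']));
```

With MySQL only the DSN passed to new PDO changes (pdo_mysql driver); the query and the hash check stay the same.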
ASKER
Hey geezers,
Thanks for help so far... I changed to this but now get a syntax error:
// create and issue the query
$sql = "select clientName from clientDetails where $username =
mysql_real_escape_string('{$_POST['username']}') AND $password = mysql_real_escape_string('{$_POST['password']}')";
$result = mysql_query($sql,$conn) or die(mysql_error());
string('{$_POST['username']}') AND...
You can't use the single quote in both places, and you can't use double quote in two different places either. Do it the way I posted, and it will work fine.
Well, no dollar signs needed before the field names... Also, no functions can be called from within strings.
$sql = "SELECT `clientName` FROM `clientDetails` WHERE `username` = '".mysql_real_escape_string($_POST['username'])."' AND `password` = '".mysql_real_escape_string($_POST['password'])."'";
$result = mysql_query($sql,$conn) or die(mysql_error());
ASKER
OK, I'm still getting a syntax error
<?php
// Check for required fields from the form
if ((!$_POST[username]) || (!$_POST[password])) {
header("Location: /webdesign.php");
exit;
}
// Connect to server and select database
$conn = mysql_connect("localhost", "arbhleh", "chaos181")
or die(mysql_error());
mysql_select_db("arbhleh_clientDB", $conn) or die(mysql_error());
// create and issue the query
$sql = "SELECT 'clientName' FROM 'clientDetails' WHERE 'username' =
'".mysql_real_escape_string($_POST['username'])."' AND 'password' = '".mysql_real_escape_string($_POST['password'])."'";
$result = mysql_query($sql,$conn) or die(mysql_error());
// get the number of rows in the result set; should be 1 if a match
if (mysql_num_rows($result) == 1) {
// if authorized, get the value of clientName
$clientName = mysql_result($result, 0, 'clientName');
// set authorization cookie
setcookie("auth", "1", 0, "/", "futurekode.co.uk", 0);
// create display string
$display_block = "<p>$clientName is authorized!</p>
<p>Authorized Users' Menu:
<ul>
<li><a href=\"secretpage.php\">secret page</a>
</ul>";
} else {
// redirect back to login form if not authorized
header("Location: /pricing.php");
exit;
}
?>
You do NOT need to use any kind of quotes around table or field names. Just use them normally.
You don't need to in this case, but it's generally a good idea to avoid conflicts with reserved names.
It's generally a good idea to make the code as neat and readable as possible, and not use reserved names for your tables or fields :))
ASKER
Works now... Thanks for all your help :D
I might be wrong, but I think the problem is that you don't escape the column names in the query.
You want to check the field 'password' against a function with the same name. To do this you must escape the password field with `` so that mysql knows that you mean the column and not the function.
Basically escaping all databases and fields is a good idea.
$sql = "select `clientName` from `clientDetails` where `username` =
'$_POST[username]' AND `password` = password('$_POST[password]')";
Also, I would add a LIMIT 1 to the end.
Regards,
Lukas