• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 184
  • Last Modified:

Login script verification issue...

I am using the code below to process a username and password passed from a form. The code is supposed to verify the login info with a database and if correct show helpcenter_access.php. For some reason the code hangs on a blank page with checklogin.php (page this code is one) in the browser url. It is verify correct and wrong usernames because if I enter an incorrect login it gives me the wrong username message, but it is not forwarding to the helpcenter_access.php...

<?php
$host="localhost"; // Host name
$username="USERNAME"; // Mysql username
$password="PASSWORD"; // Mysql password
$db_name="DATABASENAME"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from signup form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "helpcenter_access.php"
session_register("myusername");
session_register("mypassword");
header("location:helpcenter_access.php");
}
else {
echo "Wrong Username or Password";
}
?>
0
guy4graphics
Asked:
guy4graphics
  • 7
  • 7
  • 3
  • +1
1 Solution
 
guy4graphicsAuthor Commented:
btw - my server is running PHP 4.3.9
0
 
thenoneCommented:
Try changing if($count==1){

to if($count=>1){
0
 
guy4graphicsAuthor Commented:
i tried it and no difference...
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
ll_jaxnCommented:
why dont you just include("helpcenter_access.php");

Also, the location: might need more of a real URL
You probably have a script error in helpcenter_access too!
0
 
ll_jaxnCommented:
Opps, I forgot to mention, you should MD5(password) your passwords (-:
0
 
ll_jaxnCommented:
Opps, one more...turn PHP ERROR MESSAGES on in the php.ini if it is off...then you will see errors messages.
0
 
gemdeals395Commented:
<?php
$host="localhost"; // Host name
$username="USERNAME"; // Mysql username
$password="PASSWORD"; // Mysql password
$db_name="DATABASENAME"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from signup form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

if(!mysql_num_rows($result)) {
echo "Wrong Username or Password";
}
else {
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;
header("location:helpcenter_access.php");
}
?>

Try something like that. When you said register to session if you use the _SESSION global you can now access the user id and password by simply typing $_SESSION['myusername'] anywhere in your script you need that info. On this example remember that if you have not called session_start() then do so at the beginning of this script. And after you have it working I would for sure encrypt those passwords :)

Hope that helps ;)
0
 
gemdeals395Commented:
Another thing I would recommend is setting a security level upon successful login so you can display different stuff depending on who loggen on or if they are logged in at all. You could do something like this at the same time you register the username and password to session

if(!mysql_num_rows($result)) {
echo "Wrong Username or Password";
}
else {
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;
$_SESSION['securityLevel'] = 1;
header("location:helpcenter_access.php");
}

So when a user first comes to your site and a new session is set up do something like:

if (!isset($_SESSION['securityLevel'])) {
      $_SESSION['securityLevel'] = (int) 0;
}

Then on your page you can do something like this:

if ($_SESSION['securityLevel'] == '0') { //User is not logged in do this

} elseif($_SESSION['securityLevel == '1') { //standard user is logged on do this

} elseif($_SESSION['securityLevel == '2') { //admin is logged on do this

} else {
    session_destroy();
}

Hope that helps ;)
0
 
guy4graphicsAuthor Commented:
gemdeals395 - thanks for your input...

I am trying to implement the first script you provided. As far as the sessionstart you mentioned should it be setup like this?



<?php

session_start();

$host="localhost"; // Host name
$username="USERNAME"; // Mysql username
$password="PASSWORD"; // Mysql password
$db_name="DATABASENAME"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from signup form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

if(!mysql_num_rows($result)) {
echo "Wrong Username or Password";
}
else {
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;
header("location:helpcenter_access.php");
}
?>
0
 
gemdeals395Commented:
When you first have a visitor come to the site its really a good idea to go ahead and fire off session_start() so that then when your saving variables during their visit all of the _SESSION vatiables and such will be avaliable for you to use until either you kill the session with session_destroy() or they close the browser. But just make sure that atleast before any PHP is executed to always call session_start().
0
 
guy4graphicsAuthor Commented:
I am getting these errors when running the code on my last comment:


Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /var/www/vhosts/DOMAIN.com/httpdocs/checklogin.php:2) in /var/www/vhosts/DOMAIN.com/httpdocs/checklogin.php on line 4

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /var/www/vhosts/DOMAIN.com/httpdocs/checklogin.php:2) in /var/www/vhosts/DOMAIN.com/httpdocs/checklogin.php on line 4

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/DOMAIN.com/httpdocs/checklogin.php:2) in /var/www/vhosts/DOMAIN.com/httpdocs/checklogin.php on line 29
0
 
gemdeals395Commented:
Remove the session_start or make session_start look like this to suppress errors:

@session_start();

Looks like session_start was already called on a previous page so as long as it is called once thats all you need. And in that login script make sure the script is above html output and if you have already sent output from something before this script and are trying to output something in this script as a test youll get an error. My guess is you have the script further down in the page running after output is sent to the browser and here:

if(!mysql_num_rows($result)) {
echo "Wrong Username or Password";
}
else {
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;
$_SESSION['securityLevel'] = 1;
header("location:helpcenter_access.php");
}

When you call header (''); it has to be used before any output is sent to the browser or that headers already sent error will happen.
0
 
guy4graphicsAuthor Commented:
>> This is the login form I am using:

<form name="form1" method="post" action="checklogin.php">

<br />
<label for="email">Username:</label>
<input class="inputgeneral" name="myusername" type="text" id="myusername"/><br /><br />

<label for="subject">Password:</label>
<input class="inputgeneral" name="mypassword" type="text" id="mypassword"/><br />
<br />
<input class="inputsubmit" type="submit" name="Submit" value="Login"/>

</form>

>> As you can see it passes the input to checklogin.php which just contains the php script.

>> It gives me this warning now:

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/DOMAIN.com/httpdocs/checklogin.php:2) in /var/www/vhosts/DOMAIN.com/httpdocs/checklogin.php on line 29
0
 
gemdeals395Commented:
is this form on a different page then checklogin.php ? What is the complete code on your checklogin.php page?
0
 
guy4graphicsAuthor Commented:
yes and here is the complete code on checklogin.php:


<?php

@session_start();

$host="OMITTED"; // Host name
$username="OMITTED"; // Mysql username
$password="OMITTED"; // Mysql password
$db_name="OMITTED"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from signup form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

if(!mysql_num_rows($result)) {
echo "Wrong Username or Password";
}
else {
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;
header("location:helpcenter_access.php");
}
?>
0
 
gemdeals395Commented:
Do you still get the error if you comment out the session start like:

//@session_start();
0
 
gemdeals395Commented:
Well I made a page names login.html and another named logincheck.php and connected to one of my databases which of course would not check a username and password and got:

Wrong Username or Password

On my local machine I have all my errors on so the only thing I changed to suppress the login error when the $result was null was adding the @ sign on mysql_num_rows like this:

if(!@mysql_num_rows($result)) {
echo "Wrong Username or Password";
} else {
$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;
header("location:helpcenter_access.php");
}
0
 
guy4graphicsAuthor Commented:
seems like everything works fine, I think the hang-up has to do with the page redirection I changed header to require but still got the same result. Blank page or blank page with warnings on logincheck.php. Any other ideas??

I am running PHP 4.3.9, double checked the database connecting, like you said 'Wrong Username or Password" works fine.

Here is where I got the original script from... http://www.tutorialized.com/view/tutorial/PHP-Simple-login-script/9963
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 7
  • 7
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now