PHP Server Side Scripting Forum

    
Login Page not working
Login fails even though name and password are correct
TheKG




msg:4401787
 9:18 pm on Dec 27, 2011 (gmt 0)

I'm having trouble creating a login page. I set up a MySQL database and table. The table has 3 fields: id, username & password. Every time I try to log in, I receive the message that the login failed. After hours of research, I still cannot pinpoint where this goes wrong.

Here's the code for the "login.htm" page:

<html>
<body>

<form action="login.php" method="post">
<p>Username
<input type="text" name="username" id="username" />
</p>
<p>Password
<input type="password" name="password" id="password" />
</p>
<p>
<input type="submit" />
</p>

</form>

</body>

</html>

Here's the code for the "login.php" page:

<?php
session_start();

include('admin/misc2.inc');

$cxn = mysqli_connect($host,$user,$passwd,$dbname) or die ("couldn't connect to server" . mysqli_error());

$myusername=$_POST['username'];
$mypassword=$_POST['password'];

// To protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysqli_real_escape_string($myusername);
$mypassword = mysqli_real_escape_string($mypassword);

$result = mysqli_query($cxn,"SELECT * FROM `members` WHERE username='$myusername' AND password='$mypassword'") or die("cannot execute query");

$num = mysqli_num_rows($result);

if($num > 0)
{

$_SESSION['username'];
header("location:success.php");
}

else
echo "login fail please click here to <a href=\"login.htm\">login</a>";

?>

Any assistance will be appreciated.

 

jecasc




msg:4401793
 9:59 pm on Dec 27, 2011 (gmt 0)

Should it not be:

else {
echo "login fail please click here to <a href=\"login.htm\">login</a>";
}

or

else echo "login fail please click here to <a href=\"login.htm\">login</a>";

Matthew1980




msg:4401806
 10:26 pm on Dec 27, 2011 (gmt 0)

Hi there TheKG,

In the structure of the DB, have you got the field 'Password' set up as a straightforward varchar() or text() field, or are you using some sort of algorithm (Sha1()/md5()/password()) to encrypt the data? If you are, then the query you build up from the provided data needs to reflect this.

And as jecasc correctly notes, the if statement is missing its else braces.

What I would recommend at the very least is that you echo the populated SQL string to screen, copy it and then paste it into your preferred MySQL client to see that the populated string actually gives the results that you expect, else you won't progress very far.

And this point raises a good point for building the query OUTSIDE the mysqli_query() function, as this does, and can, improve debugging attempts for you further down the line.

The only other thing that bothers me about this is the use of $_SESSION's here and how you're populating it on successful login: you're defining it, but not assigning it anything for later use? Maybe you just want the script to function before you concentrate on the aesthetics, but if you don't assign it, you could end up with undefined index errors - admittedly, you would need to have error_reporting() on to catch 'em, but I thought I would note it for you.

Have fun with your project,

Cheers,
MRb

AlexK




msg:4401955
 6:04 pm on Dec 28, 2011 (gmt 0)

A small, general extra:

When building a site/page, add the following:

error_reporting( E_ALL );

...and fix *every* error, warning or notice. You cannot imagine how many so-called notices are actually full-blown script errors. Fix them all.

On your public-facing scripts, allow zero errors to show.

On your specific question, far better to store encrypted (md5 is a typical one) and test for password equality to the retrieved value

eg
SELECT `md5` from `db` WHERE `name`='username'

Then:
1 is `name` in the DB at all?
2 if yes, test md5(password)=mysql_md5 (in PHP)

Thus, break it down into small steps and, if you have errors, test one step at a time. Try to resist the urge to cram it all into one huge algorithm.
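
Added example, not part of any post in this thread: the two-step check described above (fetch the stored value by name, then compare in PHP) written as a replacement for login.php. It uses a mysqli prepared statement instead of escaping, and password_hash()/password_verify() in place of the md5 named above; check_login() is a hypothetical helper, and the `password` column is assumed to hold password_hash() output. For reference, the procedural mysqli_real_escape_string() takes the connection as its first argument, so the one-argument calls in the original script do not return the escaped input.

```php
<?php
// Added example (not from the thread): login.php with a prepared statement and password_verify().
// Assumption: members.password stores password_hash() output, e.g. in a VARCHAR(255) column.
error_reporting(E_ALL);
session_start();

include('admin/misc2.inc'); // supplies $host, $user, $passwd, $dbname, as in the original post

// Hypothetical helper: true only when the user exists and the password matches the stored hash.
function check_login(mysqli $cxn, string $username, string $password): bool
{
    // Step 1: look the user up by name only. The ? placeholder keeps input out of the SQL text.
    $stmt = mysqli_prepare($cxn, 'SELECT `password` FROM `members` WHERE `username` = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($cxn));
    }
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $storedHash);
    $found = mysqli_stmt_fetch($stmt); // true = row fetched, null = no such user, false = error
    mysqli_stmt_close($stmt);

    // Step 2: compare in PHP, not in SQL. A NULL column value never matches.
    return $found === true && is_string($storedHash) && password_verify($password, $storedHash);
}

$cxn = mysqli_connect($host, $user, $passwd, $dbname);
if ($cxn === false) {
    error_log('login: ' . mysqli_connect_error()); // details go to the log, not the browser
    exit('Service unavailable.');
}

// Accept only string fields; a missing or array-valued field is treated as empty.
$username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
$password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

if (check_login($cxn, $username, $password)) {
    session_regenerate_id(true);        // new session id after authentication
    $_SESSION['username'] = $username;  // assign the value, not just name the key
    header('Location: success.php');
    exit;
}
echo 'login fail please click here to <a href="login.htm">login</a>';
```

Rows for this version are created by storing password_hash($plain, PASSWORD_DEFAULT) in the `password` column; existing plain-text rows will not verify until they are re-hashed.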

Matthew1980




msg:4401961
 6:22 pm on Dec 28, 2011 (gmt 0)

Hi all,

As AlexK points out, a modular approach to this is best; I will add another thing to this:-

When building a site/page, add the following:

error_reporting( E_ALL );

>>...and fix *every* error, warning or notice.

To do that you would need to have this:-

(Checking for notices)
error_reporting(E_ALL ^ E_NOTICE);

or:-

(for old functions)
error_reporting(E_ALL ^ E_DEPRECATED);

or:-

(for strict standards)
error_reporting(E_ALL ^ E_STRICT);

Hope that makes sense.

Cheers,
MRb

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved