I didn't have the INSERT quoted right. Should be:

$result = mysql_query("INSERT INTO users (username) VALUES('joe')");

but don't put it after the SELECT while, loop. Put it just before.

[edit] Actually, I'd put it right after the select_db line.

O.k. it shows that as a value. Is there a way to add to the script you gave me that would add username, password & the USLP? I will keep working with PHP MyAdmin to try and get it to work. I appreciate the help

O.k. now when I enter a valid "username, password" it just displays a list of current records in the database. I want this to check the username & password against that of the database and if it finds a match to activate the header function at the bottom of the script. This would then redirect the user to their own landing page. I thought I had this setup to do that but, it still doesn't work. Do you know what I need to do in order to get it to process? I have attached the latest version of the script for reference.

<?php
$dbh=mysql_connect ("localhost", "username", "password") or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db ("database");
session_start();
echo "\$dbh = $dbh<br>\n";
$username=$_POST['username'];
$password=md5($_POST['password']);
$sql = "select * from users";
$result = mysql_query($sql);
while ($query_data = mysql_fetch_array($result)) {
echo "username = '".$query_data['username']."'<br>\n"; }
$result=mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($result)!=1){
$error="Not a Valid Username or Password";
echo "\mysql_num_rows ($result) = mysql_num_rows ($result)<br>\n";
}else{
$row=mysql_fetch_array($result);
$_SESSION['username']="$username";
$_SESSION['ip']=$_SERVER['REMOTE_ADDR'];
header("Location:http://members.example.com/{$row['USLP']}");
}
?>

If you need to continue testing, definitly do add error checking to the INSERT because, if username is a UNIQUE or PRIMARY KEY (as it should be), you'll get an error when you try to insert 'joe' a second time--(you'll have to change the username if you need more than one test). So change the query to:

if (!mysql_query("INSERT INTO users (username) VALUES('joe')")) die("INSERT error: ". mysql_error());

As for adding data to the table from a script, just use a form similar to your login form, but with a target script that receives the data, and...

if (!mysql_query("INSERT INTO users (username, password, UDLP) VALUES('$username', '$password', '$UDLP')")) die("INSERT error: ". mysql_error());

If you have a bunch of data that you want to import, there are many shortcuts to doing this. But the above would be, essentially, what you'd need for a registration form.

Also, I'm curious to know what that 'box' is about. View the source of the HTML output, and post back here what it says. That's going to be of key importance to figure out what PHP MyAdmin is inserting.

O.k. the box is to show that the entry is blank. I went into PHP Myadmin and entered the records again and this time they showed up. So I think the records didn't exist when I thought they did. When I type in the correct username and password it redirected the first time to the URL I wanted to but, each time after I get the following message. If I close the page and reload it works fine. Any idea why it would do this? Also I can't view the source on the HTML page because I have this script in it's own seperate page.

Warning: Cannot modify header information - headers already sent by (output started at Line 20.

Actually I can leave the username and password blank and it still redirects to the URL for member 'guest'. It only does it the first time the page is viewed. Why is it not checking what is typed in versus what is in the database?

> O.k. the box is to show that the entry is blank.

No. That's not what it was. Had it been just blank, it wouldn't have printed anything.

And, you can look at the source even though you're running a separate script. The echos were printing to the browser, right? So, when you echo something out like that, and see in with your browser, it IS in the source.

$dbh = Resource id #2<br>
username = 'guest'<br>
<br />
<b>Warning</b>: Cannot modify header information - headers already sent by (output started at /home/joe1182/public_html/members/login.php:5) in <b>/home/joe1182/public_html/members/login.php</b> on line <b>20</b><br

This is what I see when I hit View Source. This is showing the page source of login.php which is the script we have been working on. O.k. I think maybe on the box instead of having a type like VARCHAR or CHAR I didn't select anything and that is why nothing displayed. When I exported the records the only fields filled in were the password fields. I re-entered the records carefully and I was able to see it. So I believe the box displayed due to an error on my part. Do you know why this doesn't compare the username and password entered to that in the database?

o.k when I enter - WHERE username='$username' and password='$password' - I receive the following message
$dbh = Resource id #2
\mysql_num_rows (Resource id #4) = mysql_num_rows (Resource id #4)

If I take - WHERE username='$username' and password='$password' - out I receive this message.
$dbh = Resource id #2
username = 'guest'
Warning: Cannot modify header information - headers already sent by (output started at /home/joe1182/public_html/members/login.php:5) in /home/joe1182/public_html/members/login.php on line 20

Why does this happen? What can I do to check the username and password against that of the database and if it matches then redirect to the specified URL and if it doesn't match then the user would receive an error message. Any help?

There is a small box between the quotes

That's almost certainly a character encoding issue, as in the character is a UTF-8 or Windows-1252 and you are using ISO-8859-1 or some such thing.

Warning: Cannot modify header information

The moment you output anything, close the header and cannot send anything more. So once you echo in line 5, you can't then send the header("Location....") in the last line.

Tom

Let's have a look at a few things. First, display the contents of your users file. If the password is in human-readable form, something like this...

+----------+----------+------+ 
¦ username ¦ password ¦ UDLP ¦ 
+----------+----------+------+ 
¦ guest    ¦ guestpwd ¦ UDLP ¦ 
¦ other    ¦ otherpwd ¦ UDLP ¦ 
+----------+----------+------+

...then we know the password is not being encrypted when it is being entered into the database. If the password looks something like what you showed us in message #11, then it is being encrypted during the INSERT operation, as it probably should be -- it's not a good idea to store passwords in plain text value.

If it is being encrypted when you store it (INSERT/UPDATE operations), then we need to encrypt it before we compare it, which you have shown us you are doing by using the PHP md5() function. Also, you need to take a look at how the password is being encrypted during the INSERT/UPDATE operations.

I don't know what UDLP is, and for the sake of this discussion it doesn't matter, at least not yet anyway.

Not sure how to echo the password. If I go into PHP Myadmin and export the records it does encrypt the password. Does this help? I am using Md5 to encrypt the password when it is entered into the database. I enter the records into the database using PHP Myadmin. Should I create an HTML form instead?

Password looks exactly like the one in message #11

That looks like an MD5 hash.

When you compare passwords, are you encrypting the user entered password too?

In other words

if ($DB_data['password'] == md5($_POST['password')) {do stuff}

not

if ($DB_data['password'] == $_POST['password') {do stuff}

I seem to remember that you are doing it as in the first example, which is correct...

Here is the script again. The password should be compared equally with what I am looking at here. Any ideas why I can leave 'username and password' fields blank on the HTML form and get the same result as when I type in a valid username and password? So I need to remove all of the echo's before the header will work properly? Is this correct? I think it is close if we can work out these few bugs. Any ideas?

<?php
$dbh=mysql_connect ("localhost", "username", "passsword") or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db ("database");
session_start();
$username=$_POST['username'];
$password=md5($_POST['password']);
$sql = "select * from users";
$result = mysql_query($sql);
while ($query_data = mysql_fetch_array($result)){
echo "username = '".$query_data['username']."'<br>\n"; }
$result=mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($result)!=1){
$error="Not a Valid Username or Password";
}else{
$row=mysql_fetch_array($result);
echo "\mysql_num_rows ($result) = mysql_num_rows ($result)<br>\n";
$_SESSION['username']="$username";
$_SESSION['ip']=$_SERVER['REMOTE_ADDR'];
header("Location:http://members.example.com/{$row['USLP']}");
}
?>

O.k. I am using this as my current script. If I enter a username that is not valid I receive the error message. If I enter a username that is valid I am redirected to the USLP. That is what I want to happen. Now how do I add the password field? When I add it to 'WHERE username='$username' and password=$'password'" it doesn't work and I receive the error message everytime.
Any help would be appreciated.

<?php
$dbh=mysql_connect ("localhost", "username", "password") or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db ("database");
session_start();
$username=$_POST['username'];
$password=md5($_POST['password']);
$sql = "select * from users where username='$username'";
$result = mysql_query($sql);
$result=mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($result)!=1){
$error="Not a Valid Username or Password";
print $error;
}else{
$row=mysql_fetch_array($result);
$_SESSION['username']="$username";
$_SESSION['ip']=$_SERVER['REMOTE_ADDR'];
header("Location:http://members.example.com/{$row['USLP']}");
}
?>

OK, this is good. At least now we have gone through some troubleshooting measures to make sure we are getting a connection to the database and the query statement seems to look right to us. In the process, you have seemingly narrowed the issue down to the password, which is where we started going in message 41. But the particular part now is, as mentioned earlier, you need to take a look at how the password is being encrypted during the INSERT/UPDATE operations.

This is very important. Are you using the md5() function on the way in as well (during the INSERT/UPDATE operations)?

I don't understand the INSERT\UPDATE question. I am entering new users into the database using PHP MyAdmin. When I enter the password I set the action to Md5. Does this help?

I'm not familiar with PHPMyAdmin, but it sounds correct. So, if the data is going in with md5 encryption then it needs to be compared as such. Just as ergophobe just stated and you are seemingly doing. But obviously something isn't quite right. One way to check this would be to echo the two to your browser to see what you get. Let's try that.

Since your code is working as is, although we aren't checking the password yet, let's add our own "debug" block of code here, much like we were doing earlier, but this time I'll put it in between comment blocks so as to eliminate confusion. Add the following comment block to your code. I'll include a few lines of your existing code before and after so you can see where you should add it:

if(mysql_num_rows($result)!=1){ 
$error="Not a Valid Username or Password"; 
print $error; 
}else{ 
$row=mysql_fetch_array($result); 
// Start debug/comment block 
// We want to compare the password values: 
print '<pre>'; // makes it easier to read and compare 
print "The post password value: $password<br />"; 
print "Database password value: " . $row['password']; 
exit('<pre>'); // exit stops the script here 
// End debug/comment block 
$_SESSION['username']="$username"; 
$_SESSION['ip']=$_SERVER['REMOTE_ADDR']; 
header("Location:http://members.example.com/{$row['USLP']}"); 
}

The post password value: 40be4e59b9a2a2b5dffb918c0e86b3d7
Database password value: 40be4e59b9a2a2b

This is the response I get. Any idea what this means?

Yes. That means they don't match ;)

hehe. OK, serious now. Your password column in your database is probably not large enough to hold the md5 encrypted value and it is being truncated. You will probably want to set the password column value to 32 characters.

The MD5 hash of a string using the RSA Data Security, Inc. MD5 Message-Digest Algorithm [faqs.org] returns a hash which is a 32-character hexadecimal number. More information can be found in the PHP and MySQL manual pages.

[php.net...]
[dev.mysql.com...]

It just hit me as I was looking at it. I only allow like 15 characters for the password. O.k. that should fix the whole password thing. One more question. When I type in the URL that the user should be redirected to it opens right up bypassing the login page. Do you have any idea's on how I can require a username password before the page is viewed? Can I use some of this same script?

Yes, you start a session before each page that is to be protected and check the $_SESSION variables to see whether or not they are successfully logged in.

So I would add the $_SESSION part of the script before the HTML starts? Is this correct? I will give it a try. If I need more help should I start a new thread? I appreciate all of the help from everyone!

o.k. I tried starting a session but it doesn't do anything. Any hints on where to start?

Zend has a simple tutorial to get you started...

[zend.com...]

thank you so much for all you help!

Success!

Good job coopster and joe. That was quite a process!