As a newcomer to PHP, I've been pulling my hair out trying to get a friend of mine's wedding website done. He wants a simple username/password login for users so they can accept an invite and leave a comment. I've sorted a form for populating my MySQL database so I can update records, but I can't get the login page sorted.
I'm also a bit concerned about security so I have 2 questions:
1) With my code below, all I get is a blank page. Anyone know why?
and 2) is there a way of adding a short bit of php script to subsequent pages to check if a user is logged in by referencing password and username in my mysql database, and if not, send them back to the login page?
Here's my code that produces a blank page:
(Thanks in advance)
<?php require_once('header.inc');?>
<?php
require_once('dbconnect.php');
// Select the Database
if (!@mysql_select_db('wedding')) {
exit('<p>Can\'t select the WEDDING database</p>');
}
session_start();
$_SESSION['logged'] = 0;
if (isset($_POST['submit'])) {
$sql = "SELECT * FROM people WHERE username='$_POST['username']'"; //make sure tablename and username match your form and database
$sql = mysql_query($sql);
$result = mysql_fetch_assoc($sql);
if($_POST['username'] == $result['username'] &&
$_POST['password'] == $result['password']) {
$_SESSION['user'] = $result['id'];
$_SESSION['logged'] = 1;
exit('Login success');
}
else {
exit('Login Failed. Please try putting in your details again');
}
?>
Welcome to Webmasterworld.
Although I haven't tested your code, with just a single look it looks like your query has formatting errors.
$sql = "SELECT * FROM people WHERE username='$_POST['username']'";
should be
$username=$_POST['username'];
$sql = "SELECT * FROM people WHERE username='$username'";
Regards
Kami
[edited by: Anyango at 9:28 am (utc) on Mar. 30, 2007]
Anyango is correct. You cannot have arrays within a string like that unless you surround it with brackets like this:
$sql = "SELECT * FROM people WHERE username='{$_POST['username']}'";
Also, you should be escaping your variables that are going into the query:
$username = mysql_real_escape_string($_POST['username']); // see http://www.php.net/mysql-real-escape-string
$sql = "SELECT * FROM people WHERE username='$username'";
We have a great thread on PHP Authentication in our library: [webmasterworld.com...] Take a peek, it will certainly guide you through the process.
Good luck!
I tried that mod, but still getting a blank page. Here's my updated code - any ideas? I've posted my form as well so you can see how I'm passing the variables. Any ideas? Thanks for your help so far:
login.php
...
<form name="authenticate" method="post" action="authenticate.php">
<input name="username" type="text" value="username" size="20"/><br>
<input name="password" type="text" value="password" size="20"/><br><br>
<input type="submit" name="submit" value="submit"/>
<input type="reset" name="reset" value="reset"/>
</form>
...
authenticate.php
<?php
require_once('dbconnect.php');
// Select the Database
if (!@mysql_select_db('wedding')) {
exit('<p>Can\'t select the WEDDING database</p>');
}
// Start session
session_start();
$_SESSION['logged'] = 0;
// Check against database if form submitted
if (isset($_POST['submit'])) {
$username = $_POST['username'];
$sql = "SELECT * FROM people WHERE username='$username'"; //make sure tablename and username match your form and database
$sql = mysql_query($sql);
$result = mysql_fetch_assoc($sql);
if($_POST['username'] == $result['username'] &&
$_POST['password'] == $result['password']) {
$_SESSION['user'] = $result['id'];
$_SESSION['logged'] = 1;
exit('Login success'); // Content would follow on here
}
else {
exit('Login Failed. Please try putting in your details again');
}
}
?>
1) Check your error logs on your server. Most likely the same error log for your server itself.
2) Add some error handling to your code:
<?php
session_start();

require_once('dbconnect.php');

if (!mysql_select_db('wedding')) {
    exit('<p>Can\'t select the WEDDING database</p>');
}

$_SESSION['logged'] = 0;

if (isset($_POST['submit'])) {

    $username = mysql_real_escape_string($_POST['username']);
    $sql = "SELECT * FROM people WHERE username='$username'";
    // Added error handling: show the MySQL error instead of a blank page
    $sql = mysql_query($sql) or die(mysql_error());
    $result = mysql_fetch_assoc($sql);

    if (($_POST['username'] == $result['username']) &&
        ($_POST['password'] == $result['password'])) {
        $_SESSION['user'] = $result['id'];
        $_SESSION['logged'] = 1;

        echo 'Login success'; // Content would follow on here

    } else {

        exit('Login Failed. Please try putting in your details again');

    }
}
?>
Don't worry; it happens to the best of us.
should be
$username=$_POST['username'];
$sql = "SELECT * FROM people WHERE username='$username'";
Creates slower pages by creating more work. Yes, probably just milliseconds however my logic is how many milliseconds = a second? [1000] How many seconds = a minute? I think the code should be:
$sql='SELECT * FROM people WHERE username=\''.addslashes(strip_tags($_POST['username'])).'\' limit 1';
The person may also want to combine the mysql stuff into: $result=mysql_fetch_assoc(mysql_query('SELECT * FROM people WHERE username=\''.addslashes(strip_tags($_POST['username'])).'\' limit 1'));
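Added example, not part of the thread and not any poster's code: one way to do the login check with a bound parameter instead of string-built SQL, plus the per-page guard asked about in question 2. It assumes PHP 5.5+ with PDO, uses an in-memory SQLite table as a stand-in for the MySQL `people` table, and assumes the `password` column holds `password_hash()` output; the function names are hypothetical.

```php
<?php
// Added example. Assumes PHP 5.5+ with PDO; in-memory SQLite stands in for MySQL.

function make_demo_db() {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    $ins = $pdo->prepare('INSERT INTO people (username, password) VALUES (?, ?)');
    // Constructed sample users; store a salted hash, never the plain password.
    $ins->execute(array('alice', password_hash('correct horse', PASSWORD_DEFAULT)));
    $ins->execute(array("o'neil", password_hash('battery staple', PASSWORD_DEFAULT)));
    return $pdo;
}

// Returns the matching user's id, or null when the credentials are wrong.
function authenticate(PDO $pdo, $username, $password) {
    // The placeholder keeps user input out of the SQL text, so quotes are harmless.
    $stmt = $pdo->prepare('SELECT id, password FROM people WHERE username = ? LIMIT 1');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row && password_verify($password, $row['password'])) {
        return (int) $row['id'];
    }
    return null;
}

// Call from authenticate.php after a successful authenticate().
function start_user_session($userId) {
    session_start();
    session_regenerate_id(true); // fresh session id at login
    $_SESSION['user'] = $userId;
}

// Call at the top of every protected page, before any output.
function require_login() {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        exit;
    }
}

// Command-line demonstration of the credential check.
$pdo = make_demo_db();
var_dump(authenticate($pdo, 'alice', 'correct horse'));   // valid credentials
var_dump(authenticate($pdo, "o'neil", 'battery staple')); // quote in the name
var_dump(authenticate($pdo, 'alice', 'wrong'));           // wrong password
```

On the site itself only `authenticate()`, `start_user_session()` and `require_login()` are needed; the demo database and the `var_dump` calls exist so the block runs from the command line.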