an error in login page

Forum Moderators: coopster

Message Too Old, No Replies

an error in login page

lindaonline15

11:23 am on Aug 28, 2008 (gmt 0)

hi all,

I have this login page, it works and gives a welcome to the user, how ever, it gives this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1

this is the code:

<html>
<head>
<title>Login</title>
<head>

<body>

<?PHP

//Connect to database

mysql_connect("localhost", "admin", "admin") or die(mysql_error());
mysql_select_db("ueros_db") or die(mysql_error());

session_start();
$username = $_POST['username'];
$password = md5($_POST['password']);

$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";

$result = mysql_query($query);

if (mysql_num_rows($result) != 1) {
$error = "Bad Login";
include "login.html";

} else {
$_SESSION['username'] = "$username";
print("<h3>Welcome $username!</h3>");
include "search.php";
}

</body>
</html>

can anyone tell me whats the problem here?

vincevincevince

11:28 am on Aug 28, 2008 (gmt 0)

Two problems:

1) You should only check the database if someone's POSTed a username and password:
if ($_POST[username]&&$_POST[password]) $result=mysql_query($query);

2) You must absolutely in all cases and without exception for any reason process your username with mysql_real_escape_string() before sending it to MySQL

_{Once you fix #1, but before you fix #2, try logging in with these details:
username=}

<script>top.location=\'http://www.webmasterworld.com\'</script>' OR 1 OR '1

password=anything

lindaonline15

11:36 am on Aug 28, 2008 (gmt 0)

I couldnt login with user and pass u just said. or maybe I didnt get what to do. I just copied whole line for user name, is that right?

for the function, should it be like this?
$username = mysql_real_escape_string($_POST['username']);

I still have the error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1

vincevincevince

11:38 am on Aug 28, 2008 (gmt 0)

Have ou done this:

1) You should only check the database if someone's POSTed a username and password:
if ($_POST[username]&&$_POST[password]) $result=mysql_query($query);

lindaonline15

11:41 am on Aug 28, 2008 (gmt 0)

yes. this is my code actually now:

<html>
<head>
<title>Login</title>
<head>

<body>

<?PHP

//Connect to database

mysql_connect("localhost", "admin", "admin") or die(mysql_error());
mysql_select_db("ueros_db") or die(mysql_error());

session_start();
$username = mysql_real_escape_string($_POST['username']);
$password = md5($_POST['password']);

$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";

if ($_POST[username]&&$_POST[password]) $result=mysql_query($query);

if (mysql_num_rows($result) != 1) {
$error = "Bad Login";
include "login.html";

} else {
$_SESSION['username'] = "$username";
print("<h3>Welcome $username!</h3>");
include "search.php";
}

</body>
</html>

vincevincevince

11:56 am on Aug 28, 2008 (gmt 0)

Sorry - I think I found the wrong problem ... I am beginning to think the error is not from that script. Can you track down which URL gives you the error?

You can edit 'die(mysql_error())' and instead put 'die(mysql_error()." on line ".__LINE__." in file ".__FILE__);

lindaonline15

12:05 pm on Aug 28, 2008 (gmt 0)

I dont know what is wrong with it... I tried it in both
mysql_connect("localhost", "admin", "admin") or die(mysql_error()." on line ".__LINE__." in file ".__FILE__);
and
mysql_select_db("ueros_db") or die(mysql_error()." on line ".__LINE__." in file ".__FILE__);

both the error is still the same...

vincevincevince

12:07 pm on Aug 28, 2008 (gmt 0)

Try checking search.php...

lindaonline15

1:13 pm on Aug 28, 2008 (gmt 0)

yes, thank you very much. the mistake was, my search has two pages, search.html and search.php. I should have put search.html. now I dont get any errors. thanks again