it might be the single quotes around $_POST['password'] in

>> password('$_POST[password]')";

the single quotes will escape the dollar sign and the $_POST['password'] will be treated as a literal string instead of beind substituted for the actual value.

try without the quotes.

jamie's advice should indeed solve the problem.

Allow me to give some additional advice: never insert user input directly into a database query without first validating it. There's plenty of script kiddies out there willing to test your security.
An easy way to prevent SQL injection is by using the command mysql_escape_string().
$sql = "SELECT * FROM table WHERE a ='".mysql_escape_string($_POST['name'])."'";

It may look a bit messy with all the quotes, but IMHO it's worthwhile.

Thanks for the quick response. So far no luck. I tried two things below and the results are listed below. Any suggestions.

Tried: //create and issue the query
$sql = "select f_name, l_name from auth_user where username =
'$_POST[username]' AND password = password($_POST[password])";
$result = mysql_query($sql,$conn) or die(mysql_error());

Result: Unknown column 'success' in 'where clause'

Tried: //create and issue the query
$sql = "select f_name, l_name from auth_user where username =
'$_POST[username]' AND password = password($_POST['password'])";
$result = mysql_query($sql,$conn) or die(mysql_error());

Result: Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in /home/macie/public_html/listing23.8.php on line 15

Thanks for the suggestion. I'll think about that once I figure out what is going on. Most of the coding is still greek to me as far as what each piece does and I'm tring to learn to speak the language. A simple statement to me is like trigonometry, where to you it's probablt addition or subtraction.

Thanks,

Sean

Passwords for user (username: sales, password: success are loaded in the table as follows:

id f_name l_name email username password
1 Jim Hart jim@example.com sales success
2 Sean Nelson sean@example.com sell today

Password for database macie_access is as in script:
username: user
password: pass

The table to query is auth_user.

I guess the question is there an issue in the php or do I have an issue in the mysql database.

My host has a reccomended php db connector but it had issues so I configured the example connector. Could this be an issue. Here is their connector script:

$dbh=mysql_connect ("localhost", "user", "pass") or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db ("macie_access");

I posted the login link for review but it looks like it was knocked out because it thought it was a personal url. The URL was so you could see the form in action.

All three page codes are listed below if this helps.

Thanks for taking the time to help out. It is appreciated.

Sean

<html>
<head>
<title>Listing 23.7 User Login Form</title>
</head>

<body>
<H1>Login Form</H1>
<FORM METHOD="POST"ACTION="listing23.8.php">
<P><STRONG>Username:</STRONG><BR>
<INPUT TYPE="text"NAME="username"></p>
<P><STRONG>Password:</STRONG><BR>
<INPUT TYPE="password"NAME="password"></p>
<P><INPUT TYPE="SUBMIT"NAME="submit"VALUE="Login"></p>
</FORM>
</body>
</html>

Which once again should authenticate at:

<?php
//check for required fields from the form
if ((!$_POST[username]) ¦¦ (!$_POST[password])) {
header("Location: listing23.7.php");
exit;
}

//connect to server and select database
$conn = mysql_connect("localhost", "user", "pass")
or die(mysql_error());
mysql_select_db("macie_access",$conn) or die(mysql_error());

//create and issue the query
$sql = "select f_name, l_name from auth_user where username =
'$_POST[username]' AND password = password('$_POST[password]')";
$result = mysql_query($sql,$conn) or die(mysql_error());

//get the number of rows in the result set; should be 1 if a match
if (mysql_num_rows($result) == 1) {
//if authorized, get the values of f_name l_name
$f_name = mysql_result($result, 0, 'f_name');
$l_name = mysql_result($result, 0, 'l_name');

//set authorization cookie
setcookie("auth", "1", 0, "/", "yourdomain.com", 0);

//prepare message for printing, and user menu
$msg = "<P>$f_name $l_name is authorized!</p>";
$msg .= "<P>Authorized Users' Menu:";
$msg .= "<ul><li><a href=\"listing23.8.php\">secret page</a></ul>";
} else {
//redirect back to login form if not authorized
header("Location: listing23.7.php");
exit;
}
?>
<HTML>
<HEAD>
<TITLE>Listing 23.8</TITLE>
</HEAD>
<BODY>
<? print "$msg";?>
</BODY>
</HTML>

The page that should be accessed:

<?php
if ($_COOKIE[auth] == "1") {
$msg = "<p>You are an authorized user.</p>";
} else {
//redirect back to login form if not authorized
header("Location: listing23.7.php");
exit;
}
?>
<html>
<head>
<title>Listing 23.9 Accessing a restricted page </title>
</head>
<body>
<?php print "$msg";?>
</body>
</html>

[edited by: jatar_k at 9:54 pm (utc) on June 26, 2004]
[edit reason] removed specifics [/edit]

try cating it together differently

$sql = "select f_name, l_name from auth_user where username = '" . $_POST['username'] . "' AND password = password('" . $_POST['password'] . "')";

Thanks for the help. That seems to get me through that issues but unfortunately as we move along there is the next one. I am now getting these errors:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/macie/public_html/listing23.8.php on line 21

Warning: Cannot modify header information - headers already sent by (output started at /home/macie/public_html/listing23.8.php:21) in /home/macie/public_html/listing23.8.php on line 36

Based on the following code:

//connect to server and select database
$conn = mysql_connect("localhost", "user", "pass")
or die(mysql_error());
mysql_select_db("macie_access",$conn) or die(mysql_error());

//create and issue the query
$sql = "select f_name, l_name from auth_user where username =
'" . $_POST['username'] . "' AND password = password('" . $_POST['password'] . "')";

//get the number of rows in the result set; should be 1 if a match

if (mysql_num_rows($result) == 1) {
//if authorized, get the values of f_name l_name

**The bad thing is that as a newbie I am reliant upon learning through using the code in the books such as SAM's , and their code does not work. So rather than see something working and disecting it, you spend all of your time trying to figure out what they go wrong.

Thank the Internet Gods for user forums!

Sean

[edited by: jatar_k at 3:49 pm (utc) on June 27, 2004]
[edit reason] isolated code a bit [/edit]

We fixed the parse error and you learned that when concatenating strings together you have to watch out for the syntax with arrays. A second method is to surround them with braces

$sql = "select f_name, l_name from auth_user where username =
'{$_POST['username']}' AND password = password('{$_POST['password']}')";

I think that's right I never use that syntax so sometimes I get it wrong. ;)

That's not the problem now though so let's look at what is going on.

First thing is always correct errors top down. Fix the first one first and it may fix others. In your case
>>Warning: Cannot modify header information - headers already sent by

that error is generated because your previous error sent output to the browser.

The first error means that your query didn't work.

Is that the actual code?
This line
$result = mysql_query($sql,$conn) or die(mysql_error());
is missing.

and if the mysql_query isn't there you would get that error.