  1. #1
    SitePoint Evangelist jazztie
    I'm using the following code to check for username and password. It's an authentication script.

    I do succeed in getting the right UserID (I use it to reload the page), but I get this error message:

    Warning: Supplied argument is not a valid MySQL result resource in C:\Inetpub\wwwroot\username\authenticatie.php on line 21

    line 21 in the original script is:
    $num = mysql_num_rows($result);

    the following code is used:
    PHP Code:
    <?php
    include("db_setting.inc");

    mysql_pconnect("$hostname", "$user", "$password")
        or die("Failure to communicate with the database");

    mysql_select_db("$user");

    $sql = mysql("$user", "SELECT * FROM table
                           WHERE Username='$Username' AND Password = '$Password'");

    $result = mysql_query($sql);
    $UserID = mysql_result($sql, 0, 'UserID');

    $num = mysql_num_rows($result);

    if ($num != "0") {
        print "
         <HTML>
         <HEAD>
         <TITLE>Logged in</TITLE>
         </HEAD>
         <P>You're logged in</P>";

        exit;
    }
    else
    {
        print "<P>You are not Authorized";

        exit;
    }

    ?>
    Can someone tell me what I should change?

    Jazz

  2. #2
    Dumb PHP codin' cat
    For starters
    PHP Code:
    $sql = mysql("$user", "SELECT * FROM table
             WHERE Username='$Username' AND Password = '$Password'");
    Should just be

    PHP Code:
    $sql = "SELECT * FROM table
             WHERE Username='$Username' AND Password = '$Password'";
    Please don't PM me with questions.
    Use the forums, that is what they are here for.

  3. #3
    SitePoint Evangelist jazztie
    About the last PHP code:

    If I use that code I'm not letting the parser know that it is mysql, am I?
    The code crashes as soon as I make that change... unfortunately it doesn't work.

  4. #4
    midnight coder
    Once you've connected to a MySQL database, PHP knows that it's for MySQL, and mysql_query tells it that it's a MySQL db as well.

    This should work:


    $sql = "SELECT * FROM table WHERE Username='$Username' AND Password = '$Password'";

    $result = mysql_query($sql) or die (mysql_error());


    The best way to check is to enter the query into phpMyAdmin and see if an error pops up...

    SELECT * FROM table WHERE Username="bob" AND Password = "bobby"

    Also keep in mind that it's case sensitive.

  5. #5
    SitePoint Evangelist jazztie
    Thank you all...

    I have found the little mistake in my code, thanks to your comments. The page is working now.

    Jazz

  6. #6
    Dumb PHP codin' cat
    You have probably already solved this, but just to let you know why it didn't work after making my change: it is because of this line:
    PHP Code:
    $UserID = mysql_result($sql, 0, 'UserID');
    You use mysql_result() on $sql, which is not the actual query; you want to use it on $result, which is the actual result identifier for the query.

    PHP Code:
    $UserID = mysql_result($result, 0, 'UserID');

  7. #7
    SitePoint Wizard westmich
    Can I make a suggestion, although I know very little about PHP?

    You may be better off selecting username and password where username equals the input only. If no results are returned, give them an error saying the username was not found. If results are returned, compare the returned password with the entered password.

    Otherwise you cannot distinguish what was incorrect, the username or the password. And more importantly, you could log in with userA's name and userB's password, i.e. it increases the odds of guessing a password.
    Westmich
    Smart Web Solutions for Smart Clients
    http://www.mindscapecreative.com

  8. #8
    SitePoint Wizard westmich
    I thought I would have gotten some backlash. Nobody else noticed that querying usernames and passwords in the WHERE condition at the same time causes security problems?

  9. #9
    freakysid
    $sql = "SELECT * FROM table WHERE Username='$Username' AND Password = '$Password'";

    1) westmich, I can understand your first point about differentiating between a non-existing userID and an invalid password.

    So you are suggesting something like this:
    PHP Code:
    $sql = "SELECT * FROM table WHERE Username='$Username'";
    $result = mysql_query($sql);
    if (mysql_num_rows($result) != 1) {
        // invalid userID
    } else {
        // mysql_fetch_assoc() keys the row by column name; mysql_fetch_row()
        // would return a numerically indexed array and $user["password"] would be unset
        $user = mysql_fetch_assoc($result);
        if ( $password != $user["password"] ) {
            // invalid password for that user
        }
    }

    2) However, the original sql (quoted above in bold) cannot produce a result that contains a row with the id of userA and the password of userB. That's the purpose of the logical AND in the where clause (the userID and password must both belong to the same record).
    Last edited by freakysid; Apr 30, 2001 at 21:01.
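The thread's one-query login beside the two-step version freakysid sketched, as an added example that is not code from any of the posts, written the way a security reviewer would want it today. The original `WHERE Username='$Username' AND Password = '$Password'` splices the two form fields straight into the SQL text, so a quote in either field rewrites the statement; here the values are bound as parameters instead, the password is checked against a stored hash rather than a plaintext column, and one generic failure is returned for both an unknown username and a wrong password. Assumptions: the `users` table, its `PasswordHash` column, the sample user `bob`/`bobby` and the in-memory SQLite database are constructed for the example, and PHP's `pdo_sqlite` extension is available. The thread's `mysql_*` extension was removed in PHP 7, so PDO is used in its place.

```php
<?php
// Added example, not code from the thread: the thread's single-query login
// beside a hardened two-step version. The users table, the PasswordHash
// column, the sample user and the in-memory SQLite database are constructed
// here so the script runs offline; for MySQL only the PDO DSN would change.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (
    UserID       INTEGER PRIMARY KEY,
    Username     TEXT NOT NULL UNIQUE,
    PasswordHash TEXT NOT NULL
)");
$ins = $db->prepare("INSERT INTO users (Username, PasswordHash) VALUES (?, ?)");
$ins->execute(['bob', password_hash('bobby', PASSWORD_DEFAULT)]); // constructed sample user

// 1. The thread's pattern: the two form fields are spliced straight into the
//    SQL text, so a quote typed by the user ends the literal and the rest of
//    the input is parsed as SQL. Kept only to show the resulting statement;
//    it is never executed here.
function buildThreadStyleQuery(string $username, string $password): string
{
    return "SELECT * FROM table WHERE Username='$username' AND Password = '$password'";
}

// 2. Hardened login. Fetch the row by username with a bound parameter, then
//    check the submitted password against the stored hash. password_verify()
//    compares in constant time. Returns the UserID on success and null for
//    both "no such user" and "wrong password", so callers cannot tell the two
//    apart and the response does not reveal which usernames exist.
function login(PDO $db, string $username, string $password): ?int
{
    // Hash of a throwaway string, computed once, so the unknown-user path
    // spends the same time in password_verify() as the wrong-password path.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare("SELECT UserID, PasswordHash FROM users WHERE Username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, $dummyHash);
        return null;
    }
    return password_verify($password, $row['PasswordHash']) ? (int) $row['UserID'] : null;
}

// What the spliced query turns into when the username field contains a quote
// followed by a MySQL comment marker: everything after "-- " is ignored, and
// the password condition disappears from the statement.
echo buildThreadStyleQuery("bob' -- ", 'anything'), "\n";

// The same hostile input against the hardened version is just an unknown
// username, because the bound parameter is never parsed as SQL.
var_dump(login($db, 'bob', 'bobby'));
var_dump(login($db, 'bob', 'wrong'));
var_dump(login($db, "bob' -- ", 'anything'));
```

The first line printed is `SELECT * FROM table WHERE Username='bob' -- ' AND Password = 'anything'`, which MySQL reads as a lookup on `bob` with the password clause commented away; the three `login()` calls give `int(1)`, `NULL`, `NULL`. Whether to tell the user "username not found" versus "wrong password", as westmich suggests, is a product decision; the usual recommendation is the single generic message this function's return value supports, because distinct messages let anyone enumerate valid usernames before guessing passwords.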

  10. #10
    SitePoint Wizard westmich
    You're right

    I don't know what I was thinking

    At any rate, the other advantage of distinguishing between wrong username or password applies.

  11. #11
    SitePoint Evangelist jazztie

    thank you again

    Thank you again for the help... the last post that freakysid wrote really helps to put some extra functionality into the login procedure.

  12. #12
    SitePoint Evangelist jazztie
    thanx to all

