SitePoint Sponsor

User Tag List

Results 1 to 13 of 13
  1. #1
    SitePoint Addict D3V4's Avatar
    Join Date
    May 2010
    Posts
    370
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Problem with login system

    Hi guys!

    I've just started working with PHP and MySQL to build a login system. This is the code:

    Code:
    <?php
    
    	session_start();
    	
    	if($_POST && !empty($_POST['username']) && !empty($_POST['password'])) {
    		
    		$connection = mysqli_connect('localhost', 'username', 'password');
    		mysqli_select_db($connection, 'utenti');
    		$query = "SELECT * FROM utenti WHERE username = ? AND password = ? LIMIT 1";
    		
    		if (mysqli_query($connection, $query) {
    			
    			$_SESSION['status'] = 'authorized';
    			header("location: indexcopia.php");
    		
    		};
    		
    	}
    		
    		
    
    ?>
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    
    	<head>
    		<title>Title</title>
    		<!-- <link rel="icon" href="favicon.ico"> -->
    		<meta name="description" content=""/>
    		<meta name ="keywords" content=""/>
    		<meta http-equiv="Content-Type" content ="text/html; charset=iso-8859-1"/>
    		<link rel="stylesheet" href="css/styles.css" media="all"/>	
    	</head>
    	
    	<body>
    	
    	<div id="header">
    		<h1>Title</h1>
    	</div>
    	
    	<div id="login">
    		<h2>Login</h2>
    		<form method="post" action="">
    			<div>
    				<label for="username">Username: </label>
    				<input type="text" name="username"/>
    			</div>
    			<div>
    				<label for="password">Password: </label>	
    				<input type="password" name="password"/>
    			</div>
    			<div>
    				<input type="submit" value="Login" name="submit"/>
    			</div>
    		</form>
    	</div>
    	
    	<div id="footer">
    		<p>Copyright</p>
    	</div>
    	
    	</body>
    
    </html>
    This, of course, doesn't work

    What's wrong in the code?

  2. #2
    Non-Member Kalon's Avatar
    Join Date
    Aug 2010
    Location
    At my computer
    Posts
    2,012
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by D3V4 View Post
    What's wrong in the code?

    Just having a quick look at your code - Lots

    Apart from being vulnerable to sql injection, you're not checking the output from the query to see if any records were returned in order to determine if the user is legitimate or not.

    I am wondering if you would not be better off working through the w3schools php and database tutorials before continuing on with your project.

  3. #3
    SitePoint Addict D3V4's Avatar
    Join Date
    May 2010
    Posts
    370
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Kalon View Post
    Just having a quick look at your code - Lots
    Knew that XD

    Apart from being vulnerable to sql injection, you're not checking the output from the query to see if any records were returned in order to determine if the user is legitimate or not.
    Yeah, I though so. How can I check this?

    I am wondering if you would not be better off working through the w3schools php and database tutorials before continuing on with your project.
    I definitely will. The only thing is, I would need this thing pretty soon

  4. #4
    Twitter: @AnthonySterling silver trophy AnthonySterling's Avatar
    Join Date
    Apr 2008
    Location
    North-East, UK.
    Posts
    6,111
    Mentioned
    3 Post(s)
    Tagged
    0 Thread(s)
    Here you go.
    PHP Code:
    <?php
    if('POST' === $_SERVER['REQUEST_METHOD']){
      if(
    false === empty($_POST['username']) && false === empty($_POST['username'])){
        
        
    $conn mysqli_connect('localhost''username''password''schema');
        
        if(
    false === is_resource($conn)){
          echo 
    'Database Error: ' mysqli_connect_error() ;
          exit;
        }
        
        
    $sql sprintf(
          
    "SELECT username FROM utenti WHERE username = '%s' AND password = '%s' LIMIT 1",
          
    mysqli_real_escape_string($conn$_POST['username']),
          
    mysqli_real_escape_string($conn$_POST['password'])
        );
        
        
    $result mysqli_query($conn$sql);
        
        if(
    is_resource($result) && === mysqli_num_rows($result)){
          
    session_start();
          
    $_SESSION['is_authorised'] = true;
          
    header('Location: http://www.example.org/members.php');
          exit;
        }
        
      }
    }
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

        <head>
            <title>Title</title>
            <!-- <link rel="icon" href="favicon.ico"> -->
            <meta name="description" content=""/>
            <meta name ="keywords" content=""/>
            <meta http-equiv="Content-Type" content ="text/html; charset=iso-8859-1"/>
            <link rel="stylesheet" href="css/styles.css" media="all"/>    
        </head>
        
        <body>
        
        <div id="header">
            <h1>Title</h1>
        </div>
        
        <div id="login">
            <h2>Login</h2>
            <form method="post" action="">
                <div>
                    <label for="username">Username: </label>
                    <input type="text" name="username"/>
                </div>
                <div>
                    <label for="password">Password: </label>    
                    <input type="password" name="password"/>
                </div>
                <div>
                    <input type="submit" value="Login" name="submit"/>
                </div>
            </form>
        </div>
        
        <div id="footer">
            <p>Copyright</p>
        </div>
        
        </body>

    </html>
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.

  5. #5
    SitePoint Addict D3V4's Avatar
    Join Date
    May 2010
    Posts
    370
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by AnthonySterling View Post
    Here you go.
    PHP Code:
    <?php
    if('POST' === $_SERVER['REQUEST_METHOD']){
      if(
    false === empty($_POST['username']) && false === empty($_POST['username'])){
        
        
    $conn mysqli_connect('localhost''username''password''schema');
        
        if(
    false === is_resource($conn)){
          echo 
    'Database Error: ' mysqli_connect_error() ;
          exit;
        }
        
        
    $sql sprintf(
          
    "SELECT username FROM utenti WHERE username = '%s' AND password = '%s' LIMIT 1",
          
    mysqli_real_escape_string($conn$_POST['username']),
          
    mysqli_real_escape_string($conn$_POST['password'])
        );
        
        
    $result mysqli_query($conn$sql);
        
        if(
    is_resource($result) && === mysqli_num_rows($result)){
          
    session_start();
          
    $_SESSION['is_authorised'] = true;
          
    header('Location: http://www.example.org/members.php');
          exit;
        }
        
      }
    }
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

        <head>
            <title>Title</title>
            <!-- <link rel="icon" href="favicon.ico"> -->
            <meta name="description" content=""/>
            <meta name ="keywords" content=""/>
            <meta http-equiv="Content-Type" content ="text/html; charset=iso-8859-1"/>
            <link rel="stylesheet" href="css/styles.css" media="all"/>    
        </head>
        
        <body>
        
        <div id="header">
            <h1>Title</h1>
        </div>
        
        <div id="login">
            <h2>Login</h2>
            <form method="post" action="">
                <div>
                    <label for="username">Username: </label>
                    <input type="text" name="username"/>
                </div>
                <div>
                    <label for="password">Password: </label>    
                    <input type="password" name="password"/>
                </div>
                <div>
                    <input type="submit" value="Login" name="submit"/>
                </div>
            </form>
        </div>
        
        <div id="footer">
            <p>Copyright</p>
        </div>
        
        </body>

    </html>
    Thank you very much! before trying this, could you please explain what this code exactly does and what was wrong with mine?

  6. #6
    SitePoint Addict D3V4's Avatar
    Join Date
    May 2010
    Posts
    370
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Sorry for the up. I've changed one line of code (7th line):

    Code:
    <?php
    if('POST' === $_SERVER['REQUEST_METHOD']){
      if(false === empty($_POST['username']) && false === empty($_POST['username'])){
    
        $conn = mysqli_connect('localhost', 'root', 'root', 'users');
        
        if(!$conn){
          echo 'Database Error: ' . mysqli_connect_error() ;
          exit;
        }
        
        $sql = sprintf(
          "SELECT username FROM users WHERE username = '%s' AND password = '%s' LIMIT 1",
          mysqli_real_escape_string($conn, $_POST['username']),
          mysqli_real_escape_string($conn, $_POST['password'])
        );
        
        $result = mysqli_query($conn, $sql);
        
        if(is_resource($result) && 1 === mysqli_num_rows($result)){
          session_start();
          $_SESSION['is_authorised'] = true;
          header('Location: indexcopia.php');
          exit;
        }
        
      }
    }
    ?>
    because the old version kept giving me database errors. Anyway, instead of being redirected to "indexcopia.php" I still remain on the same page. Why?

  7. #7
    SitePoint Wizard lorenw's Avatar
    Join Date
    Feb 2005
    Location
    was rainy Oregon now sunny Florida
    Posts
    1,094
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    echo mysqli_num_rows($result); after mysqli_query.

    That will tell you if you are pulling any rows.
    What I lack in acuracy I make up for in misteaks

  8. #8
    SitePoint Addict D3V4's Avatar
    Join Date
    May 2010
    Posts
    370
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by lorenw View Post
    echo mysqli_num_rows($result); after mysqli_query.

    That will tell you if you are pulling any rows.
    Yes, it works, when I insert a correct username-password combination I see a 1.

  9. #9
    SitePoint Wizard lorenw's Avatar
    Join Date
    Feb 2005
    Location
    was rainy Oregon now sunny Florida
    Posts
    1,094
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    try
    Code:
    if(mysqli_num_rows($result) != 0){
    // we have rows for the user/pass start the session
    }
    I would go one step further and get username, userlevel from the database and assign them to session also.
    $_SESSION['username'] = $row['username']; etc...
    What I lack in acuracy I make up for in misteaks

  10. #10
    SitePoint Addict D3V4's Avatar
    Join Date
    May 2010
    Posts
    370
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by lorenw View Post
    try
    Code:
    if(mysqli_num_rows($result) != 0){
    // we have rows for the user/pass start the session
    }
    I would go one step further and get username, userlevel from the database and assign them to session also.
    $_SESSION['username'] = $row['username']; etc...
    I tried to change that but the problem remains. Basically, the header() function still doesn't do anything. I've looked for a solution to the problem and I've read that sometimes there are problems with this function when you use $_POST or when you output something before using the header() function. Anyway, everything should be ok in the code, why is it that it still doesn't work? Is there another way to do a redirect using PHP?

  11. #11
    SitePoint Addict D3V4's Avatar
    Join Date
    May 2010
    Posts
    370
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    No wait! I've changed the guard of the cycle and it now works! Why is that?

  12. #12
    Twitter: @AnthonySterling silver trophy AnthonySterling's Avatar
    Join Date
    Apr 2008
    Location
    North-East, UK.
    Posts
    6,111
    Mentioned
    3 Post(s)
    Tagged
    0 Thread(s)
    'guard of the cycle' , what do you mean?
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.

  13. #13
    SitePoint Addict D3V4's Avatar
    Join Date
    May 2010
    Posts
    370
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by AnthonySterling View Post
    'guard of the cycle' , what do you mean?
    Oh sorry, we call it like that in Italian.

    (mysqli_num_rows($result) != 0) is the guard ^^


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •