Php login script using mysql database

Hi Everyone,

I have this script:
<?php
  
    $username = $_POST['myusername'];
    $password = $_POST['mypassword'];
    
    if ($username == "demo" && $password == "pass") {
    	session_start();
    	$_SESSION['id'] = session_id();
    	header ("Location:index.php");
    } else {
    	if ($username != "" && $password != "") {
    	$errorMsg = "<p class=\"error\">Access Denied. Username or Password Incorrect.</p>";
    	}
    }
    ?>

How can I make that check a database rather than having the username and password hardcoded? I tried a few methods and failed.

The database name is adminusers:
it has two columns (username and password).

Thanks in advance for any help and your time to read this,

This should work for you. Basically you just check if there is a record in the database that contains a matching username and password.


<?php
    $username = $_POST['myusername'];
    $password = $_POST['mypassword'];

    $result = mysql_query("SELECT * FROM adminusers WHERE username='$username' AND password='$password'");
	if ($row = mysql_fetch_array($result)) {
    	session_start();
    	$_SESSION['id'] = session_id();
    	header ("Location:index.php");
    } else {
    	$errorMsg = "<p class=\"error\">Access Denied. Username or Password Incorrect.</p>";
    }
?>

Worked great! Thanks… there is one problem though. Now it always shows the error message… so somehow it's executing the else without checking the if first.

Never Mind. I got it working now… just had to add that if statement within the else:

<?php
  require ('includes/header.inc.php');
  	$username = $_POST['myusername'];
  	$password = $_POST['mypassword'];
  	
  	$result = mysql_query("SELECT * FROM adminusers WHERE username='$username' AND password='$password'");
  	if ($row = mysql_fetch_array($result)) {
  		session_start();
  		$_SESSION['id'] = session_id();
  		header ("Location:index.php");
  	} else {
  		if ($username != "" && $password != "") {
  			$errorMsg = "<p class=\"error\">Access Denied. Username or Password Incorrect.</p>";
  			}
  	}
  ?>

Thanks for your help!

Don’t forget to use the PHP function mysql_real_escape_string to clean user data.

Will this fix the problem?

	$username = $_POST['myusername'];
 	$password = $_POST['mypassword'];
 	
 	$result = mysql_query("SELECT * FROM adminusers WHERE username='$username' AND password='$password'");
 	if ($row = mysql_fetch_array($result)) {
 		session_start();
 		$_SESSION['id'] = session_id();
 		header ("Location:index.php");
 	} else {
 		if ($username != "" && $password != "") {
 			$errorMsg = "<p class=\"error\">Access Denied. Username or Password Incorrect.</p>";
 			}
 	}
 mysql_real_escape_string($user);
 mysql_real_escape_string($password);
 

No, you need to put it before you query the db:


function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not integer
   if (!is_numeric($value)) {
       $value = mysql_real_escape_string($value);
   }
   return $value;
}

    $username = $_POST['myusername'];
    $password = $_POST['mypassword'];

    $username = quote_smart($username);
    $password = quote_smart($password);

    $result = mysql_query("SELECT * FROM adminusers WHERE username='$username' AND password='$password'");
    if ($row = mysql_fetch_array($result)) {
        session_start();
        $_SESSION['id'] = session_id();
        header ("Location:index.php");
    } else {
        if ($username != "" && $password != "") {
            $errorMsg = "<p class=\"error\">Access Denied. Username or Password Incorrect.</p>";
            }
    }

Edit:

Change the code to make it better

I know a little about what you have done. Is there a chance you can just go over why you added the code you did? Just a quick overview of the changes will work for me. If you have the time. Thanks!

Ok


// Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }

This statement checks to see if magic_quotes is turned on; read more about it here. This function automatically adds slashes to data, so we need to strip these slashes out first for mysql_real_escape_string to work properly (I think). The next part:


 if (!is_numeric($value)) {
         $value = mysql_real_escape_string($value);
     }

This checks to see if the data entered is totally numeric. If it is, it can’t be malicious, so there is no need to escape it; if it contains other values such as single or double quotes and other signs, it escapes the data to make sure it does not interrupt the SQL.

If we put these together in a function, we don’t have to write it out again and again for each piece of data, so we make it a function.


function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not integer
   if (!is_numeric($value)) {
       $value = mysql_real_escape_string($value);
   }
   return $value;
}
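An added example, not code posted by anyone in the thread: the same login check written with a PDO prepared statement and password_hash()/password_verify(), so the query needs no manual escaping and the table holds no plaintext passwords. The helper name check_login(), the in-memory SQLite database, and the assumption that the password column stores password_hash() output are all introduced here for illustration.

```php
<?php
// Added example: parameterized lookup plus password hashing.
// check_login() is a hypothetical helper, not code from the thread.
function check_login(PDO $db, string $username, string $password): bool
{
    // Placeholders keep user input out of the SQL text entirely,
    // so no manual escaping (quote_smart) is needed.
    $stmt = $db->prepare('SELECT password FROM adminusers WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // Assumption: the password column holds password_hash() output.
    // fetchColumn() returns false when no row matched.
    if (!is_string($hash)) {
        return false;
    }
    return password_verify($password, $hash);
}

// Constructed demo data in an in-memory SQLite database so the example
// runs offline; for MySQL use a DSN such as
// new PDO('mysql:host=localhost;dbname=YOUR_DB', $sqluser, $sqlpass).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE adminusers (username TEXT PRIMARY KEY, password TEXT)');
$ins = $db->prepare('INSERT INTO adminusers (username, password) VALUES (?, ?)');
$ins->execute(['demo', password_hash('pass', PASSWORD_DEFAULT)]);

var_dump(check_login($db, 'demo', 'pass'));   // correct credentials
var_dump(check_login($db, 'demo', 'wrong'));  // wrong password
var_dump(check_login($db, "demo'", 'pass'));  // quote in input is just data

// In the login page itself (field names as in the thread):
// if (check_login($db, $_POST['myusername'] ?? '', $_POST['mypassword'] ?? '')) {
//     session_start();
//     session_regenerate_id(true); // new session ID after login
//     $_SESSION['id'] = session_id();
//     header('Location: index.php');
//     exit; // stop running the script after the redirect
// }
```

The mysql_* functions used in the thread were removed in PHP 7.0, and get_magic_quotes_gpc() was removed in PHP 8.0, so this style also runs on current PHP.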

Thanks for all your help. I understand your logic now. Thanks again!

function quote_smart($value) 
 { 
    // Stripslashes 
    if (get_magic_quotes_gpc()) { 
 	   $value = stripslashes($value); 
    } 
    // Quote if not integer 
    if (!is_numeric($value)) { 
 	   $value = mysql_real_escape_string($value); 
    } 
    return $value; 
 }  

One thing I noticed was that the quote_smart function is not being called. As far as I understand, for that function to work does it not need to be called?

You call it here:


$username = $_POST['myusername'];
$password = $_POST['mypassword'];

$username = quote_smart($username);
$password = quote_smart($password);

Haha I'm an idiot… I looked over the code and didn't even see it. I guess I should have gone to bed before 3… and not watched that crappy movie “XXX - State of the Union”. LOL Thanks again!

I have a question about this script. Where do you type in the “localhost”, the username, password and database?

I always have my connection info in another php file that I include into all the pages.

dbconnect.inc.php:


   <?php
   //mysql user info
   $sqlhost = "localhost";
   $sqluser = "user";
   $sqlpass = "password";
   //try to contact database server using user info above
   if (!$dbconnect = mysql_connect($sqlhost,$sqluser,$sqlpass)){
   echo "There was an error connecting to the database. Please try again later.";
   }
   //select the required database on the mysql server
   if (!mysql_select_db('merit1')){
   echo "There was an error locating the requested database. Please try again later.";}
   ?>
   

You can hard code that into every page or you can create a separate page like I did and include it:


  <?php include ("dbconnect.inc.php"); ?>