Hi guys!
I’ve just started working with PHP and MySQL to build a login system. This is the code:
<?php
session_start();
if($_POST && !empty($_POST['username']) && !empty($_POST['password'])) {
$connection = mysqli_connect('localhost', 'username', 'password');
mysqli_select_db($connection, 'utenti');
$query = "SELECT * FROM utenti WHERE username = ? AND password = ? LIMIT 1";
if (mysqli_query($connection, $query) {
$_SESSION['status'] = 'authorized';
header("location: indexcopia.php");
};
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Title</title>
<!-- <link rel="icon" href="favicon.ico"> -->
<meta name="description" content=""/>
<meta name ="keywords" content=""/>
<meta http-equiv="Content-Type" content ="text/html; charset=iso-8859-1"/>
<link rel="stylesheet" href="css/styles.css" media="all"/>
</head>
<body>
<div id="header">
<h1>Title</h1>
</div>
<div id="login">
<h2>Login</h2>
<form method="post" action="">
<div>
<label for="username">Username: </label>
<input type="text" name="username"/>
</div>
<div>
<label for="password">Password: </label>
<input type="password" name="password"/>
</div>
<div>
<input type="submit" value="Login" name="submit"/>
</div>
</form>
</div>
<div id="footer">
<p>Copyright</p>
</div>
</body>
</html>
This, of course, doesn’t work
What’s wrong in the code?
Oh sorry, we call it like that in Italian.
(mysqli_num_rows($result) != 0) is the guard ^^
lorenw
October 11, 2010, 1:45pm
3
try
if(mysqli_num_rows($result) != 0){
// we have rows for the user/pass start the session
}
I would go one step further and get username, userlevel from the database and assign them to session also.
$_SESSION['username'] = $row['username']; etc…
lorenw
October 10, 2010, 4:25pm
4
echo mysqli_num_rows($result); after mysqli_query.
That will tell you if you are pulling any rows.
lorenw:
try
if(mysqli_num_rows($result) != 0){
// we have rows for the user/pass start the session
}
I would go one step further and get username, userlevel from the database and assign them to session also.
$_SESSION['username'] = $row['username']; etc…
I tried to change that but the problem remains. Basically, the header() function still doesn’t do anything. I’ve looked for a solution to the problem and I’ve read that sometimes there are problems with this function when you use $_POST or when you output something before using the header() function. Anyway, everything should be ok in the code, why is it that it still doesn’t work? Is there another way to do a redirect using PHP?
Sorry for the up. I’ve changed one line of code (7th line):
<?php
if('POST' === $_SERVER['REQUEST_METHOD']){
    if(false === empty($_POST['username']) && false === empty($_POST['password'])){
        $conn = mysqli_connect('localhost', 'root', 'root', 'users');
        if(!$conn){
            echo 'Database Error: ' . mysqli_connect_error() ;
            exit;
        }
        $sql = sprintf(
            "SELECT username FROM users WHERE username = '%s' AND password = '%s' LIMIT 1",
            mysqli_real_escape_string($conn, $_POST['username']),
            mysqli_real_escape_string($conn, $_POST['password'])
        );
        $result = mysqli_query($conn, $sql);
        if(is_resource($result) && 1 === mysqli_num_rows($result)){
            session_start();
            $_SESSION['is_authorised'] = true;
            header('Location: indexcopia.php');
            exit;
        }
    }
}
?>
because the old version kept giving me database errors. Anyway, instead of being redirected to “indexcopia.php” I still remain on the same page. Why?
AnthonySterling:
Here you go.
<?php
if('POST' === $_SERVER['REQUEST_METHOD']){
    if(false === empty($_POST['username']) && false === empty($_POST['password'])){
        $conn = mysqli_connect('localhost', 'username', 'password', 'schema');
        if(false === is_resource($conn)){
            echo 'Database Error: ' . mysqli_connect_error() ;
            exit;
        }
        $sql = sprintf(
            "SELECT username FROM utenti WHERE username = '%s' AND password = '%s' LIMIT 1",
            mysqli_real_escape_string($conn, $_POST['username']),
            mysqli_real_escape_string($conn, $_POST['password'])
        );
        $result = mysqli_query($conn, $sql);
        if(is_resource($result) && 1 === mysqli_num_rows($result)){
            session_start();
            $_SESSION['is_authorised'] = true;
            header('Location: http://www.example.org/members.php');
            exit;
        }
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Title</title>
<!-- <link rel="icon" href="favicon.ico"> -->
<meta name="description" content=""/>
<meta name ="keywords" content=""/>
<meta http-equiv="Content-Type" content ="text/html; charset=iso-8859-1"/>
<link rel="stylesheet" href="css/styles.css" media="all"/>
</head>
<body>
<div id="header">
<h1>Title</h1>
</div>
<div id="login">
<h2>Login</h2>
<form method="post" action="">
<div>
<label for="username">Username: </label>
<input type="text" name="username"/>
</div>
<div>
<label for="password">Password: </label>
<input type="password" name="password"/>
</div>
<div>
<input type="submit" value="Login" name="submit"/>
</div>
</form>
</div>
<div id="footer">
<p>Copyright</p>
</div>
</body>
</html>
Thank you very much! Before trying this, could you please explain what this code exactly does and what was wrong with mine?
Knew that XD
Apart from being vulnerable to sql injection, you’re not checking the output from the query to see if any records were returned in order to determine if the user is legitimate or not.
Yeah, I thought so. How can I check this?
I am wondering if you would not be better off working through the w3schools php and database tutorials before continuing on with your project.
I definitely will. The only thing is, I would need this thing pretty soon
system
September 1, 2010, 1:12pm
9
Just having a quick look at your code - Lots
Apart from being vulnerable to sql injection, you’re not checking the output from the query to see if any records were returned in order to determine if the user is legitimate or not.
I am wondering if you would not be better off working through the w3schools php and database tutorials before continuing on with your project.
Yes, it works, when I insert a correct username-password combination I see a 1.
Here you go.
<?php
if('POST' === $_SERVER['REQUEST_METHOD']){
    if(false === empty($_POST['username']) && false === empty($_POST['password'])){
        $conn = mysqli_connect('localhost', 'username', 'password', 'schema');
        if(false === is_resource($conn)){
            echo 'Database Error: ' . mysqli_connect_error() ;
            exit;
        }
        $sql = sprintf(
            "SELECT username FROM utenti WHERE username = '%s' AND password = '%s' LIMIT 1",
            mysqli_real_escape_string($conn, $_POST['username']),
            mysqli_real_escape_string($conn, $_POST['password'])
        );
        $result = mysqli_query($conn, $sql);
        if(is_resource($result) && 1 === mysqli_num_rows($result)){
            session_start();
            $_SESSION['is_authorised'] = true;
            header('Location: http://www.example.org/members.php');
            exit;
        }
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Title</title>
<!-- <link rel="icon" href="favicon.ico"> -->
<meta name="description" content=""/>
<meta name ="keywords" content=""/>
<meta http-equiv="Content-Type" content ="text/html; charset=iso-8859-1"/>
<link rel="stylesheet" href="css/styles.css" media="all"/>
</head>
<body>
<div id="header">
<h1>Title</h1>
</div>
<div id="login">
<h2>Login</h2>
<form method="post" action="">
<div>
<label for="username">Username: </label>
<input type="text" name="username"/>
</div>
<div>
<label for="password">Password: </label>
<input type="password" name="password"/>
</div>
<div>
<input type="submit" value="Login" name="submit"/>
</div>
</form>
</div>
<div id="footer">
<p>Copyright</p>
</div>
</body>
</html>
‘guard of the cycle’, what do you mean?
No wait! I’ve changed the guard of the cycle and it now works! Why is that?
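Added example, not part of the thread and not any poster's code: the login check discussed above written with a mysqli prepared statement, so the `?` placeholders from the first post are actually bound, with failure tested against `false` rather than `is_resource()`, and with the redirect followed by `exit`. The `check_login()` helper and the `password_hash` column are assumptions made for this example; the connection values are the thread's placeholders.

```php
<?php
declare(strict_types=1);
// Assumption: `utenti` has a `password_hash` column filled by password_hash();
// the thread's table keeps the password in a plain `password` column.

function check_login(mysqli $conn, string $username, string $password): bool
{
    // The ? placeholders are only bound through prepare/bind/execute;
    // mysqli_query() would send them to the server as literal text.
    $stmt = mysqli_prepare(
        $conn,
        'SELECT password_hash FROM utenti WHERE username = ? LIMIT 1'
    );
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    // fetch gives true for a row, null when nothing matched, false on error
    $found = mysqli_stmt_fetch($stmt) === true;
    mysqli_stmt_close($stmt);

    return $found && is_string($hash) && password_verify($password, $hash);
}

$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && is_string($user) && is_string($pass) && $user !== '' && $pass !== '') {
    // Return false on failure instead of throwing (the PHP 8.1+ default).
    mysqli_report(MYSQLI_REPORT_OFF);
    // mysqli_connect() yields a mysqli object or false, never a resource.
    $conn = mysqli_connect('localhost', 'username', 'password', 'schema');
    if ($conn === false) {
        error_log('Database error: ' . mysqli_connect_error());
        http_response_code(500);
        exit;
    }
    if (check_login($conn, $user, $pass)) {
        session_start();
        session_regenerate_id(true); // fresh session id after login
        $_SESSION['is_authorised'] = true;
        // header() needs to run before any output; exit stops the form rendering.
        header('Location: indexcopia.php');
        exit;
    }
}
?>
```

The HTML login form from the thread follows the closing `?>` unchanged; on a failed login the script falls through and renders it again.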