Login page question

**polorboy** · 01-15-2007 10:07 AM

Hi everyone, well, I am working on the login section of my site and it doesn't seem to want to do anything. I have it checking the entered info against a database, but it doesn't matter if I enter valid data or just junk, the page doesn't do anything, it just reloads when I try to submit the form. Here is the php code:

PHP Code:


        <?php

    

            $username = $_POST['username'];

            $password = $_POST['password'];

            $hashpw = hash("sha512",$password);

        

              if (isset($_POST['submit']) && $_POST['submit'] == "Login") {

                if ($username != " " && $hashpw != " ") {

                    $query = "SELECT user_name FROM login_info WHERE user_name = '$username';";

                    $query2 = "SELECT password FROM login_info WHERE password = '$hashpw';";

                    $result = mysql_query($query) or die(mysql_error());

                    $result2 = mysql_query($query2) or die(mysql_error());

                    

                    if (mysql_num_rows($result) != 0 && mysql_num_rows($result2) != 0) {

                        header('Location: http://www.fakedomain.com/upload.php');

                    }

                    else {

                        print "<p><span style='color:#CC0000'>The Username and Password you entered does not exist.</span><br/>";

                        print "You can contact us at <a href='mailto:someone@fake.com'>Customer Service</a> if you need help with your account.";

                    }

                }

            }

          ?>

**Hendrick2** · 01-15-2007 10:19 AM

I do see one issue with your script your going to have.

As of now, say jim password is wiki and Jack password is pedia.

If someone would use the username jim, but use jacks password, it would log him in.

**polorboy** · 01-15-2007 10:22 AM

That was going to be my next question.

**polorboy** · 01-15-2007 12:05 PM

Anyone feel like offering some input on this? Like, what could be causing my page to just reload rather than redirect to the appropriate page or display the error message?

**NightShift58** · 01-15-2007 12:35 PM

Instead of:

PHP Code:


$query = "SELECT user_name FROM login_info WHERE user_name = '$username';";

$query2 = "SELECT password FROM login_info WHERE password = '$hashpw';";

$result = mysql_query($query) or die(mysql_error());

$result2 = mysql_query($query2) or die(mysql_error());

                    

if (mysql_num_rows($result) != 0 && mysql_num_rows($result2) != 0) {

combine the SQL statement and use:

PHP Code:


$query = "SELECT user_name FROM login_info WHERE user_name = '$username' AND password = '$hashpw' LIMIT 1;";

$result = mysql_query($query) or die(mysql_error());

                    

if (mysql_num_rows($result) != 0) {

That should take care of the untimely redirect as well.

**polorboy** · 01-15-2007 01:15 PM

I was just reading through the MySQL manual and was about to go give that a try to prevent just any combination from letting anyone in. What about the page just reloading though, will that fix that also?

**polorboy** · 01-15-2007 01:24 PM

Ok, well I am still just getting the page to reload, when I click the login button for my form it just seems to reload the page. The data is being submitted but it is not sending the header request it seems like. Does the header have to be before the <html> tags to work?

**NightShift58** · 01-15-2007 01:43 PM

Can you post the login page?

**polorboy** · 01-15-2007 01:52 PM

This is the form that is on the login page, with the php above it. That is how it is on my page.

This is before the <html>:

PHP Code:


<?php

    require('mysql_config.php');

    

    $connect = mysql_connect(SQL_HOST,SQL_USER,SQL_PASS) or die('Could not connect to the Database.' .mysql_error());    

            

    mysql_select_db(SQL_DB,$connect);

?>

Down in the <body>:

PHP Code:


        <?php

    

            $username = $_POST['username'];

            $password = $_POST['password'];

            $hashpw = hash("sha512",$password);

        

              if (isset($_POST['submit']) && $_POST['submit'] == "Login") {

                if ($username != " " && $hashpw != " ") {

                    $query = "SELECT user_name FROM login_info WHERE user_name = '$username' AND password = '$hashpw' LIMIT 1;"; 

                    $result = mysql_query($query) or die(mysql_error());

                    

                    if (mysql_num_rows($result) != 0) {

                        header('Location: http://www.fake.com/upload.php');

                    }

                    else {

                        print "<p><span style='color:#CC0000'>The Username and Password you entered does not exist.</span><br/>";

                        print "You can contact us at <a href='mailto:someone@domain.com'>Customer Service</a> if you need help with your account.";

                    }

                }

            }        

          ?>

        <form enctype="text/plain" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" class="login">

          <fieldset>

            <legend>

              Login

            </legend>

            <label for="username">

              Username:<br />

              <input type="text" name="username" id="username" size="20" maxlength="20" />

              <br />

              <br />

            </label>

            <label for="password">

              Password:<br />

              <input type="password" name="password" id="password" size="20" maxlength="20" />

              <br />

              <br />

            </label>

            <input type="submit" name="login" id="loginbtn" value="Login" />

          </fieldset>

        </form>

**NightShift58** · 01-15-2007 02:14 PM

Try this:

PHP Code:


<?php

$err_msg = "";    

if (isset($_POST['submit']) && $_POST['submit'] == "Login") {

  $username = $_POST['username'];

  $password = $_POST['password'];

  $hashpw = hash("sha512",$password);

  if ($username != " " && $hashpw != " ") {

    $query = "SELECT user_name FROM login_info WHERE user_name = '$username' AND password = '$hashpw' LIMIT 1;";

    $result = mysql_query($query) or die("SQL Error: $query<br>" . mysql_error());

    if (mysql_num_rows($result) == 0) {

      $err_msg  = "<p><span style='color:#CC0000'>The Username and Password you entered does not exist.</span><br/>";

      $err_msg .= "You can contact us at <a href='mailto:someone@domain.com'>Customer Service</a> if you need help with your account.<br/>";

    } else { 

      header('Location: http://www.fake.com/upload.php');

      exit;

    }

  }

}        

?>

<form enctype="text/plain" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" class="login">

<?php

if ($err_msg <> "") {

  print $err_msg;

}

?> 

<fieldset>

<legend>Login</legend>

<label for="username">Username:<br />

<input type="text" name="username" id="username" size="20" maxlength="20" /><br /><br />

</label>

<label for="password">Password:<br />

<input type="password" name="password" id="password" size="20" maxlength="20" /><br /><br />

</label>

<input type="submit" name="login" id="loginbtn" value="Login" />

</fieldset>

</form>

**polorboy** · 01-15-2007 03:31 PM

It still just reloads the page.

**NightShift58** · 01-15-2007 03:40 PM

I didn't catch this earlier:

PHP Code:


  if ($username != " " && $hashpw != " ") {

Change it to:

PHP Code:


  if ($username <> "" AND $hashpw <> "") {

I don't know why the space is in there. Any special reason?

**polorboy** · 01-15-2007 04:06 PM

No, not really, I was just trying to say "if the string is not empty", ergo, it has content, redirect to the address in the header(). I changed to the <> "", but I don't see what that does exactly and I am still just getting the page to reload. Here are the changes I have made to the script so far:

PHP Code:


        <?php        

              if (isset($_POST['submit']) && $_POST['submit'] == "Login") {

            

                $username = trim($_POST['username']);

                $password = trim($_POST['password']);

                $hashpw = hash("sha512",$password);

                

                print "Username: " .$username;

                print "Password: " .$password;                

                print "The password we are comparing: " .$hashpw;

                

                if ($username <> "" && $hashpw <> "") {

                    $query = "SELECT user_name FROM login_info WHERE user_name = '$username' AND password = '$hashpw' LIMIT 1;"; 

                    $result = mysql_query($query) or die(mysql_error());

                    print "This is the result of the query: " .$result;

                    

                    if (mysql_num_rows($result) != 0) {

                        header('Location: http://www.fake.com/upload.php');

                        exit();

                    }

                    else {

                        print "<p><span style='color:#CC0000'>The Username and Password you entered does not exist.</span><br/>";

                        print "You can contact us at <a href='mailto:someone@fake.com'>Customer Service</a> if you need help with your account.";

                    }

                }

            }        

          ?>

I put the variables inside the if statement becuase when they were outside it they were being assigned random values before the form was even submitted.
Though, now nothing is being printed to the screen, so the script isn't even getting into the if statement. I don't see why it wouldn't though.

**NightShift58** · 01-15-2007 04:35 PM

Did you leave out the bottom part in this post or did it go AWOL?

**NightShift58** · 01-15-2007 04:37 PM

Something's not right...

Can you post the entire login page?

Thread: Login page question

Thread Tools

Display

Login page question

Thread Information

Users Browsing this Thread

Bookmarks

Bookmarks

Posting Permissions