www.webdeveloper.com

Thread: PHP script bug....please help...

  1. #1
    Join Date
    Jun 2013
    Posts
    33

    PHP script bug....please help...

    This is a login script.
    I also have a register script which works fine and adds some fields to the database, including
    the password with just md5 encryption.
    When I try to log in with email and password, this script always shows the incorrect password message when I
    type the correct password and shows me the member area when I type the wrong password.
    I could not find any error. Please help.

    <?php

    // Connects to your Database

    mysql_connect("localhost", "root", "dhiraj") or die(mysql_error());

    mysql_select_db("test") or die(mysql_error());




    session_start();

    $e_id;
    $pwd;

    if(!isset($_POST['submit']))
    {
    ?>


    <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">

    <table border="0">

    <tr><td colspan=2><h1>Login</h1></td></tr>

    <tr><td>Email Id:</td><td>

    <input type="text" name="email" maxlength="60">

    </td></tr>

    <tr><td>Password:</td><td>

    <input type="password" name="pass" maxlength="50">

    </td></tr>

    <tr><td colspan="2" align="right">

    <input type="submit" name="submit" value="Login">

    </td></tr>

    </table>

    </form>

    <?php
    }
    else
    {
    // if form has been submitted
    $_SESSION['e_id']=$_POST['email'];
    $_SESSION['pwd']=$_POST['pass'];



    // makes sure they filled it in

    if(!$_POST['email'] | !$_POST['pass'])
    {

    die('You did not fill in a required field.');

    }

    // checks it against the database

    $check = mysql_query("SELECT * FROM users WHERE u_email = '".$_POST['email']."'")or die(mysql_error());



    //Gives error if user dosen't exist

    $check2 = mysql_num_rows($check);

    if ($check2 == 0)
    {

    unset($_SESSION['e_id']);
    unset($_SESSION['pwd']);
    die('That user does not exist in our database. <a href=enter.php>Click Here to Register</a>');
    }

    while($info = mysql_fetch_array( $check ))

    {



    $_POST['pass'] = md5($_POST['pass']);



    //gives error if the password is wrong

    if ($_POST['pass'] != $info['u_pass'])
    {

    die('Incorrect password, please try again.');
    //this gets executed when supply correct password.

    }
    else
    {


    //then redirect them to the members area

    header("Location: members.php");
    //this gets executed when i supply wrong password.

    }

    }

    }
    ?>

  2. #2
    Join Date
    Jul 2013
    Location
    Voorheesville NY USA
    Posts
    889
    I took the liberty of cleaning up your code to make it more readable and to add some notes. Also - rules say you should use tags to wrap your code with, which I did here.

    Look for my comments - NOTE or ???
    Code:
    <?php
    session_start();
    //  TURN ON ERROR REPORTING
    error_reporting(E_ALL | E_STRICT);
    ini_set('display_errors', '1');
    set_time_limit(2);
    // Connects to your Database
    mysql_connect("localhost", "root", "dhiraj") or die(mysql_error());
    mysql_select_db("test") or die(mysql_error());
    if(!isset($_POST['submit']))
    {
        // People frown on this, but I use it too.
        $action=$_SERVER['PHP_SELF'];
        $code=<<<heredocs
        <form action="$action" method="post">
        <table border="0">
        <tr>
        <td colspan=2><h1>Login</h1></td>
        </tr>
        <tr>
        <td>Email Id:</td>
        <td><input type="text" name="email" maxlength="60"></td>
        </tr>
        <tr>
        <td>Password:</td>
        <td><input type="password" name="pass" maxlength="50"></td>
        </tr>
        <tr>
        <td colspan="2" align="right"><input type="submit" name="submit" value="Login"></td>
        </tr>
        </table>
        </form>
    heredocs;
        echo $code;
    }
    else
    {
        // if form has been submitted
    //  ????
    //  Why save these values if you haven't checked them yet ???
    //  ????
        $_SESSION['e_id']=$_POST['email'];
        $_SESSION['pwd']=$_POST['pass'];
        // makes sure they filled it in
    //  ???
    //  Following statement has an invalid operator  'OR' is '||' not '|'
    //  do you have error checking turned on?
        if(!$_POST['email'] | !$_POST['pass'])
        {
            // ????
            //  Very in-elegant.  You leave your user hanging with
            //  no place to go.
            die('You did not fill in a required field.');
        }
        // checks it against the database
        //  NOTE use of {} to eliminate breaking up string
        //  NOTE - die should provide some kind of contextual message to help you determine
        //  where in your code you died.
        $check = mysql_query("SELECT * FROM users WHERE u_email = '{$_POST['email']}'") or die(mysql_error());
        //  NOTE - you need to check if the query actually ran NOW
        //
        //Gives error if user doesn't exist
        $check2 = mysql_num_rows($check);
        if ($check2 == 0)
        {
            // ???? See? if you hadn't saved them, you wouldn't need to unset them now
            unset($_SESSION['e_id']);
            unset($_SESSION['pwd']);
        // ??? This statement is flawed - you will NOT get a link from this, simply a message
            die('That user does not exist in our database. <a href=enter.php>Click Here to Register</a>');
        }
        while($info = mysql_fetch_array( $check ))
        {
            // NOTE - you should trim your input first
            $_POST['pass'] = md5($_POST['pass']);
            //gives error if the password is wrong
            //  ???? is 'u_pass' the correct name from your table??
            if ($_POST['pass'] != $info['u_pass'])
            {
                die('Incorrect password, please try again.');
                // NOTE - again - you leave your user hanging
                //   How can he try again if you don't give him a screen?
                //this gets executed when supply correct password.
            }
            else
            {
                //then redirect them to the members area
                // NOW SAVE the credentials in SESSION !!!
                // BUT - Do You Really need to save the password ??
                $_SESSION['e_id']=$_POST['email'];
                $_SESSION['pwd']=$_POST['pass'];
                header("Location: members.php");
                //this gets executed when i supply wrong password.
                // ????  You really need an exit() line here!!
            }
        }
    }
    ?>
    I didn't see your specific problem, but the errors I did see should preclude this script from even running. YOU NEED TO TURN ON ERROR CHECKING!!

    Try my code and add error checking and see what happens.

  3. #3
    Join Date
    Jul 2013
    Posts
    31
    ginerjm has said everything.
    I'd like to tell you one more thing: if you don't want your database to be hacked, please use mysqli_* functions or PDO prepared statements.

  4. #4
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    2,506
    Also be aware that forum code tags exist to make reading code posted easier, please use them.
    Yes, I know I'm about as subtle as being hit by a bus..(\\.\ Aug08)
    Yep... I say it like I see it, even if it is like a baseball bat in the nutz... (\\.\ Aug08)
    I want to leave this world the same way I came into it, Screaming, Incontinent & No memory!
    I laughed that hard I burst my colostomy bag... (\\.\ May03)
    Life for some is like a car accident... Mine is like a motorway pile up...


  5. #5
    Join Date
    Jun 2013
    Posts
    33
    ginerjm, really, thanks for the help. My problem is solved. Actually, when I was hashing the password with md5, I stored it in the password field, whose length was not enough to store the hash. So I increased that and the problem was solved. But this thread is really important for me.

    Actually, I am right now doing this on xampp (phpmyadmin) and I am trying to create a good script before I own a web space. I am trying to be careful.
    I have more questions for you, if you don't mind.

    About session variables: should I set them just before redirecting the user to the member area? And what's the advantage of exit after header?

    Once again, thanks for the reply. And let me know if you have any experience with database schemas, because I have a question or two about db design. Thanks.
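
Added example, not part of any post in this thread: the login check written with the PDO prepared statements suggested in post #3, with the session written only after the check passes and an exit after the redirect, as asked about in post #5. It swaps md5 for PHP's password_hash()/password_verify() and uses in-memory SQLite in place of MySQL so it runs offline; the function names, the sample account and the 20-character column length are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example. Names users/u_email/u_pass/members.php follow the thread;
// in-memory SQLite stands in for MySQL so the script runs offline (assumption).

function open_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On MySQL, declare u_pass as VARCHAR(255): in non-strict SQL mode a column
    // shorter than the hash truncates it on insert, so no comparison can succeed.
    $pdo->exec('CREATE TABLE users (u_email TEXT PRIMARY KEY, u_pass TEXT NOT NULL)');
    return $pdo;
}

function register_user(PDO $pdo, string $email, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO users (u_email, u_pass) VALUES (?, ?)');
    $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
}

// True only when the e-mail exists and the password matches its stored hash.
function check_login(PDO $pdo, string $email, string $password): bool {
    // The ? placeholder sends the e-mail as data, never as part of the SQL text.
    $stmt = $pdo->prepare('SELECT u_pass FROM users WHERE u_email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();          // false when no row matches
    return is_string($hash) && password_verify($password, $hash);
}

// Web side: write to the session only after the check passes, then stop.
function finish_login(string $email): void {
    session_start();
    session_regenerate_id(true);           // fresh session id for the logged-in user
    $_SESSION['e_id'] = $email;            // the password is never stored
    header('Location: members.php');
    exit;                                  // without this the script keeps running
}

$pdo = open_db();
register_user($pdo, "o'brien@example.test", 'correct horse'); // constructed account

foreach (['correct horse', 'wrong guess'] as $attempt) {
    $ok = check_login($pdo, "o'brien@example.test", $attempt);
    echo $attempt, ' => ', $ok ? 'accepted' : 'rejected', PHP_EOL;
}

// Truncation as in post #5, simulated: a 20-character column (constructed length)
// keeps only part of the 32-character md5 string, so the two never compare equal.
$full = md5('correct horse');
var_dump(hash_equals(substr($full, 0, 20), $full));
```

In a real page, call finish_login() only when check_login() returns true; it is defined but not invoked here so the script can run from the command line.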
