www.webdeveloper.com

Thread: not able to login through admin.php

  1. #1
    Join Date
    Aug 2014
    Posts
    5

    not able to login through admin.php

    Hi All,

    Please help me. I am a newbie and am making an eCommerce website by reading books and watching YouTube tutorials, etc. Now I am stuck on the admin page, where I am not able to log in: though I am putting in the right username and password, I am still getting the wrong username and password message. Please help. I am using the script below. Help would be much appreciated.
    PHP Code:
    <?php

    session_start();
    if(isset($_SESSION['admin'])){
        header("location: admin/index.php");
        exit();
    }

    $msg="";
    if(isset($_POST['username'])){
        $admin = $_POST['username'];
        $password = $_POST['password'];
        $admin = stripslashes($admin);
        $password = stripslashes($password);
        $admin = strip_tags($admin);
        $password = strip_tags($password);
        if((!$admin) || (!$password)){
            $msg="<p style='color: #CC0; font-weight: bold;' >Wrong Username or Password!</p>";
        }else{
            $admin = mysql_real_escape_string($admin);
            $password = md5($password);
            include_once("scripts/connect.php");
            $sql=mysql_query("SELECT * FROM admin WHERE name='$admin' AND password='$password' LIMIT 1");
            $count = mysql_num_rows($sql);
            if($count > 0){
                while($row = mysql_fetch_array($sql)){
                    $id = $row['id'];
                    $name = $row['name'];
                    $pass = $row['password'];
                    $_SESSION['id']= $id;
                    $_SESSION['name']= $name;
                    $_SESSION['password']= $pass;
                    mysql_query("UPDATE admin SET last_log=now() WHERE name='$name' LIMIT 1");
                    header("location: admin/index.php");
                }
            }else{
                $msg="<p style='color: #C00; font-weight: bold;' >Wrong Username or Password!</p>";
            }
        }
    }

    ?>
    Last edited by NogDog; 08-15-2014 at 08:44 AM. Reason: added [php] tags around code

  2. #2
    Join Date
    Aug 2014
    Posts
    5
    I am getting this error: "mysql_real_escape_string(): Access denied for user 'root'@'localhost' (using password: NO)". Please help.

  3. #3
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,384
    Try putting that line after the "include" line a couple lines after that. (I'm assuming that include file does the database connection stuff, which needs to happen before you try to use mysql_real_escape_string().)

    (PS: The MySQL PHP extension (the mysql_*() functions) is deprecated, and you really should migrate any related code to use the MySQLi or PDO extension, instead, since future versions of PHP may no longer support the old extension.)
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  4. #4
    Join Date
    Aug 2014
    Posts
    5

    still no progress

    Quote Originally Posted by NogDog View Post
    Try putting that line after the "include" line a couple lines after that. (I'm assuming that include file does the database connection stuff, which needs to happen before you try to use mysql_real_escape_string().)

    (PS: The MySQL PHP extension (the mysql_*() functions) is deprecated, and you really should migrate any related code to use the MySQLi or PDO extension, instead, since future versions of PHP may no longer support the old extension.)
    Hi, thanks for your quick reply. I did the same as per your last suggestion, but still no progress. It's showing wrong username or password.

  5. #5
    Join Date
    May 2014
    Posts
    75
    Try changing:

    PHP Code:
    $sql=mysql_query("SELECT * FROM admin WHERE name='$admin' AND password='$password' LIMIT 1"); 
    Temporarily to:

    PHP Code:
    $sql=mysql_query($temp = "SELECT * FROM admin WHERE name='$admin' AND password='$password' LIMIT 1;");
    echo $temp;
    The next time you try to login it will give you the SQL query.

    Make sure the data in the query is what you expected, try it directly in phpMyAdmin, manually compare the data to what is in the database. Is the password MD5'd in the database too?

    Basically compare all the data and make sure everything matches up nicely.

  6. #6
    Join Date
    Aug 2014
    Posts
    5

    still getting the error

    Quote Originally Posted by Gravy View Post
    Try changing:

    PHP Code:
    $sql=mysql_query("SELECT * FROM admin WHERE name='$admin' AND password='$password' LIMIT 1"); 
    Temporarily to:

    PHP Code:
    $sql=mysql_query($temp = "SELECT * FROM admin WHERE name='$admin' AND password='$password' LIMIT 1;");
    echo $temp;
    The next time you try to login it will give you the SQL query.

    Make sure the data in the query is what you expected, try it directly in phpMyAdmin, manually compare the data to what is in the database. Is the password MD5'd in the database too?

    Basically compare all the data and make sure everything matches up nicely.

    Hi Gravy, thanks for the reply. Still no success; I am getting the error below in the error_log file:

    [17-Aug-2014 05:57:21 UTC] PHP Warning: mysql_real_escape_string(): Access denied for user 'root'@'localhost' (using password: NO) in /home/addykhan2003/public_html/admin.php on line 21
    [17-Aug-2014 05:57:21 UTC] PHP Warning: mysql_real_escape_string(): A link to the server could not be established in /home/addykhan2003/public_html/admin.php on line 21
    [17-Aug-2014 05:57:21 UTC] PHP Notice: Undefined variable: temp in /home/addykhan2003/public_html/admin.php on line 24
    [17-Aug-2014 05:57:21 UTC] PHP Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /home/addykhan2003/public_html/admin.php on line 25

    Yes, the password is MD5 in the database. I have used the code below to hash it and saved it in my database too.

    <?php

    // PHP variable names are case-sensitive, so the same name is used throughout.
    $p = "abdul82";
    $p = md5($p);
    echo $p;

    ?>

  7. #7
    Join Date
    May 2014
    Posts
    75
    Ah, I thought you corrected that.

    Then my guess is that the problem is in your scripts/connect.php file.
    Perhaps the root password you're using is wrong?

    I'm assuming your code looks something like this at the moment:

    PHP Code:
    <?php

    session_start();
    if(isset($_SESSION['admin'])){
        header("location: admin/index.php");
        exit();
    }

    $msg="";
    if(isset($_POST['username'])){
        $admin = $_POST['username'];
        $password = $_POST['password'];
        $admin = stripslashes($admin);
        $password = stripslashes($password);
        $admin = strip_tags($admin);
        $password = strip_tags($password);
        if((!$admin) || (!$password)){
            $msg="<p style='color: #CC0; font-weight: bold;' >Wrong Username or Password!</p>";
        }else{
            include_once("scripts/connect.php");

            $admin = mysql_real_escape_string($admin);
            $password = md5($password);

            $sql=mysql_query($temp = "SELECT * FROM admin WHERE name='$admin' AND password='$password' LIMIT 1");
            echo $temp;
            $count = mysql_num_rows($sql);
            if($count > 0){
                while($row = mysql_fetch_array($sql)){
                    $id = $row['id'];
                    $name = $row['name'];
                    $pass = $row['password'];
                    $_SESSION['id']= $id;
                    $_SESSION['name']= $name;
                    $_SESSION['password']= $pass;
                    mysql_query("UPDATE admin SET last_log=now() WHERE name='$name' LIMIT 1");
                    header("location: admin/index.php");
                }
            }else{
                $msg="<p style='color: #C00; font-weight: bold;' >Wrong Username or Password!</p>";
            }
        }
    }

    ?>
    Paying special attention to the order of:
    PHP Code:
    include_once("scripts/connect.php");
    $admin = mysql_real_escape_string($admin);
    What are the contents of scripts/connect.php?

  8. #8
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    2,360
    mysql_real_escape_string() is fine if you're the only person on that server; otherwise you need to have a resource identifier that is stored in a variable when you connect to the database.

    $dbh = mysql_connect(... blah blah blah

    now variable $dbh is a handle to the db so that

    $xyz = mysql_real_escape_string( $whatIwantToEscape , $dbh);

    and the same goes for queries, you would need

    $myResult = mysql_query( $myQueryString , $dbh );

    On other matters, the security of your code is very bad. You should be sanitizing inputs into an array that you then use and know is safe, and not use the $_POST array directly, and you should operate a check to ensure that the login came from your site and check that the $_POST['submit'] button is present.

    Reliance on the $_SERVER['REQUEST_METHOD'] to test if the request is a POST request is not good enough: a POST request could be coming from anywhere, and you want to know that the post came from your site. The method I use is fairly simple.

    Using a whitelist and not using the $_POST array to control things...

    PHP Code:

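    // Field name => filter to apply. (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.)
    $whitelist = array(
        "username"=>FILTER_SANITIZE_STRING,
        "password"=>FILTER_SANITIZE_STRING,
        "timeframe"=>FILTER_SANITIZE_STRING
    );

    // Replace each filter constant with the filtered POST value, or false if the field is missing.
    foreach($whitelist as $field=>&$value){
        $value = isset( $_POST[ $field ] ) ? filter_var( $_POST[ $field ] , $value ) : false;
        if(!$value){ header("Location: /index.php"); exit(); } // stop here, or the script keeps running after the redirect
    }
    unset($value); // break the reference left over from the loop

    // $hash is not defined in this snippet; it has to be set earlier to the value the server expects.
    if( $hash!=$whitelist['timeframe']){ header("Location: /index.php"); exit(); } // send to home page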
    then when you are sure that your values are sanitized, you can use the values in your whitelist in your script.

    You might want to look at page salting as a way of marking your pages that your server issues, something that can be tested on form submission (login) and a check to ensure that your server issued the page and it is genuine.
    Yes, I know I'm about as subtle as being hit by a bus..(\\.\ Aug08)
    Yep... I say it like I see it, even if it is like a baseball bat in the nutz... (\\.\ Aug08)
    I want to leave this world the same way I came into it, Screaming, Incontinent & No memory!
    I laughed that hard I burst my colostomy bag... (\\.\ May03)
    Life for some is like a car accident... Mine is like a motorway pile up...

    Problems with Vista? :: Getting Cryptic wid it. :: The 'C' word! :: Whois?
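
The server-issued form check described in the post above, as an added example that is not part of the original post or the poster's own method: a random per-session token goes into a hidden `timeframe` field and is compared on submission. The function names and the `$session`/`$post` stand-ins for `$_SESSION`/`$_POST` are assumptions made so the code runs from the command line.

```php
<?php
// Added example, not from the thread. $session stands in for $_SESSION and
// $post for $_POST; the field name "timeframe" follows the post above, the
// function names are hypothetical.

// Called when the login form is rendered: create a random token, remember it
// server-side, and return it for a hidden <input name="timeframe">.
function issue_form_token(array &$session): string {
    $session['timeframe'] = bin2hex(random_bytes(32));
    $session['timeframe_issued'] = time();
    return $session['timeframe'];
}

// Called on submission: accept only a token this server issued for this
// session, not older than $maxAge seconds, and accept it only once.
function verify_form_token(array &$session, array $post, int $maxAge = 900): bool {
    $expected = $session['timeframe'] ?? null;
    $issued   = $session['timeframe_issued'] ?? 0;
    unset($session['timeframe'], $session['timeframe_issued']); // single use
    $given = $post['timeframe'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false;                      // missing field or array-valued input
    }
    if (time() - $issued > $maxAge) {
        return false;                      // stale form
    }
    return hash_equals($expected, $given); // constant-time comparison
}

// Constructed walk-through.
$session = [];
$token = issue_form_token($session);
var_dump(verify_form_token($session, ['username' => 'a', 'timeframe' => $token])); // server-issued token
var_dump(verify_form_token($session, ['username' => 'a', 'timeframe' => $token])); // same token replayed
$token = issue_form_token($session);
var_dump(verify_form_token($session, ['username' => 'a']));                         // field absent
```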

  9. #9
    Join Date
    Aug 2014
    Posts
    5
    Hi Gravy,

    I have matched the database as per
    $sql=mysql_query($temp = "SELECT * FROM admin WHERE name='$admin' AND password='$password' LIMIT 1");
    echo $temp;
    and everything is matching. I have also made a mysql_quicktest.php file to check whether I am connected to my database or not. I am using the code below to check my connect.php file.

    mysql_quicktest.php
    <?php
    //connect to the file above here
    require "connect.php";
    echo "<h1>Success in database connection! Happy coding!</h1>";
    ?>

    connect.php

    <?php

    $host="localhost";
    $user="****"; // here I put my username
    $pass="****"; // here I put my password
    $name="mystore";

    mysql_connect("$host","$user","$pass")or die(mysql_error());
    mysql_select_db("$name") or die(mysql_error());

    ?>

    But whenever I check this through my mysql_quicktest.php file I get the success message. What should I do?

  10. #10
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    2,360
    You should be using the mysqli_ not mysql_ functions and you also need to be using handler variables for your connections as indicated in my post.
    Yes, I know I'm about as subtle as being hit by a bus..(\\.\ Aug08)
    Yep... I say it like I see it, even if it is like a baseball bat in the nutz... (\\.\ Aug08)
    I want to leave this world the same way I came into it, Screaming, Incontinent & No memory!
    I laughed that hard I burst my colostomy bag... (\\.\ May03)
    Life for some is like a car accident... Mine is like a motorway pile up...

    Problems with Vista? :: Getting Cryptic wid it. :: The 'C' word! :: Whois?
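
The migration recommended in posts #3 and #10, as an added example that is not code from the thread: the login check with an explicit connection handle, bound parameters instead of escaping, and `password_hash()`/`password_verify()` in place of `md5()`. It uses PDO (one of the two extensions named in post #3) with an in-memory SQLite database and constructed sample data so it runs offline, assuming the pdo_sqlite extension; `connect()` and `check_login()` are hypothetical names, and the table and column names follow the thread.

```php
<?php
// Added example, not from the thread. For MySQL only the DSN and credentials
// in connect() change; the rest is the same.

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');   // MySQL: 'mysql:host=localhost;dbname=mystore'
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;                         // the handle is passed explicitly from here on
}

// Returns the admin row on success, null on failure.
function check_login(PDO $pdo, string $name, string $password): ?array {
    // Bound parameter: user input never becomes part of the SQL text, so no
    // escaping call (and no dependency on connection order) is involved.
    $stmt = $pdo->prepare('SELECT id, name, password FROM admin WHERE name = ? LIMIT 1');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The stored hash is compared in PHP; it is never placed in the query.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    $upd = $pdo->prepare('UPDATE admin SET last_log = CURRENT_TIMESTAMP WHERE id = ?');
    $upd->execute([$row['id']]);
    return $row;
}

// Constructed sample data.
$pdo = connect();
$pdo->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, name TEXT UNIQUE, password TEXT, last_log TEXT)');
$ins = $pdo->prepare('INSERT INTO admin (name, password) VALUES (?, ?)');
$ins->execute(['demo_admin', password_hash('constructed-sample-pass', PASSWORD_DEFAULT)]);

var_dump(check_login($pdo, 'demo_admin', 'constructed-sample-pass') !== null); // correct credentials
var_dump(check_login($pdo, 'demo_admin', 'wrong') !== null);                    // wrong password
var_dump(check_login($pdo, "o'brien", 'anything') !== null);                   // apostrophe is treated as data
```

In admin.php, on a non-null result call `session_regenerate_id(true)`, store only the id and name in `$_SESSION` (not the password hash), and `exit()` after the `header()` redirect.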
