Incorrect username / password ?

[DaSe]

Hi guys , I'm trying to set up a basic register/login PHP script.The script registers the users upon execution but doesn't log them in properly i.e. without modification it always gives you "incorrect username" no matter if you try to put in the proper one...so I tried to modify the bit of the code in line 13 to ( if ($rows=0 ) then you can put any names no matter how many times which is again incorrect.The first row in my mySQL database is "0" not 1.I tried that as well......all connection is done locally.Appreciate any comments.Thanks.
:

1. <?php

2. session_start();

3. mysql_connect("localhost", "username of your database", "password of database");

4. mysql_select_db("myDB");

5. function user_login ($username, $password)

6. {

7. //take the username and prevent SQL injections

8. $username = mysql_real_escape_string($username);

9. //begin the query

10. $sql = mysql_query("SELECT * FROM usersystem WHERE username = 'username' AND password = 'password' LIMIT 1");

11. //check to see how many rows were returned

12. $rows = mysql_num_rows($sql);

13. if ($rows<=0 )

14. {

15. echo "Incorrect username/password";

16. }

17. else

18. {

19. //have them logged in

20. $_SESSION['sername'] = $username;

21. }

22. }

23.?>

 

[vacunita]

$sql = mysql_query("SELECT * FROM usersystem WHERE username = 'username' AND password = 'password' LIMIT 1");

Shouldn't that be using the variables instead of just 'username' and 'password' strings?


In other words:

 $sql = mysql_query("SELECT * FROM usersystem WHERE username = '[red]$[/red]username' AND password = '[red]$[/red]password' LIMIT 1");

Additionally to that, how are you calling the function in your page, and passing the username and password values to it?


And since this is a PHP question, perhaps posting it in the forum434 may be better.

----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[DaSe]

Hi , thanks for response.I'm calling the function with :


<?php
include("db.php");

if (isset($_POST['username']) && isset($_POST['password']))

{

user_login($_POST['username'], $_POST['password']);

}

?>



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "

http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>

<form action="login.php" method="post">

Username: <input name="username" type="text" />

Password: <input type="password" name="password" />

</form>
</html>


Yep ,maybe PHP forum would be more suitable.

 

[DonQuichote]

Please read about "SQL injection". If I supply a username:

'OR(1=1)-- '

I do not even have to provide a password anymore...

+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)

 

[vacunita]

Uh, Don, He is escaping the username, he even mentions the SQL injection in lines 7 and 8:

7.  //take the username and prevent SQL injections

8.  $username = mysql_real_escape_string($username);

Anyway:

"password" is a reserved word in MYSQL so you you should either change the name of your field, or be using back ticks [red]``[/red] (not quotes ', or double quotes ") around it for your field name otherwise it will generate an error.

You can try to add the following to the query call and see if its returning an error which it likely is.

 $sql = mysql_query("SELECT * FROM usersystem WHERE username = '$username' AND password = '$password' LIMIT 1")[red]or die(mysql_error())[/red];

----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[DaSe]

Thank you guys for all info , I'll try the possible choices asap and give response.Thank you.