
What is wrong with this

Status
Not open for further replies.

zrazzaq

MIS
Apr 13, 2005
102
US
Hi:
I am having trouble with my login page and I can not figure it out. It keeps telling me Invalid Login page...
It is stopping at if==1 then invalid login/password...
I looked at it hundreds of times and the password and login are correct. I just don't know what is wrong with my code...
Code:
<?php
include("./admin/config.php");
include("$include_path/common.php");
include("$include_path/$table_file");
include("$include_path/doc_head.php");
include("$include_path/styles.php");

global $HTTP_POST_VARS,$HTTP_GET_VARS,$HTTP_SESSION_VARS;

global $_SESSION;

if ($HTTP_POST_VARS!="")
    $_POST=$HTTP_POST_VARS;

if ($HTTP_GET_VARS!="")
    $_GET=$HTTP_GET_VARS;

if ($HTTP_SESSION_VARS!="")
    $_SESSION=$HTTP_SESSION_VARS;



$return_message = "";

if(isset($_POST['login'])){


	$sql = "
		select
			username,
			id,
			is_approved
		from
			$tb_users
		where
			username = '$_POST[UN]'
		and
			password = password('$_POST[PW]')
	";
	$query = mysql_query($sql) or die(mysql_error());

	if(mysql_num_rows($query)){
		$my_id = (int) mysql_result($query, 0, "id");
		$is_approved = mysql_result($query, 0, "is_approved");
		if (!empty($is_approved))
		{
			$_SESSION['username'] = mysql_result($query, 0, "username");
			$_SESSION['userid'] = (int) mysql_result($query, 0, "id");
			$username=mysql_result($query, 0, "username");
			$userid  =(int) mysql_result($query, 0, "id");
			session_register("username");
			session_register("userid");
		}
		

		if(($_POST['keep_me_logged_in'] == "Y")&&(!empty($is_approved))){

			$md5 = md5(time());
			$sql = "
				replace into $tb_cookies (
					userid,
					cookie
				) values (
					'$_SESSION[userid]',
					'$md5'
				)
			";
			$query = mysql_query($sql) or die(mysql_error());
			setcookie("keep_me_logged_in", $md5, time() + 31536000);
			$_SESSION['sl'] = false;
			$sl=false;
			session_register("sl");
			
		} else {
			$_SESSION['sl'] = true;
			$sl=true;
  		        session_register("sl");
		}

		if (!empty($is_approved))
		{
			$r = urldecode($_GET['r']);
			if (!$r) { $r=urldecode($_POST['r']); }
			$url = $base_url . "/" . $r;
			$last_logged = date("Y-m-d H:i:s");
			$qry = "update $tb_users set last_logged = '$last_logged' where id = '$my_id'";
			$res = mysql_query($qry) or die(mysql_error());
		}
		else
		{
			$url = $base_url . "/member_pay.php?id=$my_id";
		}
		// echo " url ".$url."a";

		header("Location: $url");
		exit();

	} else {
		$return_message = "Invalid Login name/ Password <br><br>";
	}
}

include ("Ads_new.php");
include("$include_path/left.php");
include("$include_path/right.php");


$must_signup = "";
if(isset($_SESSION['m']) && $_SESSION['m'] == 1 && $lf!=1){
  $tpl->parse('BLOCK_MUST_SIGNUP', 'block_must_signup');
  unset($_SESSION['m']);
} else {
  $tpl->clear_dynamic('block_must_signup');
}

$r = urlencode($_GET['r']);

if($lf==1) 
   $return_message="Invalid Username / Password ";

$tpl->assign(array('RETURN_MESSAGE' => $return_message));
$tpl->assign(array('REDIRECT_URL' => $r));

$tpl->parse('FORM', 'login_page_form');
$login = $tpl->fetch('FORM');


$final_output = table("Login Page", $login);


$tpl->assign(array('CONTENT_TEXT' => $final_output));
$tpl->parse('PAGE', 'main');
$final_output = $tpl->fetch('PAGE');



$final_output = final_output($final_output);

//echo $final_output;
include ("copy.php");
?>
Thanks
 
What have you done to debug this? What have you verified works correctly and not?

For what version of PHP are you writing? These lines:
Code:
global $HTTP_POST_VARS,$HTTP_GET_VARS,$HTTP_SESSION_VARS;

global $_SESSION;

if ($HTTP_POST_VARS!="")
    $_POST=$HTTP_POST_VARS;

if ($HTTP_GET_VARS!="")
    $_GET=$HTTP_GET_VARS;

if ($HTTP_SESSION_VARS!="")
    $_SESSION=$HTTP_SESSION_VARS;

Are completely unnecessary unless your version of PHP is older than 4.1.0.


First, check your query. Does this:

Code:
$sql = "
        select
            username,
            id,
            is_approved
        from
            $tb_users
        where
            username = '$_POST[UN]'
        and
            password = password('$_POST[PW]')
    ";

Produce a query that has in it the credentials you need to find in the database?


And you're doing some very strange things with session_register() and $_SESSION.



Want the best answers? Ask the best questions! TANSTAAFL!
 
The version of PHP I have or actually my host site has is 4.4.1. So I would not need the global stuff???
Also, see with the query every time a person is approved the is_approved field becomes a 1. When they are not approved then it remains a 0 until they are. For some reason it keeps telling me login is invalid....
I'm new to PHP... did I write the query correctly... The globals I got off a book.. I thought I needed them too...
Thanks for helping
Z
 
No, you will not need to use global. Nor will you have to set up $_POST, $_GET, $_COOKIE, $_SESSION or $_FILES. Read to see this.

Also, use only $_SESSION. You must use session_start() (which you are missing) at the beginning of every script (before your script outputs anything, even a blank line outside of the <?php...?> tags). But do not use session_register(). This is in accordance with the online manual:
Again, what have you verified actually works? Does the lookup to find a valid username and password work?





Want the best answers? Ask the best questions! TANSTAAFL!
 
Well, I think it's my query... I think I wrote it incorrectly. Because I ran the same exact query (filling out the login and password in quotes) in MySQL and it didn't bring back anything.
Also, thank you for the manuals.
Could you help me with my query...
Code:
$sql = "
        select
            username,
            id,
            is_approved
        from
            $tb_users
        where
            username = '$_POST[UN]'
        and
            password = password('$_POST[PW]')
    ";
should it be like:
Code:
$sql = "
        select
            username,
            id,
            is_approved
        from
            platinum_users
        where
            username = '$_POST[UN]'
        and
            password = '$_POST[PW]'
    ";
Thanks
Z
 
try this
Code:
$sql = "
        select
            username,
            id,
            is_approved
        from
            $tb_users
        where
            username = '$_POST[UN]'
        and
            `password` = password('$_POST[PW]')
    ";

password is, I believe, a reserved word so you need backticks to tell MySQL it's a field name.
 
Yes, password is a reserved word, and if you're not too far into the project I would suggest changing the column name.

Also you should not use MySQL's password() function in your application.
MySQL Manual said:
The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your applications.

More info can be found here.
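
Added example, not part of the thread or any poster's code: the login lookup from the question with the username passed as a bound parameter instead of being interpolated into the SQL string, and the password check done in PHP with password_hash()/password_verify() rather than MySQL's PASSWORD() (a swapped-in technique, not the MD5()/SHA1() the quoted manual text mentions). It assumes PHP 5.5+ with PDO and the pdo_sqlite driver; the in-memory table, the password_hash column and the sample users are constructed for illustration.

```php
<?php
// Added example: constructed in-memory schema and users, not the poster's database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL,
    is_approved INTEGER NOT NULL DEFAULT 0
)');

// Registration side: store a salted, slow hash, never the password itself.
$ins = $pdo->prepare(
    'INSERT INTO users (username, password_hash, is_approved) VALUES (?, ?, ?)'
);
$ins->execute(['zr', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
$ins->execute(["o'brien", password_hash('another pass', PASSWORD_DEFAULT), 0]);

/**
 * Returns the user row (id, username, is_approved) on success, null otherwise.
 */
function check_login(PDO $pdo, $username, $password)
{
    // The placeholder keeps $username out of the SQL text entirely,
    // so quotes in the input are data, not query syntax.
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash, is_approved FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still verify against a dummy hash so both paths cost about the same.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('unused', PASSWORD_DEFAULT);
    }
    $ok = password_verify($password, $row ? $row['password_hash'] : $dummy);
    if (!$row || !$ok) {
        return null; // one generic failure for bad username and bad password
    }
    unset($row['password_hash']); // do not carry the hash into the session
    return $row;
}

var_dump(check_login($pdo, 'zr', 'correct horse'));      // approved user, right password
var_dump(check_login($pdo, 'zr', 'wrong password'));     // right user, wrong password
var_dump(check_login($pdo, "o'brien", 'another pass'));  // apostrophe in the name is handled
```

The caller decides what to do with is_approved, as the original script does when it chooses between the redirect target and member_pay.php.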
 