first problem solved now have another question on this php script

Fiveohhh

Diamond Member
Jan 18, 2002
3,776
0
0
got the first part figured out now I have another question. Why doesn't it verify the password. If I have the username correct it redirects me nomatter what PW I put in.


heres the sumission form:

<html>
<head>
<title>Login</head>
</HEAD>
<body>
<form action="auth.php" method="post">
User Name: <input type="text" name="name">

Password: <input type="text" name="password">

<input type="submit" value="Login">
</form>



heres the php code

<?php
$conn = mysql_connect("localhost", "xxxxxx", "xxxxxx");
mysql_select_db("fiveohhh_login", $conn);
$uname = $_POST[name];
$sql = "select name from logins where name = '$uname'";
$result = mysql_query($sql) or die (mysql_error());
extract(mysql_fetch_assoc($result));
if ($password == $_POST[password]) {
header ("Location: http://www.jza2000.com/");
} else {
echo "sorry wrong username or password";
}
?>
 

Entity

Lifer
Oct 11, 1999
10,090
0
0
Have you tried quoting the sql query?

$sql = "SELECT name FROM logins WHERE name='$uname'";

Is the username you're trying to login as yiyt?

Rob
 

Fiveohhh

Diamond Member
Jan 18, 2002
3,776
0
0
ahh the single quotes around $uname fixed it. Thanks a bunch been bothering me awhile. Why do they need to be there I had another script basically identical and didn't need them. Would it be because its not a number? My other script used a number to select the column. Thanks again
 

JW310

Golden Member
Oct 30, 1999
1,582
0
0
Originally posted by: Fiveohhh
ahh the single quotes around $uname fixed it. Thanks a bunch been bothering me awhile. Why do they need to be there I had another script basically identical and didn't need them. Would it be because its not a number? My other script used a number to select the column. Thanks again

Yes, the reason you need the single quotes around the variable in this case is because it's a string value instead of a number.

Part of the reason the script isn't verifying the password is that you're not getting the password from the database in the SQL statement. Something like the following should work:

$sql = "SELECT name, password FROM `logins` WHERE `name` = '$uname'";

Also, as a general suggestion for the $_POST variables, I recommend putting the value inside the square brackets in double quotes; PHP can sometimes be flaky like that. In other words, $uname = $_POST[name]; should be $uname = $_POST["name"]; and if ($password == $_POST[password]) { should be if ($password == $_POST["password"]) {.

Chances are, the way the script is right now, it wants the double quotes in the $_POST[] variables, and is getting a null value for both the username and password in the database selection. Thus, no matter what username/password combo you try, it would work.

JW
 

JW310

Golden Member
Oct 30, 1999
1,582
0
0
And now that I think about it, the way you're selecting the username and password from the database, any username with a null password would work, since selecting the username from the database would turn up no entries, and thus the $password would be empty. Match that up with an empty $_POST["password"] and you're looking for trouble.

Might want to add in some code to prevent empty passwords from being used. I.E. "if the submitted password is blank (empty), display that an invalid username/password was entered".

JW
 

Fiveohhh

Diamond Member
Jan 18, 2002
3,776
0
0
well I got is set so the if you have the right info you get redirected. now I'm trying to get it setup so blanks return a blank message and can't get it to evaluate the if !isset statement. any reason why it doesn't exit out after it finds they're not set?

<?php
$conn = mysql_connect("localhost", "xxxxxx", "xxxxxx");
mysql_select_db("fiveohhh_login", $conn);
$uname = $_POST["name"];
$upass = $_POST["password"];
if (!isset($uname) or !isset($upass)) {
echo "you left an entry blank.";
exit;
}
$sql = "select name, password from logins where name = '$uname'";
$result = mysql_query($sql) or die (mysql_error());
extract(mysql_fetch_assoc($result));
if ($password == $_POST["password"]) {
header ("Location: http://www.jza2000.com/");
} else {
echo "sorry wrong username or password";
}
?>
 

JW310

Golden Member
Oct 30, 1999
1,582
0
0
Try using empty() instead of isset() to do the blank field checking. I've had better luck using empty than I have with isset for that kind of stuff. A good place to check to see which one will work is here: PHP Cheat Sheet.

JW
 

Entity

Lifer
Oct 11, 1999
10,090
0
0
Yeah, I think empty() might be better, since a post variable is being sent, but it's blank (I think). I usually just go with the manual route:

if($_POST['password'] == "" || $_POST['user'] == "")
{
# empty login or password sent
stuff();
}
else
{
# entered properly
validateLogin($_POST['password'], $_POST['user']);
}

Rob