stupid php question

[dabuddha]

i dunno if this is the right forum for this but i have a php question.
i'm trying to setup a simple password page with a mysql database.
Here's what I have so far:

<?
if ($submit)
{
$db=mysql_connect("localhost","user") or die ("cant connect");
mysql_select_db("users",$db) or die ("cant change");
$result=mysql_query("select * from users where name='$username'",$db) or die ("cant do it");
while ($row=mysql_fetch_array($result))
{
if ($row["password"]==$password)
{
printf("Successfully Logged In!<a href=\\"index2.html?\\"'>Click Here</a>");
}
}
}
?>

<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#800080">
<form method=post action="<?echo $PHP_SELF?>">
<table cellpadding=2 cellspacing=0 border=0>
<td>Username:</td><td><input type="text" name="username" size=10></td><tr>
<td>Password:</td><td><input type="password" name="password" size=10></td><tr>
<td></td><td><input type="submit" name="submit" value="Log In"></td>
</table></form>
</BODY>
</HTML>

it's not working right though
here's what it shows:

Click Here"); } } } ?>
Username:
Password:

 

[Scootin159]

try changing \\" to \" in your printf

 

[NikPreviousAcct]

Also try changing it to "Software - Applications, Programming, and Games".

 

[Barnaby W. Füi]

Originally posted by: dabuddha
i dunno if this is the right forum for this but i have a php question.
i'm trying to setup a simple password page with a mysql database.
Here's what I have so far:

<?
if ($submit)
{
$db=mysql_connect("localhost","user") or die ("cant connect");
mysql_select_db("users",$db) or die ("cant change");
$result=mysql_query("select * from users where name='$username'",$db) or die ("cant do it");
while ($row=mysql_fetch_array($result))
{
if ($row["password"]==$password)
{
printf("Successfully Logged In!<a href=\\"index2.html?\\"'>Click Here</a>");
}
}
}
?>

<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#800080">
<form method=post action="<?echo $PHP_SELF?>">
<table cellpadding=2 cellspacing=0 border=0>
<td>Username:</td><td><input type="text" name="username" size=10></td><tr>
<td>Password:</td><td><input type="password" name="password" size=10></td><tr>
<td> </td><td><input type="submit" name="submit" value="Log In"></td>
</table></form>
</BODY>
</HTML>

it's not working right though
here's what it shows:

Click Here"); } } } ?> Username:
Password:

that's some out of date code.

you should use if(isset($result)), not just if($result). you should also use $_SERVER['PHP_SELF'], not $PHP_SELF. $PHP_SELF won't even work at all on a properly updated webserver.

other than that it should all work, except for the double backslashes scootin already mentioned.

 

[Superwormy]

You should also be using:

if ($_POST['submit']) {


And it'd be a little cleaner if you were to check if the password matches in the SQL query as well. And you should be encrypting / hashing the password before you store it in teh database, adn comparing teh two encrypted / hashed versions.

And use $_POST['username'] and $_POST['password'] to access POST variables. Other than that looks good

 

[Buddha Bart]

so when someone just links directly to index2.html???

you've been 0w|\|z0r3d

 

[dabuddha]

hehe thats just a temp link
it'll be well nested in various directories

 

[mjquilly]

Originally posted by: Buddha Bart
so when someone just links directly to index2.html???

you've been 0w|\|z0r3d

exactly. you should call your id validation at the beginning of each page. if validated, show the page; if not, prompt for l/p.

 

[mjquilly]

Originally posted by: dabuddha
hehe thats just a temp link
it'll be well nested in various directories

that doesn't really help...

 

[dabuddha]

oh im using different code too
the new code uses encrypted passwords and they still wont' be able to get in
but then again, nothing is foolproof

 

[Buddha Bart]

give us the link when you're done

 

[Buddha Bart]

I can't get in because I don't have an account.
But,
anyone with a valid account can login, view->source and see the new link. After that they'll never need to login again, they can skip right to the page. They can book mark it, IM it to their friends, even forge some get/post variables and fake being some other user. I don't know what your system does or is for, so I don't know if any of that is a problem for you. Think if you were this forum. I could login as me, fake being "Anand Lal Shimpi" and cause quite the ruckus.

If you're interested in tracking sessions in php check out session_start()
Plus check out these:
http://www.webmasterbase.com/article.php/319/78
http://www.devshed.com/Server_Side/PHP/Sessions/page1.html

Esentially what happens is
1.) user logs in
2.) user gets passed a cookie with a giant (usualy 32 characters) session key
3.) every page after that you check to make sure the user has a valid session key
4.) if the user is idle for too long, php automatically un-registeres the session key.

You can configure it a lot too, you can set it to use a session key in the URL rather than a cookie, you can change the time-out period, etc.

And remember, If it doesn't validate it doesn't belong on the web!!!

bart

 

[dabuddha]

ahh thanks for the tips
you're a life saver. What you gave me works alot better. The old code used cookies as well but it never checked if the user was logged in on all the pages

 

[CTho9305]

hey, also you should MD5 the passwords. That way, you can't see other people's passwords and they'll probably feel better about it

there is a PHP function you can use. WHen they set up their password, store the MD5 hash of it. when they log in, MD5 the password they enter, and compare.