stupid php question

dabuddha

Lifer
i dunno if this is the right forum for this but i have a php question.
i'm trying to setup a simple password page with a mysql database.
Here's what I have so far:

<?
if ($submit)
{
$db=mysql_connect("localhost","user") or die ("cant connect");
mysql_select_db("users",$db) or die ("cant change");
$result=mysql_query("select * from users where name='$username'",$db) or die ("cant do it");
while ($row=mysql_fetch_array($result))
{
if ($row["password"]==$password)
{
printf("Successfully Logged In!<a href=\\"index2.html?\\"'>Click Here</a>");
}
}
}
?>

<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#800080">
<form method=post action="<?echo $PHP_SELF?>">
<table cellpadding=2 cellspacing=0 border=0>
<td>Username:</td><td><input type="text" name="username" size=10></td><tr>
<td>Password:</td><td><input type="password" name="password" size=10></td><tr>
<td></td><td><input type="submit" name="submit" value="Log In"></td>
</table></form>
</BODY>
</HTML>

it's not working right though
here's what it shows:

Click Here"); } } } ?>
Username:
Password:

 
that's some out of date code.

you should use if(isset($result)), not just if($result). you should also use $_SERVER['PHP_SELF'], not $PHP_SELF. $PHP_SELF won't even work at all on a properly updated webserver.

other than that it should all work, except for the double backslashes scootin already mentioned.
 
You should also be using:

if ($_POST['submit']) {


And it'd be a little cleaner if you were to check if the password matches in the SQL query as well. And you should be encrypting / hashing the password before you store it in the database, and comparing the two encrypted / hashed versions.

And use $_POST['username'] and $_POST['password'] to access POST variables. Other than that looks good 🙂
 
Originally posted by: Buddha Bart
so when someone just links directly to index2.html???

you've been 0w|\|z0r3d

exactly. you should call your id validation at the beginning of each page. if validated, show the page; if not, prompt for l/p.
 
oh i'm using different code too
the new code uses encrypted passwords and they still won't be able to get in 🙂
but then again, nothing is foolproof
 
I can't get in because I don't have an account.
But,
anyone with a valid account can login, view->source and see the new link. After that they'll never need to login again, they can skip right to the page. They can bookmark it, IM it to their friends, even forge some get/post variables and fake being some other user. I don't know what your system does or is for, so I don't know if any of that is a problem for you. Think if you were this forum. I could login as me, fake being "Anand Lal Shimpi" and cause quite the ruckus.

If you're interested in tracking sessions in php check out session_start()
Plus check out these:
http://www.webmasterbase.com/article.php/319/78
http://www.devshed.com/Server_Side/PHP/Sessions/page1.html

Essentially what happens is
1.) user logs in
2.) user gets passed a cookie with a giant (usually 32 characters) session key
3.) every page after that you check to make sure the user has a valid session key
4.) if the user is idle for too long, php automatically unregisters the session key.

You can configure it a lot too, you can set it to use a session key in the URL rather than a cookie, you can change the time-out period, etc.

And remember, If it doesn't validate it doesn't belong on the web!!!

bart
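
The four steps in the post above as a page guard. This is an added example, not code from the thread: the function names, `login.php` and the `IDLE_LIMIT` value are assumptions, the protected page is assumed to be a PHP file (a static `index2.html` cannot run the check), and the idle limit is enforced in code rather than left to PHP's session clean-up.

```php
<?php
// Added example; function names, login.php and IDLE_LIMIT are assumptions.
const IDLE_LIMIT = 900; // seconds of inactivity allowed (assumed value)

function start_session(): void
{
    // Keep the session key out of reach of page scripts.
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Steps 1-2: call once the username/password check has succeeded.
function log_in(string $username): void
{
    session_regenerate_id(true);   // issue a fresh session key at login
    $_SESSION['user'] = $username; // identity lives server-side, not in GET/POST
    $_SESSION['last_seen'] = time();
}

// Steps 3-4: returns the logged-in user, or null if absent or idle too long.
function current_user(?int $now = null): ?string
{
    $now = $now ?? time();
    if (!isset($_SESSION['user'], $_SESSION['last_seen'])) {
        return null;
    }
    if ($now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];            // drop the stale login
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = $now;
    return $_SESSION['user'];
}

// Put these lines at the very top of every protected page.
start_session();
$user = current_user();
if ($user === null) {
    header('Location: login.php'); // not logged in: send back to the form
    exit;
}
echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```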
 
ahh thanks for the tips
you're a life saver. What you gave me works a lot better. The old code used cookies as well but it never checked if the user was logged in on all the pages
 
hey, also you should MD5 the passwords. That way, you can't see other people's passwords and they'll probably feel better about it 😉

there is a PHP function you can use. When they set up their password, store the MD5 hash of it. when they log in, MD5 the password they enter, and compare.
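
The store-a-hash, compare-at-login flow suggested in this post and in the earlier reply about hashing, as an added example that is not code from the thread. It assumes an in-memory SQLite table standing in for the MySQL `users` table so it runs offline, uses PHP's `password_hash()` / `password_verify()` in place of the MD5 call mentioned above, and binds the username as a query parameter instead of placing it in the query string; the function names and sample credentials are constructed.

```php
<?php
// Added example: in-memory SQLite stands in for the thread's MySQL "users" table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Signup: store only a salted, slow hash, never the password itself.
function register_user(PDO $db, string $name, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (name, password) VALUES (?, ?)');
    $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: the username is bound as a parameter, so a quote in it stays data.
function check_login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false;                          // no such user
    }
    return password_verify($password, $hash);  // re-hashes with the stored salt
}

// Constructed sample account and three login attempts.
register_user($db, 'dabuddha', 'constructed-sample-pw');
var_dump(check_login($db, 'dabuddha', 'constructed-sample-pw')); // right password
var_dump(check_login($db, 'dabuddha', 'wrong-guess'));           // wrong password
var_dump(check_login($db, "o'brien", 'anything'));               // quoted name, unknown user
```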
 