Hello,

Am stll new at learning php, but i decided i would try and create a simple coded forum system. I have got the register page working as well as started setting out the index, however i cannot get the login page to work at all.

No matter what i put in the username and password fields on the login page it comes up with the same message all the time

"You must supply both the username and password field!"

Below is the coding for the login page

<?php
session_start();
include "./global.php";

echo "<title>Klubbed Servers - Login</title>\n";

if ($_SESSION['uid']) {
echo "You are already logged in, if you wish to login, please <a href=\"./logout.php\">click here</a>\n";
} else {

if (!$_POST['submit']) {
echo "<table border=\"0\" cellspacing=\"3\" cellpadding=\"3\">\n";
echo "<form method=\"post\" action=\"./login.php\">\n";
echo "<tr><td>Username</td><td><input type=\"text\" name\"username\"></td></tr>\n";
echo "<tr><td>Password</td><td><input type=\"password\" name\"password\"></td></tr>\n";
echo "<tr><td colspan=\"2\" align=\"right\"><input type=\"submit\" name=\"submit\" value=\"Login\"></td></tr>\n";
echo "</form></table>\n";
} else {
$user = $_POST['username'];
$pass = $_POST['password'];

if ($user && $pass) {
$sql = "SELECT id FROM `users` WHERE `username`='" . $user . "'";
$res = mysql_query($sql) or die(mysql_error());
if (mysql_num_rows($res) > 0) {
$sql2 = "SELECT id FROM `users` WHERE `username`='" . $user .
"' AND `password`='" . md5($pass) . "'";
$res2 = mysql_query($sql2) or die(mysql_error());
if (mysql_num_rows($res2) > 0) {
$row = mysql_fetch_assoc($res2);
$_SESSION['uid'] = $row['id'];

echo "You have sucessfully logged in as " . $user;

} else {
echo "Username and password combination are incorrect!\n";
}
} else {
echo "The username you supplied does not exist!\n";
}
} else {
echo "You must supply both the username and password field!\n";
}
}

}
?>

I have uploaded what i have so far at the following link, you can register an account and try for yourself.

http://klubbed-servers.com/php/

If anybody could come up with a solution that would be great.

Regards,

William Smith

Hello,
your error in this line:

if (!$_POST['submit']) {

Submit is not a $_POST value, you may change your line to:

if (!$_POST['username'] || !$_POST['password']) {


Regards

You should also sanitize your data because this is a really big hole for a login script if you use it like that

Did you copy and paste that code in here or re-type it?

You really should break in and out of php code when you are outputting large blocks of HTML, but regardless, you (as far as I can see) have no equal signs between the name attribute the username or password value.


echo "<tr><td>Username</td><td><input type=\"text\" name\"username\"></td></tr>\n";
echo "<tr><td>Password</td><td><input type=\"password\" name\"password\"></td></tr>\n";


A few more tips:
- Instead of checking if $user and $pass eval true, you should !empty($user) && !empty{$pass).
- Break in and out of PHP where you need to. It's a lot faster as PHP doesn't have to eval non-php code. Example.

<?
# normal php code above
if (!$_POST['submit']) {
?>
<table border="0" cellspacing="3" cellpadding="3">
<form method="post" action="./login.php">
<tr><td>Username</td><td><input type="text" name="username"></td></tr>
<tr><td>Password</td><td><input type="password" name="password"></td></tr>
<tr><td colspan="2" align="right"><input type="submit" name="submit" value="Login"></td></tr>
</form></table>
<?
} else {
# continue PHP code down here
?>

- As stated before you will want to sanitize your user input before you pass to the database. You wouldn't want someone putting their username as "'; DELETE FROM users;" thereby deleting all data in your user table.

You could try learning by using a ready system and implement it:

http://www.awesomephp.com/?Membership

Peace,

Hello,
your error in this line:

if (!$_POST['submit']) {
Submit is not a $_POST value, you may change your line to:

if (!$_POST['username'] || !$_POST['password']) {
Regards

Changed to this however it never worked:(

Adam-AEC

you (as far as I can see) have no equal signs between the name attribute the username or password value.

echo "<tr><td>Username</td><td><input type=\"text\" name\"username\"></td></tr>\n";
echo "<tr><td>Password</td><td><input type=\"password\" name\"password\"></td></tr>\n";


tried but never worked all i get now is

Username and password combination are incorrect!

With regards to protecting your data you could start by looking up the mysql_real_escape_string() function.

If it was me I would try echoing $sql2 just to make sure it is what I want it to be cause it seems if you keep getting 'username and password combination are incorrect' that query isn't returning what you want.

Hello,
your error in this line:

if (!$_POST['submit']) {

Submit is not a $_POST value, you may change your line to:

if (!$_POST['username'] || !$_POST['password']) {


Regards

This is wrong, as there will be 'submit' in the $_POST, as the form button is called 'submit'

Perhaps a bit of clean up is required.


<?php

session_start();
require_once './global.php';

if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
$username = strlen(trim($_POST['username'])) == 0 ? FALSE : mysql_real_escape_string($username);
$password = strlen(trim($_POST['password'])) == 0 ? FALSE : mysql_real_escape_string($password);

if (!$username || !$password)
{
echo 'Please fill out the form completely.';
} else {
$query = "SELECT id FROM `users` WHERE `username` = '".$username."' AND `password` = md5('".$password."')";
$result = mysql_query($query);
if (!$result)
{
die("Sorry, there was an error in the system. Try again.");
}
if (mysql_num_rows($result) == 1)
{
$r = mysql_fetch_assoc($result);
$_SESSION['uid'] = $r['id'];
echo "Thank you, you have logged in";
} else {
echo "Invalid credentials. Please go back and try again.";
}
}

} else {

?>
<b>Welcome to the login page!</b><br />
<form method="post" action="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="text" name="username" value="" />
<input type="password" name="password" value="" />
<input type="submit" name="submit" value="Login"/>
</form>
<?php

}
?>


Try that :)

This is wrong, as there will be 'submit' in the $_POST, as the form button is called 'submit'

Perhaps a bit of clean up is required.


<?php

session_start();
require_once './global.php';

if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
$username = strlen(trim($_POST['username'])) == 0 ? FALSE : mysql_real_escape_string($username);
$password = strlen(trim($_POST['password'])) == 0 ? FALSE : mysql_real_escape_string($password);

if (!$username || !$password)
{
echo 'Please fill out the form completely.';
} else {
$query = "SELECT id FROM `users` WHERE `username` = '".$username."' AND `password` = md5('".$password."')";
$result = mysql_query($query);
if (!$result)
{
die("Sorry, there was an error in the system. Try again.");
}
if (mysql_num_rows($result) == 1)
{
$r = mysql_fetch_assoc($result);
$_SESSION['uid'] = $r['id'];
echo "Thank you, you have logged in";
} else {
echo "Invalid credentials. Please go back and try again.";
}
}

} else {

?>
<b>Welcome to the login page!</b><br />
<form method="post" action="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="text" name="username" value="" />
<input type="password" name="password" value="" />
<input type="submit" name="submit" value="Login"/>
</form>
<?php

}
?>
Try that :)


Thanks for that but all i get now when i try and login is

Please fill out the form completely.

<?php

session_start();
include "./global.php";

/**
* @throws Exception
*/
function authenticate(){
if( !empty( $_SESSION['uid'] ) )
throw new Exception( "Already logged in", 0 );

if( empty( $_REQUEST['username'] ) )
throw new Exception( "Username required", 0 );

if( empty( $_REQUEST['password'] ) )
throw new Exception( "Password required", 0 );

// Note!
//
// you should always explicitly define your connection
// identifier, don't rely on magic auto-location

define( "DB", $mysql_connection ); // you need to adjust this line to your environment

$user = mysql_real_escape_string( $_REQUEST['username'], DB );
$pass = html_entity_decode( $_REQUEST['password'], ENT_QUOTES );

$res = mysql_query(
"SELECT `id`, `password` FROM `users`
WHERE `username`='$user'
LIMIT 1",
DB
);

if( !($row = mysql_fetch_assoc( $res ) )
throw new Exception( "No such username", 0 );

if( $row['password'] != md5( $pass ) )
throw new Exception( "Password mismatch", 0 );

$_SESSION['uid'] = $row['id'];
echo "Login successful";
}

$error = "";
try{
if( !empty( $_REQUEST['submit'] ) )
authenticate();
}
catch( Exception $x ){
$error = $x->getMessage();
}

if( empty( $_SESSION['uid'] ) ):
?>

<div align="center"><?= $error ?></div>
<form action="" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="hidden" name="submit" value="1">
<input type="submit" value="Log in">
</form>

<?php

else:
// do something here... redirect to member area, etc.
endif;

?>


Don't need two queries.

I laid things out line by line to help you get a grasp on the construction. You could consolidate a few lines to make the code shorter.

Now there are more things you should address:
- adding a challenge cookie system
- creating a consistent session-naming system that x-references the challenge cookies to ensure session ownership
- some kind of turing test to prevent robot logins
- throttling erroneous logins
- buy vBulletin ;)

Good luck.
Alex

try that as well however it still never worked :S

All of the above measures should have had some measure of success. If none work, then I would offer as suggestion, that the actual code is not the problem.

I can vouch for my code, tested, it works. Did you perhaps not define DB?

Using my code, what errors do you get?

Make sure that your PHP is set to display_errors On and error_reporting E_ALL

I will look over my coding again to iron out any possible bugs and get back to you on this.

Saeven:

Nice work there =) I need to get back to more PHP and less Python.