Web Hosting Talk









KieranT
11-27-2008, 04:31 PM
PHP/SQL Login Script Help.

Hi,
I'm creating a simple login script using:
main_login.php
checklogin.php
login_success.php
main_login.php :
Code:
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="account" type="text" id="account"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="password" type="text" id="password"></td>
</tr>
<tr>
<td></td>
<td></td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
checklogin.php
Code:
<?php
ob_start();
$host="localhost"; // Host name
$username="****"; // Mysql username
$password="****"; // Mysql password
$db_name="****"; // Database name
$tbl_name="membersb"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $account and $password
$account=$_POST['Account'];
$password=$_POST['Password'];

// To protect MySQL injection (more detail about MySQL injection)
$account = stripslashes($account);
$password = stripslashes($password);
$account = mysql_real_escape_string($account);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM $tbl_name WHERE username='$account' and password='$password'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $account and $password, table row must be 1 row

if($count==1){
// Register $account, $password and redirect to file "login_success.php"
session_register("account");
session_register("password");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>
login_success.php
Code:
<?
session_start();
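if(!session_is_registered("account")){
// checklogin.php registers "account", so that is the name to test here
header("location:main_login.php");
exit; // stop here so the protected page is not sent along with the redirect
}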
?>

<html>
<body>
Login Successful
</body>
</html>
Anyway my problem is that when I enter an account/password that's stored in the table I get this error:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/****/public_html/php/checklogin.php on line 27
Anybody have any ideas?
Kier

KieranT
11-27-2008, 05:21 PM
*Update
Fixed the error, but for some reason my user/pass is always wrong
I know the info is correct as I'm using another script to read the database
Code:
$result = mysql_query("SELECT * FROM membersb")
or die(mysql_error());







Last edited by KieranT : 11-27-2008 at 04:28 PM.

azizny
11-27-2008, 06:55 PM
Why reinvent the wheel.. Use a ready script.
Peace,





__________________NEW: What Is Their IP - Anyone's IP a click away.
URL Tracker, Shortener, Blocker, Unblocker, Whois and More.

KieranT
11-27-2008, 07:20 PM
Quote:



Originally Posted by azizny


Why reinvent the wheel.. Use a ready script.
Peace,


Because I'm trying to learn, if you have nothing constructive to say do not post in my threads.

azizny
11-27-2008, 08:21 PM
Quote:



Originally Posted by CourtixGaming


Because I'm trying to learn, if you have nothing constructive to say do not post in my threads.


The error:
"supplied argument is not a valid MySQL result resource"
Appears when the query is invalid: wrong field names and/or invalid syntax.
Peace,






KieranT
11-27-2008, 09:52 PM
And if you actually read the thread properly rather than trolling you will notice I had actually solved this issue...

bear
11-27-2008, 10:10 PM
account != Account
Case sensitive. You have the form field in lowercase, and the POST in upper.
Quote:


$account=$_POST['Account'];
$password=$_POST['Password'];


Then you have this:
Code:
$sql="SELECT * FROM $tbl_name WHERE username='$account' and password='$password'";
Does the field "username" exist in the table, or is it "account"?





__________________Did you know WHT has a help desk?
Have a forum? Let's face it, you need help.

foobic
11-27-2008, 10:15 PM
Quote:



Originally Posted by CourtixGaming


Fixed the error, but for some reason my user/pass is always wrong


<snip> (beaten by bear!)
While it's good that you want to learn for yourself, I'd say it also does no harm to take a look at how other people tackle this common problem. One thing you'll find that's almost universal is storing password hashes instead of the full plain-text - this gives a little extra security in the event that someone manages to read your database.





__________________
Chris <ClonePanel>
"Not everything that can be counted counts, and not everything that counts can be counted" - Albert Einstein

bear
11-27-2008, 10:31 PM
You may need to also remove the single quotes from within that query, as PHP typically sees those as 'take this literally' and won't parse it for substitutions.
I'm fairly new to sql and php, so by all means test it.






foobic
11-27-2008, 10:54 PM
Quote:



Originally Posted by bear


You may need to also remove the single quotes from within that query, as PHP typically sees those as 'take this literally' and won't parse it for substitutions.
I'm fairly new to sql and php, so by all means test it.


No, those are right, I think. PHP will happily substitute the variables because they're inside (ultimately) a double-quoted string and MySQL needs the single quotes.
Prepared statements would be a better way to do it but that's for another day!
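
The two suggestions from foobic's posts above (store password hashes, use prepared statements), combined in one added example that is not code from the thread. It assumes a `membersb` table with `username` and `password_hash` columns and uses PDO with an in-memory SQLite database in place of MySQL so it runs stand-alone; the names `open_demo_db`, `check_login` and `DUMMY_HASH` are hypothetical.

```php
<?php
// Added example, not code from the thread.
// Assumed schema: membersb(username, password_hash).
declare(strict_types=1);

// Hash checked when the account does not exist, so both code paths do the same work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function open_demo_db(): PDO
{
    // In-memory SQLite stands in for the MySQL database so the example runs offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE membersb (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

    // Constructed sample account: only the hash is stored, never the plain text.
    $insert = $db->prepare('INSERT INTO membersb (username, password_hash) VALUES (:u, :h)');
    $insert->execute([':u' => 'kieran', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

function check_login(PDO $db, string $account, string $password): bool
{
    // The placeholder keeps user input out of the SQL text entirely,
    // so no stripslashes()/escaping step is needed.
    $stmt = $db->prepare('SELECT password_hash FROM membersb WHERE username = :u');
    $stmt->execute([':u' => $account]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown account: still run one verification, then reject.
        password_verify($password, DUMMY_HASH);
        return false;
    }
    // password_verify() re-hashes the input with the stored salt and compares.
    return password_verify($password, $hash);
}

$db = open_demo_db();
var_dump(check_login($db, 'kieran', 'correct horse'));  // stored account, right password
var_dump(check_login($db, 'kieran', 'wrong'));          // stored account, wrong password
var_dump(check_login($db, "' OR '1'='1", 'anything'));  // quote characters are treated as data
```

On a successful check, a real page would call `session_regenerate_id(true)` and store the account name in `$_SESSION`. The `session_register()` and `mysql_*` functions used in the thread were removed in PHP 5.4 and PHP 7.0 respectively.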






KieranT
11-28-2008, 05:07 AM
Thanks for all the suggestions guys,
Quote:



Originally Posted by bear


account != Account
Case sensitive. You have the form field in lowercase, and the POST in upper.


Thanks, never noticed. It seems I have used Account everywhere other than the form (when creating tables etc.). I'll fix this now.
Quote:



Originally Posted by bear


Then you have this:
Code:
$sql="SELECT * FROM $tbl_name WHERE username='$account' and password='$password'";
Does the field "username" exist in the table, or is it "account"?


Sorry I should have updated, this is what I did to fix the previous error
Kieran