spot the problem with this script (please)

greg

He has: 1,581 posts

Joined: Nov 2005

I know this is long, but I have searched and scratched my head too much now. Time to ask the pros!

There is a login form on all pages of my website. When the 'Login' button is pressed it goes to another page (the code below) with the $_POST data.

What the script basically does...
If either the entered username or password is blank, it sends the user to another page (loginerr.php), where it tells the user they inputted the wrong details.
To determine on loginerr.php what was done incorrectly, I used a session:
$_SESSION['loginerror']

So depending on what this script's IF and ELSE finds from the user input, it sets the session to 1, 2, 3 or 4, and on the following page each number represents the correct message etc.

If the inputs weren't blank, it connects to the MySQL DB and gets the username and password if they match.

then it runs through what to do

My problems:
If username and password are left blank in the login form, it logs the user in as " ", that is, with a blank username.

I know this is because the data retrieved from the DB is blank, as there was no match in the DB, and the data the user entered was blank, so the username and password the user entered match those it finds in the DB (blank),
so it logs the user in and sets his session username to blank.

I thought the following code would have solved that:
if (!$_POST['username'] | !$_POST['password']) {
$_SESSION['loginerror']=4;
header("Location: loginerr.php");
}

If blank, go to another page without getting to the further code.
If one is not blank it's not a problem, as the following code WON'T match the data found in the DB to the user's inputted code:
DB data is both blank, user inputted something.

Any ideas what I need to adjust?

<?php
session_start();
require_once('mysql.php');

// this should send the user to retry login page saying both inputs were blank
// it either doesn't work at all, OR it STILL reads the rest of the code after this and logs user in with blank username??
if (!$_POST['username'] | !$_POST['password']) {
    $_SESSION['loginerror']=4;
    header("Location: loginerr.php");
}

mysql_select_db("DBNAME") or die(mysql_error());

$username=$_POST['username'];
$password=$_POST['password'];

$sql="SELECT * FROM tablename WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

// this logs in user when pword and usrname match in the DB, it works fine with the correct logins,
// but also logs in user with blank username when pword and usrname are both blank (explained above)
if ($username == $result['username'] && $password == $result['password']) {
    $_SESSION['user']=$username;
    header("Location: /members/memindex.php");
} else {
    // this is when login incorrect, sends user to error page to tell try again
    // the session=1 (etc) is to determine what the problem is for the retry login page
    // (i.e. wrong username, password or username and password)
    // it works in as much as it sends the user to the right page, but that's only because all the above code was false,
    // it doesn't seem to give the correct session stuff??
    if ($username != $result['username'] && $password != $result['password']) {
        $_SESSION['loginerror']=3;
    } elseif ($username == $result['username']) {
        $_SESSION['loginerror']=1;
    } elseif ($password == $result['password']) {
        $_SESSION['loginerror']=2;
    }
    header("Location: loginerr.php");
}
?>

any help will be MUCH appreciated!

teammatt3

He has: 2,102 posts

Joined: Sep 2003

You only have one pipe bar in your first logical OR.

if (!$_POST['username'] | !$_POST['password']) {

needs to be

if (!$_POST['username'] || !$_POST['password']) {

I don't know if that's the only problem, but try it and see if it works.

greg

He has: 1,581 posts

Joined: Nov 2005

RATHER THAN edit this entire post (in case someone is reading/replying to it): I have solved this problem... see next post for script changes,
but still have another problem (next post)

I tried it and it made no difference, but I did discover something

the original script sets a value to a session then redirects the user with the header code

I changed it to just echo some text and it worked fine??

if (!$_POST['username'] || !$_POST['password']) {
echo "blank";
}

so there is something wrong with the header redirect within an if statement? I have seen people use a variable within the clause

if (!$_POST['username'] || !$_POST['password']) {
$blank_login = 'true';
}

then later have IF $blank_login == 'true' then do whatever

It seems to me that header("Location: loginerr.php"); isn't working correctly for some reason. Because it's within the if statement?

To be honest, it might be fine, but I am not happy with the script that checks the user's inputs to the data from the DB checks....
if($username == $result['username'] && $password == $result['password']) {

$username is assigned to $_POST['username']
and of course $result['username'] is the data from the DB

but if the user left the fields blank, they won't match anything in the DB, so the DB data will be blank
and so is the user's input
so that above code is returned as TRUE

and therefore logs in the user. There must be a better way to check if the info the user puts in a form matches anything in the DB

greg

He has: 1,581 posts

Joined: Nov 2005

So now what happens is: if either field was blank it assigns a variable the word "true", else the variable is "false".

Then, if the var is false (that is, neither field was blank) it connects to the DB and checks the user's input;
else, it goes to the login retry page informing the user he didn't input anything, and this also means it doesn't unnecessarily access and check the DB.

The whole script now seems a little sloppy and bloated to me, but it works, and I don't like fixing things that work. (Laughing out loud)

My problem now is it ALWAYS sets the $_SESSION['loginerror'] to the number 3.

This is because of my SQL query line:
SELECT * FROM tablename WHERE username='$username' and password='$password'

So it will only retrieve data if BOTH match,
so when my following script determines which input was incorrect, i.e. the username OR password, both will be, always,

because even if the user inputted the correct username OR password, it won't match the DB, as the DB data will be blank because BOTH didn't match in the DB query.

How do I get it to select ANY of password and username when they match without having 2 separate SQL queries?

The updated script...

<?php
session_start();
require_once('mysql.php');

if (!$_POST['username'] || !$_POST['password']) {
    $blank_login = "true";
    $_SESSION['loginerror'] = 4;
} else {
    $blank_login = "false";
}

if ($blank_login == "false") {
    mysql_select_db("DBNAME") or die(mysql_error());

    $username=$_POST['username'];
    $password=$_POST['password'];

    $sql="SELECT * FROM tablename WHERE username='$username' and password='$password'";
    $result=mysql_query($sql);

    if ($username == $result['username'] && $password == $result['password']) {
        $_SESSION['user']=$username;
        header("Location: /members/memindex.php");
    } else {

        if ($username != $result['username'] && $password != $result['password']) {
            $_SESSION['loginerror']=3;
        } elseif ($username == $result['username']) {
            $_SESSION['loginerror']=1;
        } elseif ($password == $result['password']) {
            $_SESSION['loginerror']=2;
        }
    }
}
header("Location: loginerr.php");


?>
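
Added example, not part of the thread and not any poster's code: a hardened version of the login check discussed above, written against PDO because the mysql_* functions were removed in PHP 7. It stops after each redirect, fetches an actual row, binds the username as a parameter, verifies a password hash, and reports a failed match with one code instead of saying which field was wrong. The users table, the sample account, the password_hash column and the in-memory SQLite database (standing in for the site's MySQL database) are assumptions made so the block runs on its own.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. The users table, the sample account
// and the in-memory SQLite database (standing in for MySQL) are constructed.

function check_login(PDO $db, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;                       // blank input never reaches the database
    }
    // Bound parameter: user input is never pasted into the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);  // an actual row, or false if none matched
    // The old mysql_query() returned a result handle, not a row, so
    // $result['username'] was null and '' == null compared as true.
    return $row !== false && password_verify($password, $row['password_hash']);
}

function redirect(string $url): void
{
    header('Location: ' . $url);
    exit;   // header() only queues the redirect; without exit the script runs on
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

if (PHP_SAPI === 'cli') {
    // Constructed inputs: blank, wrong password, unknown user, valid login.
    $cases = [['', ''], ['alice', 'wrong'], ['bob', 'x'], ['alice', 'correct horse']];
    foreach ($cases as [$u, $p]) {
        printf("%-8s => %s\n", var_export($u, true), check_login($db, $u, $p) ? 'ok' : 'rejected');
    }
} else {
    session_start();
    $u = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $p = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    if (check_login($db, $u, $p)) {
        session_regenerate_id(true);        // new session id after login
        $_SESSION['user'] = $u;
        redirect('/members/memindex.php');
    }
    // 4 = blank field, 3 = no match; never say which of the two was wrong.
    $_SESSION['loginerror'] = ($u === '' || $p === '') ? 4 : 3;
    redirect('loginerr.php');
}
```

Run from the command line it prints the result for the four constructed inputs; under a web server it handles the POST from the login form. It needs the pdo_sqlite extension.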
