3 replies to this topic

[haraldur]

That is my authencation script. What is possibly wrong with it? I have an account named admin in my MySQL database and after trying to log in with it it stops on Checkuser.php the authencation file here below and does not redirect to the user/index.php, i also have the database file under the authencation file.

<?php
require_once(templates/dbconnect.php);

$username = $_POST['username'];
$password = $_POST['password'];

if (empty $username)
{
    header ("Location: index.php?report=Please+fill+in+your+username!");
}
    
if (empty $password)
{
    header ("Location: index.php?report=Please+fill+in+your+password!");
}
    
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";

$checkuser = mysql_query($query);

$row = mysql_num_rows($checkuser);

if ($row == 1)
{
    session_start();
    $_SESSION['username'] = $username;
    $_SESSION['logged_in'] = "1";
    header ("Location: user/index.php");
}
?> 

<?php
$host = "localhost";
$user = "root";
$pass = "root";
$database = "website";

$mysql_id = mysql_connect('$host', '$user', '$pass');
mysql_select_db('$database', $mysql_id);

?>

[Vladimir]

Put this line at the top of your script and fix all errors/warnings (it's very important):

error_reporting(E_ALL);

Instead of

$mysql_id = mysql_connect('$host', '$user', '$pass');

mysql_select_db('$database', $mysql_id);

use varibles without quotes:

$mysql_id = mysql_connect($host, $user, $pass);

mysql_select_db($database, $mysql_id);

Typically you have to check for error whenever you access DB (check manual for mysql_connect, mysql_select_db, mysql_query):

$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');

if (!$link) {

    die('Not connected : ' . mysql_error());

}


// make foo the current db

$db_selected = mysql_select_db('foo', $link);

if (!$db_selected) {

    die ('Can\'t use foo : ' . mysql_error());

}


$result = mysql_query('SELECT * WHERE 1=1');

if (!$result) {

    die('Invalid query: ' . mysql_error());

}

These lines are unnecessary:

$username = stripslashes($username);

$password = stripslashes($password);

Instead disable magic quotes: PHP: Disabling Magic Quotes - Manual

When you fix all issues I listed you will easily find any problem with your script.

[mnamjad]

What i would suggest is when connecting to database always use DIE code in that. There is no need of quotes when using variable.

Code:

<?php

$host = "localhost";

$user = "root";

$pass = "root";

$database = "website";


mysql_connect($host, $user, $pass) or DIE('Connection to host is failed, perhaps the service is down!');

mysql_select_db($database)  or DIE('Database name is not available!');


?> 

In the second code, you need to use concatenation (.) operator to concatenate string and variable, use the below code

<?php

require_once(templates/dbconnect.php);


$username = $_POST['username'];

$password = $_POST['password'];


if (empty $username)

{

    header ('Location: index.php?report=Please+fill+in+your+username!');

}

    

if (empty $password)

{

    header ('Location: index.php?report=Please+fill+in+your+password!');

}

    

$username = stripslashes($username);

$password = stripslashes($password);

$username = mysql_real_escape_string($username);

$password = mysql_real_escape_string($password);


$query = "SELECT * FROM users WHERE username="'" . $username . "' " AND password= " '" . $password . "';


$checkuser = mysql_query($query);


$row = mysql_num_rows($checkuser);


if ($row == 1)

{

    session_start();

    $_SESSION['username'] = $username;

    $_SESSION['logged_in'] = "1";

    header ("Location: user/index.php");

}

?>

Edited by Orjan, 22 November 2010 - 09:43 AM.
Added code tags, do that for readibility!

[SoN9ne]

This is better than the latter

$query = "SELECT * FROM users WHERE username='{$username}' AND password='{$password}'";