MySQL Login System

[Prosidius]

I'm making a blog where people login. The login system uses the one and famous MySQL. Well I set the password to 123 in the database but the file that checks the db thinks it's wrong.

Login2.php:

<?
session_start();
require('functions.php');
require('connect.php');

echo '<html>
<head>';
include '/home/adamb10/public_html/UltraBlog/themes/style1.css';

echo '<title>';
$result = mysql_query('SELECT title FROM Userdata') or die("Error: ".mysql_error());
while ($row = mysql_fetch_assoc($result))
{
    echo $row['title'];
}
echo '
</title>
</head>

<body>
<center><table width="80%" cellspacing="1" cellpadding="1" border="0" class="border">

<td class="windowbg2" colspan="3"><center><font size="3"><b>';
$result = mysql_query('SELECT title FROM Userdata') or die("Error: ".mysql_error());
while ($row = mysql_fetch_assoc($result))
{
    echo $row['title'];
}
echo '</b></font></center>
<tr>';
include 'Sources/urls.php';
echo '<------HEADER------>
<br><br><br><br><br><br>
<table width="50%" cellspacing="1" cellpadding="1" border="0" class="border">';
$password = $_POST['password'];
// DEFINE THE SESSION VARIABLE
$_SESSION['pass'] = $password;
$result = mysql_query("SELECT * FROM `Userdata` WHERE 'Password'  LIMIT 1") or die ("SQL Query Error");
if (mysql_num_rows ($result) < 1)
{
$_SESSION = array();
session_destroy();
// USER IP LOGGING
if(!session_is_registered('pass')){
    $agent = $_SERVER['HTTP_USER_AGENT'];
    $uri = $_SERVER['REQUEST_URI'];
    $user = $_SERVER['PHP_AUTH_USER'];
    $ip = $_SERVER['REMOTE_ADDR'];
    $ref = $_SERVER['HTTP_REFERER'];
    $dtime = date('r');

    if($ref == ""){
        $ref = "None";
    }
    if($user == ""){
        $user = "None";
    }

    $entry_line = "$dtime - IP: $ip \n";
    $fp = fopen("/home/adamb10/public_html/UltraBlog/data/loginlog.txt", "a");
    fwrite($fp, $entry_line);
    fclose($fp);

}
 echo '<br>
<table width="50%" cellspacing="1" cellpadding="1" border="0" class="border">
<tr>
<td class="windowbg" width="100%"><right>
<b>Error</b> </right></tr>
<tr>
<td class="titlebg" width="100%">There was an error logging in.  The error returned was:
<br><b>You entered in a wrong password. Click <a href="?action=login">here</a> to return to the login page and try again.</b></tr>';
} else {
echo '<td class="windowbg" width="100%" height="19" span 2><b>Successfully Logged in</b></tr>
        <tr>
          <td class="titlebg" width="100%">
          <center>Sucessfully Logged in!<br> Click <a href="?action=acp">here</a> to proceed to the admin area.</center></tr>
</table>';

}

echo '
<br>
<br>
</center>

</table>
<br>
<------FOOTER------>

<br><br><br><br><br><br><br>';
copyright();
echo '</body>
</html>';
?>

Thanks :)

[Josh]

In the DB did you make the password field the type PASSWORD or did you make it text? If you made it PASSWORD, you need to encrypt the password that's submitted from the form before comparing the two.

[jtchange]

this part looks wrong to me...

$password = $_POST['password'];
// DEFINE THE SESSION VARIABLE
$_SESSION['pass'] = $password;
$result = mysql_query("SELECT * FROM `Userdata` WHERE 'Password'  LIMIT 1") or die ("SQL Query Error");

try this:

$password = $_POST['password'];
$username = $_POST['username']; //i'm assuming that is the name of the field..if not, change it
// DEFINE THE SESSION VARIABLE
$_SESSION['pass'] = $password;
$_SESSION['user'] = $username;
$result = mysql_query("SELECT * FROM `Userdata` WHERE 'Username'=$username && 'Password'=$password  LIMIT 1") or die ("SQL Query Error");

that's all I can think of...the original code wasn't selecting anything at all...try this

[Prosidius]

My buddy who helped do this for me told me to use the Password encyption but he gave me a weird query and MySQL didn't like it.

jtchange, will try it. :)

EDIT: Jtchange, I now get a query error.

Edited July 2, 2005 by Adamb10

[Prosidius]

Here is a pic of my database structure if that helps:

[Sphinx Myth]

  Adamb10 said:

EDIT:  Jtchange, I now get a query error.

586153582[/snapback]

Hi.

SQL query:

SELECT *
FROM `Userdata`
WHERE Username='$username' AND Password='$password'
LIMIT 1

Don't forget to escape your data with mysql_real_escape_string( ) (or mysql_escape_string( )) to prevent SQL injections.

[jtchange]

can you post the code for the form as well? this might be able to help...and please tell us what the SQL error is, as they are pretty detailed most of the time.

edit: wait, it will always just show 'SQL Query Error'....change the die("SQL Query Error") to die(mysql_error());

[Skov]

  jtchange said:

this part looks wrong to me...

$password = $_POST['password'];
// DEFINE THE SESSION VARIABLE
$_SESSION['pass'] = $password;
$result = mysql_query("SELECT * FROM `Userdata` WHERE 'Password' ?LIMIT 1") or die ("SQL Query Error");

try this:

$password = $_POST['password'];
$username = $_POST['username']; //i'm assuming that is the name of the field..if not, change it
// DEFINE THE SESSION VARIABLE
$_SESSION['pass'] = $password;
$_SESSION['user'] = $username;
$result = mysql_query("SELECT * FROM `Userdata` WHERE 'Username'=$username && 'Password'=$password ?LIMIT 1") or die ("SQL Query Error");

that's all I can think of...the original code wasn't selecting anything at all...try this

586153401[/snapback]

You don't use ' on field names, only on value:p:p

[Prosidius]

  Sphinx Myth said:

Hi.

SQL query:

SELECT *
FROM `Userdata`
WHERE Username='$username' AND Password='$password'
LIMIT 1

Don't forget to escape your data with mysql_real_escape_string( ) (or mysql_escape_string( )) to prevent SQL injections.

586154013[/snapback]

THANK YOU!! I can login now. :D

Whats that about mysql injection?

[Jayzee]

  Adamb10 said:

THANK YOU!!  I can login now.  :D

Whats that about mysql injection?

586154362[/snapback]

SQL injection is basicly additional SQL code entered by visitor in a textbox and sent thereafter by your code to your database where it is executed.

More info

[jtchange]

  Skov said:

You don't use ' on field names, only on values :p

586154151[/snapback]

i knew something didn't look right....i just wasn't sure what it was...silly me :p

today has been a stressful day...stupid osCommerce :wacko:

[dnast]

  jtchange said:

...and please tell us what the SQL error is, as they are pretty detailed most of the time.

586154027[/snapback]

I'm nitpicking just to let you know ahead of time :), but my only real gripe about MySQL is how vague the error messages are. It's usually only helpful in that sometimes you can see where your error is, even though you'll still have to figure out exactly what you did wrong...but maybe I just need to change settings or something.

[jtchange]

  dnast said:

I'm nitpicking just to let you know ahead of time :), but my only real gripe about MySQL is how vague the error messages are. It's usually only helpful in that sometimes you can see where your error is, even though you'll still have to figure out exactly what you did wrong...but maybe I just need to change settings or something.

586155338[/snapback]

true, but i'd rather it be vague, than not give me any information at all ;)