Username & Password

  #1 (permalink)  
Old Mar 28th, 2007, 14:50
Up'n'Coming Member
Join Date: Jan 2006
Location: NI
Posts: 50
Thanks: 0
Thanked 0 Times in 0 Posts
Username & Password

Hi, I am having problems creating a user login feature. I have created a form to allow users to create a username and password, which then adds this information to MySQL.

When I try to log in it says:

no such login in the system. please try again.

The login name and password are correct, so it has to be my process code, which is:

PHP: Select all

<?php

$host = 'localhost';
$user = 'username';
$pass = 'password';
$db = 'users';
$table = 'members';

$dbh = mysql_connect("$host", "$user", "$pass") or die('I cannot connect to the database because:' . mysql_error());
mysql_select_db("$db");
$sql = "SELECT Username FROM $table WHERE Username='".$Username."' and Password='".$Password."'";
$r = mysql_query($sql);
if (!$r) {
    $err = mysql_error();
    print $err;
    exit();
}
if (mysql_affected_rows() == 0) {
    print "no such login in the system. please try again.";
    exit();
}
else {
    print "successfully logged into system.";
}

?>
Can anyone help me with why it is not working, or is there a better way of doing it?


Thanks
Robert

Last edited by karinne; Mar 28th, 2007 at 14:53. Reason: Please use [php]...[/php] tags when displaying PHP code!
Reply With Quote

  #2 (permalink)  
Old Mar 28th, 2007, 14:54
karinne's Avatar
SuperMember

SuperMember
Join Date: Jan 2007
Location: You know where
Age: 31
Posts: 4,617
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Username & Password

Where do you grab $Username and $Password? I don't see those variables assigned to anything anywhere in your code.
Reply With Quote
  #3 (permalink)  
Old Mar 28th, 2007, 14:59
Up'n'Coming Member
Join Date: Jan 2006
Location: NI
Posts: 50
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Username & Password

This is my signin Form:

<FORM ACTION="authenticate.php" METHOD="get">
USERNAME: <INPUT NAME="Username" TYPE="text" ID="Username"><BR><BR>
PASSWORD: <INPUT NAME="Password" TYPE="text" ID="Password"><BR><BR>
<INPUT NAME="Login" TYPE="submit">
</FORM>

So how would I declare those two variables in the PHP script, like this?

$Username =$_POST['Username'];
$Password =$_POST['Password'];


Thanks
Robert
Reply With Quote
  #4 (permalink)  
Old Mar 28th, 2007, 15:02
karinne's Avatar
SuperMember

SuperMember
Join Date: Jan 2007
Location: You know where
Age: 31
Posts: 4,617
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Username & Password

So ... authenticate is the code you posted previously?

Then yes ... by using

PHP: Select all

 $Username =$_POST['Username'];
$Password =$_POST['Password']; 
in there, you will be assigning the input to those variables.

I'll move this to the php forum since your problem lies with the coding and not the database
Reply With Quote
  #5 (permalink)  
Old Mar 28th, 2007, 15:19
Up'n'Coming Member
Join Date: Jan 2006
Location: NI
Posts: 50
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Username & Password

Hmmm, still not working when I tried that, and authenticate is the code I posted previously.

The username and password are correct; I have checked the entries in the database I entered on the other form.

What else could be wrong?

Thanks
Robert

Last edited by robukni; Mar 28th, 2007 at 16:13.
Reply With Quote
  #6 (permalink)  
Old Mar 28th, 2007, 21:49
karinne's Avatar
SuperMember

SuperMember
Join Date: Jan 2007
Location: You know where
Age: 31
Posts: 4,617
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Username & Password

add $r to

PHP: Select all

if(mysql_affected_rows()==0){ 

so it becomes

PHP: Select all

if(mysql_affected_rows($r)==0){ 

try that and see.
Reply With Quote
  #7 (permalink)  
Old Mar 29th, 2007, 03:37
Up'n'Coming Member
Join Date: Jan 2006
Location: NI
Posts: 50
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Username & Password

Hmm, tried that and it brought up an error. I can't figure it out at all.

Have to look some more at it.


Thanks
Robert
Reply With Quote
  #8 (permalink)  
Old Mar 29th, 2007, 07:55
Ryan Fait's Avatar
SuperMember

SuperMember
Join Date: May 2006
Location: Las Vegas
Posts: 3,786
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Username & Password

You're not using any type of encryption are you? Perhaps the password is encrypted and you're not encrypting the submitted password before checking it against the database?
Reply With Quote
  #9 (permalink)  
Old Mar 29th, 2007, 12:14
karinne's Avatar
SuperMember

SuperMember
Join Date: Jan 2007
Location: You know where
Age: 31
Posts: 4,617
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Username & Password

Ok ... try changing this

PHP: Select all

if(mysql_affected_rows($r)==0){ 

to

PHP: Select all

if(!mysql_num_rows($r)){ 

Reply With Quote
  #10 (permalink)  
Old Mar 29th, 2007, 14:22
Up'n'Coming Member
Join Date: Jan 2006
Location: NI
Posts: 50
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Username & Password

Hi, OK, that worked, thanks.

One more question: how do I load a certain page when they successfully log in?

At the minute, if they just type in the URL of the page it will still bring it up without logging in.

Difficult to explain, hope you know what I mean.


Thanks
Robert
Reply With Quote
  #11 (permalink)  
Old Mar 29th, 2007, 18:30
Up'n'Coming Member
Join Date: Jan 2006
Location: NI
Posts: 50
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Username & Password

OK, for the above question I have come across the following code:

PHP: Select all

<?php
session_start();
if ( $log_out )
{
    session_unregister( "valid_user" );
    session_destroy();
    session_start();
}
function write_log_in( $text )
{
    echo "

$text

<form method='post' action=''><br />
<p>User ID: <input type='text' name='user_name'/><br />
<p>Password: <input type='password' name='password'/><br />
<p><input type='submit' value='Log In'/><br/>
</form>
";
} // end write_log_in function
function verify()
{
    // check to see if they're already logged in
    if ( session_is_registered( "valid_user" ) ) return true;
    // check to see if visitor has just tried to log on
    $user_name = $_POST["user_name"];
    $password = $_POST["password"];

    if ( $user_name && $password )
    {
        // verify password and log in to database
        $db = mysql_pconnect( "localhost", "$user_name", "$password" );
        if ( $db )
        {
            // register session variable and exit the verify function
            $valid_user = $user_name;
            $_SESSION['valid_user'] = $valid_user;
            return true;
        }
        else
        {
            // bad user and password
            $text = "User Name and Password did not match";
            write_log_in( $text );
        }
    }
    else
    {
        // user must log in
        $text = "This is a secure server. Please log in.";
        write_log_in( $text );
    }
} // end verify function
?>

<html>

<head>
<title></title>
</head>

<body>

<?php
// check for valid user
if ( verify() )
{
    echo "

Log out";
    // begin secure content
    echo "

Clatu, verata, nicto

";
    // end secure content
} // end if ( verify() )
?>
</body>
</html>
This code will work, but the problem I have is I want to add the function:

PHP: Select all

$select = "select user_name from users
where user_name='$user_name'
and password=PASSWORD( '$password' )";
$query = mysql_query( $select );
if ( mysql_num_rows( $query ) == 1 )
{
    // validated user and password
}
How would I do this?

Thanks
Robert

Last edited by karinne; Mar 30th, 2007 at 15:00. Reason: Please use [php]...[/php] tags when displaying code!
Reply With Quote
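An added example, not written by anyone in this thread, of one way to keep a page from loading when its URL is typed in directly: every protected page calls a guard before producing output. It assumes PHP 7.3+ and HTTPS; the session key valid_user follows the post above, while login.php and the function names are hypothetical.

```php
<?php
// auth.php: added example, not code from the thread. Function names and the
// login.php target are hypothetical; 'valid_user' is the key used in the post.

function start_secure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Cookie is hidden from scripts and only sent over HTTPS (assumed).
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => true,
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Call once, immediately after the password check has succeeded.
function mark_logged_in(string $username): void
{
    start_secure_session();
    session_regenerate_id(true);   // fresh id, so a pre-login id is useless
    $_SESSION['valid_user'] = $username;
}

// Call at the very top of every protected page, before any output.
function require_login(): string
{
    start_secure_session();
    if (empty($_SESSION['valid_user'])) {
        header('Location: login.php');
        exit;   // without exit the rest of the page is still sent
    }
    return $_SESSION['valid_user'];
}

function log_out(): void
{
    start_secure_session();
    $_SESSION = [];
    session_destroy();
}
```

A protected page would start with `require_once 'auth.php'; $user = require_login();` and only then emit its content.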
  #12 (permalink)  
Old Mar 30th, 2007, 14:51
masonbarge's Avatar
Highly Reputable Member
Join Date: Jan 2006
Location: Atlanta GA
Posts: 631
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Username & Password

If you are checking for a unique user name, do that as a distinct module and forget the password. Then check the password once you have validated the unique user name.

Security issues: 1) The change to POST is a good one. 2) You very badly need to take the database connection out of this file and put it into a separate file stored in your root directory, where it cannot be accessed directly over the internet. Then include it at the top of your php (require_once). Like this:
Code: Select all
<?php
#Script 7.0 - mysql_connect.php March 30 2007
DEFINE ('DB_USER' , 'myfile_user');
DEFINE ('DB_PASSWORD' , '888mypw3x');
DEFINE ('DB_HOST' , 'localhost');
DEFINE ('DB_NAME' , 'myfilez_mydatabasename');
$dbc = @mysql_connect (DB_HOST, DB_USER, DB_PASSWORD) OR die ('Could not connect to MySQL:' . mysql_error() );
@mysql_select_db (DB_NAME) OR die ('Could not select database' . mysql_error() );

//escape data function
function escape_data ($data)  {
    if (ini_get('magic_quotes_gpc'))  {
    $data = stripslashes($data);
    }
    if (function_exists('mysql_real_escape_string'))  {
        global $dbc;
        $data = mysql_real_escape_string(trim($data), $dbc);
    }  else  {
    $data = mysql_escape_string(trim($data));
}
return $data;
}
?>
You would save this file in your root directory as, say, 'mysql_login_connect.php'. I have obviously included a stripslash feature that should work in PHP 4x and 5x. Just remove it if you want. You could end this file at the fifth line:
Code: Select all
OR die ('Could not connect to MySQL');
Then drop down one level into the public_html directory and put something like this at the top of your login page. I've just copied the first lines of a working file (both examples are just copies of actual files with name & password changes) so excuse any extraneous matter:
Code: Select all
<?php
//Script 9.1 - login.php  July 4, 2006
//Send NOTHING to the browser prior to the setcookie() lines (I left this comment in, in case you want to use this for cookies

if (isset($_POST['submitted']))  {
    require_once('../mysql_login_connect.php');

// Note - the '../' accesses the root directory, which can be done from your php script
// but not from a web browser directly.  If this was a subfile in say "mysite", you would use '../../', and so on.

    $errors = array();
                                                    
    if (empty($_POST['email']))  {
        $errors[] = 'You forgot to enter your email';
    }  else  {
        $e = escape_data($_POST['email']);
    }
Obviously this contains some stuff like references to my error reporting method, which you can ignore, adopt, or replace.
Reply With Quote
  #13 (permalink)  
Old Mar 30th, 2007, 14:54
karinne's Avatar
SuperMember

SuperMember
Join Date: Jan 2007
Location: You know where
Age: 31
Posts: 4,617
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Username & Password

Ah ... thanks for the tip Mason!
Reply With Quote
  #14 (permalink)  
Old Apr 4th, 2007, 22:36
Up'n'Coming Member
Join Date: Jan 2006
Location: NI
Posts: 50
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Username & Password

Hi, thanks for your reply. I have got my login system working and made those two changes, which are POST and putting the DB login in a separate page.

What other measures can I take to improve security?
I was thinking about password encryption maybe.

My code to create an account is as follows:

Code: Select all
<?php 
if ((!preg_match("/^([a-zA-Z0-9])+@([a-zA-Z0-9_-])+(\.[a-zA-Z0-9_-]+)+/", $_POST['email'])) )
{
echo " The information you entered is not valid. <A HREF=purchase.php>Click here</A> to try again.";
}
else
{
include("dbconnect.php"); 

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

// check if the username is taken
$check = "select id from $table where username = '".$_POST['username']."';"; 
$qry = mysql_query($check)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry); 
if ($num_rows != 0) { 

echo "Sorry, there the username $username is already taken.<br>";
echo "<a href=linkname.php>Try again</a>";
exit; 
} else {

// insert the data
$insert = mysql_query("insert into $table values ('', '".$_POST['username']."', '".$_POST['password']."', '".$_POST['name']."', '".$_POST['address']."', '".$_POST['email']."', '".$_POST['fax']."', '".$_POST['telephone']."')")
or die("Could not insert data because ".mysql_error());

// print a success message
echo "Your user account has been created!<br><br>"; 
echo "Please login using the menu on the right"; 
}
}
?>

Another problem, if anyone can help me with it.
The service I am creating this for will have to be bought, but at the minute when I submit this the user will have full access to the website.

The process is register - buy - finished.

How do I prevent the user from having access after registering until they pay through PayPal?

I am using PayPal at the moment as I am not experienced with e-commerce.

Any suggestions welcome.


Thanks
Robert

Last edited by JacobHaug; Apr 5th, 2007 at 02:25. Reason: Added [code]...[/code] tags around code!
Reply With Quote
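An added example, not code from any poster in this thread, of the measures the last post asks about: storing a password hash instead of the password, keeping request data out of the SQL string, and withholding access until payment is recorded. It assumes PHP 7+ with pdo_sqlite; the members layout, the paid column and the sample account are constructed, and how the flag is set from a PayPal confirmation is outside the example.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ with pdo_sqlite; the
// table layout, the "paid" column and the sample account are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL,
    paid INTEGER NOT NULL DEFAULT 0)');

function register(PDO $pdo, string $username, string $password): bool
{
    // Store a salted one-way hash, never the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    try {
        // Placeholders keep request data out of the SQL text entirely.
        $stmt = $pdo->prepare(
            'INSERT INTO members (username, password_hash) VALUES (?, ?)');
        $stmt->execute([$username, $hash]);
        return true;
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') {
            return false; // UNIQUE constraint: username already taken
        }
        throw $e;
    }
}

function login(PDO $pdo, string $username, string $password): string
{
    $stmt = $pdo->prepare(
        'SELECT password_hash, paid FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Same answer for unknown user and wrong password.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return 'denied';
    }
    // Registered but unpaid accounts authenticate yet get no paid content.
    return $row['paid'] ? 'ok' : 'unpaid';
}

register($pdo, 'robert', 'correct horse battery');
echo login($pdo, 'robert', 'correct horse battery'), "\n"; // before payment
echo login($pdo, "robert' OR '1'='1", 'x'), "\n";  // quote stays literal data
$pdo->prepare('UPDATE members SET paid = 1 WHERE username = ?')
    ->execute(['robert']);  // stands in for a verified payment confirmation
echo login($pdo, 'robert', 'correct horse battery'), "\n"; // after payment
```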