login script doesn't work



Bob42
02-29-2008, 03:51 AM
I've created a login script, but it's not working. I enter in my correct username and password, but it gives me my error message. I'm not sure why, but I think it's because my password isn't being converted to sha1 properly, therefore the database can't read it.



session_start();
require("../connect.php");

if (isset($_POST['submit']))
{
    if ($_POST['username'] != '' && $_POST['password'] != '')
    {
        $username = mysql_real_escape_string($_POST['username']);
        $password = mysql_real_escape_string(sha1($_POST['password']));

        $sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
        $rs = mysql_fetch_assoc($sql);
        $ip = $_SERVER['REMOTE_ADDR'];
        $browser = $_SERVER['HTTP_USER_AGENT'];

        if (isset($_POST['remember']))
        {
            setcookie("cookiename", $username, time()+60*60*24*100, "/");
            setcookie("cookiepass", $password, time()+60*60*24*100, "/");
        }

        if (!$sql)
        {
            echo "<p class=\"hack\">Username and password could not be found.<br /><img src=\"../images/queryerror.jpg\" alt=\"\" /></p>";
            exit;
        }

        $count = mysql_num_rows($sql);

        if ($count == 1)
        {
            $_SESSION['username_session'] = $username;
            $_SESSION['status_session'] = $rs['status'];
            $_SESSION['ip_session'] = $ip;
            $_SESSION['browser_session'] = $browser;
            $_SESSION['db_logged_in'] = true;
            header("Location: ../panel.php");
        }
        else
        {
            echo "<p class=\"hack\">Stop hacking!<br /><img src=\"../images/hackerror.jpg\" alt=\"\" /></p>";
            exit;
        }
    }
}
else
{
    echo "<p class=\"hack\">You are not suppose to be in here.<br /><img src=\"../images/hackerror.jpg\" alt=\"\" /></p>";
    exit;
}


I'm receiving the "Stop hacking!" message.

_Aerospace_Eng_
02-29-2008, 03:58 AM
Your query could be failing but you aren't doing any error checking. Change this

$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
to this

$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'") or die(mysql_error());
Also make sure the password field in your database allows enough characters to fit your whole password. Another thing, posting the actual form might help as well.

Earunder
02-29-2008, 05:22 PM
You could change the following:



if (!$sql)
{
    echo "<p class=\"hack\">Username and password could not be found.<br /><img src=\"../images/queryerror.jpg\" alt=\"\" /></p>";
    exit;
}

$count = mysql_num_rows($sql);

if ($count == 1)
{
    $_SESSION['username_session'] = $username;
    $_SESSION['status_session'] = $rs['status'];
    $_SESSION['ip_session'] = $ip;
    $_SESSION['browser_session'] = $browser;
    $_SESSION['db_logged_in'] = true;
    header("Location: ../panel.php");
}


to:



if (!$sql)
{
    echo "<p class=\"hack\">Username and password could not be found.<br /><img src=\"../images/queryerror.jpg\" alt=\"\" /></p>";
    exit;
} else {
    $_SESSION['username_session'] = $username;
    $_SESSION['status_session'] = $rs['status'];
    $_SESSION['ip_session'] = $ip;
    $_SESSION['browser_session'] = $browser;
    $_SESSION['db_logged_in'] = true;
    header("Location: ../panel.php");
    exit;
}


IMO the rest seems unneeded. Just my 2 cents.

If you want to keep your code the same without change, you forgot exit; after header("Location: ../panel.php");
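An added example, not code from any poster in this thread: the login decision discussed above, made on whether a row actually matched rather than on whether the query ran, since a query that succeeds with zero rows still returns a valid result. It assumes PDO with an in-memory SQLite database in place of the mysql_* functions and password_hash()/password_verify() in place of sha1(). The authenticate() function and the sample account are constructed for illustration, and the table and column names are taken from the query in the thread.

```php
<?php
// Added example; authenticate() and the demo account are hypothetical.
// Assumes the pdo_sqlite extension so the script runs offline.

function authenticate(PDO $db, string $username, string $password): ?array
{
    // Prepared statement: the username is bound, never interpolated into SQL.
    $stmt = $db->prepare('SELECT username, password, status FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // A query that ran without error but matched no row is not a login:
    // fetch() returns false here even though execute() succeeded.
    if ($row === false) {
        return null;
    }
    // Verify against the stored salted hash instead of comparing sha1() strings in SQL.
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']); // keep the hash out of sessions and cookies
    return $row;
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, status TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')
   ->execute(['bob', password_hash('correct horse', PASSWORD_DEFAULT), 'member']);

$attempts = [
    ['bob', 'correct horse'],    // matching row and matching password
    ['bob', 'wrong'],            // matching row, password mismatch
    ['nobody', 'correct horse'], // query succeeds, zero rows
];
foreach ($attempts as [$u, $p]) {
    $user = authenticate($db, $u, $p);
    echo $u, ' / ', $p, ' => ', ($user ? 'login as ' . $user['status'] : 'rejected'), PHP_EOL;
}
```

Only a non-null return from authenticate() should lead to setting the session variables and the redirect, followed by exit.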


