log in script



renu-86
01-22-2010, 02:16 PM
I have created a log in page for my website...
with two fields,
username and password ... when a user enters username and password, it's logging in and that is working fine ... and if the user enters a wrong password ... it displays a message "invalid password"..
but the problem is when the user enters a wrong username... I need to display a message "wrong username"... it's not working... what's happening is ... when the user enters wrong username and password... it will not log in but it is not displaying the message...

code is as follows




    $email=$_POST['email']; // value of the text box field
    $password=$_POST['password']; // value of the text box field
    $message= "Invalid Password";
    $msg="Email and Password do not match";

    $result=mysql_query("SELECT * FROM ".TABLE_USERS." where email='".$_POST['email']."' and password='".$_POST['password']."'");
    if($a=mysql_fetch_array($result))
    {
        if($a["email"]==$email)
        {
            if($a["password"]==$password)
            {
                header("Location:after_login.php");
            }
            else
            {
                //if password is wrong, message is displayed
                echo $msg;
            }
        }
        else
        {
            echo $msg;
        }
    }


Somebody help me to solve this... any help will be appreciated... thank you...

mlseim
01-22-2010, 02:40 PM
You are querying your database for the password AND email to be found.
If they are BOTH found correct, the $a array contains a row.

That means, if either one, or both are incorrect, $a array will be empty.

I can't figure out how you can even get ANY error message, because it
won't even process those lines if $a array is empty. And if it does process
those lines, BOTH password and email must be correct.

So, it's my guess that you have PHP register_globals enabled, and you're
seeing the $message variable when you return back from checking the login.

You'll never see the $msg variable because those lines only execute if BOTH
the email and password match exactly, and therefore, it will always go to after_login.php

Check your PHP config (with your webhost) and see if register_globals is enabled.
It should not be enabled, as it poses a security risk. When you disable register_globals,
you'll discover that your variable "values" no longer carry over from script to script.
That's sort of the point. You should be using PHP sessions to handle the login, not the
value of global variables.




renu-86
01-22-2010, 03:33 PM
Thank you for your reply...
where can I find the register_globals??? I checked in config.php page, but could not find any.....

renu-86
01-22-2010, 03:36 PM
one more query ......
if I change my line of code

$result=mysql_query("SELECT * FROM ".TABLE_USERS." where email='".$_POST['email']."' and password='".$_POST['password']."'");

to

$result=mysql_query("SELECT * FROM ".TABLE_USERS." where email='".$_POST['email']."'");

what difference will happen in the execution of the above shown code in my previous thread???

mlseim
01-22-2010, 03:55 PM
You'll end up with an array of all records that matched the email only.
Not a problem unless you have 2 (or more) people that use the same email,
like a husband/wife.

I would say that you keep it as you originally had it.
Don't let the user know which of the 2 was wrong. That might help a hacker
use brute-force if they know the email was right, but the password was wrong.

Best to just tell them the log-in was invalid, and if they forgot their password,
you can create a new one and send it to their email.

====================

There is a way to disable register_globals using .htaccess

Be careful about messing with your .htaccess file, or email your webhost
and request they disable register_globals. It's possible that register_globals
is already disabled, but my hunch is that it's enabled ... by the way your
script seems to be working.

Here is the line you can try in your .htaccess file:
php_flag register_globals off

After all that, you're going to need to learn about PHP SESSIONS.
Google has a lot of tutorials about that. A PHP session is like a cookie that gets
stored on the server (not the user's PC). Once a session variable is set, you can
read it from any script and know that the user is logged-in. It gets destroyed when
the user closes their browser.

renu-86
01-22-2010, 05:55 PM
Thanks a lot for your suggestions....
I went through the tutorials of SESSIONS...
where can I use SESSIONS in that page of code??
how can it help??

renu-86
01-24-2010, 08:54 AM
Thank you for your suggestions ... tried but it didn't help...


I changed my code to the following ..





    $email=$_POST['email'];
    $password=$_POST['password'];

    $msg="Invalid Email or Password";

    $result=mysql_query("SELECT * FROM ".TABLE_USERS." where email='".$_POST['email']."' and password='".$_POST['password']."'");

    if($a=mysql_fetch_array($result))
    {
        if($a["email"]==$email && $a["password"]==$password)
        {
            header("Location:after_login.php");
        }
        else
        {
            echo $msg ;
        }
    }





When I am entering the correct email and password, log in is working fine...
but when I enter the wrong email or password, it's not logging in and that's ok, but the problem is the "Invalid email or password" msg is not displayed even if I wrote 'echo $msg' .. I don't understand what the problem is ... please help....

mlseim
01-24-2010, 04:19 PM
Here's another mistake ...

if($a=mysql_fetch_array($result))

should be:

if($a==mysql_fetch_array($result))

c-rob
01-24-2010, 09:25 PM
I think this will do it for you. Just insert your SQL Statement.



    // Print each collected error message.
    // The array is passed in: $error is not visible inside a function otherwise.
    function printErrors($error) {
        foreach($error as $err) {
            echo 'Error: ' . $err;
        }
    }

    if(isset($_POST['email']) && isset($_POST['password'])) {

        $error = array();
        $redirect = 'page.php';

        // escape the input before it goes into the SQL statement
        $email = mysql_real_escape_string($_POST['email']);
        $password = mysql_real_escape_string($_POST['password']);

        $result = mysql_query("YOUR SQL STATEMENT");
        if(mysql_num_rows($result) > 0) {
            $row = mysql_fetch_assoc($result);

            if($email == $row['email']) {
                if($password == $row['password']) {
                    header('Location: ' . $redirect);
                    exit; // stop here so nothing else runs after the redirect
                }
                else{
                    $error[] = 'Password does not match given email.';
                }
            }
            else{
                $error[] = 'No user found with given email.';
            }

            printErrors($error);
        }
    }

renu-86
01-26-2010, 11:57 AM
Thanks for your help

I tried with register_globals, it is set to off in my phpinfo.php

with following code



    $email=$_POST['email'];
    $password=$_POST['password'];

    $message = "Invalid Email or Password";

    $result=mysql_query("SELECT * FROM ".TABLE_USERS." where email='".$_POST['email']."'");

    if($a=mysql_fetch_array($result))
    {
        if($a["email"]==$email)
        {
            if($a["password"]==$password)
            {
                header("location:after_login.php");
            }
            else
            {
                echo $message;
            }
        }
        else
        {
            echo $message;
        }
    }



If I am entering the correct email and wrong password, it will display the $message variable.
If I am entering the email wrong, it's not showing the $message.

I changed the code to the following


    $email=$_POST['email'];
    $password=$_POST['password'];

    $message = "Invalid Email or Password";

    $result=mysql_query("SELECT * FROM ".TABLE_USERS." where email='".$_POST['email']."'");

    if($a=mysql_fetch_array($result))
    {
        if($a["email"]==$email)
        {
            if($a["password"]==$password)
            {
                header("location:after_login.php");
            }
            else
            {
                echo $message;
            }
        }
        else
        {
            echo $message;
        }
    }
    else
    {
        echo $message ;
    }



but now what happens is without entering email and password, the $message variable is displayed. Whenever I refresh the browser the $message variable is displayed .. I am getting mad with this...
please help...

mlseim
01-26-2010, 03:18 PM
I think it all begins with the query.
You first started this thread with a script that looked for BOTH, using an AND operation.
That was actually the correct query, except you didn't use this message: "Invalid Email or Password"

Then you went to looking for only the email.
That's a problem because if the email isn't found, it won't check for password either.


So, with that ... this would be the script that I think you should use:


    <?php
    session_start(); // start PHP sessions

    // escape the form values before they go into the query
    $email=mysql_real_escape_string($_POST['email']);
    $password=mysql_real_escape_string($_POST['password']);

    $message = "Invalid Email or Password";

    $result=mysql_query("SELECT * FROM ".TABLE_USERS." where email='".$email."' and password='".$password."'");

    if($a=mysql_fetch_array($result))
    {
        // write a session variable - successful login
        $_SESSION['user'] = 'logged_in';
        header("location:after_login.php");
        exit; // stop the script once the redirect is sent
    }
    else
    {
        echo $message;
    }



Now, you are going to have another issue ...
How will you know they are logged in after you go to "after_login.php"?

That's where you need to use PHP sessions.
See in the script above where I write a session variable if logged-in.

Now, on every other script, you simply look for the session variable.
If it exists, they are logged in, otherwise, you kick them out.

Like this:


    <?php
    session_start();
    if(isset($_SESSION['user'])){
        //they are logged-in, so do nothing.
    }
    else{
        //they are not logged-in, so kick them out.
        header ("location: index.php");
        exit; // without this the protected page below is still sent
    }
    ?>

<html>
blah blah
the rest of your protected page goes here ...
</html>
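
The login check discussed in this thread, as an added example that is not any poster's code: it validates only on a POST submission, uses a PDO prepared statement instead of concatenating $_POST into the query, and compares against a password hash rather than a stored plain-text password. The users table layout, the password_hash column and the in-memory SQLite sample row are assumptions made so the example runs stand-alone.

```php
<?php
// Added example: table/column names (users, email, password_hash) are assumptions.
session_start();

// Constructed sample data in an in-memory SQLite database so the example runs
// stand-alone; on a real site, point PDO at the existing MySQL database instead.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['test@test.com', password_hash('test123', PASSWORD_DEFAULT)]);

// Returns true only when the email exists AND the password matches its hash.
function checkLogin(PDO $db, string $email, string $password): bool
{
    // Placeholder binding keeps user input out of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();          // false when no row matches
    return $hash !== false && password_verify($password, $hash);
}

$message = '';
// Validate only when the form was actually submitted; a plain page load or
// refresh (GET) must not print the error.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $email    = $_POST['email'] ?? '';
    $password = $_POST['password'] ?? '';
    if (is_string($email) && is_string($password) && checkLogin($db, $email, $password)) {
        session_regenerate_id(true);       // fresh session id after login
        $_SESSION['user'] = $email;
        header('Location: after_login.php');
        exit;                              // nothing below runs after the redirect
    }
    // One message for both failure cases, as advised in the thread.
    $message = 'Invalid Email or Password';
}
?>
<form method="post">
  <?= htmlspecialchars($message) ?>
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
```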

renu-86
01-27-2010, 09:29 AM
Thanks for the suggestion .. I tried what you said ..
When I run the code, what happened is, the page is showing the $message variable ("Invalid Email or password") even before I enter anything in the form fields..
i.e. I am able to log in when I enter the correct email and password but when I log out and come back to the main page that message is displayed .. why is it like that ?? :confused:

I hope you understood the problem ...

mlseim
01-27-2010, 01:20 PM
How do you log out?
Do you destroy the session?

Try closing your browser and going back in, is the message still there?

renu-86
01-27-2010, 02:00 PM
I tried, it is still there ...
can you suggest me a code for checking the email and password for log in
i.e. in my 'users table', there are two fields, email and password, and values test@test.com and test123..

I need to log in from my webpage ..
if the entered email and password do not match with that in the database, it should display an error message and if it matches, it should log in

it will be of great help to me..

abduraooft
01-27-2010, 02:06 PM
Here's another mistake ...

if($a=mysql_fetch_array($result))

should be:

if($a==mysql_fetch_array($result))
Hi renu-86,

It appears like you've missed the above comment.

mlseim
01-27-2010, 03:00 PM
abduraooft is correct ...

my bad.

I had this in my script (post #11) .... use 2 == equal signs.

if($a=mysql_fetch_array($result))

renu-86
01-28-2010, 10:49 AM
that doesn't help..........:confused::confused:

renu-86
01-28-2010, 01:47 PM
that didn't help me....
:confused::confused:


