<?php
// Database connection file
require_once("includefiles/dbconnection.php");
$un=isset($_POST['username']) ? $_POST['username'] : "";
$pw=isset($_POST['password']) ? $_POST['password'] : "";
echo "Hellooooooo!!!!!!!!!!!!".$un." ".$pw;
// Form submitted?
if($_SERVER['REQUEST_METHOD'] == "POST"){
$errors = array();
// Validate form
foreach($_POST as $key => $value){
if(empty($value)){
$errors[$key] = $key . " was empty";
}
}
// If no errors, continue
if(count($errors) == 0){
$sql = sprintf("SELECT usergroup AS success FROM {$dbTable} WHERE username='%s' AND password=MD5('%s')", $un, $pw; extract(mysql_fetch_assoc(mysql_query($sql)));
//echo $sql;
// If this is not set, there was an error
if(!isset($success)){
$errors[] = "that username and password combination are incorrect";
}else{
// Remember me?
if(isset($_POST['remember'])){
setcookie("login", $_POST['username'] . ":" . $success, time() + (3600 * 24 * 30)); // store for 30 days
}
// Log the user in
$_SESSION['login'] = true;
$_SESSION['username'] = $_POST['username'];
$_SESSION['group'] = $success;
$_SESSION['just_logged_in'] = true; // to display a message
// Redirect back to the main page
$redirect = true;
unset($errors);
}
}
}else{
// The form was not submitted, so they shouldn't be here
$redirect = true;
}
// Redirect if needed
if(isset($redirect)){
header("Location: " . $baseURL);
exit;
}
include("login-form.php");
?>
But this page shows blank.
__________________
Compare bible texts (and other tools): TheWheelofGod
First of all, any script that uses SESSION, but start like this:
<?php
session_start();
Your blank page indicates you have a PHP script error, but your error
reporting is turned off, so it won't tell you what is wrong.
I would change the top part of your script to this ....
<?php
session_start();
error_reporting(E_ALL);
.
Should be
PHP Code:
$sql = sprintf("SELECT usergroup AS success FROM {$dbTable} WHERE username='%s' AND password=MD5('%s')"
, mysql_real_escape_string($_POST['username']), $_POST['password']);
extract(mysql_fetch_assoc(mysql_query($sql)));
echo $sql;
__________________
Compare bible texts (and other tools): TheWheelofGod
What does your last post mean?
That you found the problem, or you are asking about it?
It doesn't solve the problem but the original code was:
PHP Code:
$sql = sprintf("SELECT usergroup AS success FROM {$dbTable} WHERE username='%s' AND password=MD5('%s')" , mysql_real_escape_string($_POST['username']), $_POST['password']); extract(mysql_fetch_assoc(mysql_query($sql))); echo $sql;
instead of
PHP Code:
$sql = sprintf("SELECT usergroup AS success FROM {$dbTable} WHERE username='%s' AND password=MD5('%s')", $un, $pw; extract(mysql_fetch_assoc(mysql_query($sql)));
I thought that was the error because it was in a bracket so I removed the ; and skipped a line. But that made it worse. I declared the $un and $pw to the $_POST above as well.
__________________
Compare bible texts (and other tools): TheWheelofGod
Last edited by gilgalbiblewhee; 05-26-2011 at 08:02 PM..
gilgalbiblewhee, turn on error reporting or check the error log so you can see the what is causing the problem. You should also be hashing the password using PHP's md5() instead of passing the raw string to MySQL. You are open to SQL injection with the way you have it now.
Quote:
Originally Posted by mlseim
I've never seen a query request using sprintf ... that's a new one for me.
sprintf() just formats the string. It's similar to do prepared statements in that you use placeholders and can limit the input to types, but you still have to execute the query.
gilgalbiblewhee, turn on error reporting or check the error log so you can see the what is causing the problem. You should also be hashing the password using PHP's md5() instead of passing the raw string to MySQL. You are open to SQL injection with the way you have it now.
sprintf() just formats the string. It's similar to do prepared statements in that you use placeholders and can limit the input to types, but you still have to execute the query.
Ok. Turning on the errors shows the following:
Quote:
Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in ...\login.php on line 22
Warning: extract() expects parameter 1 to be array, null given in ... \login.php on line 22
Line 22 is:
PHP Code:
$sql = sprintf("SELECT usergroup AS success FROM {$dbTable} WHERE username='%s' AND password=MD5('%s')" , mysql_real_escape_string($_POST['username']), $_POST['password']); extract(mysql_fetch_assoc(mysql_query($sql)));//line 22 echo $sql;
...and the password is md5ed:
Quote:
$sql = sprintf("SELECT usergroup AS success FROM {$dbTable} WHERE username='%s' AND password=MD5('%s')"
, mysql_real_escape_string($_POST['username']), $_POST['password']);
extract(mysql_fetch_assoc(mysql_query($sql)));//line 22
echo $sql;
__________________
Compare bible texts (and other tools): TheWheelofGod
Last edited by gilgalbiblewhee; 05-27-2011 at 01:53 AM..
Your query failed, find out why. What is the value of $sql after the sprintf line?
Quote:
Originally Posted by gilgalbiblewhee
...and the password is md5ed:
Yeah, but if you read my message I state that you should do it in PHP instead of MySQL because you are passing the raw string to MySQL to be hashed, which leaves you open to SQL injection.
Before you post, read our: 
