OK; this is rather strange. The new code works perfectly. For one user. New users I create are still unable to use this login box; the problem is the same as before.
$query = "SELECT user_id, username FROM mismatch_user WHERE username = '$user_username' AND password = SHA('$user_password')";
For some reason, though, I don't think those variables are being cleared from their original values (which would have been the user jimi and the password heyjoe).
Would clearing the variables at the end of the script fix this problem?
No, variables are discarded at the end of the script run unless it's a session variable.
Post the entire block you are using for this now. It is also possible that you are running on a cached page, which can be gotten around by simply adding a unique querystring: t=as3939 for example. Anytime the querystring changes, the page is no longer cached.
This is what my login.php file currently looks like:
PHP Code:
<?php
require_once('connectvars.php');

// Some server setups pass the raw Authorization header instead of PHP_AUTH_USER/PHP_AUTH_PW
if (isset($_SERVER['HTTP_AUTHORIZATION']))
{
    // Limit of 2: split on the first colon only, so a password containing ':' is not cut short
    list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);
}

if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
    // The username/password weren't entered so send the authentication headers
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Mismatch"');
    exit('<h3>Mismatch</h3>Sorry, you must enter your username and password to log in and access this page. If you ' .
        'aren\'t a registered member, please <a href="signup.php">sign up</a>.');
}

// Connect to the database
$dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

// Grab the user-entered log-in data
$user_username = mysqli_real_escape_string($dbc, trim($_SERVER['PHP_AUTH_USER']));
$user_password = mysqli_real_escape_string($dbc, trim($_SERVER['PHP_AUTH_PW']));

// Look up the username and password in the database
$query = "SELECT user_id, username FROM mismatch_user WHERE username = '$user_username' AND password = SHA('$user_password')";
$data = mysqli_query($dbc, $query);

if (mysqli_num_rows($data) == 1) {
    // The log-in is OK so set the user ID and username variables
    $row = mysqli_fetch_array($data);
    $user_id = $row['user_id'];
    $username = $row['username'];
}
else {
    // The username/password are incorrect so send the authentication headers
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Mismatch"');
    exit('<h2>Mismatch</h2>Sorry, you must enter a valid username and password to log in and access this page. If you ' .
        'aren\'t a registered member, please <a href="signup.php">sign up</a>.');
}

// Confirm the successful log-in (escape the stored username before writing it into HTML)
echo('<p class="login">You are logged in as ' . htmlspecialchars($username) . '.</p>');
?>
else {
    // The username/password are incorrect so send the authentication headers
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Mismatch"');
    exit('<h2>Mismatch</h2>Sorry, you must enter a valid username and password to log in and access this page. If you ' .
        'aren\'t a registered member, please <a href="signup.php">sign up</a>.');
}
And print out the results of $query after it's been declared. Copy that out and run it manually against the database using a tool or just a command line interface. Does that produce results?
You can also try simply selecting on the where for the username, and visually comparing the passwords. More often than not I find that the password is causing the issues when it comes to authentication rather than anything else, but it all depends on what you have done to generate the password in the first place.
Hm. I'm not getting any results from running this manually in PHPmyAdmin. So is it the SHA encryption that's fouling things up?
It could be, how did you create the users for this?
Try pulling with just the username and comparing the results (you can do that in PHPMyAdmin). Query for the password as well, and see if it matches a SHA call of the same (using a SELECT username, password, SHA('yourinputpassword') FROM yourtable WHERE username='providedusername').
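An added example, not code posted by anyone in this thread: the comparison suggested above as a PHP helper that classifies why a stored value fails to match SHA() of the entered password, together with a Basic-auth header split on the first colon only. The function names and sample rows are constructed, and the 16-character column is an assumed scenario, not something the thread establishes.

```php
<?php
// Added example: helper names and sample values are constructed for illustration.

// Split a Basic Authorization header into [user, password], or null if malformed.
function parse_basic_auth(string $header): ?array
{
    if (stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Limit 2: only the first colon separates the fields; a password may contain more.
    return explode(':', $decoded, 2);
}

// Explain why a stored value does not match SHA('$password') from the login query.
function diagnose_stored_hash(string $stored, string $password): string
{
    $expected = sha1($password); // same 40-character lowercase hex digest as MySQL SHA()
    if ($stored === $expected) {
        return 'match';
    }
    if ($stored === $password) {
        return 'plaintext: password was stored without SHA() at signup';
    }
    if ($stored !== '' && strlen($stored) < 40 && strpos($expected, strtolower($stored)) === 0) {
        return 'truncated: column holds ' . strlen($stored) . ' of 40 characters';
    }
    return 'different: signup hashed other input or used another function';
}

// Constructed sample data (not from the thread's database).
$header = 'Basic ' . base64_encode('newuser:pa:ss');
[$user, $pass] = parse_basic_auth($header);
$rows = [
    'full hash'   => sha1($pass),
    'VARCHAR(16)' => substr(sha1($pass), 0, 16), // assumed too-short password column
    'plaintext'   => $pass,
];
foreach ($rows as $label => $stored) {
    echo $label, ': ', diagnose_stored_hash($stored, $pass), PHP_EOL;
}
```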
That would be modified in the httpd.conf, but now that I think of it that should only apply if you're using an htpasswd file which defeats the purpose of using PHP at all.
Wait, are you on an IIS or Apache server? Run this and post the results, use whatever you want for the username and password, preferably something that doesn't authenticate:
PHP Code:
<?php
session_start();

// On the first request only, challenge the browser for Basic credentials
if (!isset($_SESSION['hastried']))
{
    $_SESSION['hastried'] = true;
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Log In"');
    die('Log in required.');
}
?>
Hi, I have the same problem, and I tried this code; the result is 'Log in required'. Then I added a .htaccess file, but it does not work. Now what should I do? Thank you very much.