Re: Need Help in the below script


 



It appears that you had a missing bracket or two and you had misspelled
'WHERE' in the query.

In your code you were checking if the username and password were correct
outside of the while loop.  Even though it can be uncommon, if you have
multiple users with the same username then you would only be checking the
last result, not each row.

I changed the query to make it simpler: if you check for the username and
password to match in the query, then you only have to check for the returned
rows to see if the correct username and password were used.

I added a second query to check if the username exists but the password was
wrong.  For security purposes, when a login attempt fails, you should not
tell a user whether the username or password was correct; once they know
that one of their parameters was correct, it is much easier for them to hack
the other parameter.

You also need to be concerned about SQL injection attacks; you should always
escape any data being used in a query.
http://us.php.net/manual/en/security.database.sql-injection.php


<?php
// read the submitted form fields (empty string when a field is missing)
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

if ($username && $password)
{
    $connect = mysql_connect("localhost", "root", "") or die("couldn't connect");
    mysql_select_db("phplogin") or die("no db in the list");

    // escape data to prevent SQL injection attacks
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);

    // match username and password in the query itself
    $query = mysql_query("SELECT * FROM users WHERE username='$username' AND password = '$password';");
    $numrows = mysql_num_rows($query);

    if ($numrows == 1)
    {
        echo "you are in";
    }
    else
    {
        // second query: tells an unknown username apart from a wrong password
        $username_result = mysql_query("SELECT * FROM users WHERE username = '$username';");
        if (mysql_num_rows($username_result) == 0)
            echo "user does not exist";
        else
            echo "incorrent username and password";
    }
}
else
{
    die("please enter a username and a password");
}
?>

Hope this helps.

Thanks,

patrick



On Fri, Sep 4, 2009 at 5:07 AM, nagendra prasad <nagendra802000@xxxxxxxxx> wrote:

> Hi all,
>
> I am working on my project. I have to create a user registration page and
> a login page. I am done with the registration page, but when I tried to code
> the login page it's not working. Below is the code. Please take a look at the
> script and let me know where I am going wrong.
>
>
> <?php
>
> $username=$_POST['username'];
> $password=$_POST['password'];
>
> if($username&&$password)
> {
>
> $connect= mysql_connect("localhost","root","") or die("couldn't connect");
>
> mysql_select_db("phplogin") or die("no db in the list");
>
> $query = mysql_query("SELECT * FROM users WHEER username='$username'");
>
> $numrows = mysql_num_rows($query);
>
>
> if ($numrows!=0)
> {
> echo "user dosen't exist";
> while ($row = mysql_fetch_assoc($query))
> {
> $dbusername = $row['username'];
> $dbpassword = $row['password'];
> }
>
> if ($username==$dbusername && $password==$dbpassword)
> {
> echo "you are in";
> }
> else
> echo "incorrent username and password";
>
>
> else
>    die("user dosent exitst");
>
> }
>
> else
>
> die("please enter a username and a password");
> }
>
>
> ?>
>
>
>
> --
> Guru Prasad
> Ubuntu Voice GTK+ Forum
>
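
Added example, not part of the original thread or either poster's code: the two points from the reply above (keep user input out of the SQL text, and do not reveal whether the username or the password was wrong), shown with PDO prepared statements instead of mysql_real_escape_string. The in-memory SQLite database, the table layout, the password_hash() storage and the function names check_login and login_message are assumptions made for the illustration.

```php
<?php
// Constructed data: an in-memory SQLite database stands in for the "phplogin"
// MySQL database; storing password_hash() output is an assumption.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

function check_login(PDO $db, string $username, string $password): bool
{
    // Hash verified when the user is unknown, so both failure paths do the same work.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    // The placeholder keeps the input out of the SQL text; no escaping is needed.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();          // false when no row matches

    $ok = password_verify($password, $hash === false ? $dummy : $hash);
    return $ok && $hash !== false;
}

function login_message(PDO $db, ?string $username, ?string $password): string
{
    if ($username === null || $username === '' || $password === null || $password === '') {
        return 'please enter a username and a password';
    }
    // One message covers both "unknown user" and "wrong password".
    return check_login($db, $username, $password)
        ? 'you are in'
        : 'incorrect username or password';
}

// Constructed inputs: valid login, wrong password, unknown user, injection-style string.
$cases = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ['nobody', 'wrong'],
    ["alice' OR '1'='1", 'x'],
];
foreach ($cases as [$u, $p]) {
    printf("%-20s => %s\n", $u, login_message($db, $u, $p));
}
```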
