why won't this work?
I am trying to do a simple login page. However, even when I input a
correct user name and password, I get the "You are not authorized!"
display. If anyone could look over my code and see if anything is
incorrect that would be great! Thanks.
Here is my html form:
<HTML>
<HEAD>
<TITLE>Steering Committee Login</TITLE>
</HEAD>
<body>
<center><form action="login.php" method="post">
<table border=0>
<tr>
<td><strong>Username:</strong></td>
<td><input type="text" name="username" size="10" maxlength="10"></td>
</tr>
<tr>
<td><strong>Password:</strong></td>
<td><input type="password" name="password" size="10" maxlength="10"></td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="submit" value="Login">
</td>
</tr>
</table>
</form>
</center>
</body>
</html>
Here is the login.php file:
<?php
include "database_info.php";
// $server, $login and $password are expected to be defined in database_info.php
$connection = mysql_connect($server, $login, $password) or die("Couldn't make connection.");
$db = mysql_select_db("ertcomm", $connection) or die("Couldn't select database.");
// $username and $password are expected to hold the submitted form fields
$sql = "SELECT ID FROM login WHERE username='$username' and password='$password'";
$sql_result = mysql_query($sql, $connection) or die("Couldn't execute query.");
$num = mysql_numrows($sql_result);
if ($num == 1)
    echo "You are now logged in!";
else if ($num == 0)
    echo "You are not authorized!";
?>

re: why won't this work?
Do you have Global Variables turned off? I believe if you do, you will
need to use $_POST['password'], not just $password, and the same for
username.

re: why won't this work?
I am not sure about global variables. Where would I check? I tried
the $_POST['password'], but it would just give me a blank screen.
$sql = "SELECT ID FROM login WHERE username=$_POST['username'] and password=$_POST['password']";

re: why won't this work?
Try this, I'm not sure if it will help, but it's how I'd do it:
$password = $_POST['password'];
$username = $_POST['username'];
$sql = "SELECT ID FROM login WHERE username='$username' and password='$password'";
As for global variables, it's in the setup somewhere, I haven't changed
it personally, hopefully someone can come along and tell you how to
check it.

re: why won't this work?
ps: also, isn't ID a special keyword? Did you try doing it as "SELECT
`id` FROM ..."

re: why won't this work?
On Wed, 17 May 2006 11:35:21 -0700, Jessica Parker wrote:
> ps: also, isn't ID a special keyword? Did you try doing it as "SELECT `id`
> FROM ..."
No, it's certainly not. I've used it as the name of the autoincrement
field on hundreds of tables over the years...
Cheers,
Andy
--
Andy Jeffries MBCS CITP ZCE
gPHPEdit Lead Developer http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

re: why won't this work?
Unless you turned global variables on, it is off by default, unless you
are using a version of PHP < 4. The PHP developers turned off global
variables as the default because it provided a loophole in code that
could be used maliciously.

re: why won't this work?
"No, it's certainly not. I've used it as the name of the autoincrement
field on hundreds of tables over the years..."
I know you can use it, but I thought you have to put the tick marks
around it. I use it as the primary key all the time, but I've had
problems in the past when I do just "SELECT id" rather than "SELECT
`id`"
Could this be MySQL related?

re: why won't this work?
On Wed, 17 May 2006 12:26:56 -0700, Jessica Parker wrote:
> "No, it's certainly not. I've used it as the name of the autoincrement
> field on hundreds of tables over the years..."
>
> I know you can use it, but I thought you have to put the tick marks around
> it.
Nope.
> I use it as the primary key all the time, but I've had problems in the
> past when I do just "SELECT id" rather than "SELECT `id`"
What problems? Can you reproduce them now? That way we can see what the
error is and find out what was happening in your case.
> Could this be MySQL related?
Certainly not here:
mysql> select id from test;
+----+
| id |
+----+
|  1 |
+----+
1 row in set (0.00 sec)
Cheers,
Andy

re: why won't this work?
Jessica Parker wrote:
> Try this, I'm not sure if it will help, but it's how I'd do it:
> $password = $_POST['password'];
> $username = $_POST['username'];
> $sql = "SELECT ID FROM login WHERE username='$username' and
> password='$password'";
Bad. This leaves the door open for SQL injection attacks.
Please *do* escape every piece of data that will be put into a SQL query,
like this:
$password = mysql_escape_string($_POST['password']);
$username = mysql_escape_string($_POST['username']);
$sql = "SELECT ID FROM login WHERE username='$username' and password='$password'";
d_goto: if you ever want to access an array element inside a
double-quoted string, you must put it inside curly braces, like:
$sql = " select foo from foo where username = {$array['username']} ";
Please RTFM about string variables.
--
----------------------------------
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net
http://acm.asoc.fi.upm.es/~mr/ ; http://acm.asoc.fi.upm.es/~ivan/
MSN:i_eat_s_p_a_m_for_breakfast@hotmail.com
Jabber:ivansanchez@jabber.org ; ivansanchez@kdetalk.net

re: why won't this work?
Thanks for all the input. Jessica's suggestion worked :)
$password = $_POST['password'];
$username = $_POST['username'];
$sql = "SELECT ID FROM login WHERE username='$username' and password='$password'";

re: why won't this work?
On Wed, 17 May 2006 21:33:17 +0200, Iván Sánchez Ortega wrote:
> Jessica Parker wrote:
>> Try this, I'm not sure if it will help, but it's how I'd do it:
>> $password = $_POST['password'];
>> $username = $_POST['username'];
>> $sql = "SELECT ID FROM login WHERE username='$username' and
>> password='$password'";
>
> Bad. This leaves the door open for SQL injection attacks.
>
> Please *do* escape every piece of data that will be put into a SQL query,
> like this:
>
> $password = mysql_escape_string($_POST['password']);
> $username = mysql_escape_string($_POST['username']);
> $sql = "SELECT ID FROM login WHERE username='$username' and password='$password'";
Also though, be advised it's probably a bad idea to write new code using
*deprecated functions*: http://uk.php.net/mysql_escape_string
This function is deprecated
Instead use: http://uk.php.net/mysql_real_escape_string
Cheers,
Andy
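The thread arrives at escaping by hand, first mysql_escape_string and then mysql_real_escape_string. The same login written with the input bound as a query parameter removes the need for escaping altogether, and also fixes the two other problems raised above: it reads the form fields explicitly from $_POST instead of relying on register_globals, and it keeps the database credential and the submitted password in differently named variables. This is an added example, not code from the thread or from any of its posters. It assumes PHP 5.5 or later with the mysqli extension, a database_info.php that defines $server, $login and $db_password (the thread's file defines $password, which collides with the form field), and that the login table's password column holds a password_hash() value rather than the plaintext the thread's table appears to store.

```php
<?php
// Added example, not the original poster's login.php and not code from any
// poster in this thread. Assumptions not in the thread: PHP 5.5+ with mysqli;
// database_info.php defines $server, $login and $db_password; the `login`
// table's password column stores a password_hash() value, not plaintext.

include "database_info.php";   // assumed to define $server, $login, $db_password

// One-time step when an account is created (assumed; the thread's table keeps
// the password as typed): store the bcrypt hash, never the plaintext.
function make_password_hash($plain_password)
{
    return password_hash($plain_password, PASSWORD_DEFAULT);
}

// Read the form fields explicitly. With register_globals off (the default),
// $username and $password are never created automatically, which is why the
// original script never matched a row.
$username = isset($_POST['username']) ? (string) $_POST['username'] : '';
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';

// Match the form's maxlength and reject empty fields before touching the database.
if ($username === '' || $password === '' || strlen($username) > 10) {
    echo "You are not authorized!";
    exit;
}

$mysqli = new mysqli($server, $login, $db_password, "ertcomm");
if ($mysqli->connect_error) {
    // Keep connection details in the server log; do not echo them to the browser.
    error_log("DB connect failed: " . $mysqli->connect_error);
    echo "Login is temporarily unavailable.";
    exit;
}

// Prepared statement: the ? placeholder is bound to $username by the driver, so
// nothing is quoted or escaped in PHP and no curly-brace interpolation is
// needed. Only the username is looked up; the password is checked below.
$stmt = $mysqli->prepare("SELECT ID, password FROM login WHERE username = ?");
if ($stmt === false) {
    error_log("prepare failed: " . $mysqli->error);
    echo "Login is temporarily unavailable.";
    exit;
}
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->bind_result($id, $stored_hash);
$found = ($stmt->fetch() === true);
$stmt->close();
$mysqli->close();

// password_verify() compares the submitted password against the stored hash
// without leaking timing. Unknown user and wrong password give the same
// answer, so the response does not reveal which usernames exist.
if ($found && password_verify($password, $stored_hash)) {
    session_start();
    session_regenerate_id(true);   // fresh session id on login, against session fixation
    $_SESSION['user_id'] = $id;
    echo "You are now logged in!";
} else {
    echo "You are not authorized!";
}
```

Two design points worth noting. The password never enters the SQL at all: the query fetches the stored hash for the given username and the comparison happens in PHP, so there is nothing for a quote in the password field to break. And because the username travels as a bound parameter, the escaping functions the thread debates are not called anywhere; the old mysql_* extension they belong to was removed in PHP 7.0, so code started on mysqli or PDO prepared statements does not need rewriting later.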
re: why won't this work?
Yeah, I always do the real escape string, as well as strip_tags. I have
them built into my own safe_POST() function so I forgot to include it
to help him.
Thanks for the reminder :)

re: why won't this work?
d_goto@hotmail.com wrote:
> $connection = mysql_connect($server,$login,$password) or die("Couldn't
>...
> password='$password'";
Are you really using $password in both places?

re: why won't this work?
If he does it after he connects, it will work. It's not the best idea,
but it will work.
He should probably change one to $pass so that he can connect again
later, right?

re: why won't this work?
On Wed, 17 May 2006 19:15:58 -0700, Jessica Parker wrote:
> If he does it after he connects, it will work. It's not the best idea, but
> it will work.
> He should probably change one to $pass so that he can connect again later,
> right?
I think Mary's point (correct me if I'm wrong here Mary) is that he seems
to have a table set up with valid users (ID, username, password) but also
has to set up a MySQL user account for each one to connect with.
Perfectly valid, but a royal pain in the ass and probably not as intended...
Cheers,
Andy

re: why won't this work?
Andy Jeffries wrote:
> On Wed, 17 May 2006 19:15:58 -0700, Jessica Parker wrote:
>> If he does it after he connects, it will work. It's not the best idea,
>> but it will work.
>> He should probably change one to $pass so that he can connect again
>> later, right?
>
> I think Mary's point (correct me if I'm wrong here Mary) is that he seems
I was just checking that this isn't real code and that they're not using
the same variable name in two places... or doing this:
> to have a table set up with valid user (ID, username, password) but also
> has to set up a MySQL user account for each one to connect with.
>
> Perfectly valid, but a royal pain in the ass and probably not as
> intended...
Nope, but OTOH if you use the supplied username / password to make
the database connection, no further authentication is required and
they are pretty much guaranteed not to be able to get any further...

re: why won't this work?
On Thu, 18 May 2006 12:48:38 +0000, Mary Pegg wrote:
>> to have a table set up with valid user (ID, username, password) but also
>> has to set up a MySQL user account for each one to connect with.
>>
>> Perfectly valid, but a royal pain in the ass and probably not as
>> intended...
>
> Nope, but OTOH if you use the supplied username / password to make the
> database connection, no further authentication is required and they are
> pretty much guaranteed not to be able to get any further...
True, but it's also then a pain in the ass to retrieve other attributes
relating to the logged in user (real name, DOB, email address).
Also if your database is open to the world on port 3306 (it shouldn't be,
but you never know - someone may feel they have a justifiable reason) then
you're gifting them access to be able to examine the table/database
structure.
Cheers,
Andy

re: why won't this work?
Andy Jeffries wrote:
> True, but it's also then a pain in the ass to retrieve other attributes
> relating to the logged in user (real name, DOB, email address).
>
> Also if your database is open to the world on port 3306 (it shouldn't be,
> but you never know - someone may feel they have a justifiable reason) then
> you're gifting them access to be able to examine the table/database
> structure.
Hey, I don't think it's a good idea - I'm just pointing out the
side-effects.

re: why won't this work?
.... Simple typo...
$num = mysql_numrows($sql_result);
it's mysql_num_rows..