why won't this work?

I am trying to do a simple login page. However, even when I input a
correct user name and password, I get the "You are not authorized!"
display. If anyone could look over my code and see if anything is
incorrect that would be great! Thanks.

Here is my html form:

<HTML>

<HEAD>

<TITLE>Steering Committee Login</TITLE>
</HEAD>
<BODY>

<center><form action="login.php" method="post">
<table border=0>
<tr>
<td><strong>Username:</strong></td>
<td><input type="text" name="username" size="10" maxlength="10"></td>
</tr>
<tr>
<td><strong>Password:</strong></td>
<td><input type="password" name="password" size="10" maxlength="10"></td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="submit" value="Login">
</td>
</tr>
</table>
</form>
</center>
</body>
</html>

Here is the login.php file:

<?
include "database_info.php";

$connection = mysql_connect($server,$login,$password) or die("Couldn't
make connection.");
$db = mysql_select_db("ertcomm", $connection) or die("Couldn't select
database.");
$sql = "SELECT ID FROM login WHERE username='$username' and
password='$password'";
$sql_result = mysql_query($sql,$connection) or die("Couldn't execute
query.");
$num = mysql_numrows($sql_result);

if ($num == 1)
echo "You are now logged in!";
else if ($num == 0)
echo "You are not authorized!";

?>

May 17 '06 #1
Do you have Global Variables turned off? I believe if you do, you will
need to use $_POST['password'], not just $password and the same for
username.

May 17 '06 #2
I am not sure about global variables. Where would I check? I tried
the $_POST['password'], but it would just give me a blank screen.

$sql = "SELECT ID FROM login WHERE username=$_POST['username'] and
password=$_POST['password']";

May 17 '06 #3
Try this, I'm not sure if it will help, but it's how I'd do it:
$password = $_POST['password'];
$username = $_POST['username'];
$sql = "SELECT ID FROM login WHERE username='$username' and
password='$password'";

As for global variables, it's in the setup somewhere, I haven't changed
it personally, hopefully someone can come along and tell you how to
check it.

May 17 '06 #4
ps: also, isn't ID a special keyword? Did you try doing it as "SELECT
`id` FROM ..."

May 17 '06 #5
On Wed, 17 May 2006 11:35:21 -0700, Jessica Parker wrote:
> ps: also, isn't ID a special keyword? Did you try doing it as "SELECT `id`
> FROM ..."

No, it's certainly not. I've used it as the name of the autoincrement
field on hundreds of tables over the years...

Cheers,
Andy

--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

May 17 '06 #6
Unless you turned global variables on, it is off by default, unless you
are using a version of PHP < 4. The PHP developers turned off global
variables as the default because it provided a loophole in code that
could be used maliciously.

May 17 '06 #7
"No, it's certainly not. I've used it as the name of the autoincrement
field on hundreds of tables over the years..."

I know you can use it, but I thought you have to put the tick marks
around it. I use it as the primary key all the time, but I've had
problems in the past when I do just "SELECT id" rather than "SELECT
`id`"

Could this be MySQL related?

May 17 '06 #8
On Wed, 17 May 2006 12:26:56 -0700, Jessica Parker wrote:
> "No, it's certainly not. I've used it as the name of the autoincrement
> field on hundreds of tables over the years..."
>
> I know you can use it, but I thought you have to put the tick marks around
> it.

Nope.

> I use it as the primary key all the time, but I've had problems in the
> past when I do just "SELECT id" rather than "SELECT `id`"

What problems? Can you reproduce them now? That way we can see what the
error is and find out what was happening in your case.

> Could this be MySQL related?


Certainly not here:

mysql> select id from test;
+----+
| id |
+----+
|  1 |
+----+
1 row in set (0.00 sec)

Cheers,
Andy

--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

May 17 '06 #9
Jessica Parker wrote:
> Try this, I'm not sure if it will help, but it's how I'd do it:
> $password = $_POST['password'];
> $username = $_POST['username'];
> $sql = "SELECT ID FROM login WHERE username='$username' and
> password='$password'";


Bad. This leaves the door open for SQL injection attacks.

Please *do* escape every piece of data that will be put into a SQL query,
like this:

$password = mysql_escape_string($_POST['password']);
$username = mysql_escape_string($_POST['username']);
$sql = "SELECT ID FROM login WHERE username='$username' and
password='$password'";

d_goto: if you ever want to access an array element inside a
double-quoted string, you must put it inside curly braces, like:

$sql = " select foo from foo where username = {$array['username']} ";

Please RTFM about string variables.

--
----------------------------------
Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net

http://acm.asoc.fi.upm.es/~mr/ ; http://acm.asoc.fi.upm.es/~ivan/
MSN:i_*************************@hotmail.com
Jabber:iv*********@jabber.org ; iv*********@kdetalk.net
May 17 '06 #10
Thanks for all the input. Jessica's suggestion worked :)

$password = $_POST['password'];
$username = $_POST['username'];
$sql = "SELECT ID FROM login WHERE username='$username' and
password='$password'";

May 17 '06 #11
On Wed, 17 May 2006 21:33:17 +0200, Iván Sánchez Ortega wrote:
> Jessica Parker wrote:
>> Try this, I'm not sure if it will help, but it's how I'd do it:
>> $password = $_POST['password'];
>> $username = $_POST['username'];
>> $sql = "SELECT ID FROM login WHERE username='$username' and
>> password='$password'";
>
> Bad. This leaves the door open for SQL injection attacks.
>
> Please *do* escape every piece of data that will be put into a SQL query,
> like this:
>
> $password = mysql_escape_string($_POST['password']);
> $username = mysql_escape_string($_POST['username']);
> $sql = "SELECT ID FROM login WHERE username='$username' and
> password='$password'";


Also though, be advised it's probably a bad idea to write new code using
*deprecated functions*:

http://uk.php.net/mysql_escape_string
This function is deprecated

Instead use:

http://uk.php.net/mysql_real_escape_string

Cheers,
Andy

--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

May 17 '06 #12
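
[Added example, not part of any post in this thread.] The escaping advice above protects the query only if every value is escaped every time; bound parameters remove that dependency by keeping user input out of the SQL text. The sketch below assumes PDO with an in-memory SQLite database standing in for the thread's MySQL `login` table; the function names and sample rows are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the thread's MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE login (ID INTEGER PRIMARY KEY, username TEXT, password TEXT)");
// Constructed sample rows; passwords are plain text only because the
// thread's table compares them that way.
$pdo->exec("INSERT INTO login (username, password) VALUES ('alice', 'wonderland')");
$pdo->exec("INSERT INTO login (username, password) VALUES ('o''brien', 'shamrock')");

// The thread's pattern: request values are pasted into the SQL text, so any
// quote character in the input becomes part of the statement itself.
function login_interpolated(PDO $pdo, string $username, string $password): ?int
{
    $sql = "SELECT ID FROM login WHERE username='$username' and password='$password'";
    $id = $pdo->query($sql)->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Bound parameters: the statement is parsed once with placeholders and the
// values are sent separately, so they are always treated as data.
function login_prepared(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT ID FROM login WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $username, ':p' => $password]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Constructed inputs: a valid login, a wrong password, and a legitimate
// username that happens to contain an apostrophe.
$cases = [['alice', 'wonderland'], ['alice', 'wrong'], ["o'brien", 'shamrock']];
foreach ($cases as [$u, $p]) {
    try {
        $old = var_export(login_interpolated($pdo, $u, $p), true);
    } catch (PDOException $e) {
        $old = 'SQL error'; // the apostrophe ended the string literal early
    }
    $new = var_export(login_prepared($pdo, $u, $p), true);
    printf("%-10s interpolated=%-10s prepared=%s\n", $u, $old, $new);
}
```

The apostrophe case is the useful signal: if ordinary input can change how the statement parses, the query is built unsafely, whether or not anyone has tried to abuse it.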
Yeah, I always do the real escape string, as well as strip_tags. I have
them built into my own safe_POST() function so I forgot to include it
to help him.

Thanks for the reminder :)

May 17 '06 #13
d_****@hotmail.com wrote:
> $connection = mysql_connect($server,$login,$password) or die("Couldn't
> ...
> password='$password'";


Are you really using $password in both places?
May 18 '06 #14
If he does it after he connects, it will work. It's not the best idea,
but it will work.
He should probably change one to $pass so that he can connect again
later, right?

May 18 '06 #15
On Wed, 17 May 2006 19:15:58 -0700, Jessica Parker wrote:
> If he does it after he connects, it will work. It's not the best idea, but
> it will work.
> He should probably change one to $pass so that he can connect again later,
> right?


I think Mary's point (correct me if I'm wrong here Mary) is that he seems
to have a table set up with valid user (ID, username, password) but also
has to set up a MySQL user account for each one to connect with.

Perfectly valid, but a royal pain in the ass and probably not as intended...

Cheers,
Andy

--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

May 18 '06 #16
Andy Jeffries wrote:
> On Wed, 17 May 2006 19:15:58 -0700, Jessica Parker wrote:
>> If he does it after he connects, it will work. It's not the best idea,
>> but it will work.
>> He should probably change one to $pass so that he can connect again
>> later, right?
>
> I think Mary's point (correct me if I'm wrong here Mary) is that he seems

I was just checking that this isn't real code and that they're not using
the same variable name in two places... or doing this:

> to have a table set up with valid user (ID, username, password) but also
> has to set up a MySQL user account for each one to connect with.
>
> Perfectly valid, but a royal pain in the ass and probably not as
> intended...


Nope, but OTOH if you use the supplied username / password to make
the database connection, no further authentication is required and
they are pretty much guaranteed not to be able to get any further...
May 18 '06 #17
On Thu, 18 May 2006 12:48:38 +0000, Mary Pegg wrote:
>> to have a table set up with valid user (ID, username, password) but also
>> has to set up a MySQL user account for each one to connect with.
>>
>> Perfectly valid, but a royal pain in the ass and probably not as
>> intended...
>
> Nope, but OTOH if you use the supplied username / password to make the
> database connection, no further authentication is required and they are
> pretty much guaranteed not to be able to get any further...


True, but it's also then a pain in the ass to retrieve other attributes
relating to the logged in user (real name, DOB, email address).

Also if your database is open to the world on port 3306 (it shouldn't be,
but you never know - someone may feel they have a justifiable reason) then
you're gifting them access to be able to examine the table/database
structure.

Cheers,
Andy

--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

May 18 '06 #18
Andy Jeffries wrote:
> True, but it's also then a pain in the ass to retrieve other attributes
> relating to the logged in user (real name, DOB, email address).
>
> Also if your database is open to the world on port 3306 (it shouldn't be,
> but you never know - someone may feel they have a justifiable reason) then
> you're gifting them access to be able to examine the table/database
> structure.


Hey, I don't think it's a good idea - I'm just pointing out the
side-effects.
May 18 '06 #19
.... Simple type error...
$num = mysql_numrows($sql_result);

it's mysql_num_rows..

May 18 '06 #20
