• Learning PHP; trying to make a login system
Hello. I started learning PHP and I already "learnt" all the basics so I decided to move to something a tad more complicated - a login/posting system (registration will be later). So right now I'm making the login system, I have the form for the Username and Password, I have a database with a table with 3 fields (UserName, Password and UserID), I made myself a user with phpmyadmin. So now I'm doing "action.php" for the login form and I want it to post the inserted fields from the form, connect to the database, select all fields and compare it to the data posted in the form. Then if data is existing and correct, it will login (and that's that for now) and if not - show an error message. Here's the code I made:
[code]
<?php
$username = $_POST['username'];
$password = md5($_POST['password']);
$conn = mysql_connect("localhost", "root", "");
mysql_select_db("system");
$sql = mysql_query ("SELECT * FROM users WHERE password = '$password'");
$result = mysql_fetch_array($sql);
if($password == $result['password']) {
    echo "congrats! you have logged in!";
} else { echo "WRONG!";}
?>
[/code]
But it says there is an error in the "if" line. The problem is I have no idea in what order all these commands have to be, so I'm guessing that's my problem. Also, the error from the "if" line is: [quote]Notice: Undefined index: password in C:\wamp\www\action.php on line 8[/quote] So that's it. Thanks for help. P.S. Ignore the mysql_connect with root :P The server is on my pc and you can't access it from the internet..
Why would you test the password? I would check to see if there is a username in the table and then fetch that row and compare passwords md5()'d. You're getting an undefined index because there probably isn't a 'password' in the array. Do this: print_r($result); and post the results.
Also, [b]always[/b] use mysql_real_escape_string() on user supplied data, or else cool guys can insert their own SQL code and - among other naughty things - login as anyone.
Thanks for answers. I'm not at home right now, so I'll try that command Saturday when I'm back.
[QUOTE=turb_;20680416]Also, [b]always[/b] use mysql_real_escape_string() on user supplied data, or else cool guys can insert their own SQL code and - among other naughty things - login as anyone[/QUOTE] You reminded me of an xkcd issue. [url=http://xkcd.com/327/][img]http://imgs.xkcd.com/comics/exploits_of_a_mom.png[/img][/url] But yeah, always a good idea to use mysql_real_escape_string()... I've had issues with that function in the past though, I found workarounds but it was probably just an issue with the server.
[QUOTE=<ToD> Aaron;20696730]You reminded me of an xkcd issue. [url=http://xkcd.com/327/][img]http://imgs.xkcd.com/comics/exploits_of_a_mom.png[/img][/url][/QUOTE] haha - that's brilliant!
[QUOTE=andersonmat;20680382]Why would you test the password? I would check to see if there is a username in the table and then fetch that row and compare passwords md5()'d. You're getting an undefined index because there probably isn't a 'password' in the array. Do this: print_r($result); and post the results.[/QUOTE] This is what I get:
[code]
(
    [0] => Crembo
    [UserName] => Crembo
    [1] => 854c7c161f81a93aaaed0cf04991c493
    [Password] => 854c7c161f81a93aaaed0cf04991c493
    [2] => 1
    [UserID] => 1
)
[/code]
Interesting thing is, I get this only when the password is correct. When I type in the wrong password, all it says is "WRONG!" (just like in the if...) without the error. EDIT: What the hell... I just changed if($password == $result['[b]p[/b]assword']) to if($password == $result['[b]P[/b]assword']) and it works.. What is this shit? :| EDIT2: Also, how do I use the "mysql_real_escape_string()" command? Where am I supposed to put it?
That was your problem: it was Password, not password. [editline]11:07AM[/editline] mysql_real_escape_string() would be used around the input.
php is case sensitive, as is anything on real computers... unix etc. :P
Ahm, I guess my PHP knowledge is not enough to understand how to use it. Maybe you could post an example? Tried googling but haven't found any good, understandable example... EDIT: Actually, I guess using logic is required for PHP (unlike HTML) so I just used it and voilà, mysql_real_escape_string() works. But I need a bit more help. How can I make it check both password and username? At the moment the username can be anything, and if the pass is correct it just logs in.
[php]$sql = mysql_query ("SELECT * FROM users WHERE password = '$password' AND username = '$username'");[/php] And then you can check if there was something with those values by
[php]
if(mysql_num_rows($sql) > 0){
    // user exists!
} else {
    //user doesn't exist!
}
[/php]
Great, I've got the password and username check working, but I can't really understand the if... command you wrote there. I tried putting it after my if... command but it doesn't work.
What do you mean it doesn't work? What error does it give you? And post your current code.
Well, code without the if... you wrote:
[php]
<?php
$username = $_POST['username'];
$password = md5($_POST['password']);
$conn = mysql_connect("localhost", "root", "");
mysql_real_escape_string($username);
mysql_real_escape_string($password);
mysql_select_db("system");
$sql = mysql_query ("SELECT * FROM users WHERE password = '$password' AND username = '$username'");
$result = mysql_fetch_array($sql);
if($password == $result['Password'] AND $username == $result['UserName']) {
    echo "congrats! you have logged in!";
} else { echo "WRONG!";};
mysql_close($conn);
?>
[/php]
Where is your if... supposed to be? If I leave it exactly how you wrote it, nothing changes. If I change your if.. to this:
[php]
if(mysql_num_rows($sql) > 0){ (
    echo ("User exists")
} else {
    echo ("User doesn't exist")
}
[/php]
(I added the code after "else { echo "WRONG!";};") It comes up with this error:
[code]
Parse error: parse error in C:\wamp\www\action.php on line 13
[/code]
Also, thanks for the help and sorry for being annoying with all the questions :P
Try this
[php]
<?php
$conn = mysql_connect("localhost", "root", "");
mysql_select_db("system", $conn);
$username = mysql_real_escape_string($_POST['username']);
$password = md5($_POST['password']);
$sql = mysql_query("SELECT * FROM `users` WHERE `users`.`UserName`='". $username ."' LIMIT 1");
$result = mysql_fetch_array($sql);
if($password == $result['Password']){
    echo "You have sucessfully logged in.";
} else{
    echo "Username or Password was wrong.";
}
mysql_close($conn);
?>
[/php]
Won't this do exactly the same what my code correctly does? If not, could you explain what you changed and why? I can see a few code differences but I don't understand why you did them.
You have to set the newly escaped string to a variable or it's pointless. Use google and get a fucking book. We're not here to spoon feed you code and fix your broken code. I'm not being an asshole, just telling you that you can always find your answers with a little time and determination. By us giving you code, it won't teach you anything.
Jeez no need to be so aggressive... Guess I'm out of here, thanks for the help anyway.
I'm telling you that you need to learn how to program. If we give you code, you aren't learning anything.
Actually, I am learning. If you give me a code, I try to understand it. Otherwise I wouldn't ask "why you changed that" etc. Yes, I agree that if I would just copy what you write I wouldn't learn anything, but I am not and that's the point.
[QUOTE=<ToD> Aaron;20696730]You reminded me of an xkcd issue. [url=http://xkcd.com/327/][img]http://imgs.xkcd.com/comics/exploits_of_a_mom.png[/img][/url] But yeah, always a good idea to use mysql_real_escape_string()... I've had issues with that function in the past though, I found workarounds but it was probably just an issue with the server.[/QUOTE] A client we were working for suddenly got a boner for privacy one day and announced that whenever we downloaded any databases to work on said client's site we had to run an anonymising script on it that they provided. It was after we ran the script the first time, we noticed that the developer had set it so every member's name was set to "Bobby Tables". We lol'd. Also he's not being an ass, the main concern here is not that you will just reuse the code, but you're only trying to teach yourself the solution to one problem. Great, you could study the fuck out of this thread, you could make functioning login scripts until the sun comes down. But you're still going to suck at the next thing you want to do, and then you're going to come back. It's not an efficient way to learn, a book will be expensive, but consider it an investment in your future. Chew through the whole thing, trying all the convoluted examples they offer and you'll have a much better core understanding of the language rather than trying to understand the language problem by problem.
Actually, I have a book, but it doesn't help me at all. I tried using it for making an insert command using a form and it didn't help me at all. There is some kind of insert command in this book, but it doesn't even work properly. I got the command to work only after googling. So it's either the book or me not knowing how to use it properly. Anyway, for my other troubles I guess I'll have to ask other people..
[QUOTE=Crhem van der B;20723237]Won't this do exactly the same what my code correctly does? If not, could you explain what you changed and why? I can see a few code differences but I don't understand why you did them.[/QUOTE]
[php]
<?php
$conn = mysql_connect("localhost", "root", "");
mysql_select_db("system", $conn);
$username = mysql_real_escape_string($_POST['username']);
$password = md5($_POST['password']);
$sql = mysql_query("SELECT * FROM `users` WHERE `users`.`UserName`='". $username ."' LIMIT 1");
$result = mysql_fetch_array($sql);
if($password == $result['Password']){
    echo "You have sucessfully logged in.";
} else{
    echo "Username or Password was wrong.";
}
mysql_close($conn);
?>
[/php]
I pretty much just cleaned it up a bit. $username = $_POST['username']; mysql_real_escape_string($username); became: $username = mysql_real_escape_string($_POST['username']); Added ` to your query. You want to use them around column names because if you have a column named "where" for example and you try doing something like "SELECT * FROM `table` WHERE where='location'" you're going to get an SQL error, so if you do "SELECT * FROM `table` WHERE `where`='location'" it will work perfectly fine. Changed your if/else statement because it's kinda pointless to do "WHERE username='$username' AND password='$password'" and then compare the exact same data in an if/else. So I left the script to check both username and password but the if/else checks the password. Another way you could do it would be to do your query like this "SELECT COUNT(*) FROM users WHERE password = '$password' AND username = '$username'" and then check if it comes up with a user with something like: $result = mysql_fetch_array($sql); $count = $result[0];
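Added example, not written by any poster in this thread: the same login check with PDO prepared statements in place of mysql_real_escape_string(), and password_hash()/password_verify() in place of md5(). The mysql_* functions used above were removed in PHP 7.0. The table and column names follow the thread; the in-memory SQLite database, the sample user and password, and the function name check_login() are assumptions made so the block runs on its own.

```php
<?php
// Constructed test database (assumes the pdo_sqlite extension is available).
// Against MySQL only the DSN changes, e.g. 'mysql:host=localhost;dbname=system'.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    UserID   INTEGER PRIMARY KEY,
    UserName TEXT NOT NULL UNIQUE,
    Password TEXT NOT NULL
)');

// Store a salted, deliberately slow hash rather than a bare md5() digest.
// The user name comes from the thread; the password is a constructed sample.
$insert = $db->prepare('INSERT INTO users (UserName, Password) VALUES (:name, :hash)');
$insert->execute([
    ':name' => 'Crembo',
    ':hash' => password_hash('correct horse', PASSWORD_DEFAULT),
]);

// Hypothetical helper: returns true only when the user exists and the password matches.
function check_login(PDO $db, string $username, string $password): bool
{
    // The value is sent separately from the SQL text, so quote characters in
    // $username are compared as data and cannot alter the statement.
    $stmt = $db->prepare('SELECT Password FROM users WHERE UserName = :name LIMIT 1');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when no row matched. Array keys are case-sensitive:
    // the column is 'Password', not 'password' (the notice from the first post).
    return $row !== false && password_verify($password, $row['Password']);
}

// Constructed inputs: valid credentials, a wrong password, and a user name
// containing quote characters.
$attempts = [
    ['Crembo', 'correct horse'],
    ['Crembo', 'wrong'],
    ["Crembo' OR '1'='1", 'anything'],
];
foreach ($attempts as [$name, $pass]) {
    // One message for every failure, so the reply does not reveal which field was wrong.
    echo check_login($db, $name, $pass)
        ? "You have successfully logged in.\n"
        : "Username or Password was wrong.\n";
}
```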
[QUOTE=Crhem van der B;20724385]So it's either the book or me not knowing how to use it properly[/QUOTE] take a guess