Help, code below won't work, keeps dying

<input name="action" type="hidden" value="login">

    <table width="90%" align="center" cellpadding="3" cellspacing="3" class="maintable">
  <tr> 
    <td colspan="3"> 
      <div align="center"><br>
                    <br>
                    <b>Enter your username and password below 
                    to access your crop insurance data.</b><br>
        <br>
      </div>
    </td>
  </tr>
  <tr> 
    <td width="62"> 
    </td>
    <td width="73"> 
                  <label for="username"><b>Username:</b></label>
                </td>
        <td width="368"> 
      <input name="username" id="username" type="text" size="30" maxlength="30">
    </td>
  </tr>
  <tr> 
    <td> 

    </td>
    <td> 
                  <label for="pass"><b>Password:</b></label>
    </td>
    <td> 
      <input name="pass" id="pass" type="password" size="30" maxlength="30" >
    </td>
  </tr>
  <tr> 
    <td>&nbsp;
	<!-- ------------------------------------------------------------------------------------------------------------------------------------------ -->
	</td>
    <td>&nbsp; </td>
    <td>
      <input name="submit" type="submit" value="Log In" >
      <br>
      <br>
    </td>
  </tr>
</table>
<?php
// Database connect:
mysql_connect("localhost", "hopkins", "hop2010")
    or die ("A database error has occurred. Unable to connect to datasource.");

import_request_variables("gP");

if (isset($_POST['action'])) {
    $action = $_POST["action"];
} else {
    $action = $_GET["action"];
}

if ($action == "login") {
    // Make sure username and password are set and not empty.
    if (isset($_POST['username']) && isset($_POST['pass'])) {
        // Query the database and authenticate the user, then set appropriate globals.
        $query = "SELECT * FROM crop_insurance.userlist where username = lower(\"".$_POST['username']."\") AND password = password(lower(\"".$_POST['pass']."\" ))";
        $result = mysql_query($query);
        $num = mysql_num_rows($result);
        if ($result) {
            while ($row = mysql_fetch_array($result)) {
                // Get id number to pass to client account data display page.
                $id = $row["id"];
            }
        }
        if ($num == 1) {
            if ( $username == "admin" ) {
                echo "";
            } else {
                echo "";
            }
        }
        if ($num < 1 ) {
            echo "
Your log in information is not valid. Please try again.
";
        }
    }
    mysql_close();
}
?>

Not really sure where you found this mess, but there are some things wrong with it.

import_request_variables("gP"); isn’t needed unless register_globals is turned off - use phpinfo() to check that.

[php]
if (isset($_POST['action']))
{
    $action = $_POST["action"];
}
else
{
    $action = $_GET["action"];
}
[/php]

is useless since you’re only using it for the login script. If it's not, then ignore my comment.

$query = "SELECT * FROM crop_insurance.userlist where username = lower(\"".$_POST['username']."\") AND password = password(lower(\"".$_POST['pass']."\" ))"; is horribly wrong - which could be why it's hanging.

needs to be

$query = "SELECT * FROM crop_insurance.userlist where username = "'.lower($_POST[username]).'" AND password = "'.password(lower($_POST[pass])).'")";

And, all that PHP needs to go on top of the HTML for it to run properly.

[php]
$query = "SELECT * FROM crop_insurance.userlist where username = "'.lower($_POST[username]).'" AND password = "'.password(lower($_POST[pass])).'")";
[/php]

This is still open to SQL injection unless the password() function fixes that. Username entry is definitely still open to SQL injection though.

Yea I figured that would be covered in whatever tutorial he was following
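
As an added example (not code from any poster in this thread), here is one way to write the login check so that submitted values are bound as data instead of being concatenated into the SQL text, with password_hash()/password_verify() in place of MySQL's PASSWORD(). It assumes PDO with an in-memory SQLite database standing in for the MySQL server; authenticate(), the password_hash column and the sample accounts are hypothetical.

```php
<?php
// Added example, not the original poster's code.
// Assumption: an in-memory SQLite database (via PDO) stands in for the MySQL
// server so the script runs offline; the table mirrors the thread's userlist.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE userlist (
    id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

// Constructed sample accounts. The second username contains a double quote,
// the character that breaks the concatenated query in the thread.
$add = $pdo->prepare('INSERT INTO userlist (username, password_hash) VALUES (?, ?)');
$add->execute(['grower1', password_hash('sample-pass-1', PASSWORD_DEFAULT)]);
$add->execute(['o"brien', password_hash('sample-pass-2', PASSWORD_DEFAULT)]);

// Hypothetical helper: returns the matching user id, or null on any failure.
function authenticate(PDO $pdo, $username, $password)
{
    // Reject missing, empty, or non-string fields (e.g. username[]=x arrays).
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return null;
    }
    // The placeholder keeps the submitted value out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM userlist WHERE username = ?');
    $stmt->execute([strtolower($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Compare against a salted hash in PHP instead of MySQL's PASSWORD().
    return password_verify($password, $row['password_hash']) ? (int) $row['id'] : null;
}

// Constructed submissions, shaped like $_POST from the login form.
$attempts = [
    ['username' => 'Grower1', 'pass' => 'sample-pass-1'],  // valid login
    ['username' => 'o"brien', 'pass' => 'sample-pass-2'],  // quote is plain data
    ['username' => 'grower1', 'pass' => 'wrong-pass'],     // bad password
    ['username' => 'grower1'],                             // field missing
];
foreach ($attempts as $post) {
    $id = authenticate($pdo, $post['username'] ?? null, $post['pass'] ?? null);
    echo json_encode($post), ' => ', $id === null ? 'rejected' : "user id $id", PHP_EOL;
}
```

Unlike the thread's query, this version lowercases only the username and leaves the password case-sensitive.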
