Website code

Christopher · October 19, 2012, 12:03am

its like so close i can feel it, same message tho! D:
[php]<?php
session_start();

$username = $_POST[‘username’];
$password = $_POST[‘password’];
$con = mysql_connect(“127.0.0.1”,“AdminChris”,“mobile”);
mysql_select_db(‘Users’, $con) or die(“Unable to select database”);
if (!$con) {
die(‘Could not connect: ’ . mysql_error());
} else {
echo “Connected to Database”;
}
$sql = "SELECT * FROM Main WHERE username=’$username’";
$query = mysql_query($sql, $con) or die(mysql_error($con));;
$numrows = mysql_num_rows($query);
if($numrows !=0) {
while ($rows = mysql_fetch_array($query)) {
$dbusername = $row [‘username’];
$dbpassword = $row [‘password’];
if (($username==$dbusername) && ($password==$dbpassword)) {
$_SESSION[‘username’]=$dbusername;
echo (“Login Succesful”);

     } else {
           die ("Login Unsuccessful");
     }
}

} else {
die (“please enter user and pass”);
}
?>
[/php]

ttbakiatwoam · October 19, 2012, 12:06am

[php]$sql = “SELECT * FROM Main WHERE username=’$username’”;
[/php] to [php]$sql = “SELECT * FROM Main WHERE Main.username=’$username’”;
[/php]

Christopher · October 19, 2012, 12:08am

same result D:

ttbakiatwoam · October 19, 2012, 12:10am

ok i have to go at this point but if you want to skype me you can my info should be in the message I sent you yesterday. I would verify that your sql query is written correctly. IE you can type it directly into the database and get a result sometimes they are picky.

Christopher · October 19, 2012, 1:02am

Login Form:

[php]

Login
Username	:
Password	:

[/php]

Login in request:

[php]<?php
session_start();

$username = $_REQUEST[‘username’];
$password = $_REQUEST[‘password’];
$con = mysql_connect(“127.0.0.1”,“AdminChris”,“mobile”);
mysql_select_db(‘Users’, $con) or die(“Unable to select database”);
if (!$con) {
die('Could not connect: ’ . mysql_error());
} else {
echo “Connected to Database”;
}
$sql = “SELECT * FROM Main WHERE username = ‘$username’”;
$query = mysql_query($sql, $con) or die(mysql_error($con));;
$numrows = mysql_num_rows($query);
if($numrows !=0) {
while ($rows = mysql_fetch_array($query)) {
$dbusername = $row [‘username’];
$dbpassword = $row [‘password’];
if (($username==$dbusername) && ($password==$dbpassword)) {
$_SESSION[‘username’]=$dbusername;
echo (“Login Succesful”);

     } else {
           die ("Login Unsuccessful");
     }
}

} else {
die (“please enter user and pass”);
}
?>
[/php]

ttbakiatwoam · October 19, 2012, 1:21am

minor changes but give it a shot
[php]<?php
session_start();

$username = $_REQUEST[‘username’];
$password = $_REQUEST[‘password’];
$con = mysql_connect(“127.0.0.1”,“AdminChris”,“mobile”);
mysql_select_db(‘Users’, $con) or die(“Unable to select database”);
if (!$con) {
die('Could not connect: ’ . mysql_error($con));
} else {
echo “Connected to Database”;
}
$sql = “SELECT * FROM Main WHERE username = ‘%$username%’”;
$query = mysql_query($sql, $con) or die(mysql_error($con));;
$numrows = mysql_num_rows($query);
if($numrows != 0) {
while ($rows = mysql_fetch_array($query)) {
$dbusername = $row[‘username’];
$dbpassword = $row[‘password’];
if (($username==$dbusername) && ($password==$dbpassword)) {
$_SESSION[‘username’]=$dbusername;
echo (“Login Succesful”);

     } else {
           die ("Login Unsuccessful");
     }
}

} else {
die (“please enter user and pass”);
}
?>[/php]

plintu · October 19, 2012, 2:16am

One huge problem is right here:
[php]
$rows = mysql_fetch_array($query)) {
$dbusername = $row [‘username’];
$dbpassword = $row [‘password’];
[/php]
you are giving the name “rows” to the fetch array then you are only using “row” to pull the data
[php]$row [‘username’];[/php]

I am reviewing your script right now and will see if there is more errors

Christopher · October 19, 2012, 10:51am

Still getting ‘connected to databaseenter user and pass’.

since i’m new to php i decided to change a value on the line ‘if($numrows != 0)’ i changed the number to two, and i wasn’t getting ‘please enter user and pass’ nothing changed other than than so i put it back to 0

This is currently what the code looks likes

[php]<?php
session_start();

$username = $_REQUEST[‘username’];
$password = $_REQUEST[‘password’];
$con = mysql_connect(“127.0.0.1”,“AdminChris”,“mobile”);
mysql_select_db(‘Users’, $con) or die(“Unable to select database”);
if (!$con) {
die('Could not connect: ’ . mysql_error($con));
} else {
echo “Connected to Database”;
}
$sql = “SELECT * FROM Main WHERE username = ‘%$username%’”;
$query = mysql_query($sql, $con) or die(mysql_error($con));;
$numrows = mysql_num_rows($query);
if($numrows != 0) {
while ($rows = mysql_fetch_array($query)) {
$dbusername = $rows[‘username’];
$dbpassword = $rows[‘password’];
if (($username==$dbusername) && ($password==$dbpassword)) {
$_SESSION[‘username’]=$dbusername;
echo (“Login Succesful”);

     } else {
           die ("Login Unsuccessful");
     }
}

} else {
die (“please enter user and pass”);
}
?>[/php]

plintu · October 19, 2012, 2:45pm

Give this a shot:
also when you inserted the password into the database did you give it any security (md5, etc.)? If so then we would need to md5 the $_REQUEST password in order for them ever to match up.
[php]<?php
session_start();
$username = $_REQUEST[‘username’];
$password = $_REQUEST[‘password’];
$con = mysql_connect(“127.0.0.1”,“AdminChris”,“mobile”);
mysql_select_db(‘Users’, $con) or die(“Unable to select database”);
if (!$con) {
die('Could not connect: ’ . mysql_error($con));
} else {
echo “Connected to Database”;
}
$sql = “SELECT * FROM Main WHERE username = ‘$username’”;
$query = mysql_query($sql, $con) or die(mysql_error($con));;
$numrows = mysql_num_rows($query);
if($numrows != 0) {
while (
$rows = mysql_fetch_assoc($query)) {
$dbusername = $rows[‘username’];
$dbpassword = $rows[‘password’];
if ($username==$dbusername && $password==$dbpassword) {
$_SESSION[‘username’]=$dbusername;
echo(“Login Succesful”);
} else {
die(“Login Unsuccessful”);
}
}
} else {
die (“please enter user and pass”);
}?>[/php]

Christopher · October 19, 2012, 3:49pm

The code is working!

login is sucessful,

Thank you Andrew and plintu for your time! it’s been an awesome experience! i’d say im abit more indepth with PHP now! i can finnaly start working on other areas of the site! however i have a few questions about security, is this code secure? as in intruders can’t access the information during transit/on the database (the passwords and usersnames have been changed

plintu · October 20, 2012, 6:03am

No this code is not secure, the username is vulnerable since you go straight to the database with information that the user inserted via REQUEST[‘username’] , on a live site you should never trust anything that a user inputs! then on top of having the vulnerability there it is so much easier to hack this site because in the database you have plain passwords not encrypted. So once the Main table is accessed a request on password would give a plain unencrypted password to the hacker md5 or sha1 that password and make things as difficult as possible for intruders but dont forget if you do an md5 at the user registration then you have to do an md5 check at the login as well
Hope this helps you!!!
If you learn any ONE thing here today it is this “DO NOT TRUST USERS INPUTS”!!! VALIDATE VALIDATE VALIDATE!!!
[php]
$username = mysql_real_escape_string($_REQUEST[‘username’]);
[/php]

If the username is being printed back to the screen for other viewers to see then you should also do some strip_tags on the username at registration or name changes of the user to fight against xss attacks