
Thread: log in script

  1. #1
    New Coder
    Join Date
    Jan 2010
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts

    log in script

    I have created a log in page for my website...
    with two fields,
    username and password... when a user enters username and password, it's logging in and that is working fine... and if the user enters a wrong password... it displays a message "invalid password"..
    but the problem is when the user enters a wrong username... I need to display a message "wrong username"... it's not working... what's happening is... when the user enters wrong username and password... it will not log in but it's not displaying the message...

    code is as follows

    PHP Code:

    $email=$_POST['email'];                 // value of the text box field
    $password=$_POST['password'];           // value of the text box field
    $message="Invalid Password";
    $msg="Email and Password do not match";

    $result=mysql_query("SELECT * FROM ".TABLE_USERS." where email='".$_POST['email']."' and password='".$_POST['password']."'");
    if($a=mysql_fetch_array($result))
    {
        if($a["email"]==$email)
        {
            if($a["password"]==$password)
            {
                header("Location:after_login.php");
            }
            else
            {
                //if password is wrong,  message is displayed
                echo $msg;
            }
        }
        else
        {
            echo $msg;
        }
    }
    Somebody help me to solve this... any help will be appreciated... thank you...

  • #2
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,502
    Thanks
    8
    Thanked 1,089 Times in 1,080 Posts
    You are querying your database for the password AND email to be found.
    If they are BOTH found correct, the $a array contains a row.

    That means, if either one, or both are incorrect, $a array will be empty.

    I can't figure out how you can even get ANY error message, because it
    won't even process those lines if $a array is empty. And if it does process
    those lines, BOTH password and email must be correct.

    So, it's my guess that you have PHP register_globals enabled, and you're
    seeing the $message variable when you return back from checking the login.

    You'll never see the $msg variable because those lines only execute if BOTH
    the email and password match exactly, and therefore, it will always go to after_login.php

    Check your PHP config (with your webhost) and see if register_globals is enabled.
    It should not be enabled, as it poses a security risk. When you disable register_globals,
    you'll discover that your variable "values" no longer carry over from script to script.
    That's sort of the point. You should be using PHP sessions to handle the login, not the
    value of global variables.



    Last edited by mlseim; 01-22-2010 at 01:45 PM.

  • #3
    New Coder
    Join Date
    Jan 2010
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thank you for your reply...
    Where can I find the register_globals??? I checked in the config.php page, but could not find any.....

  • #4
    New Coder
    Join Date
    Jan 2010
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    One more query......
    If I change my line of code
    PHP Code:
    $result=mysql_query("SELECT * FROM ".TABLE_USERS." where email='".$_POST['email']."' and password='".$_POST['password']."'");
    to
    PHP Code:
    $result=mysql_query("SELECT * FROM ".TABLE_USERS." where email='".$_POST['email']."'");
    what difference will happen in the execution of the above shown code in my previous thread???

  • #5
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,502
    Thanks
    8
    Thanked 1,089 Times in 1,080 Posts
    You'll end-up with an array of all records that matched the email only.
    Not a problem unless you have 2 (or more) people that use the same email,
    like a husband/wife.

    I would say that you keep it as you originally had it.
    Don't let the user know which of the 2 was wrong. That might help a hacker
    use brute-force if they know the email was right, but the password was wrong.

    Best to just tell them the log-in was invalid, and if they forgot their password,
    you can create a new one and send it to their email.

    ====================

    There is a way to disable register_globals using .htaccess

    Be careful about messing with your .htaccess file, or email your webhost
    and request they disable register_globals. It's possible that register_globals
    is already disabled, but my hunch is that it's enabled ... by the way your
    script seems to be working.

    Here is the line you can try in your .htaccess file:
    php_flag register_globals off

    After all that, you're going to need to learn about PHP SESSIONS.
    Google has a lot of tutorials about that. A PHP session is like a cookie that gets
    stored on the server (not the user's PC). Once a session variable is set, you can
    read it from any script and know that the user is logged-in. It gets destroyed when
    the user closes their browser.

  • #6
    New Coder
    Join Date
    Jan 2010
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks a lot for your suggestions....
    I went through the tutorials on SESSIONS...
    Where can I use SESSIONS in that page of code??
    How can it help??

  • #7
    New Coder
    Join Date
    Jan 2010
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thank you for your suggestions... tried but it didn't help...

    I changed my code to the following..

    PHP Code:
    $email=$_POST['email'];
    $password=$_POST['password'];

    $msg="Invalid Email or Password";

    $result=mysql_query("SELECT * FROM ".TABLE_USERS." where email='".$_POST['email']."' and password='".$_POST['password']."'");

    if($a=mysql_fetch_array($result))
    {
        if($a["email"]==$email && $a["password"]==$password)
        {
            header("Location:after_login.php");
        }
        else
        {
            echo $msg;
        }
    }

    When I am entering the correct email and password, log in is working fine...
    but when I enter the wrong email or password, it's not logging in and that's ok, but the problem is the "Invalid email or password" msg is not displayed even if I wrote 'echo $msg'.. I don't understand what the problem is... please help....

  • #8
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,502
    Thanks
    8
    Thanked 1,089 Times in 1,080 Posts
    Here's another mistake ...

    if($a=mysql_fetch_array($result))

    should be:

    if($a==mysql_fetch_array($result))

  • #9
    New to the CF scene
    Join Date
    Jul 2009
    Posts
    6
    Thanks
    2
    Thanked 0 Times in 0 Posts
    I think this will do it for you. Just insert your SQL Statement.

    PHP Code:
    if(isset($_POST['email']) && isset($_POST['password'])) {

        $error = array();
        $redirect = 'page.php';

        $email = mysql_real_escape_string($_POST['email']);
        $password = mysql_real_escape_string($_POST['password']);

        $result = mysql_query("YOUR SQL STATEMENT");
        if(mysql_num_rows($result) > 0) {
            $row = mysql_fetch_assoc($result);

            if($email == $row['email']) {
                if($password == $row['password']) {
                    header('Location: ' . $redirect);
                }
                else{
                    $error[] = 'Password does not match given email.';
                }
            }
            else{
                $error[] = 'No user found with given email.';
            }

            printErrors($error);
        }
    }

    // $error is passed in because a function cannot see the caller's local variables
    function printErrors($error) {
        foreach($error as $err) {
            echo 'Error: ' . $err;
        }
    }


  • #10
    New Coder
    Join Date
    Jan 2010
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks for your help

    I tried with register_globals, it is set to off in my phpinfo.php

    with the following code

    PHP Code:
    $email=$_POST['email'];
    $password=$_POST['password'];

    $message = "Invalid Email or Password";

    $result=mysql_query("SELECT * FROM ".TABLE_USERS." where email='".$_POST['email']."'");

    if($a=mysql_fetch_array($result))
    {
        if($a["email"]==$email)
        {
            if($a["password"]==$password)
            {
                header("location:after_login.php");
            }
            else
            {
                echo $message;
            }
        }
        else
        {
            echo $message;
        }
    }

    If I am entering the correct email and wrong password, it will display the $message variable.
    If I am entering the email wrong, it's not showing the $message.

    I changed the code to the following

    PHP Code:
    $email=$_POST['email'];
    $password=$_POST['password'];

    $message = "Invalid Email or Password";

    $result=mysql_query("SELECT * FROM ".TABLE_USERS." where email='".$_POST['email']."'");

    if($a=mysql_fetch_array($result))
    {
        if($a["email"]==$email)
        {
            if($a["password"]==$password)
            {
                header("location:after_login.php");
            }
            else
            {
                echo $message;
            }
        }
        else
        {
            echo $message;
        }
    }
    else
    {
        echo $message;
    }

    But now what happens is, without entering email and password, the $message variable is displayed. Whenever I refresh the browser the $message variable is displayed.. I am getting mad with this...
    Please help...

  • #11
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,502
    Thanks
    8
    Thanked 1,089 Times in 1,080 Posts
    I think it all begins with the query.
    You first started this thread with a script that looked for BOTH, using an AND operation.
    That was actually the correct query, except you didn't use this message: "Invalid Email or Password"

    Then you went to looking for only the email.
    That's a problem because if the email isn't found, it won't check for password either.


    So, with that ... this would be the script that I think you should use:
    PHP Code:
    <?php
    session_start(); // start PHP sessions

    $email=$_POST['email'];
    $password=$_POST['password'];

    $message = "Invalid Email or Password";

    $result=mysql_query("SELECT * FROM ".TABLE_USERS." where email='".$_POST['email']."' and password='".$_POST['password']."'");

    if($a=mysql_fetch_array($result))
    {
        // write a session variable - successful login
        $_SESSION['user'] = 'logged_in';
        header("location:after_login.php");
    }
    else
    {
        echo $message;
    }

    Now, you are going to have another issue ...
    How will you know they are logged in after you go to "after_login.php"?

    That's where you need to use PHP sessions.
    See in the script above where I write a session variable if logged-in.

    Now, on every other script, you simply look for the session variable.
    If it exists, they are logged in, otherwise, you kick them out.

    Like this:
    PHP Code:
    <?php
    session_start();
    if(isset($_SESSION['user'])){
        //they are logged-in, so do nothing.
    }
    else{
        //they are not logged-in, so kick them out.
        header("location: index.php");
        exit; // stop here so the protected page below is not sent with the redirect
    }
    ?>

    <html>
    blah blah
    the rest of your protected page goes here ...
    </html>
    Last edited by mlseim; 01-26-2010 at 02:26 PM.
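
The login check this thread is working toward, as an added example that is not code from any poster: one generic failure message, a parameterized lookup instead of a concatenated query, and a credential check that runs only on form submission (the cause of the message appearing on page load or refresh). It assumes PDO with SQLite and a hypothetical `users` table with `id`, `email` and `password_hash` columns, where the stored value comes from `password_hash()` rather than the plain-text column used in the thread.

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) schema:
// users(id, email, password_hash), with hashes produced by password_hash().
const GENERIC_ERROR = 'Invalid Email or Password';

// Returns the user id on success, or null for ANY failure (unknown email or
// wrong password), so the caller cannot reveal which of the two was wrong.
function attempt_login(PDO $db, string $email, string $password): ?int
{
    // The placeholder keeps user input out of the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown email: still verify against a dummy hash so both paths do comparable work.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row ? $row['password_hash'] : $dummy);

    return ($row && $ok) ? (int) $row['id'] : null;
}

// Constructed sample data: in-memory SQLite holding the thread's test account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
   ->execute(['test@test.com', password_hash('test123', PASSWORD_DEFAULT)]);

// Check credentials only when the form was actually submitted; a plain page
// load or refresh (GET) shows the form without any error message.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $email = $_POST['email'] ?? '';
    $password = $_POST['password'] ?? '';
    $userId = (is_string($email) && is_string($password))
        ? attempt_login($db, $email, $password)
        : null;
    if ($userId !== null) {
        session_start();
        session_regenerate_id(true);  // new session id for the logged-in user
        $_SESSION['user'] = $userId;
        header('Location: after_login.php');
        exit;                         // send nothing after the redirect
    }
    echo GENERIC_ERROR;
} elseif (PHP_SAPI === 'cli') {
    // Offline self-check: correct login, wrong password, unknown email.
    var_dump(attempt_login($db, 'test@test.com', 'test123'));
    var_dump(attempt_login($db, 'test@test.com', 'wrong'));
    var_dump(attempt_login($db, 'nobody@test.com', 'test123'));
}
```

Run from the command line, the self-check prints the user id for the correct login and the same `NULL` for both failure cases.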

  • #12
    New Coder
    Join Date
    Jan 2010
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks for the suggestion.. I tried what you said..
    When I run the code, what happened is, the page is showing the $message variable ("Invalid Email or password") even before I enter anything in the form fields..
    i.e. I am able to log in when I enter the correct email and password, but when I log out and come back to the main page that message is displayed.. why is it like that??

    I hope you understood the problem ...

  • #13
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,502
    Thanks
    8
    Thanked 1,089 Times in 1,080 Posts
    How do you log out?
    Do you destroy the session?

    Try closing your browser and going back in, is the message still there?

  • #14
    New Coder
    Join Date
    Jan 2010
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I tried, it is still there...
    Can you suggest me a code for checking the email and password for log in,
    i.e. in my 'users table', there are two fields, email and password, and values test@test.com and test123..

    I need to log in from my webpage..
    If the entered email and password do not match with those in the database, it should display an error message, and if they match, it should log in

    it will be of great help to me..

  • #15
    Supreme Master coder! abduraooft's Avatar
    Join Date
    Mar 2007
    Location
    N/A
    Posts
    14,862
    Thanks
    160
    Thanked 2,223 Times in 2,210 Posts
    Quote: Originally Posted by mlseim
    Here's another mistake ...

    if($a=mysql_fetch_array($result))

    should be:

    if($a==mysql_fetch_array($result))
    Hi renu-86,

    It appears like you've missed the above comment.
    The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)

