Problem with login verification

[giannis]

I have the following code:

 

<?php
include "connect.php";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
<title>Welcome</title> 
<script type="text/javascript" src="js/jquery.min.js"></script>
<script type="text/javascript" src="js/jquery.ketchup.js"></script>
<script type="text/javascript" src="js/jquery.ketchup.messages.js"></script>
<script type="text/javascript" src="js/jquery.ketchup.validations.basic.js"></script>
<script language="javascript" type="text/javascript" src="niceforms.js"></script>
<link rel="stylesheet" type="text/css" media="all" href="niceforms-default.css" />
<link rel="stylesheet" type="text/css" media="screen" href="css/jquery.ketchup.css" />

</head>
<body>
<div id="container">
<?php
if(!empty($_SESSION['connection_status']) && !empty($_SESSION['username']))
  {
  ?>
  <form action="logout.php" class="niceform">
  <fieldset>
  <legend>Member Area</legend>
  <div id= "container">
  <p>Thanks for logging in <b><?=$_SESSION['username']?></b> !</p>
  <p><input type="submit" name="submit" id="submit" value="Logout" /></p>
  </div>
  </fieldset>
  </form>
  <?php
  }
  elseif(!empty($_POST['username']) && !empty($_POST['password']))
    {
    $username = mysql_real_escape_string($_POST['username']);
    $password = md5(mysql_real_escape_string($_POST['password']));
    $validation = mysql_query("SELECT * FROM users WHERE username = '".$username."' AND password = '".$password."'");

    if(mysql_num_rows($validation) == 1)
        {
        $row = mysql_fetch_array($validation);
        $email = $row ['email'];
        
        $_SESSION['username'] = $username;
        $_SESSION['email'] = $email;
        $_SESSION['connection_status'] = 1;
        
        echo "<h1>Success</h1>";
        echo "<p>Members area is loading.</p>";
        echo "<meta http-equiv='refresh' content='=4;index.php' />";
        }
          else
            {
            echo "<h1>Error</h1>";
            echo "<p> There was an error, please try again  <a href=\"index.php\">here </a> .</p>";
            }
     }
    else
     {
        ?>
        <form method="post" action="index.php" name="loginform" id="loginform" class="niceform">  
        <fieldset>
        <legend>Member Login</legend>
        <p>Thanks for visiting. Please login below or click <a href="register.php">here</a> to register.</p>  
        <dl>
        <dt><label for="username">Username:</label><br /></dt>
        <dd><input type="text" name="username" id="username" class= "validate(rangelength(4,30))"/></dd>
        </dl>
        <dl>  
        <dt><label for="password">Password:</label><br /></dt>
        <dd><input type="password" name="password" id="password" class= "validate(rangelength(4,30))" /></dd>
        </dl>
        <p><a href="forgot_password.php">Forgot password?</a></p>
        </fieldset>
        <fieldset class="action">
        <input type="submit" name="submit" id="submit" value="Sign In" />  
        </fieldset>  
        </form>  
        
        <?php
       }
       ?>
       
       </div>
       <script type = "text/javascript">
       $(document).ready(function() {
  $('#loginform').ketchup();
});
</script>
       </boby>
       </html>
       
       

            

 

When I try to login with true username/password, I always get: There was an error, please try again here  .

[rwwd]

  elseif(!empty($_POST['username']) && !empty($_POST['password']))
    {
    $username = mysql_real_escape_string($_POST['username']);
    $password = md5(mysql_real_escape_string($_POST['password']));
    $validation = mysql_query("SELECT * FROM users WHERE username = '".$username."' AND password = '".$password."'");

//Check to see what num_rows returns
echo mysql_num_rows($validation);

//if not 1, there is an issue with the sql end of things
    if(mysql_num_rows($validation) == 1)

 

Check by echoing to screen the sql statement, then copy and paste that (assuming that it's properly constructed & as expected) into your sql console of choice and run it to see if you get the results as expected.. Go from there, and you should be fine..

 

Rw

[chintansshah]

please check how many number of rows return using select query, I think it's return more then 2.

 

[NLCJ]

Just a typo I saw when I took a quick look at it, you have </boby> instead of </body>.

[giannis]

please check how many number of rows return using select query, I think it's return more then 2.

 

for which lines are you talking about?

[chintansshah]

I am talking about this query.

 

$validation = mysql_query("SELECT * FROM users WHERE username = '".$username."' AND password = '".$password."'");

 

[giannis]

Shouldn't I check if both username and password are valid in order to procede the login?

[BlueSkyIS]

That is what the query does...

 

WHERE username = '$username' AND password = 'password'

 

 

If either username or password is invalid, this query is false and no records will match. Therefore, the user will not be logged in.

[giannis]

so, the code is fine?

[BlueSkyIS]

If the query returns 1 and only 1 record, the login information is valid. I only meant to reply to your question; I didn't review all the code.