Login Script

[VeritasSegus]

Hello everyone,

 

I am brand new to php and am starting off my journey by trying to create a simple login/register script.  I have run into a bit of difficulty, however, and cannot seem to get this to work. I know that the register script is very basic (lacks strlen check, doesn't verify that both passwords are the same, etc.), but for the time being I simply want to have a functional script.  Then I can continue learning by adding more components.  Here are the login.php, checklogin.php, and register.php files (in this order).  I believe that the login/checklogin files work, but the register file just shows the form without actually writing to DB when it is submitted.  Thank you very much for your help.

 

<html>
<body>
<b> Member Login </b> <br />
<form name="input" action="checklogin.php" method="post">
Username : <input type="text" name="myusername" id="username"> <br />
Password : <input type="password" name="mypassword" id="password"> <br />
<input type="checkbox" name="remember" value="checkbox"> Remember me <br />
<input type="submit" value="Login">
Not a member? <a href="./register.php">Register!</a>
</form>
</body>
</html>

 

<?php
$host="localhost";
$usr="root";
$pwd="";
$db="MemberDB";
$tbl_name="members";

mysql_connect($host, $usr, $pwd) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");

$myusr = $_POST['myusername'];
$mypswd = md5($_POST['mypassword']);

$myusername = stripslashes(strip_tags($myusr));
$mypassword = stripslashes(strip_tags($mypswd));
$myusername = mysql_real_escape_string($myusr);
$mypassword = mysql_real_escape_string($mypswd);

$sql="SELECT *FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if ($count==1) {
session_register("myusername");
session_register("mypassword");
header("location:menu.php");
}
else {
echo "Incorrect Username or Password";
}
?>

 

<?php
$host="localhost";
$usr="root";
$pwd="";
$db="MemberDB";
$tbl_name="members";

mysql_connect($host, $usr, $pwd) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");

if (isset($_POST['register'])) 
{ 

$query = "INSERT INTO members ('username', 'password', 'email') 
VALUES('$_POST[username]', 'md5($_POST[password1])', '$_POST[email]')";

mysql_query($db,$query) or die();
mysql_close();

echo "You have successfully registered!";
}
else{
?>
<html>
<body>
<b> Register</b> <br />
<form name="register" action="./register.php" method="post">
Username : <input type="text" name="username" id="username"> <br />
Password : <input type="password" name="password" id="password1"> <br />
Confirm Password : <input type="password" name="password2" id="password2"> <br />
Email: <input type="text" name="email" id="email"> <br />
<input type="submit" value="register">
</form>
</body>
</html>
<?php
}
?>

[revraz]

When troubleshooting queries, you should use mysql_error after them to check for errors.

 

Suggestion is to add that after any query, also to echo your $query variable to insure all your variables are populate.

 

Your mysql_query parameters are incorrect, dont use $db as a parameter, use mysql_query($query) and an optional $link parameter if so desired.

[VeritasSegus]

Thank you for the suggestion with the mysql_error.  I have added it to all of the die(); functions.  Even after removing the $db, however, the script fails to submit the appropriate data to the database.

 

$query = "INSERT INTO members ('username', 'password', 'email') 
VALUES('$_POST[username]', 'md5($_POST[password1])', '$_POST[email]')";

mysql_query($query) or die(mysql_error());
mysql_close();

[johnny86]

Try changing it to this:

$query = "INSERT INTO members ('username', 'password', 'email') VALUES('".$_POST['username']."', '".md5($_POST['password1'])."', '".$_POST['email']."');";

[revraz]

Suggestion is to add that after any query, also to echo your $query variable to insure all your variables are populated.

[VeritasSegus]

I amended the code to incorporate your suggestion and also added "echo $query".  The echo command did not return anything (i.e. when I fill in the form and press register, the page reverts to a blank form) and the database is still not being populated.  Thank you very much for your willingness to help.

 

$query = "INSERT INTO members ('username', 'password', 'email') 
VALUES('".$_POST[username]."', '".md5($_POST[password1])."', '".$_POST[email]."')";

mysql_query($query) or die(mysql_error());
mysql_close();

echo $query;
echo "You have successfully registered!";

[VeritasSegus]

Any other comments?  I feel like it is due to some silly naming mistake for a variable

[Zurev]

I'll be honest I just read the code, not much of what the issue and I'm just noticing "SELECT *FROM" might give you some issues.

[VeritasSegus]

Hmm how do you mean?  I believe that the login functions. It is difficult to test without first registering properly.  But when I type in random username/pw I receive the notification that it is the incorrect combination.

 

I did find an error, however, in the the way I had defined my query (register.php) and now receive this error:

 

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''username', 'password', 'email') VALUES('Test', 'md5(Test)', 'Test@test.com')' at line 1"

 

The Test values are those that I entered into fields for register.php.  I have checked this line against several tutorials and don't see where the error lies.  This is an improvement, since I think it is now trying to input into DB.

[Zurev]

Hmm how do you mean?  I believe that the login functions. It is difficult to test without first registering properly.  But when I type in random username/pw I receive the notification that it is the incorrect combination.

 

I did find an error, however, in the the way I had defined my query (register.php) and now receive this error:

 

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''username', 'password', 'email') VALUES('Test', 'md5(Test)', 'Test@test.com')' at line 1"

 

The Test values are those that I entered into fields for register.php.  I have checked this line against several tutorials and don't see where the error lies.  This is an improvement, since I think it is now trying to input into DB.

 

First of all, your value shouldn't be "md5(test)" at that point, at that point it should be an actual 32 character md5 encoded string. You have to run the md5 function in php whether it be in your query string or before.

 

For example, make a variable called $md5var = md5("test");, and then call the $md5var in the query rather than what you're doing now.

 

Can you print out the exact query instead of the mysql_error text? Before it attempts to insert, echo the query out.

[VeritasSegus]

Thank you for your help Zurev.  You were correct regarding the md5, so I made it a separate variable.  As for the error in the query, the ' ' around the $_POST values needed to be removed.  Here is the corrected code:

 

$md5pwd = md5("$_POST[password]");
$query = "INSERT INTO members (username, password, email) 
VALUES('$_POST[username]', '$md5pwd', '$_POST[email]')";

 

Thank you everyone for the help

[VeritasSegus]

Oops, meant to say that the ' ' around the table values had to be removed*