
and logic not working correctly


aabid


Hey guys,

I don't know why but the following script is not working for me. It's a simple login script which checks the validity of the username and password and, based on that, uses the header function to redirect the user.

Please have a look at the script

<?php
include('dbinfo.inc');
if(empty($_POST['username']) || empty($_POST['pword']))
{
    header('Location: http://localhost/vits/index.php?login=error');
}
else
{
    $username = $_POST['username'];
    $pword = $_POST['pword'];
    $actype = $_POST['actype'];
    $connect = mysql_connect($host,$dbuser,$password) or die("Cannot connect to DB");
    mysql_select_db($dbname,$connect);
    $sql = "select * from memberinfo where username='$username'";
    $result = mysql_query($sql,$connect);
    $row = mysql_fetch_assoc($result);
}
if($row['username'] == $username && $row['pword'] == $pword && $row['actype'] == $actype)
{
    session_start();
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['loggedin'] = TRUE;
    $_SESSION['actype'] = $_POST['actype'];
    header('Location: http://localhost/vits/index.php?login=correct');
}
else
{
    header('Location: http://localhost/vits/index.php?login=incorrect');
}
?>

Now the problem is it never succeeds, i.e. it never goes into the if block where the checking is being done for username and password and of course actype.

No matter what I enter in login information it always throws me to this http://localhost/vits/index.php?login=incorrect

Please help as I am not able to sort out this problem.

Link to comment
Share on other sites

This is a little wrong...

$sql = "select * from memberinfo where username='$username'";
$result = mysql_query($sql,$connect);
$row = mysql_fetch_assoc($result);
}
if($row['username'] == $username && $row['pword'] == $pword && $row['actype'] == $actype)

Try something like this:

$sql = "SELECT username, pword, actype FROM memberinfo WHERE username = '".$username."' AND pword = '".$pword."'";
$result = mysql_query($sql,$connect) or die ('Error :<br>'.mysql_error().'<br><br>When Running the following :<br><br>'.$sql);
$row = mysql_fetch_assoc($result);
}
if(($row['username'] == $username) && ($row['pword'] == $pword) && ($row['actype'] == $actype))

Link to comment
Share on other sites

In this block of code:

if($row['username'] == $username && $row['pword'] == $pword && $row['actype'] == $actype)

There's no reason for the comparison against $username. Since that's the variable you used in the query's WHERE clause, it's impossible for it not to match.

Is the password hashed when it's inserted into the database to begin with? If you run the query in phpMyAdmin, and echo the value of $pword, are they identical? Is there any errant whitespace on either of them?

Link to comment
Share on other sites


I have tried to echo out everything, I even echoed both $_POST and $row and both seem to be containing the correct information as far as seeing with the naked eye is concerned. Now I don't know if there might be any hidden spaces which are not making them equivalent to pass that if condition.

Link to comment
Share on other sites

Well, the problem seems to be sorted out and it was just a silly mistake of capitalization. I was kinda doing like

if (Lecturer == lecturer)

then do this

It's obvious it won't go into the if block because of the capitalization of the first word. But anyway, the problem seems to be gone now. Thanks for the support :)

Link to comment
Share on other sites
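
Added example, not part of the thread and not any poster's code: a version of the login check that normalises actype before comparing (the capitalization mismatch that caused the problem), binds the username through a prepared statement instead of interpolating it into the SQL string, and verifies a password hash rather than comparing plaintext. The in-memory SQLite database, the sample row, and the function names check_login and login_redirect are assumptions for illustration; the table and column names follow the thread.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// thread; the in-memory SQLite database and the sample row are constructed.
declare(strict_types=1);

function check_login(PDO $db, string $username, string $pword, string $actype): ?array
{
    // Prepared statement: user input is bound, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT username, pword, actype FROM memberinfo WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a stored hash; password_verify() is safe against timing attacks.
    if ($row === false || !password_verify($pword, $row['pword'])) {
        return null;
    }
    // The thread's actual bug: "Lecturer" vs "lecturer". Normalise both sides
    // (trim + lowercase) before a strict comparison.
    if (strtolower(trim($row['actype'])) !== strtolower(trim($actype))) {
        return null;
    }
    return $row; // populate $_SESSION['actype'] from this row, not from $_POST
}

function login_redirect(?array $row): string
{
    // Hypothetical helper: builds the Location target the thread's script uses.
    // In a web request: session_regenerate_id(true); header('Location: ' . $url); exit;
    return 'http://localhost/vits/index.php?login=' . ($row ? 'correct' : 'incorrect');
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE memberinfo (username TEXT PRIMARY KEY, pword TEXT, actype TEXT)');
$db->prepare('INSERT INTO memberinfo VALUES (?, ?, ?)')
   ->execute(['alice', password_hash('s3cret-demo', PASSWORD_DEFAULT), 'Lecturer']);

$cases = [
    ['alice', 's3cret-demo', 'lecturer'],  // case differs from the stored value
    ['alice', 'wrong', 'lecturer'],        // bad password
    ["o'brien", 'x', 'lecturer'],          // quote is bound as data, not parsed as SQL
];
foreach ($cases as [$u, $p, $t]) {
    echo str_pad($u, 10), ' => ', login_redirect(check_login($db, $u, $p, $t)), PHP_EOL;
}
```

Run from the command line with the pdo_sqlite extension enabled; only the first constructed case redirects to login=correct.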
