| ACDII |
01-18-2007 02:15 PM |
PHP login script using mysql issue
I am stumped as I dont know how to see what the server is actually recieving when a query is sent to mysql. From mysql, I can run the query and get the results.
mysql> SELECT user_id, user_name FROM Users WHERE user_name='acd' AND password=SHA('mypassword');
+---------+-----------+
| user_id | user_name |
+---------+-----------+
| 2 | acd |
+---------+-----------+
1 row in set (0.00 sec)
But when I enter the same username and password I get
The following error(s) occurred:
- The User name and password entered do not match those on file.
-
Query: SELECT user_id, user_name FROM Users WHERE user_name='' AND password=SHA('')
Please try again.
It appears that the inputted information is not getting sent to the server.
Here are the scripts.
PHP Code:
<?php # login.php
// Send NOTHING to the Web browser prior to the setcookie() lines!
// Check if the form has been submitted.
if (isset($_POST['submitted'])) {
require_once ('/var/www/web2/PHP_Secure/mysql_connect.php'); // Connect to the db.
$errors = array(); // Initialize error array.
// Check for a user name.
if (empty($_POST['user_name'])) {
$errors[] = 'You forgot to enter your user name.';
} else {
$un = escape_data($_POST['user_name']);
}
// Check for a password.
if (empty($_POST['password'])) {
$errors[] = 'You forgot to enter your password.';
} else {
$p = escape_data($_POST['password']);
}
if (empty($errors)) { // If everything's OK.
/* Retrieve the user_id and first_name for
that email/password combination. */
$query = "SELECT user_id, user_name FROM Users WHERE user_name='$un' AND password=SHA('$p')";
$result = @mysql_query ($query); // Run the query.
$row = mysql_fetch_array ($result, MYSQL_NUM); // Return a record, if applicable.
if ($row) { // A record was pulled from the database.
// Set the cookies & redirect.
setcookie ('user_id', $row[0]);
setcookie ('user_name', $row[1]);
// Redirect the user to the loggedin.php page.
// Start defining the URL.
$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
// Check for a trailing slash.
if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
$url = substr ($url, 0, -1); // Chop off the slash.
}
// Add the page.
$url .= '/loggedin.php';
header("Location: $url");
exit(); // Quit the script.
} else { // No record matched the query.
$errors[] = 'The User name and password entered do not match those on file.'; // Public message.
$errors[] = mysql_error() . '<br /><br />Query: ' . $query; // Debugging message.
}
} // End of if (empty($errors)) IF.
mysql_close(); // Close the database connection.
} else { // Form has not been submitted.
$errors = NULL;
} // End of the main Submit conditional.
// Begin the page now.
$page_title = 'Login';
include ('./includes/header.html');
if (!empty($errors)) { // Print any error messages.
echo '<h1 id="mainhead">Error!</h1>
<p class="error">The following error(s) occurred:<br />';
foreach ($errors as $msg) { // Print each error.
echo " - $msg<br />\n";
}
echo '</p><p>Please try again.</p>';
}
// Create the form.
?>
<h2>Login</h2>
<form action="login.php" method="post">
<p>User Name: <input type="text" name="user_name" size="20" maxlength="40" /> </p>
<p>Password: <input type="password" name="password" size="20" maxlength="20" /></p>
<p><input type="submit" name="submit" value="Login" /></p>
<input type="hidden" name="submitted" value="TRUE" />
</form>
<?php
include ('./includes/footer.html');
?>
And here is the mysqlconnect.
PHP Code:
<?php #Script 7.2 - mysql_connect.php
//this file contains the database access information to MySQL and selects the database.
// Set the database access information as constants.
DEFINE ('DB_USER', 'admin');
DEFINE ('DB_PASSWORD', 'password');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'dbname');
// Make the connection
$dbc = @mysql_connect (DB_HOST, DB_USER, DB_PASSWORD) OR die ('Could not connect to MySQL: ' . mysql_error() );
// Select the database
@mysql_select_db (DB_NAME) OR die ('Could not select the database: ' . mysql_error());
// Create a function for escaping the data.
function escape_data ($data) {
// Address Magic Quotes.
if (ini_get('magic_quotes_gpc')) {
$data = stripslashes($data);
}
// Check for mysql_real_escape_string() support.
if (function_exists('mysql_real_escape_string')) {
global $dbc; // Need the connection.
$data = mysql_real_escape_string (trim($data), $dbc);
} else {
$data = mysql_escape_string (trim($data));
}}
// Return the escaped value.
return $data;
?>
|
