ACDII
01-18-2007 02:15 PM
PHP login script using mysql issue
I am stumped as I don't know how to see what the server is actually receiving when a query is sent to mysql. From mysql, I can run the query and get the results.
mysql> SELECT user_id, user_name FROM Users WHERE user_name='acd' AND password=SHA('mypassword');
+---------+-----------+
| user_id | user_name |
+---------+-----------+
|       2 | acd       |
+---------+-----------+
1 row in set (0.00 sec)
But when I enter the same username and password I get
The following error(s) occurred:
- The User name and password entered do not match those on file.
-
Query: SELECT user_id, user_name FROM Users WHERE user_name='' AND password=SHA('')
Please try again.
It appears that the inputted information is not getting sent to the server.
Here are the scripts.
PHP Code:
<?php # login.php

// Send NOTHING to the Web browser prior to the setcookie() lines!

// Check if the form has been submitted.
if (isset($_POST['submitted'])) {

    require_once ('/var/www/web2/PHP_Secure/mysql_connect.php'); // Connect to the db.

    $errors = array(); // Initialize error array.

    // Check for a user name.
    if (empty($_POST['user_name'])) {
        $errors[] = 'You forgot to enter your user name.';
    } else {
        $un = escape_data($_POST['user_name']);
    }

    // Check for a password.
    if (empty($_POST['password'])) {
        $errors[] = 'You forgot to enter your password.';
    } else {
        $p = escape_data($_POST['password']);
    }

    if (empty($errors)) { // If everything's OK.

        /* Retrieve the user_id and first_name for that email/password combination. */
        $query = "SELECT user_id, user_name FROM Users WHERE user_name='$un' AND password=SHA('$p')";
        $result = @mysql_query ($query); // Run the query.
        $row = mysql_fetch_array ($result, MYSQL_NUM); // Return a record, if applicable.

        if ($row) { // A record was pulled from the database.

            // Set the cookies & redirect.
            setcookie ('user_id', $row[0]);
            setcookie ('user_name', $row[1]);

            // Redirect the user to the loggedin.php page.
            // Start defining the URL.
            $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
            // Check for a trailing slash.
            if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
                $url = substr ($url, 0, -1); // Chop off the slash.
            }
            // Add the page.
            $url .= '/loggedin.php';

            header("Location: $url");
            exit(); // Quit the script.

        } else { // No record matched the query.
            $errors[] = 'The User name and password entered do not match those on file.'; // Public message.
            $errors[] = mysql_error() . '<br /><br />Query: ' . $query; // Debugging message.
        }

    } // End of if (empty($errors)) IF.

    mysql_close(); // Close the database connection.

} else { // Form has not been submitted.

    $errors = NULL;

} // End of the main Submit conditional.

// Begin the page now.
$page_title = 'Login';
include ('./includes/header.html');

if (!empty($errors)) { // Print any error messages.
    echo '<h1 id="mainhead">Error!</h1> <p class="error">The following error(s) occurred:<br />';
    foreach ($errors as $msg) { // Print each error.
        echo " - $msg<br />\n";
    }
    echo '</p><p>Please try again.</p>';
}

// Create the form.
?>
<h2>Login</h2>
<form action="login.php" method="post">
    <p>User Name: <input type="text" name="user_name" size="20" maxlength="40" /> </p>
    <p>Password: <input type="password" name="password" size="20" maxlength="20" /></p>
    <p><input type="submit" name="submit" value="Login" /></p>
    <input type="hidden" name="submitted" value="TRUE" />
</form>
<?php
include ('./includes/footer.html');
?>
And here is the mysqlconnect.
PHP Code:
<?php #Script 7.2 - mysql_connect.php

//this file contains the database access information to MySQL and selects the database.

// Set the database access information as constants.
DEFINE ('DB_USER', 'admin');
DEFINE ('DB_PASSWORD', 'password');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'dbname');

// Make the connection
$dbc = @mysql_connect (DB_HOST, DB_USER, DB_PASSWORD) OR die ('Could not connect to MySQL: ' . mysql_error() );

// Select the database
@mysql_select_db (DB_NAME) OR die ('Could not select the database: ' . mysql_error());

// Create a function for escaping the data.
function escape_data ($data) {

    // Address Magic Quotes.
    if (ini_get('magic_quotes_gpc')) {
        $data = stripslashes($data);
    }

    // Check for mysql_real_escape_string() support.
    if (function_exists('mysql_real_escape_string')) {
        global $dbc; // Need the connection.
        $data = mysql_real_escape_string (trim($data), $dbc);
    } else {
        $data = mysql_escape_string (trim($data));
    }
}

// Return the escaped value.
return $data;

?>
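A parameterized version of the login check from the scripts above, as an added example that is not part of the original post: it binds the user name as a query parameter instead of building the SQL string through escape_data(), stores the password with password_hash() rather than SHA(), and keeps the failure message generic. The in-memory SQLite database (standing in for MySQL), the check_login() name and the sample account are assumptions made so the script runs offline.

```php
<?php
// Added example, not the poster's code. SQLite in memory stands in for MySQL
// so the script runs offline; with MySQL only the PDO DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Users (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE, password TEXT)');

// Constructed sample account: password_hash() stores a salted, slow hash.
$ins = $pdo->prepare('INSERT INTO Users (user_name, password) VALUES (?, ?)');
$ins->execute(['acd', password_hash('mypassword', PASSWORD_DEFAULT)]);

/**
 * Returns the user's row on success, or null. Input is bound as a parameter,
 * so it never becomes part of the SQL text and needs no escaping helper.
 */
function check_login(PDO $pdo, string $userName, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT user_id, user_name, password FROM Users WHERE user_name = ?');
    $stmt->execute([trim($userName)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against the stored hash in PHP rather than comparing in SQL.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Constructed inputs: correct login, wrong password, empty fields, a name containing a quote.
$attempts = [
    ['acd', 'mypassword'],
    ['acd', 'wrong'],
    ['', ''],
    ["acd' -- ", 'x'],
];
foreach ($attempts as [$un, $pw]) {
    $user = check_login($pdo, $un, $pw);
    if ($user !== null) {
        // On a real page: session_start(); session_regenerate_id(true);
        // $_SESSION['user_id'] = $user['user_id']; instead of a user_id cookie.
        echo "OK   user_id={$user['user_id']} user_name={$user['user_name']}\n";
    } else {
        // Same generic message for every failure; log details server-side
        // with error_log() rather than echoing the query to the browser.
        echo "FAIL The user name and password entered do not match those on file.\n";
    }
}
```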