Need Help in the below script

on 04.09.2009 11:07:03 by Nagendra Prasad


Hi all,

I am working on my project. I have to create a user registration page and a
login page. I am done with the registration page, but when I tried to code the
login page it's not working. Below is the code. Please take a look at the script
and let me know where I am going wrong.



<?php
$username=$_POST['username'];
$password=$_POST['password'];

if($username&&$password)
{

$connect= mysql_connect("localhost","root","") or die("couldn't connect");

mysql_select_db("phplogin") or die("no db in the list");

$query = mysql_query("SELECT * FROM users WHEER username='$username'");

$numrows = mysql_num_rows($query);


if ($numrows!=0)
{
echo "user dosen't exist";
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}

if ($username==$dbusername && $password==$dbpassword)
{
echo "you are in";
}
else
echo "incorrent username and password";


else
die("user dosent exitst");

}

else

die("please enter a username and a password");
}


?>



--
Guru Prasad
Ubuntu Voice GTK+ Forum


Re: Need Help in the below script

on 04.09.2009 13:42:25 by Patrick Price


It appears that you had a missing bracket or two and you had misspelled
'WHERE' in the query.

In your code you were checking if the username and password were correct
outside of the while loop. Even though it can be uncommon, if you have
multiple users with the same username then you would only be checking the
last result, not each row.

I changed the query to make it simpler. If you check for the username and
password to match in the query, then you only have to check for the returned
rows to see if the correct username and password were used.

I added a second query to check if the username exists but the password was
wrong. For security purposes, when a login attempt fails you should not
tell a user whether the username or password was correct. Once they know
that one of their parameters was correct, it is much easier for them to hack
the other parameter.

You also need to be concerned about SQL injection attacks. You should always
escape any data being used in a query.
http://us.php.net/manual/en/security.database.sql-injection.php


<?php
$username = $_POST['username'];
$password = $_POST['password'];
if ($username && $password)
{
    $connect = mysql_connect("localhost", "root", "") or die("couldn't connect");
    mysql_select_db("phplogin") or die("no db in the list");
    // escape data to prevent SQL injection attacks
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    // match the username and the password in the query itself
    $query = mysql_query("SELECT * FROM users WHERE username='$username' AND password = '$password';");
    $numrows = mysql_num_rows($query);
    if ($numrows == 1)
        echo "you are in";
    else
    {
        // second query: does the username exist at all?
        $username_result = mysql_query("SELECT * FROM users WHERE username = '$username';");
        if (mysql_num_rows($username_result) == 0)
            echo "user does not exist";
        else
            echo "incorrect username and password";
    }
}
else
    die("please enter a username and a password");
?>
Hope this helps.

Thanks,

patrick
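
Added example (not part of Patrick's message or of the original thread): the same login check written with a PDO prepared statement and password_hash()/password_verify(), returning one generic message for every failed attempt, as the reply above recommends. The in-memory SQLite database, the password_hash column and the check_login() name are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with the
// sqlite driver, a users table with a password_hash column, and the
// hypothetical helper name check_login().

function check_login(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps the submitted value out of the SQL text entirely.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown user: still run one verification against a dummy hash so
        // both failure paths do comparable work.
        static $dummy = null;
        $dummy = $dummy ?? password_hash('dummy-password', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $hash);
}

// Constructed sample data in an in-memory database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed attempts: valid, wrong password, unknown user, quote-bearing input.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ['bob', 'anything'],
    ["alice' OR '1'='1", 'x'],
];
foreach ($attempts as [$user, $pass]) {
    // One message for every failure, so the response does not reveal
    // whether the username exists.
    echo check_login($db, $user, $pass)
        ? "you are in\n"
        : "incorrect username or password\n";
}
```

Only the first attempt succeeds; the quote-bearing username is treated as an ordinary string that matches no row.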




Re: Need Help in the below script

on 04.09.2009 18:27:55 by Nagendra Prasad


Hey Patrick,

Thanks so much. It's really working. You have saved my life.

Best,
