View Full Version : Login Page
wsg14
16-11-2008, 08:24 PM
<?php
$data = mysql_query("SELECT * FROM `users` WHERE `username` = '$username'");
if($grab_login === 1){
header("Location: index.php");
} else {
if($_GET['do'] == login){
$user = $_POST['username'];
$password = $_POST['password'];
if($user == $data['username'] || $password == $data['password']){
$_SESSION['username'] = $user;
$_SESSION['logged_in'] = 1;
header("Location: index.php");
} else {
echo "your login credentials were incorrect.";
}
}
}
?>
<form action="?do=login">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" value="login" />
That is my login code, and it isn't working correctly. If I enter false credentials it doesn't give me the error. Also, when you click login, the url turns into "url.com/login.php?do=login&username=username&password=password". +rep
Closed by Johno! (Forum Moderator): To prevent further pointless posting.
Source
16-11-2008, 08:40 PM
That login does not make any sense whatsoever. We need to see it all, and if that is all of it... then wth.
ref "the url turns into "url.com/login.php?do=login&username=username&password=pass" - add method="POST" to your form tag
wsg14
16-11-2008, 08:43 PM
Why wth? I don't see anything wrong with it? There's a config.php include at the top of the page (not included in that code). If you want I can show config.php?
Source
16-11-2008, 08:45 PM
<?php
//where is it getting $username from?
$data = mysql_query("SELECT * FROM `users` WHERE `username` = '$username'");
//where is it getting $grab_login
if($grab_login === 1){
header("Location: index.php");
} else {
if($_GET['do'] == login){
$user = $_POST['username'];
$password = $_POST['password'];
//$data['username'] doesn't correspond to anything? same with pass
if($user == $data['username'] || $password == $data['password']){
$_SESSION['username'] = $user;
$_SESSION['logged_in'] = 1;
header("Location: index.php");
} else {
echo "your login credentials were incorrect.";
}
}
}
?>
answer those questions in comments.
wsg14
16-11-2008, 08:47 PM
All of those variables are defined in config.php.
Lol, epic fail.
For my own curiosity, what difference does three ==='s mean?
Source
16-11-2008, 08:48 PM
All of them? So why have the query at the top and no fetch_array to go with it? At the moment it's checking the credentials with a resource return (or w/e :P).
And L?ke I believe 3 = (===) means the value and data type must be the same (integer, boolean etc..).
wsg14
16-11-2008, 08:49 PM
All of them but $data. Why do I need to use fetch_array?
Source
16-11-2008, 08:51 PM
Because you're using that information to see if the username and password are correct?
This script is seriously confusing, and if it's not then fair enough, I'm an idiot.
wsg14
16-11-2008, 08:54 PM
<?php
$data = mysql_query("SELECT * FROM `users` WHERE `username` = '$username'");
// if logged in goto homepage, if not continue
if($grab_login === 1){
header("Location: index.php");
} else {
if($_GET['do'] == login){
$user = $_POST['username'];
$password = $_POST['password'];
// checks if the username and password the user entered matches the ones in the database
if($user == $data['username'] || $password == $data['password']){
$_SESSION['username'] = $user;
$_SESSION['logged_in'] = 1;
header("Location: index.php");
} else {
echo "your login credentials were incorrect.";
}
}
}
?>
<form action="?do=login">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" value="login" />
All I want to do is check if the information the user entered is correct (matches the ones in the database).
Source
16-11-2008, 08:55 PM
<?php
////////// You need to GRAB the array for the information
$data = mysql_query("SELECT * FROM `users` WHERE `username` = '$username'");
// if logged in goto homepage, if not continue
if($grab_login === 1){
header("Location: index.php");
} else {
if($_GET['do'] == login){
$user = $_POST['username'];
$password = $_POST['password'];
////////// needs the array of data to check against.....
if($user == $data['username'] || $password == $data['password']){
$_SESSION['username'] = $user;
$_SESSION['logged_in'] = 1;
header("Location: index.php");
} else {
echo "your login credentials were incorrect.";
}
}
}
?>
<form action="?do=login">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" value="login" />
wsg14
16-11-2008, 08:57 PM
Would this be correct?
<?php
$query = mysql_query("SELECT * FROM `users` WHERE `username` = '$username'");
$data = mysql_fetch_array($query);
if($grab_login === 1){
header("Location: index.php");
} else {
if($_GET['do'] == login){
$user = $_POST['username'];
$password = $_POST['password'];
if($user == $data['username'] || $password == $data['password']){
$_SESSION['username'] = $user;
$_SESSION['logged_in'] = 1;
header("Location: index.php");
} else {
echo "your login credentials were incorrect.";
}
}
}
?>
<form action="?do=login">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" value="login" />
@Source; Oh right, thanks.
wsg14
16-11-2008, 09:01 PM
I just tested it and yeah, it works. Now it just gives me an error regarding the header. The "can't modify headers, bla bla bla".
Source
16-11-2008, 09:02 PM
<?php
// w/e includes
include "config.php";
if($_GET['do'] == 'login'){
// get the info from post
$user = $_POST['username'];
$password = $_POST['password'];
// grab any rows with that username and pass and count the rows returned
// note: $user and $password are not filtered yet
$userQ = mysql_query("SELECT * FROM `users` WHERE `username` = '$user' and `password` = '$password'");
$userC = mysql_num_rows( $userQ );
// if it returns 1 then the details must have been correct
if( $userC == 1 ){
$_SESSION['username'] = $user;
$_SESSION['logged_in'] = 1;
header("Location: index.php");
} else {
echo "Sorry the information you provided was wrong";
}
}
?>
<form method="post" action="?do=login">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" value="login" />
</form>
Wrote it up super quick, so soz for any errors. But that seems more logical to me? Also disclaimer would be "Make sure in the released version all inputs are filtered blah blah blah, and maybe try mysql sessions rather than browser sessions... blah blah"
also even that is a bad login, as it can easily be spoofed (changing your session logged_in to 1). Anyway, the main idea was to recreate what you already have.
wsg14
16-11-2008, 09:07 PM
Thanks Matt, last thing: I get this when I try to use headers:
Warning: Cannot modify header information - headers already sent by (output started at /home/x/public_html/test/login.php:11) in /home/x/public_html/test/login.php on line 17
Source
16-11-2008, 09:08 PM
Is session_start etc... right at the top of your config.php and executed before any other information is sent to the browser?
wsg14
16-11-2008, 09:09 PM
Yes, it is.
Source
16-11-2008, 09:10 PM
Well, unfortunately I don't have time to read through all of your script etc... maybe make a new thread with it all in for other members to have a widdle.
wsg14
16-11-2008, 09:13 PM
Alright, thanks for all your help.
I get this when I try to use headers:
Warning: Cannot modify header information - headers already sent by (output started at /home/x/public_html/test/login.php:11) in /home/x/public_html/test/login.php on line 17
Try adding this at the top:
ob_start();
wsg14
16-11-2008, 09:58 PM
Thanks, that worked.
Dentafrice
16-11-2008, 11:57 PM
Assuming you're MD5ing your passwords..
EDIT: Just saw you had a fix.
<?php
// if logged in goto homepage, if not continue
if($grab_login == 1) {
header( "Location: index.php" );
} else {
if($_GET ['do'] == "login") {
// make sure you clean these..
$username = $_POST ['username'];
$password = md5( $_POST ['password'] );
$data = @mysql_query( "SELECT * FROM `users` WHERE `username` = '$username' AND `password`='$password'" );
$count = @mysql_num_rows( $data );
// checks if the username and password the user entered matches the ones in the database
if($count != 0) {
$_SESSION ['username'] = $username;
$_SESSION ['logged_in'] = 1;
header( "Location: index.php" );
} else {
echo "your login credentials were incorrect.";
}
}
}
?>
<form action="?do=login" method="post">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" value="login" />
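A hardened version of the credential check from the posts above, as an added example that is not code from the thread: it binds the username as a query parameter instead of splicing $_POST values into the SQL, stores passwords with password_hash() rather than in plaintext or MD5, and requires the username and the password to match (the early versions above join the two comparisons with ||). The in-memory SQLite table, the function name check_login, and the user names and passwords are constructed for the demo.

```php
<?php
// Added example, not code from the thread. Table layout, user names and
// passwords below are constructed for illustration.

function check_login(PDO $db, string $user, string $password): bool
{
    // Bound parameter: the username is sent as data, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Hash used when the user does not exist, so both paths do the same work.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);

    $hash = $row ? $row['password_hash'] : $dummy;
    $ok = password_verify($password, $hash);

    // Username found AND password matches; either one alone is not enough.
    return $row !== false && $ok;
}

// --- constructed demo data on an in-memory SQLite database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$ins->execute(["o'brien", password_hash('s3cret', PASSWORD_DEFAULT)]);

$cases = [
    ['alice', 'correct horse'],   // right user, right password
    ['alice', 'wrong'],           // right user, wrong password
    ['nobody', 'correct horse'],  // unknown user
    ["o'brien", 's3cret'],        // apostrophe in the name is plain data here
];
foreach ($cases as [$u, $p]) {
    printf("%-10s %s\n", $u, check_login($db, $u, $p) ? 'accepted' : 'rejected');
}

// In the login page itself, on success and before any output is sent:
//   session_regenerate_id(true);
//   $_SESSION['username'] = $user;
//   header('Location: index.php');
//   exit;
```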
Good move using POST instead of GET, esp for a login script. Stuff like that can potentially be picked up on the statistics software on your server, potentially allowing you to see passwords in plaintext.
Dentafrice
17-11-2008, 12:14 AM
Good move using POST instead of GET, esp for a login script. Stuff like that can potentially be picked up on the statistics software on your server, potentially allowing you to see passwords in plaintext.
I don't know any idiot who would use GET for something that processes sensitive data..
I don't know any idiot who would use GET for something that processes sensitive data..
Well, this script didn't specify a method up until the last revision. When there's no method, it results to GET...
Dentafrice
17-11-2008, 03:52 AM
You don't think I know that? I don't need to be told what it reverts to when no method is specified.
I'm just saying, it's clear this user doesn't know much about this, or how it all works in general.
You don't think I know that? I don't need to be told what it reverts to when no method is specified.
I'm just saying, it's clear this user doesn't know much about this, or how it all works in general.
Hence I commended him on adding POST, explaining the reasons why GET is bad for this sort of form.
Stop jumping down my throat.
Blinger1
17-11-2008, 04:47 AM
Stop jumping down my throat.
Dentafrice doesn't like people correcting him.. he can't handle it :'(
Dentafrice
17-11-2008, 12:26 PM
Hence I commended him on adding POST, explaining the reasons why GET is bad for this sort of form.
Stop jumping down my throat.
I'm not jumping down your throat, but I just think most people are smarter than that, I've never in my 4-5 years on this forum seen anyone use GET for a login submission. Ever.
Thanks for telling us all some common sense!
Dentafrice doesn't like people correcting him.. he can't handle it :'(
No one corrected me, are you stupid? If you'd read the posts you'd see no-one corrected me, I just saw a stupid post Beau posted, and criticized him for it.
Shows how much some of you pay attention :rolleyes:.
Blinger1
17-11-2008, 09:52 PM
Bit touchy aren't we? Are you on your period or something.
Dentafrice
17-11-2008, 09:52 PM
Bit touchy aren't we? Are you on your period or something.
Congratulations! Pat on the back for the well thought out and mature response :rolleyes:.
Source
17-11-2008, 10:00 PM
Wow... I forgot you're clearly a female, Caleb.
Dentafrice
17-11-2008, 10:01 PM
*Removed*
Edited by ,Jess, (Forum Super Moderator): Please do not post inappropriately.
Calon
18-11-2008, 12:11 AM
*Removed*
Wow, this is the sort of stuff that gets me good.
Dentafrice
18-11-2008, 12:45 AM
Wow, this is the sort of stuff that gets me good.
there's more inside for $9.95.. we can go private.. no nudity in the chatroom..
Calon
18-11-2008, 01:00 AM
there's more inside for $9.95.. we can go private.. no nudity in the chatroom..
http://www.google.co.uk/search?um=1&hl=en&client=firefox-a&rls=org.mozilla:en-GB:official&q=only%20%249.95&ie=UTF-8&sa=N&tab=iw
girls going crazy
Dentafrice
18-11-2008, 01:13 AM
save $10.. now only $9.95
Calon
18-11-2008, 01:20 AM
save $10.. now only $9.95
repeat after me:
very nice - how much?
Dentafrice
18-11-2008, 01:22 AM
VURYYY NICE HOW MUCH?!
Calon
18-11-2008, 01:41 AM
VURYYY NICE HOW MUCH?!
http://tbn0.google.com/images?q=tbn:vZ68BjLmmeSrmM:http://farm4.static.flickr.com/3088/2755886966_29bfe3862d.jpg
nine ninety-five: no grumpy, no b&w,
wazup999
18-11-2008, 04:08 AM
I still can't believe no admin is doing anything.
Close this thread up before the bad words start coming up xD
But really must you guys always fight? Aren't we all civilised? Sure some people might think they're funny but just ignore them and move on. Only real men can ignore and kids will fight back and just make it worse and dig a hole so deep you can't get back up and then what... Well you're stuck down there until you can start flying :D
Well, that was just some random way to say chill out and get back on subject for crying out loud. We know $_GET is bad if you want to send info because you see the info in plain text. God, no need to fight about it. Everyone goes down the error road.
Waz O.o RAWR! >:[
Dentafrice
18-11-2008, 12:26 PM
I still can't believe no admin is doing anything.
Close this thread up before the bad words start coming up xD
But really must you guys always fight? Aren't we all civilised? Sure some people might think they're funny but just ignore them and move on. Only real men can ignore and kids will fight back and just make it worse and dig a hole so deep you can't get back up and then what... Well you're stuck down there until you can start flying :D
Well, that was just some random way to say chill out and get back on subject for crying out loud. We know $_GET is bad if you want to send info because you see the info in plain text. God, no need to fight about it. Everyone goes down the error road.
Waz O.o RAWR! >:[
Exactly my point. Everyone knows that it is bad.. that's why there's no reason for him to pretend to be smart and post something telling us common sense.