View Full Version : [PHP] Help with usersystem



Trigs
17-02-2009, 12:18 AM
http://daniel.valvi.co.uk/thf/login.php

Source:


<?php
session_start();
require_once('config.php');

if($_SESSION['username']) {
die('You are already logged in.');
} else {

}

if(isset($username) || isset($password)){
die('You left a field blank. Please go <a href="login.php">back</a> and fix it.');
} else {

}
$username = clean($_POST['username']);
$password = clean(encrypt($_POST['password']));
$result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
$row = mysql_fetch_array($result);
$id = $row['id'];
$select_user = mysql_query("SELECT * FROM users WHERE id='$id'");
$row2 = mysql_fetch_array($select_user);
$user = $row2['username'];
$get_level = mysql_query("SELECT * FROM users WHERE username='$username' AND id='$id'");
$row5 = mysql_fetch_array($get_level);
$level = $id['level'];
$pass_check = mysql_query("SELECT * FROM users WHERE username='$username'");
$row3 = mysql_fetch_array($pass_check);
$select_pass = mysql_query("SELECT * FROM users WHERE username='$username'");
$row4 = mysql_fetch_array($select_pass);
$real_password = $row4['password'];
if($password != $real_password) {
die('Your username or password was incorrect. Please go <a href="login.php">back</a> and fix it.');
} else {

}
$_SESSION['username'] = $username;
$_SESSION['level'] = $level;
echo 'Welcome to TrueHabbo Faces, <b>'.$_SESSION['username'].'</b>. Click <a href="index.php">here</a> to go back to the main page.';
?>



What's wrong with it?

Pyroka
17-02-2009, 12:19 AM
Wouldn't it be better to ask what the problem is that you're suffering from? :S

Trigs
17-02-2009, 12:21 AM
Pretty much everything...
How would I validate a login? My code is useless.

Pyroka
17-02-2009, 12:27 AM
I... really have no idea, I'll be honest with you. This is something I did in a User system:


{

// MySQL_Real_Escape is a method of clearing the database input. Not completely safe...
$username = mysql_real_escape_string($_POST['username']);

// MD5 is an encryption method which protects Passwords from being found easily by hackers.
// It can be made more advanced, but the standard PHP encryption is good enough for general safety.
$password = md5(mysql_real_escape_string($_POST['password']));

// Checks the login data using a MYSQL query, selecting the database and then searching to see whether the password matches the Username.
$checklogin = mysql_query ("SELECT * FROM users WHERE Username = '".$username."' AND Password = '".$password."'");

// If statement. If the checklogin is correct and true, then the login is verified and it will submit the user through to their homepage.
if(mysql_num_rows($checklogin) == 1)
{
// Obtains users Email Address for future use.
$row = mysql_fetch_array($checklogin);
$email = $row['EmailAddress'];
$uid = $row['UserID'];
$lcount = $row['Logged'] +1;

//$sql = mysql_query("SELECT $uid FROM 'users'");
$update = mysql_query("UPDATE users SET Logged = '$lcount' WHERE UserID = '$uid'");

// $id = $_GET['UserID'];
// $sql = mysql_query("SELECT 'Logged' FROM 'users' WHERE 'UserID' =");
// $fetch = mysql_fetch_array($sql);

$_SESSION['Username'] = $username;
$_SESSION['EmailAddress'] = $email;
$_SESSION['LoggedIn'] = 1;
$_SESSION['Logged'] = $lcount;
$_SESSION['UserID'] = $uid;

// Greeting message on the page, stating successful login.
echo "<h1>Success!</h1>";
echo "<p>Logging into user system...</p>";
echo "<meta http-equiv='refresh' content='2;url=index.php' />";
}
else
{ // If the username or password is incorrect then this error comes up:
echo "<h1>Error</h1>";
echo "<p>Your account did not match its password. Please <a href='index.php'>click here to try again</a>.</p>";

}
}

That does work, so like... See what you can do lol.

Trigs
17-02-2009, 12:32 AM
That helps me a lot, thanks! I'll try it out and +rep.

Pyroka
17-02-2009, 12:37 AM
It does :P The form grabs the information and puts it into the variable $password, then it goes into the mysql_query (check_login) which searches for the username and then searches for the password. If the password doesn't match what's with that username then $check_login will omit a false (==0) and will miss out the chunk below, and go into an else die part.

It does work, I've tried it. :P

Trigs
17-02-2009, 12:41 AM
Gah it doesn't work. www.daniel.valvi.co.uk/thf/login.php (http://www.daniel.valvi.co.uk/thf/login.php)

It goes right through the code.

Source:


<?php
session_start();
require_once('config.php');

if($_SESSION['username']) {
die('You are already logged in.');
} else {

}

if(isset($username) || isset($password)){
die('You left a field blank. Please go <a href="login.php">back</a> and fix it.');
} else {

}
$username = clean($_POST['username']);
$password = clean(encrypt($_POST['password']));
$checklogin = mysql_query("SELECT * FROM users WHERE Username = '".$username."' AND Password = '".$password."'");
if(mysql_num_rows($checklogin) == 1) {
$row = mysql_fetch_array($checklogin);
$email = $row['email'];
$uid = $row['id'];
$_SESSION['username'] = $username;
$_SESSION['loggedin'] = 1;
echo 'Welcome to TrueHabbo Faces, <b>'.$_SESSION['username'].'</b>. Click <a href="index.php">here</a> to go back to the main page.';
} else {
echo 'Your password did not match the specified username.';
}
?>

Pyroka
17-02-2009, 12:43 AM
Make sure that uh, your forms are named right. Should be named Username & Password. Note that is with capitals, unless you want to change the code.

Trigs
17-02-2009, 12:47 AM
Yeah, it's named right.

Pyroka
17-02-2009, 12:49 AM
Username: <br />
<input type="text" name="username">
<br /><br />
Password: <br />
<input type="text" name="password">

You sure about that?

Trigs
17-02-2009, 12:51 AM
Yeah, I have

$username = clean($_POST['username']);
$password = clean(encrypt($_POST['password']));

Pyroka
17-02-2009, 12:53 AM
Oh yeah, sorry I'm getting mixed up between the MySQL tables and the forms... Oh dear.

I'd just wait till one of the PHP wizards comes on tbh, I can't see the problem. Best of luck to yee.

Blinger1
17-02-2009, 12:58 AM
Try this:


<?php
session_start();
require_once('config.php');

if($_SESSION['username']) {
die('You are already logged in.');
} else {
if($_POST['submit']){ // check if the form has been submitted
if(isset($username) || isset($password)){
die('You left a field blank. Please go <a href="login.php">back</a> and fix it.');
} else {

$username = clean($_POST['username']);
$password = clean(encrypt($_POST['password']));
$checklogin = mysql_query("SELECT * FROM users WHERE Username = '".$username."' AND Password = '".$password."'");

if(mysql_num_rows($checklogin) == 1) {
$row = mysql_fetch_array($checklogin);
$email = $row['email'];
$uid = $row['id'];
$_SESSION['username'] = $username;
$_SESSION['loggedin'] = 1;
echo 'Welcome to TrueHabbo Faces, <b>'.$_SESSION['username'].'</b>. Click <a href="index.php">here</a> to go back to the main page.';
} else {
echo 'Your password did not match the specified username.';
}
} else { // since it wasn't submitted yet, show the form.
echo ("<form action=\"login_check.php\" method=\"post\" enctype=\"text/plain\">
Username: <br>
<input name=\"username\" type=\"text\">
<br><br>
Password: <br>
<input name=\"password\" type=\"text\">
<br><br>
<input value=\"Login!\" name=\"submit\" type=\"submit\">
");
}
}
?>

Trigs
17-02-2009, 01:06 AM
Parse error: syntax error, unexpected T_ELSE in /home/danielv/public_html/thf/login_check.php on line 27

Blinger1
17-02-2009, 01:12 AM
<?php
session_start();
//require_once('config.php');

if($_SESSION['username']) {
die('You are already logged in.');
} else {
if($_POST['login']){ // check if the form has been submitted
if(isset($username) || isset($password)){
die('You left a field blank. Please go <a href="login.php">back</a> and fix it.');
} else {

$username = clean($_POST['username']);
$password = clean(encrypt($_POST['password']));
$checklogin = mysql_query("SELECT * FROM users WHERE Username = '".$username."' AND Password = '".$password."'");

if(mysql_num_rows($checklogin) == 1) {
$row = mysql_fetch_array($checklogin);
$email = $row['email'];
$uid = $row['id'];
$_SESSION['username'] = $username;
$_SESSION['loggedin'] = 1;
echo 'Welcome to TrueHabbo Faces, <b>'.$_SESSION['username'].'</b>. Click <a href="index.php">here</a> to go back to the main page.';
} else {
echo 'Your password did not match the specified username.';
}
}
} else { // since it wasn't submitted yet, show the form.
echo ("<form method=\"post\">
Username: <br>
<input name=\"username\" type=\"text\">
<br><br>
Password: <br>
<input name=\"password\" type=\"text\">
<br><br>
<input type=\"submit\" name=\"login\" value=\"Login\">
");
}
}
?>

try that..

Trigs
17-02-2009, 01:14 AM
Nothing happens. www.daniel.valvi.co.uk/thf/login_check.php

Blinger1
17-02-2009, 01:18 AM
I updated the above code..


<?php
session_start();
//require_once('config.php');

if($_SESSION['username']) {
die('You are already logged in.');
} else {
if($_POST['login']){ // check if the form has been submitted
if(isset($username) || isset($password)){
die('You left a field blank. Please go <a href="login.php">back</a> and fix it.');
} else {

$username = clean($_POST['username']);
$password = clean(encrypt($_POST['password']));
$checklogin = mysql_query("SELECT * FROM users WHERE Username = '".$username."' AND Password = '".$password."'");

if(mysql_num_rows($checklogin) == 1) {
$row = mysql_fetch_array($checklogin);
$email = $row['email'];
$uid = $row['id'];
$_SESSION['username'] = $username;
$_SESSION['loggedin'] = 1;
echo 'Welcome to TrueHabbo Faces, <b>'.$_SESSION['username'].'</b>. Click <a href="index.php">here</a> to go back to the main page.';
} else {
echo 'Your password did not match the specified username.';
}
}
} else { // since it wasn't submitted yet, show the form.
echo ("<form method=\"post\">
Username: <br>
<input name=\"username\" type=\"text\">
<br><br>
Password: <br>
<input name=\"password\" type=\"text\">
<br><br>
<input type=\"submit\" name=\"login\" value=\"Login\">
");
}
}
?>

Trigs
17-02-2009, 01:20 AM
Works so far. Now I'll add some login info to the database and see if it lets me in. Also what's up with:

Warning: Unknown: Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in Unknown on line 0

Edit: it sets the session even though the login info was wrong

Blinger1
17-02-2009, 01:23 AM
where does that come up :S?

Trigs
17-02-2009, 01:26 AM
Okay thanks! Everything works except the session problem.

www.daniel.valvi.co.uk/thf/login_check.php (http://www.daniel.valvi.co.uk/thf/login_check.php)

Login with whatever you want. It will say that the info is wrong. Then reload the page. It will say you're already logged in. For some reason it still sets the $_SESSION['username'] variable.

Blinger1
17-02-2009, 01:30 AM
Hmm.. not sure why, check this?


<?php
session_start();
//require_once('config.php');

if($_SESSION['username']) {
die('You are already logged in.');
} else {
if($_POST['login']){ // check if the form has been submitted

$username = clean($_POST['username']);
$password = clean(encrypt($_POST['password']));

if(isset($username) || isset($password)){
die('You left a field blank. Please go <a href="login.php">back</a> and fix it.');
} else {


$checklogin = mysql_query("SELECT * FROM users WHERE Username = '{$username}' AND Password = '{$password}'");
$num_rows = mysql_num_rows($query);

// Check if the login was successful. (1 = successful)
if($num_rows == 1) {

$row = mysql_fetch_array($checklogin);
$email = $row['email'];
$uid = $row['id'];
$_SESSION['username'] = $username;
$_SESSION['loggedin'] = 1;
echo 'Welcome to TrueHabbo Faces, <b>'.$_SESSION['username'].'</b>. Click <a href="index.php">here</a> to go back to the main page.';
} else {
echo 'Your password did not match the specified username.';
}
}
} else { // since it wasn't submitted yet, show the form.
echo ("<form method=\"post\">
Username: <br>
<input name=\"username\" type=\"text\">
<br><br>
Password: <br>
<input name=\"password\" type=\"text\">
<br><br>
<input type=\"submit\" name=\"login\" value=\"Login\">
");
}
}
?>

I just realised, you aren't checking if anything is set.. You check if username is empty but you haven't processed it.. (make sense??)
I updated the code to fix it I think.

Dentafrice
17-02-2009, 01:37 AM
Try this, I rewrote it for you:



<?php
session_start();
require_once ('config.php');

if ($_SESSION['user_id']) {
// user is already logged in //
header("Location: main.php"); // redirects to your "logged in page".
exit();
}

if ($_GET["action"] == "login") {

$username = clean($_POST['username']);
$password = clean($_POST['password']);

if ($username == "" || $password == "") {
// user left username or password blank.
header("Location: login.php?error=blank"); // redirect back to the login page.
exit();
}

$password = md5($password);

$check_username_q = mysql_query("SELECT * FROM `users` WHERE `username`='$username' LIMIT 0,1");
$check_username = mysql_num_rows($check_username_q);

if (!$check_username) {
// username was invalid.
header("Location: login.php?error=username"); // back to the login page.
exit();
}

$check_password = mysql_query("SELECT * FROM `users` WHERE `username`='$username' AND `password`='$password' LIMIT 0,1");
$check_password = mysql_num_rows($check_password);

if (!$check_password) {
// password was invalid.
header("Location: login.php?error=password"); // back to login page.
exit();
}

$get_details = mysql_fetch_array($check_username_q);

$_SESSION['user_id'] = $get_details["id"]; // sets ID for user_id.
header("Location: main.php"); // redirects to main page.

}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">

<title>Login</title>
</head>

<body>

<?php
$error = $_GET["error"];

if ($error != "") {
echo "<fieldset>";
echo "<legend>ERROR!</legend>";
switch ($error) {
case "blank":
echo "<strong>You have left a required field blank.</strong>";
break;

case "username":
echo "<strong>The username you provided was incorrect.</strong>";
break;

case "password":
echo "<strong>The password you have entered was incorrect.</strong>";
break;

default:
echo "<strong>CANNOT HANDLE ERROR</strong>";
break;
}
echo "</fieldset>";
}
?>

<form method="post" action="?action=login" name="login_form">

<fieldset>
<legend>Login</legend>

<table>
<tr>
<td><label for="username"><strong>Username:</strong></label></td>
<td><input type="text" name="username" /></td>
</tr>

<tr>
<td><label for="password"><strong>Password:</strong></label></td>
<td><input type="password" name="password" /></td>
</tr>

<tr>
<td>&nbsp;</td>
<td><input type="submit" value="Login" /></td>
</tr>
</table>
</fieldset>

</form>

</body>
</html>

Trigs
17-02-2009, 04:29 AM
I used die() so wouldn't that be a form of processing? Thanks Dentafrice, I'll try it out.

Agnostic Bear
17-02-2009, 04:45 AM
Your codes are all far too complex.



<?php
if( empty( $_POST[ 'username' ] ) === true or empty( $_POST[ 'password' ] ) === true ) {
redirect( '/index.php?error=missingfields' );
exit();
}

$username = strtolower( $text->cleanSql( $_POST[ 'username' ] ) );
$password = $text->cleanSql( $_POST[ 'password' ] );

$query = $db->runQuery( 'SELECT `id`, `username`, `password`, `hash` FROM `users` WHERE LOWER( `username` ) = \'' . $username . '\'' );

if( $db->countRows( $query ) !== 1 ) {
$err->addError( 'Sorry, your username or password was incorrect.' );
redirect( '/index.php?error=badlogin' );
exit();
}

$fetch = $db->fetchAssoc( $query );

if( $text->hashPass( $password, $fetch[ 'hash' ] ) !== $fetch[ 'password' ] ) {
$err->addError( 'Sorry, your username or password was incorrect.' );
redirect( '/index.php?act=badlogin' );
exit();
}

# We have a valid user & password, lets go and give them their cookies and send them on their way.
setcookie( 'authId', $fetch[ 'id' ], time() + 604800, '/' );
setcookie( 'authPass', $text->hashPass( $fetch[ 'password' ], $fetch[ 'hash' ] ), time() + 604800, '/' );
?>
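
The fetch-the-row-then-verify flow from the post above, as an added example that is not code from any poster in this thread: it swaps the mysql_* functions (removed in PHP 7) for PDO prepared statements and MD5 for password_hash()/password_verify(). The in-memory SQLite table, the demo credentials and the verify_login() helper name are assumptions made for the example.

```php
<?php
declare(strict_types=1);
session_start();   // must run before any output

// Constructed demo data: in-memory SQLite stands in for the thread's MySQL `users` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['demo_user', password_hash('correct horse', PASSWORD_DEFAULT)]);

// verify_login() is a hypothetical helper name. Returns the user id, or null on any failure.
function verify_login(PDO $db, string $username, string $password): ?int
{
    // Blank-field check runs on the submitted values, after they have been read.
    if (trim($username) === '' || $password === '') {
        return null;
    }
    // Bound parameter: the username is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still verify against a dummy hash so both paths do similar work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $hash = $row ? $row['password_hash'] : $dummy;

    return (password_verify($password, $hash) && $row) ? (int) $row['id'] : null;
}

// Constructed inputs standing in for $_POST['username'] and $_POST['password'].
$attempts = [['demo_user', 'wrong'], ['', 'x'], ["o'neil", 'x'], ['demo_user', 'correct horse']];
$log = [];
foreach ($attempts as [$user, $pass]) {
    $userId = verify_login($db, $user, $pass);
    if ($userId === null) {
        // One message for every failure; nothing is written to the session.
        $log[] = 'Your username or password was incorrect.';
        continue;
    }
    session_regenerate_id(true);     // fresh session id once the user is authenticated
    $_SESSION['user_id'] = $userId;  // set only on the success path
    $log[] = "Logged in, user_id={$userId}";
}
echo implode("\n", $log), "\n";
```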

Trigs
17-02-2009, 05:15 AM
there's a redirect function? php.net has nothing on it

Blinger1
17-02-2009, 05:19 AM
it's called header(location:)

Trigs
17-02-2009, 05:41 AM
Dentafrice, your code returns "you left a field blank" all the time. I cannot seem to find a way to check for a blank field that actually works..

actually, your code doesn't work at all. the username check does nothing and it's always the wrong password

blinger your code doesn't work either

Blinger1
17-02-2009, 05:49 AM
here, go to techtuts.com forum and then look at the usersystem there

Trigs
17-02-2009, 05:54 AM
already did plus it's unsecure, unorganized, and crappy. plus i'm pretty sure jewish bear defaced it a while ago

Trigs
17-02-2009, 09:39 PM
bump...

Edit by Robbie! (Forum Moderator) - Please do not double post without adding extra information
