Hello, I tried everything but I could not find the fault. It works perfectly, but if I submit a wrong user name and pass I do not get the warning: "Incorrect username or password." I only get a blank page.

```php
if ($_POST['login'])
{
    //get the data
    $username = $_POST['username'];
    $password = $_POST['password'];
    $rememberme = $_POST['rememberme'];

    if ($username && $password)
    {
        $login = mysql_query("SELECT * FROM users WHERE username='$username' ");
        while ($row = mysql_fetch_assoc($login))
        {
            $db_password = $row['password'];
            if (md5($password) == $db_password)
                $loginok = TRUE;
            else
                $loginok = FALSE;

            if ($loginok == TRUE)
            {
                if ($rememberme == "on")
                    setcookie("username", $username, time()+7200);
                else if ($rememberme == "")
                    $_SESSION['username'] = $username;

                header("Location: userarea.php");
                exit();
            }
            else
                die("Incorrect username or password.");
            exit();
        }
    }
    else
        die("Enter username and password");
    exit();
}
```
Try the following:

```php
<?php
error_reporting(E_ALL);

if ($_POST['login']) {
    //get the data
    $username = mysql_real_escape_string($_POST['username']);
    $password = $_POST['password'];
    $rememberme = $_POST['rememberme'];

    if ($username && $password) {
        $login = mysql_query("SELECT * FROM users WHERE username='{$username}'");
        while ($row = mysql_fetch_assoc($login)) {
            $db_password = $row['password'];
            if (md5($password) == $db_password && mysql_num_rows($login) > 0) {
                $loginok = true;
            } else {
                $loginok = false;
            }

            if ($loginok == true) {
                if ($rememberme == "on") {
                    setcookie("username", $username, time() + 7200);
                } elseif ($rememberme == "") {
                    $_SESSION['username'] = $username;
                    header("Location: userarea.php");
                }
            } else {
                die("Incorrect username or password.");
            }
        }
    } else {
        die("Enter username and password");
    }
}
?>
```

You don't need all those excess exit()'s as you have already killed execution using die(). Also remember to sanitize (mysql_real_escape_string()) user-submitted data before using it within SQL queries. Also, you are validating/verifying the password but not the username.
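As an added example (not part of the thread and not any poster's code): the same lookup done with a bound parameter and PHP's password_hash()/password_verify(), returning one result for both an unknown username and a wrong password, so the "Incorrect username or password." branch is reached even when no row matches. It assumes PDO with the SQLite driver; the function name, table schema and accounts are constructed for illustration.

```php
<?php
// Added example: authenticate(), the users schema and the accounts are constructed.
function authenticate(PDO $db, string $username, string $password): bool
{
    static $dummy = null;
    // Hash to verify against when the user does not exist, so both failure
    // paths do the same amount of work.
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

    // The placeholder sends the username as data, never as part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();          // false when no row matches

    if ($hash === false) {
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $hash);
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed attempts: valid login, wrong password, unknown user, and an
// unregistered name containing a quote character.
$attempts = [['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'x'], ["o'neil", 'x']];
foreach ($attempts as [$user, $pass]) {
    $msg = authenticate($db, $user, $pass) ? 'login ok' : 'Incorrect username or password.';
    echo str_pad($user, 8), $msg, "\n";
}
```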
Thank you for your help. I still do not get the "Incorrect username or password." warning. This time I get the login form. This is the full code:

```php
<?php
include 'functions.php';

if (loggedin()) {
    header ("Location: userarea.php");
    exit();
}

if ($_POST['login']) {
    //get the data
    $username = mysql_real_escape_string($_POST['username']);
    $password = $_POST['password'];
    $rememberme = $_POST['rememberme'];

    if ($username && $password) {
        $login = mysql_query("SELECT * FROM users WHERE username='{$username}'");
        while ($row = mysql_fetch_assoc($login)) {
            $db_password = $row['password'];
            if (md5($password) == $db_password && mysql_num_rows($login) > 0) {
                $loginok = true;
            } else {
                $loginok = false;
            }

            if ($loginok == true) {
                if ($rememberme == "on") {
                    setcookie("username", $username, time() + 7200);
                } elseif ($rememberme == "") {
                    $_SESSION['username'] = $username;
                    header("Location: userarea.php");
                }
            } else {
                die("Incorrect username or password.");
            }
        }
    } else {
        die("Enter username and password");
    }
}
?>

<form action="login.php" method="POST">
    Username: <br />
    <input type="text" name="username">
    <p />
    Password: <br />
    <input type="password" name="password">
    <p />
    <input type="checkbox" name="rememberme"> Remember me <br />
    <input type="submit" name="login" value="Log in">
</form>
```
I'd probably do it like this... (Do you have session_start() in your functions.php? I hope so...)

```php
<?php
include 'functions.php';

if (loggedin()) {
    header ("Location: userarea.php");
    exit();
}

if ($_POST['login']) {
    //get the data
    $username = mysql_real_escape_string($_POST['username']);
    $password = $_POST['password'];
    $rememberme = $_POST['rememberme'];

    if ($username && $password) {
        $login = mysql_query("SELECT * FROM users WHERE username='{$username}' AND password='".md5($password)."'");
        if ( mysql_num_rows($login) > 0 ) {
            $loginok = true;
        } else {
            $loginok = false;
        }

        if ($loginok === true) {
            if ($rememberme == "on") {
                setcookie("username", $username, time() + 7200);
                $_SESSION['username'] = $username;
                header("Location: userarea.php");
            } elseif ($rememberme == "") {
                $_SESSION['username'] = $username;
                header("Location: userarea.php");
            }
        } else {
            die("Incorrect username or password.");
        }
    } else {
        die("Enter username and password");
    }
}
?>

<form action="login.php" method="POST">
    Username: <br />
    <input type="text" name="username">
    <p />
    Password: <br />
    <input type="password" name="password">
    <p />
    <input type="checkbox" name="rememberme"> Remember me <br />
    <input type="submit" name="login" value="Log in">
</form>
```

Untested, but it's another way of looking at it...
I get this error: Parse error: syntax error, unexpected '}' in C:\AppServ\www\test\login.php on line 41
```php
<?php
include 'functions.php';

if (loggedin()) {
    header ("Location: userarea.php");
}

if ($_POST['login']) {
    //get the data
    $username = mysql_real_escape_string($_POST['username']);
    $password = $_POST['password'];
    $rememberme = $_POST['rememberme'];

    if ($username && $password) {
        $login = mysql_query("SELECT * FROM users WHERE username='{$username}' AND password='".md5($password)."'");
        if (mysql_num_rows($login) > 0 ) {
            $loginok = true;
        } else {
            $loginok = false;
        }

        if ($loginok == true) {
            if ($rememberme == "on") {
                setcookie("username", $username, time() + 7200);
                $_SESSION['username'] = $username;
                header("Location: userarea.php");
            } elseif ($rememberme == "") {
                $_SESSION['username'] = $username;
                header("Location: userarea.php");
            }
        } else {
            die("Incorrect username or password.");
        }
    } else {
        die("Enter username and password");
    }
}
?>

<form action="login.php" method="POST">
    Username: <br />
    <input type="text" name="username">
    <p />
    Password: <br />
    <input type="password" name="password">
    <p />
    <input type="checkbox" name="rememberme"> Remember me <br />
    <input type="submit" name="login" value="Log in">
</form>
```
danx10, I don't think you removed the right }. I updated my code above and will paste it here, I think I removed the right }.

```php
<?php
include 'functions.php';

if (loggedin()) {
    header ("Location: userarea.php");
    exit();
}

if ($_POST['login']) {
    //get the data
    $username = mysql_real_escape_string($_POST['username']);
    $password = $_POST['password'];
    $rememberme = $_POST['rememberme'];

    if ($username && $password) {
        $login = mysql_query("SELECT * FROM users WHERE username='{$username}' AND password='".md5($password)."'");
        if ( mysql_num_rows($login) > 0 ) {
            $loginok = true;
        } else {
            $loginok = false;
        }

        if ($loginok === true) {
            if ($rememberme == "on") {
                setcookie("username", $username, time() + 7200);
                $_SESSION['username'] = $username;
                header("Location: userarea.php");
            } elseif ($rememberme == "") {
                $_SESSION['username'] = $username;
                header("Location: userarea.php");
            }
        } else {
            die("Incorrect username or password.");
        }
    } else {
        die("Enter username and password");
    }
}
?>

<form action="login.php" method="POST">
    Username: <br />
    <input type="text" name="username">
    <p />
    Password: <br />
    <input type="password" name="password">
    <p />
    <input type="checkbox" name="rememberme"> Remember me <br />
    <input type="submit" name="login" value="Log in">
</form>
```
Thank you, all of you, very very much. This worked:

```php
<?php
include 'functions.php';

if (loggedin()) {
    header ("Location: userarea.php");
    exit();
}

if ($_POST['login']) {
    //get the data
    $username = mysql_real_escape_string($_POST['username']);
    $password = $_POST['password'];
    $rememberme = $_POST['rememberme'];

    if ($username && $password) {
        $login = mysql_query("SELECT * FROM users WHERE username='{$username}' AND password='".md5($password)."'");
        if ( mysql_num_rows($login) > 0 ) {
            $loginok = true;
        } else {
            $loginok = false;
        }

        if ($loginok == true) {
            if ($rememberme == "on") {
                setcookie("username", $username, time() + 7200);
                $_SESSION['username'] = $username;
                header("Location: userarea.php");
            } elseif ($rememberme == "") {
                $_SESSION['username'] = $username;
                header("Location: userarea.php");
            }
        } else {
            die("Incorrect username or password.");
        }
    } else {
        die("Enter username and password");
    }
}
?>

<form action="login.php" method="POST">
    Username: <br />
    <input type="text" name="username">
    <p />
    Password: <br />
    <input type="password" name="password">
    <p />
    <input type="checkbox" name="rememberme"> Remember me <br />
    <input type="submit" name="login" value="Log in">
</form>
```
Sorry, 1 more question. Did you write this by mistake?

```php
if ($loginok === true) {
```

Is it supposed to be?

```php
if ($loginok == true) {
```
Yes, it's supposed to be either:

```php
if ($loginok == true) {
```

or

```php
if ($loginok) {
```

But this would work also:

```php
if ($loginok === true) {
```

Look at: http://php.net/manual/en/language.operators.comparison.php
Three equals signs make sure it's the correct datatype and the same string, but I suppose it's unnecessary in this situation. Doesn't matter too much if you change it or not, it will work fine either way.
Hi again. Can you please check these 4 pages and tell me if there is anything wrong and if they are secure enough to use?

login.php

```php
<?php
include 'functions.php';

if (loggedin()) {
    header ("Location: userarea.php");
    exit();
}

if ($_POST['login']) {
    //get the data
    $username = mysql_real_escape_string($_POST['username']);
    $password = $_POST['password'];
    $rememberme = $_POST['rememberme'];

    if ($username && $password) {
        $login = mysql_query("SELECT * FROM users WHERE username='{$username}' AND password='".md5($password)."'");
        if ( mysql_num_rows($login) > 0 ) {
            $loginok = true;
        } else {
            $loginok = false;
        }

        if ($loginok === true) {
            if ($rememberme == "on") {
                setcookie("username", $username, time() + 7200);
                $_SESSION['username'] = $username;
                header("Location: userarea.php");
            } elseif ($rememberme == "") {
                $_SESSION['username'] = $username;
                header("Location: userarea.php");
            }
        } else {
            die("Incorrect username or password.");
        }
    } else {
        die("Enter username and password");
    }
}
?>

<form action="login.php" method="POST">
    Username: <br />
    <input type="text" name="username">
    <p />
    Password: <br />
    <input type="password" name="password">
    <p />
    <input type="checkbox" name="rememberme"> Remember me <br />
    <input type="submit" name="login" value="Log in">
</form>
```

logout.php

```php
<?php
session_start();

// destroy
session_destroy();

// unset cookies
setcookie("username", "", time()-7200);

header ("Location: login.php");
?>
```

functions.php

```php
<?php
// session
session_start();

// connect to database
mysql_connect("localhost", "x", "x") or die ();
mysql_select_db("x") or die();

// login check
function loggedin()
{
    if (isset($_SESSION['username'])||isset($_COOKIE['username'])) {
        $loggedin = TRUE;
        return $loggedin;
    }
}
?>
```

userarea.php

```php
<?php
include 'functions.php';

if (!loggedin()) {
    header ("Location: login.php");
    exit();
}
?>
you are logged in<p />
<a href="logout.php">Log out</a>
```
Well, it's secure as it is, but you could always tie the session to an IP and have the session expire if it hasn't been used in like, 30 minutes, forcing them to re-login. You might also want to put another session variable in there when the user logs in, like

```php
$_SESSION['user_loggedin'] = true;
```

and in your loggedin() function, have it make sure that variable exists and is true. Then you have the other session variable for storing the username, and it can be blank if you wanted to display a guest username, for example, for users who are not logged in. This may be unnecessary in your setup though.
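The session checks suggested in the last reply, as an added example that is not part of the thread: loggedin() requires the `user_loggedin` flag, the same IP and activity within 30 minutes, and it does not consult `$_COOKIE['username']`, because the browser supplies that value and the server never verifies it. The `mark_logged_in()` helper, the `ip` and `last_seen` keys and the sample values are assumptions; the functions take the session array as a parameter so the walk-through runs without a web server.

```php
<?php
// Added example. mark_logged_in(), the 'ip' and 'last_seen' keys and the sample
// values are assumptions; 'user_loggedin' and 'username' are the keys used above.
const IDLE_LIMIT = 1800; // 30 minutes

function mark_logged_in(array &$session, string $username, string $ip, int $now): void
{
    // In a real request, call session_regenerate_id(true) just before this.
    $session['user_loggedin'] = true;
    $session['username']      = $username;
    $session['ip']            = $ip;
    $session['last_seen']     = $now;
}

function loggedin(array &$session, string $ip, int $now): bool
{
    $ok = ($session['user_loggedin'] ?? false) === true
        && ($session['ip'] ?? null) === $ip
        && $now - ($session['last_seen'] ?? 0) <= IDLE_LIMIT;

    if (!$ok) {
        $session = [];              // expired or mismatched: force a new login
        return false;
    }
    $session['last_seen'] = $now;   // activity extends the session
    return true;
}

// Constructed walk-through. In login.php pass $_SESSION,
// $_SERVER['REMOTE_ADDR'] and time() instead of these sample values.
$s  = [];
$t0 = 1700000000;
$steps = [];
$steps['before login']      = loggedin($s, '192.0.2.10', $t0);
mark_logged_in($s, 'alice', '192.0.2.10', $t0);
$steps['active, same IP']   = loggedin($s, '192.0.2.10', $t0 + 600);
$steps['idle over 30 min']  = loggedin($s, '192.0.2.10', $t0 + 600 + IDLE_LIMIT + 1);
mark_logged_in($s, 'alice', '192.0.2.10', $t0 + 3000);
$steps['different IP']      = loggedin($s, '198.51.100.7', $t0 + 3060);

foreach ($steps as $label => $result) {
    echo str_pad($label, 18), $result ? 'logged in' : 'login required', "\n";
}
```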