I am making a PHP login admin. I've followed two tutorials on Youtube, and all the comments say that this works. But it doesn't work for me.
If I enter a wrong password, then I get "wrong username and password" as expected. But if I enter the correct password, I also get "wrong username and password". The connection to the database seems to be OK.
index.htm (main login):
<form method="POST" action="checklogin.php" name="form1">
<label for="username" class="label">Username:</label><input class="inputstyle2w" type="text" name="username">
<br>
<label for="password" class="label">Password:</label><input class="inputstyle22" type="password" name="password">
<input type="submit" value="Login" name="submit">
</form>
This is the checklogin.php:
<?
$host = "cpanel1";
$username = "trekking_test";
$password = "testtest";
$db_name = "trekking_test";
$tbl_name = "members";
mysql_connect($host, $username, $password) or die (mysql_error());
mysql_select_db($db_name) or die (mysql_error_db());
$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];
$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='mypassword'";
$result = mysql_query($sql);
$count = mysql_num_rows($result);
if($count==1) {
session_register("myusername");
session_register("mypassword");
header("location:control.php");
}
else {
echo "Wrong Username or Password";
}
?>
And finally the adminpage (control.php):
<?
session_s开发者_JS百科tart();
if(!session_is_registered(myusername)) {
header("location:index.htm");
}
?>
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE-edge; chrome=1">
<meta name="description" content="Tower 2.0 vefumsjónarkerfi">
<meta name="author" content="Nicejob">
<link rel="stylesheet" type="text/css" href="css/adminstyle.css">
<title>Tower 2.0 - you update your website by yourself!</title>
</head>
<body>
blah blah - you are not suppost to see this unless you are logged in
</body>
</html>
Shouldn't your inputs be named 'myusername' and 'mypassword'? That's what you're looking for with your $_POST['myusername'];...
I would bet if you echo $myusername and $mypassword just after you set them in the PHP you'll find they're empty, because you're not posting 'myusername', just 'username'.
You forgot the "$" before "mypassword" in your SQL query.
And your HTML form input fields are called "username" and "password", but you are looking for "myusername" and "mypassword" in the $_POST array.
Also read up on SQL injection. Your code is vulnerable.
Okay this is fine:
$host = "cpanel1";
$username = "trekking_test";
$password = "testtest";
$db_name = "trekking_test";
You don't need this, it's going to make your SQL confusing to read
$tbl_name = "members";
That's fine.
mysql_connect($host, $username, $password) or die (mysql_error());
mysql_select_db($db_name) or die (mysql_error_db());
No no bad. Always escape user input data EDIT and your form names don't match:
$myusername = $_POST['username'];
$mypassword = $_POST['password'];
This should be:
$myusername = mysql_real_escape_string($_POST['username']);
$mypassword = mysql_real_escape_string($_POST['password']);
You don't need all the columns since you're just checking the count, and mypassword is not in the correct format
$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='mypassword'";
Should be:
$sql = "SELECT `username` FROM `members` WHERE `username`='$myusername' and `password`='$mypassword'";
You're assuming the query succeeded. You should always handle the case that it doesn't:
$result = mysql_query($sql);
if(!$result) {
// Let the user know something went wrong
}
session_register is going to confuse people unfamiliar with the traditional $_SESSION['name'] = 'value' syntax, use the more traditional form instead. You just want to know they logged in, and session_start() hasn't been called:
if($count==1) {
session_start();
$_SESSION['logged_in'] = true;
// The correct format is "Location: control.php"
header("Location: control.php");
exit; //Always exit after sending Location headers
}
else {
echo "Wrong Username or Password";
}
Then on your page:
session_start();
if(!isset($_SESSION['logged_in'])) {
// Once again, Location:
header("Location: index.htm");
exit; // exit after redirect
}
This is not an answer to your question. This is why YouTube tutorials are not the perfect learning medium.
- You need to sanitize your input to prevent SQL Injection. Check out the link Pekka posted in the comments for good info on what you're guarding against. The function you'll want for MySQL is
mysql_real_escape_string, but remember you can't call that until you have connected to the database, so keep that in mind. Passwords should never be stored as plain text. The best thing to do is to use a one-way hashing algorithm. This has two of its own caveats, of course:
a. Make sure you choose an appropriate algorithm.
MD5andSHA1are not appropriate. Some methods to look up areEksblowfish(also known asbcrypt, not to be confused withblowfish, a 2-way encryption block cipher),Tiger,SHA-256,SHA-512andWhirlpoolb. You may think this is going overboard for your purposes, but the more you practice best practices the more natural they will become for you, and the better programmer you will be. You should use a rotating salt called a nonce to make the passwords more secure. A salt is a string added to a password before it is encrypted or hashed, so that
pass_hash_actual = hash_function(salt + password).- Shameless Blog Plug: This article will tell you about specific implementation in PHP for bcrypt, but I'm primarily linking it for the articles to which it links, which will give you a great overview of how and why to use a nonce with your passwords.
I was going to write up an implementation guide here, but onteria_'s guide gives you everything you need in that department, so make sure you read it thoroughly. Happy coding!
Well for one thing session_is_registered is depreciated
Do this instead:
if(!isset($_SESSION['myusername'])){...}
also add somwhere to output mysql errors, like:
$result = mysql_query($sql) or die(mysql_error());
Do you have multiple rows in the table that match the query? Since you are using:
if($count==1) {
you will get the failure message if two or more matches are found.
if($count>0) {
The query will return a result set with a single row if the login details are correct and zero rows if the login details are incorrect. Use mysql_num_rows to find out the number of rows in the result set and hence determine whether the login details were correct or not.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论