I am trying to make a PHP login script, and right now I am trying to make it so that if someone enters the wrong login info it will echo "Wrong username or password please try again"

But no matter what, it doesn't print anything on the screen if I put wrong login info on there, but it will log in successfully if I enter the right login info. Here is the script:

<?php
session_start();

$host = "*********";

$user = "*********";

$password = "**********";

$db = "*******";

$con = mysql_connect($host, $user, $password) or die(mysql_error());

mysql_select_db($db, $con) or die(mysql_error());

$username = $_REQUEST['username'];
$password = $_REQUEST['password'];

$checksql = "SELECT username, password FROM members WHERE username='" . $username . "' and password='" . $password . "'"; 
$result = mysql_query($checksql) or die(mysql_error());
$count = mysql_num_rows($result) or die(mysql_error());
if ($count == 0) {
	echo "Sorry wrong username or password";
} else {
	$username = stripslashes($username);
	$password = stripslashes($password);
	$username = mysql_real_escape_string($username);
	$password = mysql_real_escape_string($password);
	$sql = "SELECT username, password FROM members WHERE username='" . $username . "' and password='" . $password . "'";
	$r = mysql_query($sql, $con);

	if (!$r) {
		die('Invalid query: ' . mysql_error());

	}

	if ($obj = @mysql_fetch_object($r)) {
		$_SESSION["valid_user"] = $_POST["username"];
		$_SESSION["valid_time"] = time();

		header("Location: members.php");
	}
}
?>

All 4 Replies

Why do you have 2 queries that do the same thing?

Do a simple debugging. Check if your query is OK. Insert this code after line 19:

die($checksql);

and enter the displayed query in phpMyAdmin (or other client). It should return 0 records or 1 record.

Or check what is the count that the query returns. Insert this code after line 21:

die($count);

It should display 0 or 1.

This is from phpeasystep.com

<?php
$host="localhost"; // Host name 
$username=""; // Mysql username 
$password=""; // Mysql password 
$db_name="test"; // Database name 
$tbl_name="members"; // Table name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword"); 
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

You have to first check if $_POST['myusername'] and $_POST['mypassword'] exist at all before using them. This means the whole block of code goes within if() and 'else' gets executed when there was no username or password supplied. Stripslashes is useful only if magic_quotes_gpc is enabled (you might want to check for that). The session_register() function is also deprecated so try to avoid it. I have prepared a slightly modified code that works OK. It is just a concept, you have to adapt it to your case. And observe some formatting rules since it is easier to debug.

if(isset($_POST['myusername']) and isset($_POST['mypassword'])) {

    $host="localhost";      // Host name
    $username="DBUserHere";   // Mysql username
    $password="realPasswordHere"; // Mysql password
    $db_name="test";        // Database name
    $tbl_name="test";       // Table name

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password") or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");

    // username and password sent from form
    // (escaped after connecting: mysql_real_escape_string() needs an open connection)
    $myusername = mysql_real_escape_string(trim($_POST['myusername']));
    $mypassword = mysql_real_escape_string(trim($_POST['mypassword']));

    $sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
    $result = mysql_query($sql);

    // Mysql_num_row is counting table row
    $count = mysql_num_rows($result);

    // If result matched $myusername and $mypassword, table row must be 1 row
    if($count == 1) {

        // NOTE: session_register() function IS DEPRECATED, AVOID IT
        // Register $myusername, $mypassword and redirect to file "login_success.php"
        // session_register("myusername");
        // session_register("mypassword");

        // register $myusername, $mypassword in recommended fashion
        $_SESSION['myusername'] = $myusername;
        $_SESSION['mypassword'] = $mypassword;

        header("location:login_success.php");
    
    } else {

        echo "Wrong Username or Password";
        
        // redirect to login page
        header("location:login.php");
    }

} else {

    // if username and password are not in $_POST do something else
    echo 'No username or password supplied!';

    // redirect to login page
    header("location:login.php");
}
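
An added example, not code from any post in this thread: the same login check written with PDO prepared statements and password_hash()/password_verify(), with the zero-row case handled as an ordinary result instead of an error. The in-memory SQLite database, the `check_login` helper, the `password_hash` column and the sample user are assumptions made so the script runs stand-alone; for MySQL, change the PDO DSN and credentials.

```php
<?php
declare(strict_types=1);
// Added example. Table layout and sample rows are constructed for the demo.

function check_login(PDO $pdo, string $username, string $password): bool
{
    // Placeholder binding keeps user input out of the SQL text entirely,
    // so no stripslashes()/escaping step is needed.
    $stmt = $pdo->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // No matching row is a normal outcome, not a database error: fetchColumn()
    // returns false and we report "wrong credentials". (Chaining
    // `or die(mysql_error())` onto a row count of 0 ends the script with an
    // empty message, which is why the page in the question stays blank.)
    if ($hash === false) {
        return false;
    }
    // Compare against a stored hash, never a plaintext password column.
    return password_verify($password, $hash);
}

// --- Constructed demo data: in-memory SQLite so the script runs offline ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO members VALUES (?, ?)');
$ins->execute(["o'neil", password_hash('correct horse', PASSWORD_DEFAULT)]);

// In a real login.php these would come from $_POST after an isset() check.
$attempts = [
    ["o'neil", 'correct horse'],   // valid; the quote in the name is just data
    ["o'neil", 'wrong'],           // known user, bad password
    ['nobody', 'correct horse'],   // unknown user, zero rows
];
foreach ($attempts as [$u, $p]) {
    if (check_login($pdo, $u, $p)) {
        // On success in a web request: session_start(); session_regenerate_id(true);
        // $_SESSION['valid_user'] = $u; header('Location: members.php'); exit;
        echo "$u: login ok\n";
    } else {
        echo "$u: Wrong username or password, please try again\n";
    }
}
```

Only the first attempt prints "login ok"; the other two print the same generic failure message, so the response does not reveal whether the username exists.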