Hey guys, I've got a right headache from this piece of code at the moment, it's a simple login script and it just isn't working, the MySQL query looks correct to me and all the other stuff looks ok, but then again I'm no PHP expert.

Could someone look at it for me please?

<?php
include ('./includes/header.php');
// Check if the form has been submitted.
if (isset($_POST['submitted'])) {
    require_once('../sqlconnect/connect.php');

    $errors = array(); // Initialize error array.
    // Check for an email address.
    if (empty($_POST['email'])) {
        $errors[] = 'You forgot to enter your email address.';
    } else {
        $em = trim($_POST['email']);
    }
    // Check for a password.
    if (empty($_POST['pass'])) {
        $errors[] = 'You forgot to enter your password.';
    } else {
        $pw = trim($_POST['pass']);
    }
    if (empty($errors)) { // If everything's OK.

        $query = "SELECT * FROM members WHERE email = '$em' AND password = SHA('$pw')";

        $result = @mysql_query($query); // Run the query.
        $row = mysql_fetch_array ($result, MYSQL_NUM); // Return a record, if applicable.

        if ($row){ // A record was pulled from the database.

            //set session
            session_name('visit');
            session_start();
            $_SESSION ['id'] = $row[0];
            $_SESSION ['name'] = $row[1];
            $_SESSION ['email'] = $row[3];
            $_SESSION ['agent'] = md5($_SERVER['HTTP_USER_AGENT']);

            // Redirect the user to the loggedin.php page.
            // Start defining the URL.
            $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
            // Check for a trailing slash.
            if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
                $url = substr ($url, 0, -1); // Chop off the slash.
            }
            // Add the page.
            $url .= '/loggedin.php?' . $_SESSION['agent'];

            header("Location: $url");
            exit(); // Quit the script.
        } else { // No record matched the query.
            $errors[] = 'The email address and password entered do not match those on file.'; // Public message.
            $errors[] = mysql_error() . '<br />Query: ' . $query; // Debugging message.
        }

    } // End of if (empty($errors)) IF.

    mysql_close(); // Close the database connection.

} else { // Form has not been submitted.

    $errors = NULL;

} // End of the main Submit conditional.

//print errors
if (!empty($errors)){

    echo '<h1 id = mainhead>Error!</h1>
    <p class = error >Following occurred:<br/>';

    foreach ($errors as $msg){
        echo " - $msg<br/>\n";
    }
    echo '<p>Please try again <a href = login.php>Reset</a>';
}
?>

Cheers

Oh yeah, oops, man I feel stupid....

Well, it just doesn't log in, it just comes up with the error "The email address and password entered do not match those on file.". I'm not sure what the real error is though, how do I find out?
This:

$errors[] = mysql_error() . '<br />Query: ' . $query; // Debugging

Is just coming up with what my query was, which seems to me to be correct. How do you find out the exact error?

Cheers

Hi,

Whilst developing a new script, I always find it helpful to have PHP error messages turned on. The setting for this can be found in the php.ini file on your server/computer.

Also, it might be worth printing to the screen your SQL query before you execute it and then to die the script.
echo $query;
die;

This will allow you to check the query is correct. And also, you can run it on the MySQL command line or in phpMyAdmin, etc to see if it does actually find a result.

Another obvious one to check, but I made this error before and it took me a while to figure it. Make sure you're hashing the password stored in the database. Once I had a plain text password stored and I was hashing the password for use in the SQL query and I was wondering why it wasn't working - duh!

Best,
R.

Another quick thing... for debugging purposes, try removing the @ in front of the mysql_query function, as this suppresses error messages.

R.

Whilst developing a new script, I always find it helpful to have PHP error messages turned on. The setting for this can be found in the php.ini file on your server/computer.

I'm doing this for a school project at the moment, so it's on their server, not my computer and of course, it being a school and all, they're a bit anal about accessing configuration files, so I can't access the php.ini file.

I tried doing the or mysql_die() thing, but of course it says that there is no die function available.

Any other ideas?

Hi,

To use PHP errors, you can also call this function:

ini_set("display_errors", 1);
ini_set('error_reporting',E_ALL);

And the 'die' command is literally just die; . Don't add the mysql_die beforehand.

So, if you add this to the top of your php file:

ini_set("display_errors", 1);
ini_set('error_reporting',E_ALL);

and after you've constructed your mysql query and before you execute it, call:

echo $query;
die;

Then if you can post the output and try running the query in phpMyAdmin or on the MySQL command line.

R

The MySQL query is not working, it seems like it would work though;

SELECT * FROM members WHERE email = 'test@test.com' AND password = SHA('test')

But it is not getting anything. Is it because I've encrypted it into the SHA thing, and it can't search for that? It's just that loads of people in my computing class at school have got it working with this same code.

It looks like it's running the query, because the

echo $query;
or die;

Is just displaying the actual query

Ah i figured it out!

Pretty simple when I look at it, there was nothing wrong with my code, the size of the password field in the database was too small.

Obviously the SHA() function creates the encryption up to more than 20 characters long, and I had set my MySQL database to save only 20 of those characters... haha oops.

So when you came back to SELECT * FROM members WHERE password = SHA('test'), that was trying to find a password field with over 20 characters long, and none existed.

Anyway, there was nothing wrong with my code, just the actual database.

Cheers for all your help people.

SHA encryption requires a varchar(40) field in your database, if you hadn't found that out already.

Well done.
R
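
The root cause found in this thread and a hardened form of the login query, as an added example that is not code from any poster here: the thread's script interpolates `$_POST` values straight into the SQL string and stores an unsalted `SHA()` digest, so this version binds the e-mail as a parameter and uses `password_hash()`/`password_verify()`. It assumes PHP 7.1+ with the pdo_sqlite extension; the in-memory SQLite table standing in for MySQL's `members`, the helpers `truncated_hash_matches()`, `register()` and `login()`, and the sample accounts are all constructed for illustration.

```php
<?php
// Added example with a constructed table and accounts; not code from the thread.
// In-memory SQLite via PDO stands in for the MySQL `members` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT,
           email TEXT UNIQUE, password VARCHAR(255))');

// 1. The thread's bug: SHA() returns 40 hex characters. A 20-wide column kept
//    only the first 20, so the stored value can never equal the full digest.
function truncated_hash_matches(string $pw, int $columnWidth): bool {
    $digest = sha1($pw);                         // same value as MySQL SHA('...')
    $stored = substr($digest, 0, $columnWidth);  // what the column kept
    return hash_equals($stored, $digest);
}

// 2. Registration (hypothetical helper): salted, slow hash instead of bare SHA-1.
//    password_hash() output length depends on the algorithm, hence VARCHAR(255).
function register(PDO $db, string $name, string $email, string $pw): void {
    $stmt = $db->prepare('INSERT INTO members (name, email, password) VALUES (?, ?, ?)');
    $stmt->execute([$name, $email, password_hash($pw, PASSWORD_DEFAULT)]);
}

// 3. Login (hypothetical helper): the e-mail is bound as a parameter rather than
//    pasted into the SQL text, and the password is verified in PHP.
function login(PDO $db, string $email, string $pw): ?array {
    $stmt = $db->prepare('SELECT id, name, email, password FROM members WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pw, $row['password'])) {
        return null;  // one answer for unknown e-mail and wrong password
    }
    unset($row['password']);  // never carry the hash into the session
    return $row;
}

register($db, 'Test User', 'test@test.com', 'test');
register($db, "Pat O'Neil", "pat.o'neil@test.com", 'correct horse');

var_dump(truncated_hash_matches('test', 20));   // the undersized column
var_dump(truncated_hash_matches('test', 40));   // the corrected column
var_dump(login($db, 'test@test.com', 'test'));
var_dump(login($db, 'test@test.com', 'wrong'));
var_dump(login($db, "pat.o'neil@test.com", 'correct horse'));  // apostrophe is just data
```

In the login page itself, call `session_regenerate_id(true)` right after a successful `login()`, and keep `mysql_error()` and the query text out of the list echoed to the visitor.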
