my problem is :whenever i log in ,it always shown 'You are not log in'.
Never show "You are logged in as :xxx"
For example:i do a testing,i input username:abc and password:1234 in "user" table.
Next,i try to log in using abc and 1234.But,still shown 'You are not log in'
can anyone tell me which part have bugs?or how i edit the code?
I already use a phpeditor to check bugs,but no warning shown.
Hope u able to help me.
TQ
-------------------------------------------------------

//login.html
<html>
<head>

<title>Login here</title>
</head>
<body>
<form method="POST" action="login.php">
 
 
 Username
 <input type="text" name="username" size="20"></p>
 Password
 <p><input type="text" name="password" size="20"></p>
 
 <input type="submit" value="Submit" name="B1">
 <input type="reset" value="Reset" name="B2"></p>
</form>
</body>
</html>
----------------------------------------------------------------------
//login.php
<?php
session_start();
if(isset($_POST['username'])&&isset($_POST['password']))
{
$username=$_POST['username'];
$password=$_POST['password'];
$db=new mysqli('localhost','root','','kelly'); 
if(mysqli_connect_errno()){
echo 'Connection to database failed:'.mysqli_connect_error();
exit();
}
$query='select* from user '
."where username='$username'"
 ."and password=sha1('$password')";
$result=$db->query($query);
 
if($result->num_rows >0)
{
$_SESSION['valid_user']=$username;
}
$db->close();
}
?>
<html>
<body>
<h1>Home Page</h1>
<?php
if(isset($_SESSION['valid_user']))
{
 echo'You are logged in as :'.$_SESSION['valid_user'].'<br />';
}
else
{
 echo'You are not log in';
}
?>
-----------------------------------------------------------------------//end

Hi,

If you look at the code that authenticates the username and password against the users table in the database:

$query='select* from user '
."where username='$username'"
."and password=sha1('$password')";
$result=$db->query($query);

if($result->num_rows >0)
{
$_SESSION['valid_user']=$username;
}
$db->close();
}

You'll notice that the username and sha1() value of the password are validated against the database. Not the plain password.

So in your database you'll have to insert the sha1 of the password.

Eg: if you want the:

username: username
password: password

You'll have to insert:

username: username
password: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

into the database.

Then you can log in with username:password.

I'd suggest you modify the code in login.php to let the user know if their authentication params (user/pass) are valid or not.

eg:

<?php
session_start();
if(isset($_POST['username'])&&isset($_POST['password']))
{
$username=$_POST['username'];
$password=$_POST['password'];
$db=new mysqli('localhost','root','','kelly');
if(mysqli_connect_errno()){
echo 'Connection to database failed:'.mysqli_connect_error();
exit();
}
$query='select* from user '
."where username='$username'"
."and password=sha1('$password')";
$result=$db->query($query);

if($result->num_rows >0)
{
$_SESSION['valid_user']=$username;
} else { // modification to show when authentication fails
echo 'Sorry, your username and password are incorrect.';
}


$db->close();
}
?>

or something of the sort.

This article has been dead for over six months. Start a new discussion instead.