Why does this login page not determine the correct password?

I am doing a PHP login admin. I followed two tutorials on Youtube and all comments say this works. But this does not work for me.

If I enter the wrong password, I will get the "wrong username and password", as expected. But if I enter the correct password, I also get a "wrong username and password." The database connection seems to be in order.

index.htm (main input):


<form method="POST" action="checklogin.php" name="form1">

<label for="username" class="label">Username:</label><input class="inputstyle2w" type="text" name="username">

<br>

<label for="password" class="label">Password:</label><input class="inputstyle22" type="password" name="password">   
<input type="submit" value="Login" name="submit">

</form> 

This is checklogin.php:

<?
$host = "cpanel1";
$username = "trekking_test";
$password = "testtest";
$db_name = "trekking_test";
$tbl_name = "members";

mysql_connect($host, $username, $password) or die (mysql_error());
mysql_select_db($db_name) or die (mysql_error_db());

$myusername = $_POST['myusername'];
$mypassword = $_POST['mypassword'];

$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='mypassword'";
$result = mysql_query($sql);

$count = mysql_num_rows($result);

if($count==1) {
    session_register("myusername");
    session_register("mypassword");
    header("location:control.php");
    }
    else {
        echo "Wrong Username or Password";
        }

?>

And finally, adminpage (control.php):

<?
session_start();
if(!session_is_registered(myusername)) {
    header("location:index.htm");
}
?>


<!doctype html>

<html lang="en" class="no-js">
    <head>
        <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE-edge; chrome=1">
        <meta name="description" content="Tower 2.0 vefumsjónarkerfi">
        <meta name="author" content="Nicejob">
        <link rel="stylesheet" type="text/css" href="css/adminstyle.css">

        <title>Tower 2.0 - you update your website by yourself!</title>

    </head>

    <body>
blah blah - you are not suppost to see this unless you are logged in
    </body>     

</html>
+3
7 answers

Ok, this is normal:

$host = "cpanel1";
$username = "trekking_test";
$password = "testtest";
$db_name = "trekking_test";

You don't need it; it will make your SQL confusing to read.

$tbl_name = "members";

It's good.

mysql_connect($host, $username, $password) or die (mysql_error());
mysql_select_db($db_name) or die (mysql_error_db());

, . , :

$myusername = $_POST['username'];
$mypassword = $_POST['password'];

:

$myusername = mysql_real_escape_string($_POST['username']);
$mypassword = mysql_real_escape_string($_POST['password']);

, , mypassword

$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='mypassword'";

:

$sql = "SELECT `username` FROM `members` WHERE `username`='$myusername' and `password`='$mypassword'";

, . , :

$result = mysql_query($sql);
if(!$result) {
   // Let the user know something went wrong
}

session_register , $_SESSION['name'] = 'value', . , , session_start() :

if($count==1) {
    session_start();
    $_SESSION['logged_in'] = true;
    // The correct format is "Location: control.php"
    header("Location: control.php");
    exit; //Always exit after sending Location headers
}
else {
    echo "Wrong Username or Password";
}

:

session_start();
if(!isset($_SESSION['logged_in'])) {
    // Once again, Location: 
    header("Location: index.htm");
    exit; // exit after redirect
}
+2

"myusername" "mypassword"? , , $_POST ['myusername'];...

, echo $myusername $mypassword , PHP, , , "myusername", "username".

+5

"$" "mypassword" SQL-.

HTML " " "", "myusername" "mypassword" $_POST.

SQL-. .

+4

. YouTube .

  • , SQL. Pekka, , , . , MySQL, mysql_real_escape_string, , , , .
  • . . , :

    . , . MD5 SHA1 . : Eksblowfish ( bcrypt, blowfish, ), Tiger, SHA-256, SHA-512 Whirlpool

    . , , , , . , nonce, . - , , pass_hash_actual = hash_function(salt + password).

    • -: PHP bcrypt, , , , nonce .

, onteria_ , , . !

+2
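The points raised in the answers above (query placeholders instead of string interpolation, salted password hashes instead of plaintext, reading the form's actual field names `username` and `password`), combined into one login check. This is an added example, not code from the original post or any of the answers; it assumes PHP 5.5+ with PDO, and the in-memory SQLite table, the `password_hash` column, the `check_login` function and the sample credentials are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed fixture: in-memory SQLite stands in for the MySQL `members` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Store a salted bcrypt hash, never the plaintext; password_hash() generates the salt.
$ins = $db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_BCRYPT)]);

/** Returns true only if the user exists and the password matches the stored hash. */
function check_login(PDO $db, string $username, string $password): bool
{
    // Placeholders keep user input out of the SQL text, so quotes in it stay data.
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();          // false when no such user

    // password_verify() re-derives the hash using the salt embedded in $hash.
    return $hash !== false && password_verify($password, $hash);
}

if (PHP_SAPI !== 'cli') {
    // Web request: the form posts fields named "username" and "password".
    $u = $_POST['username'] ?? '';
    $p = $_POST['password'] ?? '';
    if (is_string($u) && is_string($p) && check_login($db, $u, $p)) {
        session_start();
        session_regenerate_id(true);       // new session id after login
        $_SESSION['logged_in'] = true;
        header('Location: control.php');
        exit;                              // stop after the redirect header
    }
    echo 'Wrong Username or Password';
} else {
    // Command-line demo with constructed inputs.
    var_dump(check_login($db, 'admin', 'correct horse'));   // valid credentials
    var_dump(check_login($db, 'admin', 'testtest'));        // wrong password
    var_dump(check_login($db, "admin' OR '1'='1", 'x'));    // quote in username is just data
}
```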

session_is_registered

:

if(!isset($_SESSION['myusername'])){...}

somewhere mysql, :

$result = mysql_query($sql) or die(mysql_error());
+1

, ? :

if($count==1) {

, .

+1
if($count>0) {

The query will return a result set with one row if the input data is correct and zero rows if the input data is incorrect. Use mysql_num_rows to find out the number of rows in the result set and, therefore, determine if the input was valid or not.

+1