Programming Forums > Web Development and Design > PHP

kishou · Jan 10th, 2008, 1:25 AM

hey i need some help with this login form.
everytime i do this i get login failed even though it is in the database/table/row!
Plz tell me whats wrong?
Yes i already connected and selected the database.

(Toggle Plain Text)

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$result = mysql_query("SELECT * FROM registered_members");
$row = mysql_fetch_array($result);
if ($username==$row['Username']&&$password==$row['Password'])
{
die ("Login successful");
}
else
die('Login failed');

dr.p · Jan 10th, 2008, 1:52 AM

You only need to use mysql_real_escape_string to quote a string for use in a query. MySQL returns strings from the database in a literal (unescaped) form. You should read about mysql_real_escape_string in the php manual.

Also, $row in your code is going to represent the FIRST user selected from the database. Your SQL query selects ALL users, instead of selecting ONLY the user identified by $username. This will result in checking the password against the wrong user most of the time if you have multiple users in the table.

Example:

(Toggle Plain Text)

$username = mysql_real_escape_string($_POST['username']);
$result = mysql_query("SELECT * FROM registered_members WHERE username=\"$username\"");
$row = mysql_fetch_assoc($result);  // note assoc
if ($row['password'] == $_POST['password']) {
  // success
} else {
  // failure
}

Jimbo · Jan 10th, 2008, 2:14 AM

Quote:

Originally Posted by dr.p

(Toggle Plain Text)

$result = mysql_query("SELECT * FROM registered_members WHERE username=\"$username\"");
$row = mysql_fetch_assoc($result);  // note assoc

IIRC, SQL uses single quotes for strings, which is always a pain for me because it's back asswards from everything else I use. Also, mysql_fetch_array has both the numerical and associative indices, so using it should work fine.

@kishou: You can also use a loop to compare against all of the things pulled from the table, but using a WHERE clause in the SQL query like dr.p showed is what you want for this situation. (If for some reason you allow the same username multiple times, then you'll need the loop as well.)

kishou · Jan 10th, 2008, 2:31 AM

Quote:

Originally Posted by dr.p

You only need to use mysql_real_escape_string to quote a string for use in a query. MySQL returns strings from the database in a literal (unescaped) form. You should read about mysql_real_escape_string in the php manual.

Also, $row in your code is going to represent the FIRST user selected from the database. Your SQL query selects ALL users, instead of selecting ONLY the user identified by $username. This will result in checking the password against the wrong user most of the time if you have multiple users in the table.

Example:

(Toggle Plain Text)

$username = mysql_real_escape_string($_POST['username']);
$result = mysql_query("SELECT * FROM registered_members WHERE username=\"$username\"");
$row = mysql_fetch_assoc($result);  // note assoc
if ($row['password'] == $_POST['password']) {
  // success
} else {
  // failure
}

Thx. but im just wondering when should i use the $username instead of $_POST["username"]? like when im inserting it into the database? because im just starting to learn about SQL injection.

dr.p · Jan 10th, 2008, 4:59 AM

Quote:

Originally Posted by kishou

Thx. but im just wondering when should i use the $username instead of $_POST["username"]? like when im inserting it into the database? because im just starting to learn about SQL injection.

In my original reply, I said: "You only need to use mysql_real_escape_string to quote a string for use in a query."

Just so that we're clear, $username contains the escaped version of $_POST['username'], which is returned by mysql_real_escape_string in your code.

Whether you want to insert a string, update it, select with it, anything... if the contents of a variable (like $_POST['username']) need to go into a query/statement as a string, then you need to escape it.

Read the PHP manual page for mysql_real_escape_string on php.net. It goes over what the function is for, provides examples, and has some very important security information.

dr.p · Jan 10th, 2008, 5:25 AM

Quote:

Originally Posted by Jimbo

IIRC, SQL uses single quotes for strings, which is always a pain for me because it's back asswards from everything else I use. Also, mysql_fetch_array has both the numerical and associative indices, so using it should work fine.

SQL specifications, or SQL implementations? MySQL is what I'm used to using, and it allows single or double quotes.

And mysql_fetch_array stores two sets of the requested information in memory in order to make it available by numeric and associative. Best practice is to use which one you need, unless you actually need both.

Jimbo · Jan 10th, 2008, 7:32 PM

Quote:

Originally Posted by dr.p

SQL specifications, or SQL implementations? MySQL is what I'm used to using, and it allows single or double quotes.

And mysql_fetch_array stores two sets of the requested information in memory in order to make it available by numeric and associative. Best practice is to use which one you need, unless you actually need both.

I've been using MSSQL lately, so maybe it's just been too long since I used MySQL. Thanks for setting me straight

Out of curiosity, why is using the specific array (assoc/numeric) considered a best practice? Just because you limit the ways to access the data?

dr.p · Jan 10th, 2008, 9:37 PM

Quote:

Originally Posted by Jimbo

I've been using MSSQL lately, so maybe it's just been too long since I used MySQL. Thanks for setting me straight

I get corrected all the time... depending on who I'm talking to. I kind of expect it.

I only knew that because I've been using MySQL daily for 8 years now.

Quote:

Originally Posted by Jimbo

Out of curiosity, why is using the specific array (assoc/numeric) considered a best practice? Just because you limit the ways to access the data?

Because I'm really anal about memory usage. _array returns the SELECT results twice in the same array in order to store by numeric and associative indices (at least, I'm 99.9% sure it does.) If I don't need both indices, I prefer to save the memory.

And the PHP docs say that _array doesn't cause a significant slow down, but I have doubts about that when it comes to large amounts of data, based on some of the scripts I've worked on. In all fairness to PHP, though, it had gotten to the point where every little bit helped.

Ooble · Jan 14th, 2008, 12:17 AM

Before fetching the row, make sure it exists - if the user isn't there, you'll get 0 rows returned.

(Toggle Plain Text)

$result = mysql_query("SELECT * FROM registered_members WHERE username='$username'");
if (mysql_num_rows($row) > 0) {
    $row = mysql_fetch_assoc($result);
    ...
}

Jan 10th, 2008, 1:25 AM	#1
kishou Programmer Join Date: May 2007 Posts: 52 Rep Power: 2	mysql_real_escape hey i need some help with this login form. everytime i do this i get login failed even though it is in the database/table/row! Plz tell me whats wrong? Yes i already connected and selected the database. (Toggle Plain Text) $username = mysql_real_escape_string($_POST['username']); $password = mysql_real_escape_string($_POST['password']); $result = mysql_query("SELECT * FROM registered_members"); $row = mysql_fetch_array($result); if ($username==$row['Username']&&$password==$row['Password']) { die ("Login successful"); } else die('Login failed'); $username = mysql_real_escape_string($_POST['username']); $password = mysql_real_escape_string($_POST['password']); $result = mysql_query("SELECT * FROM registered_members"); $row = mysql_fetch_array($result); if ($username==$row['Username']&&$password==$row['Password']) { die ("Login successful"); } else die('Login failed');

Jan 10th, 2008, 1:52 AM	#2
dr.p Programmer Join Date: Feb 2006 Location: Ohio Posts: 93 Rep Power: 3	Re: mysql_real_escape You only need to use mysql_real_escape_string to quote a string for use in a query. MySQL returns strings from the database in a literal (unescaped) form. You should read about mysql_real_escape_string in the php manual. Also, $row in your code is going to represent the FIRST user selected from the database. Your SQL query selects ALL users, instead of selecting ONLY the user identified by $username. This will result in checking the password against the wrong user most of the time if you have multiple users in the table. Example: (Toggle Plain Text) $username = mysql_real_escape_string($_POST['username']); $result = mysql_query("SELECT * FROM registered_members WHERE username=\"$username\""); $row = mysql_fetch_assoc($result); // note assoc if ($row['password'] == $_POST['password']) { // success } else { // failure } $username = mysql_real_escape_string($_POST['username']); $result = mysql_query("SELECT * FROM registered_members WHERE username=\"$username\""); $row = mysql_fetch_assoc($result); // note assoc if ($row['password'] == $_POST['password']) { // success } else { // failure } __________________ Neeley.org

Jan 14th, 2008, 12:17 AM	#9
Ooble I eat cake for breakfast. Join Date: Jul 2004 Location: In my box. Posts: 4,434 Rep Power: 9	Re: mysql_real_escape Before fetching the row, make sure it exists - if the user isn't there, you'll get 0 rows returned. (Toggle Plain Text) $result = mysql_query("SELECT * FROM registered_members WHERE username='$username'"); if (mysql_num_rows($row) > 0) { $row = mysql_fetch_assoc($result); ... } $result = mysql_query("SELECT * FROM registered_members WHERE username='$username'"); if (mysql_num_rows($row) > 0) { $row = mysql_fetch_assoc($result); ... } __________________ Me :: You :: Them

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)