0

I'm very new to php and mysql. I have found a great tutorial to create a registration and log in section on a site. I'm managing to deconstruct it pretty well and make minor changes. However...

When logging in, if the password is incorrect it validates and an error is returned. If its correct it logs in.

The issue I have is that if you type the correct password but add extra characters after it neither validates or logs in. Just goes to a blank page. Here is the validation code for the login page -

<?php
include('db.php'); 
if(!isset($_POST['login']))//checking if user has entered this page directly
{
include('form.php');
}
else{
if(isset($_POST['user'])&&$_POST['user']==""||!isset($_POST['user']))
{
$error[] = "Username Field can't be left blank";
$usererror = "1";
}
if(!isset($usererror))
{
$user = mysql_real_escape_string($_POST['user']);
$sql = "SELECT * FROM users WHERE user = '$user'";
if(mysql_num_rows(mysql_query($sql))=="0")//1 means there is one entry same so we print error
{
$error[] = "Can't find a user with this username"; 
}
}
if(isset($_POST['pass'])&&$_POST['pass']==""||!isset($_POST['pass']))
{
$error[] = "password Field can't be left blank";
}
if(isset($error)){
if(is_array($error)){echo "<div class=\"error\"><span>please check the errors and refill the form<span><br/>";
foreach ($error as $ers) {     
echo "<span>".$ers."</span><br/>";
}
echo "</div>";
include('form.php');
}
}
if(!isset($error)){
$suser=mysql_real_escape_string($_POST['user']);
$spass=md5($_POST['pass']);//for secure passwords
$find = "SELECT * FROM users WHERE user = '$suser' AND password = '$spass'";
if(mysql_num_rows(mysql_query($find))=="1"or die(mysql_error())){
session_start();
$_SESSION['username'] = $suser;
header("Location: loggedin.php");
}
else{
echo "<div class=\"warning\"><span>Some Error occured durring processing your data</div>";
}
}
}
?>

Any help will be greatly appreciated...

EDIT

I've just noticed that the only error I get is if NO password is entered. If an incorrect password is entered I get the blank white page. Can anyone help as to why the password is not being verified?

Improve this question
2
  • I hope your code is not formatted like that in your file. O_O Commented Jan 26, 2013 at 2:53
  • Hello again! thanks for your help earlier. No, it's not. This is straight from the tutorial... Commented Jan 26, 2013 at 2:56

3 Answers 3

Reset to default
2

Use trim() to deal with extra spaces before and after your strings

Looks like a logic issue. You need to use parenthesis to organize your conditionals:

if(
    (isset($_POST['pass'])&&$_POST['pass']=="")
  ||
    !isset($_POST['pass'])
)
Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Hi, Thanks for this. I understand what trim does but how would I implement it? Would it help in this situation where its not spaces that are the issue. if the password is 'lemon' and they type 'lemondgtgsgd' it then goes blank white with no error or log in...
If that's the case then white space isn't your issue. Have you checked your error log?
I've just updated the Q. Turns out I get a blank page from any password attempt. It's not validating the password?
Hi John. Thanks for the response. I am new to PHP so your answer is very confusing. Do you have an example please?
Where your code says if(isset($_POST['pass'])&&$_POST['pass']==""||!isset($_POST['pass'])) put the code I posted
|
0

Try this and see if it works.

if(mysql_num_rows(mysql_query($find))=="1") {
  session_start();
  $_SESSION['username'] = $suser;
  header("Location: loggedin.php");
} else {
  echo "<span>Your username or password was incorrect.</span>";
  include "form.php";
  die;
}
Improve this answer

7 Comments

Hi, I get the follwoing error - Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in... Also the code already has validation for the username, is it possible to add validation for the password on its own?
Well typically that is validation for the password alone. You don't want the user to know if they got a valid username or not, so people typically say that either was incorrect.
Can you try adding a var_dump(mysql_query($find));die; before the if statement I posted in my answer and pasting the response here? It should say something like MYSQL resource, if not, your query is messed up :P
That gives me - bool(false)
Okay, so, something is wrong with your mysql setup. Have you properly established the connection to the database?
|
0

if(mysql_num_rows(mysql_query($find))=="1"or die(mysql_error())){

If the SQL query returns no results (meaning that the password and username didn't match), then the if statement returns false and nothing happens. You should return an error message in that case.

EDIT:

I didn't notice the else statement afterwards. I think the actual problem is die(mysql_error()). When the SQL query returns no results, that if statement will execute die(mysql_error()), which will return a blank because an empty result is not an error.

I suggest you remove die(mysql_error()) and include a separate if statement to check for mysql_errno() (which returns true when there's an error).

if (mysql_errno()) { die(mysql_error()); }

It's worth noting that the mysql_* functions are deprecated in the recent versions of PHP. It's recommended to use MySQLi or PDO to connect to MySQL in PHP.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.