
One more time - Login Form

Status
Not open for further replies.

WizyWyg

Technical User
Jan 31, 2001
854
JP
I'm having a problem with my login form. My coding on the login page:

Code:
<html>
<head>
<title>Admin Login</title>
</head>
<body>
<h1>Admin Login</h1>

<form method="post" action="admin.php">
<table width=50%>
	<tr>
		<td>Username:</td>
		<td><input type="text" name="username" size="25" maxlength="50"></td>
	</tr>
	<tr>
		<td>Password:</td>
		<td><input type="text" name="password" size="25" maxlength="50"></td>
	</tr>
</table>
<input type="submit" name="submit" value="Login">
</form>
</body>
</html>

and then the page that authenticates it:

Code:

<?

if ((!$username) || (!$password)) {
    header ("Locationhttp://opushi/test/admin-login.php");
    exit;
}

$db_name = "accessories";
$connection = @mysql_connect("localhost","root") or die ("Couldn't connect.");
$db = @mysql_select_db($db_name, $connection) or die ("Couldn't select database.");
$sql = "SELECT * FROM admin WHERE username = \"$username\" AND password = \"$password\")";
$result = @mysql_query($sql, $connection) or die ("Couldn't execute query.");
$num = mysql_numrows($result);

if ($num != 0) {
    $msg = "Congratulations! You're authorized!";
} else {
    header("Location: http://opushi/test/admin-login.php");
    exit;
}
?>
<body>
<? echo "$msg"; ?>




I am getting the "Couldn't execute query" when one logs in from the login page.

Thanks if you can help.
 
Try this:
Code:
<?

if ((!$username) || (!$password)) {
    header ("Location: http://opushi/test/admin-login.php");
    exit;
}

$db_name = "accessories";
$connection = @mysql_connect("localhost","your_username","your_password") or die ("Couldn't connect.");
$db = @mysql_select_db($db_name, $connection) or die ("Couldn't select database.");
$sql = "SELECT * FROM admin WHERE username = \"$username\" AND password = \"$password\")";
$result = @mysql_query($sql, $connection) or die ("Couldn't execute query.");
$num = mysql_numrows($result);

if ($num != 0) {
    $msg = "Congratulations! You're authorized!";
} else {
    header("Location: http://opushi/test/admin-login.php");
    exit;
}
?>
<body>
<? echo "$msg"; ?>

I've never seen localhost and root passed as parameters for the mysql_connect function but I'm still a newbie :)

You may also want to try replacing the die functions with some other code (for development)... Try something like this instead of die
Code:
$result = @mysql_query($sql, $connection);
$err_msg = mysql_error();
echo $err_msg;
-gerrygerry
WizyWyg,

First to get through your problem:

$connection = @mysql_connect("localhost","root","password") or die (mysql_error());
@mysql_select_db("accessories", $connection) or die (mysql_error());

.....and so on..


Now, I don't want to say that you can approach this better (each developer has his/her own semantic patterns, coding methods, etc), but I would like to share something with you:

First we have the admin page that is our goal page. But in order to access the admin page, we have to login.

What we do, is utilize sessions and separate login from our goal into 'modules' (4 to be exact).

Here is our admin page - admin.php
<?php
include_once($DOCUMENT_ROOT."/clients/misc/secure.php");
?>
<html>
<head>
<title>Administration Section :: <?php echo $username; ?></title>
</head>
<body>
Welcome, <?php echo $username; ?>, to the administration section.
</body>
</html>


You will notice there is an include at the top to a script called secure.php. Here it is and I will explain what it does:
<?php
session_start();

if(!$username) {
    $login_error = "You must login to access the Administration Section.<br>\n";
    include_once($DOCUMENT_ROOT."/clients/misc/login.php");
    exit;
}
?>


session_start() starts/restarts the session causing a pseudo maintaining state browsing experience. Once we start the session, we can check to see if a variable that we registered called 'username' (which will be shown below) exists. If it does not, then the user is not logged in. Otherwise, we are good and can continue.

You would include the above in every page where authentication is required.

If we are not logged in, we send the user to the login.php page:
<html>
<head>
<title>Administration Login</title>
</head>
<body>
<form action="login2.php" method="post">
<font face="Verdana,Arial,Helvetica,sans-serif" size="-1">
<b><font color="Red"><?php echo $login_error; ?></font></b>

<b><font color="Red"><?php echo $username_error; ?></font></b>
Username: <input type="text" name="username" value="<?php echo $username; ?>"><br>

<b><font color="Red"><?php echo $password_error; ?></font></b>
Password: <input type="password" name="password" value=""><br>

<input type="submit" name="submit" value="Login">
</font>
</form>
</body>
</html>


On this page, we have set up certain responses that will display messages, depending on the situation. If we went to the admin.php page without logging in, $login_error is set and we would see that message when this login is displayed.

Now, when we try to login, we are sent to login2.php where all of the magic happens.
<?php

if((!$username)||(!$password)) {
    $error = 1;
    if(!$username) {
        $username_error = "You must enter your username.<br>\n";
    }
    if(!$password) {
        $password_error = "You must enter your password.<br>\n";
    }
}
else {
    $query = "select * from admin_login where username='$username' and password='$password'";

    $connection = mysql_pconnect("host","user","pass");
    @mysql_select_db("database",$connection);

    $result = mysql_query($query) or die(mysql_error());

    $num = mysql_num_rows($result);
    $data = mysql_fetch_array($result);

    if($num > 0) {
        session_start();
        session_register("username");
    }
    else {
        $error = 1;
        $login_error = "Your login failed...please check your email and password.<br>\n";
    }
}

if($error) {
    include($DOCUMENT_ROOT."/clients/misc/login.php");
    exit;
}
?>
<html>
<head>
<script language="javascript">
location.replace('/clients/misc/admin.php');
</script>
</head>
<body>
</body>
</html>


Here, we first check to make sure the user entered in a username and password. We provide the user with detailed error messages, so that if they entered in a username and no password, we tell them just that (and vice versa).

If the username and password are entered, we run our query. If no row was returned, we pass an error to that effect to the user. Otherwise, we start a session, register the username for use on all pages that require validation, and send the user on their way to admin.php.

We try not to use header("Location: ...") statements. Instead we use includes so we can pass the errors as well as preventing any dangerous back button keypresses to the prior page which sent the user to the current page to begin with.

Also, if the login is successful, we can utilize JavaScript's wonderful location.replace(''); to replace the entire login routine with the admin.php page.

I have set up a test for you at
You will be automatically directed to login (with an error message). Try to login with missing the username and then missing the password, and then providing incorrect login information. After this, use 'WizyWyg' and 'WizyWyg' for your username and password (case insensitive).

Through all of my years of development, this has ended up being the most successful and useful method. Additionally, doing it this way allows for even further development integration such as templates (since everything is separated).

;-)
Chad. ICQ: 54380631
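
A hardened form of the login2.php check and the secure.php gate described above, as an added example that is not part of the thread: the submitted values are bound through a prepared statement instead of being interpolated into the query, the stored credential is a password hash, and login state is read only from $_SESSION. The in-memory SQLite database, the password_hash column, the sample account and the function names are assumptions so that the script runs on its own.

```php
<?php
// Added example, not code from the thread. The in-memory SQLite database,
// the password_hash column, the sample account and the function names are
// assumptions made so the script runs on its own.

function open_demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE admin_login (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO admin_login VALUES (?, ?)');
    // Store a salted hash, never the password itself.
    $ins->execute(['WizyWyg', password_hash('constructed-sample', PASSWORD_DEFAULT)]);
    return $pdo;
}

// True only when the user exists and the password matches the stored hash.
function check_login(PDO $pdo, string $username, string $password): bool {
    // Placeholders keep submitted values out of the SQL text, so a quote
    // in the input is data and cannot change or break the statement.
    $stmt = $pdo->prepare('SELECT password_hash FROM admin_login WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();          // false when no row matches
    return is_string($hash) && password_verify($password, $hash);
}

// Gate for protected pages: read login state from the session only,
// never from a request-supplied variable.
function current_admin(): ?string {
    return $_SESSION['username'] ?? null;
}

$pdo = open_demo_db();
$_SESSION = [];   // stands in for session_start() when run from the CLI

$attempts = [                                  // constructed inputs
    ['WizyWyg', 'constructed-sample'],         // correct credentials
    ['WizyWyg', 'wrong'],                      // wrong password
    ["O'Brien", 'it"s'],                       // quotes in both fields
];
foreach ($attempts as [$user, $pass]) {
    $ok = check_login($pdo, $user, $pass);
    if ($ok) {
        // In a web request, call session_regenerate_id(true) before this.
        $_SESSION['username'] = $user;
    }
    printf("%-10s %s\n", $user, $ok ? 'accepted' : 'rejected');
}
echo 'session user: ', current_admin() ?? '(none)', "\n";
```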
 