Simple Login Script

vcherubini

Programmer
May 29, 2000
527
US
Hello:

I am in the process of writing a message board and I have a question about my login script.

Here is the code, or at least the main gist of it:

[tt]

<?php
$dbname = "forum";
$dbhost = "localhost";
$dbuser = "user";
$dbpass = "password";

// Connect to the MySQL server
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(!$conn) {
    print "failed connection to database: $dbname because of the following reason(s):<br>\n";
    print mysql_error();
} else {
    // Fetch every user id and every password from the users table
    $user = "SELECT userid FROM users";
    $pass = "SELECT userpass FROM users";
    $getvalues = mysql("forum","$user");
    $numvalues = mysql_numrows($getvalues);
    $getval = mysql("forum","$pass");
    $numval = mysql_numrows($getval);
    $i=1;
    // Compare the submitted $userid/$userpass with each row in turn
    while ($i<$numvalues) {
        $usernames[$i] = mysql_result($getvalues,$i,"userid");
        $userpasswords[$i] = mysql_result($getval,$i,"userpass");
        if (($userid == $usernames[$i]) && ($userpass == $userpasswords[$i])) {
            print "<br>both username and password are accepted.<br>\n";
            print "you are allowed to enter\n";
            $go=$userpasswords[$i];
            print "<br><a href=\"main.php?go=$go?userpass=$userpasswords[$i]\">click here to continue</a>\n";
            break;
        } else {
            print "<br>your username and password are both incorrect.<br>\n";
            print "go back and try again.\n";
            $go=0;
            break;
        }
        $i++;
        //break;
    }
}
?>
[/tt]

If I have only one entry for the users section of my database, it works fine. But when I add another user, it screws up.

I understand how it screws up. It will go through the loop once for the second user and find that the user is not there, printing out that the user is not there, but then it will go through the loop again, this time the variable incremented one, and find that the user exists, therefore printing that he does.

How can I make this loop so that it does not run in a linear fashion?

Any help on how to make a simple login script is appreciated.

Thanks

-Vic

vic cherubini
malice365@hotmail.com
====

Knows: Perl, HTML, JavaScript, C/C++, PHP, Flash, Director

Wants to Know: Java, Cold Fusion, Tcl/TK

====
 
Whoa. A lot of that isn't necessary. You can simply use a where clause in your SQL statement (e.g. select * from users where userid = 'username' and userpass = 'password'). If your numrows is greater than 0, successful authentication has occurred.

Now -- you might watch out for sticking a password in the query string. That's not normally (read: ever!) a wise practice. In fact, if security is at all a concern of yours (and why wouldn't it be... you're looking for authentication measures), you should look into (at least!) using the md5 algorithm to hash the server side passwords and the md5.js script, which will encrypt the password entry on the client side. That way, when the authentication is sent from the user to the server, it is not in plaintext form, and the plaintext password isn't even stored on the server in case that's compromised. Other measures would be to set up an SSL certificate (if you're in an environment where people won't mind getting a little warning saying the certificate is from an untrusted source, you can make one of these free with OpenSSL), which will further encrypt the communication.

Good luck,

brendanc@icehouse.net
 
Sophisticate:

Thanks a bunch for that. I had talked to a friend after I posted it and he said to do a simple mySQL query, but didn't shed much light on how to do it.

Now that I look at it, it is amazingly easy.

Those sites that you posted are also awesome.

Thanks,
-Vic

vic cherubini
malice365@hotmail.com
====

Knows: Perl, HTML, JavaScript, C/C++, PHP, Flash, Director

Wants to Know: Java, Cold Fusion, Tcl/TK

====
 
Hello again:

I have updated my code, but without fail, it does not work.

Here it is:

[tt]
$dbname = "forum";
$dbhost = "localhost";
$dbuser = "user";
$dbpass = "pass";

// Connect to the MySQL server
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(!$conn) {
    print "failed connection to database: $dbname because of the following reason(s):<br>\n";
    print mysql_error();
} else {
    // Select the row matching the submitted user id and password
    $query = "SELECT * FROM users WHERE userid='$userid' AND userpass='$userpass'";
    $getval = mysql("forum","$query");
    $numval = mysql_numrows($getval);
    $test = mysql_db_query("forum","$query");
    if (!$test) {
        print "failed to authenticate user\n";
    } else {
        print "user authenticated.\n";
    }
}
[/tt]

The problem is, the code works for any user. If the user does not exist in the database, it still authenticates him. Is there some sort of way that I could test to see if the mysql query returns true or false?

Any help is appreciated.

Thanks,
-Vic

vic cherubini
malice365@hotmail.com
====

Knows: Perl, HTML, JavaScript, C/C++, PHP, Flash, Director

Wants to Know: Java, Cold Fusion, Tcl/TK

====
 
These lines right here are your problem:

[tt]
$getval = mysql("forum","$query");
$numval = mysql_numrows($getval);
$test = mysql_db_query("forum","$query");
if (!$test) {
[/tt]

Try this:

[tt]
mysql_select_db($dbname,$conn);
$getval = mysql_query($query);
if(mysql_num_rows($getval) > 0) {
    //User authenticated
} else {
    //User not authenticated
}
[/tt]

Take care,

brendanc@icehouse.net
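
An added example, not code from any poster in this thread: the WHERE-clause lookup suggested in the replies with the submitted user id bound as a query parameter, and the stored password kept as a hash as the first reply recommends. It assumes PHP 7.1+ with PDO and the SQLite driver; the in-memory database, sample users and function names are constructed for illustration, and `password_hash`/`password_verify` are used here in place of the MD5 approach mentioned above.

```php
<?php
// Added example: schema, users and function names are constructed for illustration.

function open_demo_db(): PDO {
    // Assumption: in-memory SQLite stands in for the thread's MySQL "forum" database.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (userid TEXT PRIMARY KEY, userpass TEXT NOT NULL)');
    return $db;
}

function register_user(PDO $db, string $userid, string $password): void {
    // Store a salted, deliberately slow hash instead of the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (userid, userpass) VALUES (:userid, :hash)');
    $stmt->execute([':userid' => $userid, ':hash' => $hash]);
}

function authenticate(PDO $db, string $userid, string $password): bool {
    // Hash of a throwaway value, verified when the user is unknown so that
    // both failure paths do comparable work.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);
    // The WHERE clause picks the one matching row, so no loop is needed.
    // $userid is bound as a parameter and never spliced into the SQL text.
    $stmt = $db->prepare('SELECT userpass FROM users WHERE userid = :userid');
    $stmt->execute([':userid' => $userid]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $stored);
}

$db = open_demo_db();
register_user($db, 'vic', 'correct horse battery');     // constructed sample users
register_user($db, "o'brien", 'second user secret');    // quote in the id is plain data

$cases = [
    ['vic', 'correct horse battery'],       // first user, right password
    ["o'brien", 'second user secret'],      // second user, right password
    ['vic', 'second user secret'],          // right user, someone else's password
    ['nobody', 'correct horse battery'],    // user not in the table
];
foreach ($cases as [$id, $pw]) {
    printf("%-8s %s\n", $id, authenticate($db, $id, $pw) ? 'authenticated' : 'rejected');
}
```

On success, record the user id in the server-side session rather than carrying the password in the link to main.php.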
 
Thanks so much for that, sophisticate.

It works perfectly.

Thanks again,

-Vic

vic cherubini
malice365@hotmail.com
====

Knows: Perl, HTML, JavaScript, C/C++, PHP, Flash, Director

Wants to Know: Java, Cold Fusion, Tcl/TK

====
 