I have been given the task of creating a website requiring registered users to sign in. A common problem, but I'm not the best programmer. Just to get the test working to show the boss, before the higher-ups make security decisions, I have to authenticate users whose usernames (member_id's) and passwords are stored as plain varchars in the mysql database.
I'm just working at getting the simplest system right now working before worrying about the harder tasks, but I'm having a bit of difficulty with this simple system, so any help would be appreciated. So far I have a table, 'members' on a database 'ssidb', with the columns I am working with being 'member_id' and 'password'. Here is what I have so far:
<html>
<body>
<?php
$db = mysql_connect("localhost", "root");
mysql_select_db("ssidb", $db);
if ($submit) {
$sql = "SELECT * FROM members WHERE member_id=$member_id && password=$password";
$result = mysql_query($sql);
if ($result) {
echo "Logged In $member_id";
} else {
echo "Try Again";
}
} else {
?>
<form method="post" action="<?php echo $PHP_SELF?>">
<input type="text" name="member_id"><br>
<input type="password" name="password"><br>
<input type="submit" name="submit" value="Login"><br>
</form>
<?php
}
?>
</body>
</html>
When I remove the WHERE clause from the SELECT statement, the system works as planned, but if I leave the WHERE clause in, I get the results of the else statement (echo "Logged in $member_id"
, even if I enter the proper member_id/password combination. I'm really not sure whats going wrong, again any help would be much appreciated.Sorry, I thought I had it but I didnt. Again, any help would be great.replace && with AND
and quote the value since it's a string
$sql = "SELECT * FROM members WHERE member_id='$member_id' AND password='$password'";OK, I changed && to AND and I quoted the values:
<html>
<body>
<?php
$db = mysql_connect("localhost", "root");
mysql_select_db("ssidb", $db);
if ($submit) {
$sql = "SELECT member_id, password FROM members WHERE member_id='$member_id' AND password='$password'";
$result = mysql_query($sql);
if ($result) {
echo "Welcome $member_id";
} else {
echo "Login Incorrect";
}
} else {
?>
<form method="post" action="<?php echo $PHP_SELF?>">
<input type="text" name="member_id"><br>
<input type="password" name="password"><br>
<input type="submit" name="submit" value="Login"><br>
</form>
<?php
}
?>
</body>
</html>
Now when I enter a member_id and password, I get the results of the if statement, whether the users are in the database or not. I think my logic is probably wrong with the
if ($result) {...
This might not even be the best way to do this login, I'm not really a programmer, more of a css/html kinda guy but basically, Im trying to say:
- User enters member_id and password
- Take that data and use it to find the corresponding member_id and password in the DB
- If that data is in the database, do something
- If its not in the database do something else
Thats as far as I'm thinking right now so I don't cloud my vision but its not quite working so far.How do you stop people, that you don't want to have access, from making a user ID and password which they can then use to give themselves access?
Additionally, you do not want to give users an unlimited number of attempts at guessing the password for any particular ID. You should lock people out for a few hours after, say, three wrong guesses.$sql = "SELECT member_id, password FROM members WHERE member_id='$member_id' AND password='$password'";
$result = mysql_query($sql);
if ($result) {
if $result only mean that the query is correct!
so you should do
if (mysql_fetch_array($result))
of
if (mysql_num_rows($result)==1))
I'm just working at getting the simplest system right now working before worrying about the harder tasks, but I'm having a bit of difficulty with this simple system, so any help would be appreciated. So far I have a table, 'members' on a database 'ssidb', with the columns I am working with being 'member_id' and 'password'. Here is what I have so far:
<html>
<body>
<?php
$db = mysql_connect("localhost", "root");
mysql_select_db("ssidb", $db);
if ($submit) {
$sql = "SELECT * FROM members WHERE member_id=$member_id && password=$password";
$result = mysql_query($sql);
if ($result) {
echo "Logged In $member_id";
} else {
echo "Try Again";
}
} else {
?>
<form method="post" action="<?php echo $PHP_SELF?>">
<input type="text" name="member_id"><br>
<input type="password" name="password"><br>
<input type="submit" name="submit" value="Login"><br>
</form>
<?php
}
?>
</body>
</html>
When I remove the WHERE clause from the SELECT statement, the system works as planned, but if I leave the WHERE clause in, I get the results of the else statement (echo "Logged in $member_id"
, even if I enter the proper member_id/password combination. I'm really not sure whats going wrong, again any help would be much appreciated.Sorry, I thought I had it but I didnt. Again, any help would be great.replace && with ANDand quote the value since it's a string
$sql = "SELECT * FROM members WHERE member_id='$member_id' AND password='$password'";OK, I changed && to AND and I quoted the values:
<html>
<body>
<?php
$db = mysql_connect("localhost", "root");
mysql_select_db("ssidb", $db);
if ($submit) {
$sql = "SELECT member_id, password FROM members WHERE member_id='$member_id' AND password='$password'";
$result = mysql_query($sql);
if ($result) {
echo "Welcome $member_id";
} else {
echo "Login Incorrect";
}
} else {
?>
<form method="post" action="<?php echo $PHP_SELF?>">
<input type="text" name="member_id"><br>
<input type="password" name="password"><br>
<input type="submit" name="submit" value="Login"><br>
</form>
<?php
}
?>
</body>
</html>
Now when I enter a member_id and password, I get the results of the if statement, whether the users are in the database or not. I think my logic is probably wrong with the
if ($result) {...
This might not even be the best way to do this login, I'm not really a programmer, more of a css/html kinda guy but basically, Im trying to say:
- User enters member_id and password
- Take that data and use it to find the corresponding member_id and password in the DB
- If that data is in the database, do something
- If its not in the database do something else
Thats as far as I'm thinking right now so I don't cloud my vision but its not quite working so far.How do you stop people, that you don't want to have access, from making a user ID and password which they can then use to give themselves access?
Additionally, you do not want to give users an unlimited number of attempts at guessing the password for any particular ID. You should lock people out for a few hours after, say, three wrong guesses.$sql = "SELECT member_id, password FROM members WHERE member_id='$member_id' AND password='$password'";
$result = mysql_query($sql);
if ($result) {
if $result only mean that the query is correct!
so you should do
if (mysql_fetch_array($result))
of
if (mysql_num_rows($result)==1))