Member Avatar for ON_Jtharpe

Hey guys I am trying to create a login that checks for a password in a mysql database. I have just started picking away at this and have no clue if I am even close. If I am not even close I don't need someone to wast there time holding my hand through this just tell me and I will read up more just wondering if its something small or if I am going the totally wrong direction.

<?php

include = '/var/www/sql_connect.php';

$user = '$_POST['password'];
//if (mysql_query ("SELECT * FROM users WHERE pass = '$user'"){
//header ("location: administration.php");
//} else {
//header ("location: index.php");
//}
$result = mysql_query ("SELECT * FROM users WHERE pass = '$user'") or die(mysql_error());
if ($_POST['password'] == '$result'{
header ("location: administration.php");
} else {
header ("location: index.php");
}

?>

Thanks!
-Justin

  • 4 Contributors
  • 4 Replies
  • 148 Views
  • 2 Days Discussion Span
  • Latest Post Latest Post by codewall
Member Avatar for nuttyniall

Hi There
Have a look phpsense.com they have some good tutorials on how to go about this they also have some source code for a full but simple login system its really good for getting the basics you can download the source files at http://phpsense.com/file_download/3.

Also you must read up on how to sanitize all your $_GET / $_POST variables to prevent SQL injection attacks. I picked up some good resource here http://www.learnphponline.com/security/sql-injection-prevention-mysql-php

Hope this helps

Good Luck

N

Member Avatar for ON_Jtharpe

Thank you for your help I was planning on the sanitizing of my code this was just to get the functionality going before hand. I will take a look at these links thank you for you quick response.

-Justin

Member Avatar for Szabi Zsoldos

You could use just the simple mysql_num_rows, so if you get a record that equals your form input, then it redirects you to your desired page, else, it will display a message.

<?php

if(isset($_REQUEST['login']))
{
	$query = "SELECT user, pass FROM yourTable WHERE user='".mysql_real_escape_string($_REQUEST['user'])."'";
			$result = mysql_query($query);
			   if (mysql_num_rows($result)>0)
			   {		   
					$client = mysql_result($result,0,"user");
					$password = mysql_result($result,0,"pass");
					
																						  
						if (isset($_REQUEST['user']) && $_REQUEST['user'] == $client && isset($_REQUEST['pass']) && $_REQUEST['pass'] == $password)
						{
							header('Location: index.php');
						}
						
			   }
			   else
			   {
				   echo 'Wrong passwod';
			   }
}


?>
Edited by Szabi Zsoldos because: n/a
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.