Hey guys, creating a simple script for registration and login. Managed to get the registration form working and adding users to a simple 4 table database.

Having problems with the login form. I am not sure how to write the code that validates the user and password because every time that I log in with a registered users details or with an unregistered user I get the part of the script that says the login failed.

Any help would be much appreciated

Here is the login and register script:

register form

<?php
//assign the registration form to a variable and display if it has not been submitted
$regform =<<<EOD
<form action="register.php" method="post">
Please enter your username<input type="text" name="username" />
<br />
Please enter your email address<input type="text" name="usermail" />
<br />
Please confirm your email address<input type="text" name="mailconf" />
<br />
Please enter your password<input type="password" name="userpass" /> 
<br />
Please confirm your password<input type="password" name="passconf" />
<br />
<input type="submit" name="submit" value="submit"/>
</form>
EOD;

if (empty($_POST['submit'])) {
	echo $regform;
	}

//if the from has been submitted
if(isset($_POST['submit'])){

//assign variables to form data
$username = $_POST['username'];
$usermail = $_POST['usermail'];
$mailconf = $_POST['mailconf'];
$userpass = $_POST['userpass'];
$passconf = $_POST['passconf'];

//validate form input
if($username == false || $userpass == false || $passconf == false || $mailconf == false || $usermail == false) {
	echo "Please fill in all fields in the form, Thanks!";
	echo "<br />";
	echo $regform;
	} elseif($usermail != $mailconf || $userpass != $passconf) {
	echo "Please enter a matching email address or password";
	echo "<br />";
	echo $regform;
	} else {

//if form data validated connect and insert into database
	$connect = mysql_connect("localhost","sexybacklink","testpass")
	or die(mysql_error());
	mysql_select_db("testsite")
	or die(mysql_error());
	$register = "INSERT INTO user(username,usermail,userpass)
	VALUES('$username',
	'$usermail','$userpass')";
	$result = mysql_query($register)
	or die(mysql_error($register));
	echo "Thanks for registering with our site!";
	} 
} 
?>

login form

<?php session_start();?>
<html>
<head>
<title>Login</title>
</head>
<body>
<?php
//assign the login form to a variable and display if it has not been submitted
$form=<<<EOD
<form action="login.php" method="post">
Username:<input type="text" name="username"/>
<br />
Password:<input type="password" name="password"/>
<br />
<input type="submit" name="submit" value="submit" />
</form>
EOD;

if(empty($_POST['submit']))
echo $form;

//if the form has been sent
elseif (isset($_POST['submit'])) {
$username = $_POST['username'];
$password = $_POST['password'];

//connect and select database
$connect = mysql_connect("localhost","mytestuser","mytestpass")
or die(mysql_error());
mysql_select_db("testsite")
or die(mysql());

//query database to find user details 
$login =  
		"SELECT * " .
		"FROM user " .
		"WHERE 'username' = '$username' " . 
		"AND 'userpass' = '$password' " . 
		"LIMIT 0 , 30";
$results = mysql_query($login)
or die(mysql_error());
$row = mysql_fetch_assoc($results);

//validate user details to login or try again
if ($row == false) {
	echo "<p>You have not correctly logged in.  Please check your username and 
	password or <a href=\"register.php\">click here to register</a></p>";
	} else {
	$_SESSION['username'] = $username;
	$_SESSION['authuser'] = 1;
	
	echo "Thanks $username, for logging in";	
	}
}
?>
</body>

Here is a bit change in login code.

$results = mysql_query($login) or die(mysql_error());
if(mysql_num_rows($results) == 0) 
{
    echo "Invalid login";
    exit;
}
else
{
    echo "Successfull Login";
    exit;
}

Thanks Vibhadevit for giving the code. Used the code and still got the "inalid login" message.

I am not sure but I think there is a problem with the way that i have written the code that checks the database around line 33.

Any help is much appreciated

echo query and run it in phpmyadmin window to see whats going in query.

echo $login; exit;

are you encrypting the password when storing it?? i meant the one in database??

see this page about real_escape_string() function before you publish the login page since your login form is vulnerable to sql injection.
http://is.php.net/manual/en/function.mysql-real-escape-string.php

If you publish your login page like this a hacker can easily drop your database(if the connection has the privilage for it) and if the connection only allows select privilage he can still get unlimited access by manipulating the boolean expression.

Here is a link to sanitizing and validating data: http://net.tutsplus.com/tutorials/php/sanitize-and-validate-data-with-php-filters/
That is one thing that you can do to help check your login values before querying your database.

You have the following:

$login =
"SELECT * " .
"FROM user " .
"WHERE 'username' = '$username' " .
"AND 'userpass' = '$password' " .
"LIMIT 0 , 30";

Have you tried this yet? focus on lines 37 and 38:

$login =
"SELECT * " .
"FROM user " .
"WHERE 'username' = '".$username."' " .
"AND 'userpass' = '".$password."' " .
"LIMIT 0 , 30";

try this one

$login =
"SELECT * " .
"FROM user " .
"WHERE username = '".$username."' " .
"AND userpass = '".$password."' " .
"LIMIT 0 , 30";

cause when you start condition 'where' then no error found and not result will match in the database with this code

$login =
"SELECT * " .
"FROM user " .
"WHERE 'username' = '".$username."' " .
"AND 'userpass' = '".$password."' " .
"LIMIT 0 , 30";
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.