Member Avatar for davy_yg

I have this codes:

login.php

<div id="loginbox">
<table>

    <form action="proses.php" method="POST">
        <tr>
            <td>Login:</td>               
            <td><input size="30px" type="text" name="username" value=""/></td>
        </tr>
        <tr>
            <td>Password:</td>                
            <td><input size="30px" type="password" name="password" value=""/></td>
        </tr>
        <tr>
            <td></td>
            <td><input type="submit" value="OK"></td>
        </tr>
    </form>
</table>
</div>

proses.php

<?php

$servername = "localhost";
$username = "root";
$password = "";
$database = "rustoleum";

mysql_connect($servername, $username, $password) or die("Not connected");
mysql_select_db($database) or die("Not connected to the database");


/* the files */

// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM user WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

echo $count;
// If result matched $username and $password, table row must be 1 row

if($count==1){

// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("username");
session_register("password");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

I wonder why the result is:

0Wrong Username or Password

I already type the username and password exactly as written in the database.

  • 6 Contributors
  • 11 Replies
  • 191 Views
  • 17 Hours Discussion Span
  • Latest Post Latest Post by davy_yg
Member Avatar for pritaeas

Between line 24 and 25, put echo $sql; and see what is generated. One of your functions can introduce unexpected results.

Member Avatar for davy_yg

Nevermind, after writing more codes I pass the login page.

admin.php

session_start();
if(!session_is_registered('username')){
header("location:index.php");
}
?>

Deprecated: Function session_is_registered() is deprecated in C:\xampp\htdocs\RustoleumCustomCMS\administrator\admin.php on line 63

why is deprecated?

Member Avatar for AARTI SHRIVAS 
if(isset['$username'])
{
}

put all your code in this condition and also check the out put of your query using echo and use die(mysql_error()); for any db error

Member Avatar for pixelsoul

Are you sure that works arti18? I am sure that it would be actually something like:

if(isset($_SESSION['username']))
{

}
Member Avatar for davy_yg

Parse error: syntax error, unexpected '[', expecting '(' in C:\xampp\htdocs\RustoleumCustomCMS\administrator\admin.php on line 62

Member Avatar for NardCake

pixelsoul is correct. You could also do these things I beleive

if(!empty($_SESSION['username']))
{
}
//or
if(($_SESSION['username']) != null)
{
}
Member Avatar for davy_yg

I change some code in order to encrypt the password:

proses.php

<?php

$servername = "localhost";
$username = "root";
$password = "";
$database = "rustoleum";

mysql_connect($servername, $username, $password) or die("Not connected");
mysql_select_db($database) or die("Not connected to the database");


/* the files */

// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$encrypted_password = MD5($password);

$sql=("SELECT * FROM user WHERE username='$username' and password='$encrypted_password'") or die(mysql_query);
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

echo $count; 
// If result matched $username and $password, table row must be 1 row

if($count==1){

// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("username");
session_register("password");
header("location:admin.php");
}
else {
echo "Wrong Username or Password";
}
?>

admin.php

<?php

// Check if session is not registered, redirect back to main page.
// Put this code in first line of web page.

if(isset($_SESSION['$username']))
{
    session_start();
    if(!session_is_registered('username'))
    {
    header("location:index.php");
    }
}

?>

I wonder why now I can enter the admin page without login just by typing the url. In this case, I already Logout - which will direct me to index.php.

index.php

<?php
// Put this code in first line of web page.

session_start();
session_destroy();
?>
Edited by davy_yg
Member Avatar for pixelsoul

md5 is okay, sha1 would be better. Also, why are you destroying the session right after you start it?

Edited by pixelsoul because: Added a question
Member Avatar for IIM

There are some points which i have asked below.

   <?php
     session_start(); 
   if(!isset($_SESSION['username'])) 
    {
       session_destroy();
       header("location:index.php");

    }
    ?>

Instead of this why don't you just try

Edited by IIM
Member Avatar for davy_yg

admin.php

if(isset($_SESSION['$username']))
{
session_start();
}
else
{
header("location:index.php");
}

This time I wonder why I cannot login at all? (I'm in the middle of trying few posibilities).

What's the difference between:

$_SESSION['$username'] and session_is_registered('username') ?

Member Avatar for davy_yg

I find the solution:

admin.php

session_start();

if(!$_SESSION['username'])
    {
    header("location:index.php");
    }
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.