nuk3 — Sat, 17 May 2003 06:17:10 +0000

I may as well post my solution, it turns out that the password column was varchar 16 when the md5() algorithm encrypts a string into 32 characters. Therefore the script was trying to compare a 32 character password with a 16 character password in the database. I've managed to get it all working. Its always the small things..

Busy — Sat, 26 Apr 2003 04:12:29 +0000

the 'welcome to this area ...' bit is outside any if/else statements so will always show no matter what happens

you don't need if(!isset($username)) and if(isset($username))

just use one with an else
if(!isset($username)) { // or use (isset(
....
} else {
...
} // this should be the very last tag of the page unless you want stuff to always show
?>

and place everything between the approtiate sections

Renegade — Fri, 25 Apr 2003 11:07:01 +0000

Maybe this site may be of some help to you:

http://www.evolt.org/article/Creating_a_Login_Script_with_PHP_4/17/19661/

nuk3 — Fri, 25 Apr 2003 03:21:00 +0000

<?php
 
session_start();

include(\"/home/silonet/public_html/includes/header.php\");


if(!isset($username)) {
  
  <p><div align=\"center\"><h4> Login Required </h4></div></p>


You must login to access this area of the site! <br>
If you are not a registered user, <a href=\"signup.php\">click here</a> to sign up for instant access! <P>

<form method=\"post\" action=\"=$_SERVER[\"PHP_SELF\"]\">

    Username: <input type=\"text\" name=\"username\" size=\"20\"><br>
    Password: &nbsp;<input type=\"password\" name=\"password\" SIZE=\"20\"><br>
    <input type=\"submit\" value=\"Log in\">
  </form></p>
  
  exit;
}


if (isset($username)) {

session_register(\"username\");
session_register(\"password\");

$db = mysql_connect(\"localhost\", \"removed\", \"removed\");

if (!$db)
echo \"A conection to the database could not be made. Please try again later or contact the website administrator.\";

mysql_select_db(\"removed\");




$result = mysql_query(\"SELECT * FROM member\");

$myrow = mysql_fetch_array($result);

$password == md5($password);

if ($myrow[\"password\"] != $password or $myrow[\"username\"] != $username)

{
  mysql_error(); 
  session_unregister(\"username\");
  session_unregister(\"password\");
  
  <html>
  <head>
  <title> Access Denied </title>
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your username and/or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href=\"=$PHP_SELF\">here</a>. To register for instant
     access, click <a href=\"signup.php\">here</a>.</p>
  </body>
  </html>
  
  exit;
}
}

if ($id == logoff)

{
session_unregister(\"username\");
session_unregister(\"password\");
session_destroy();
}
echo \"Welcome to this area, soon to come will be a place to change your details such as password etc.. This login script will be implemented into my code snippet library (under construction) and eventually into my site for total interaction.\";


echo \" <a href=\\"$PHP_SELF?id=logoff\\">Log Off</a>\";


include(\"/home/silonet/public_html/includes/footer.php\"); 
?>

I've rescipted it, but it still doesn't work. There is obviously no error ( I added in mysql_error(); ) and I'm thinking its having problems comparing the two passwords.. http://www.silonetwork.com/accesscontrol2.php

Busy — Fri, 25 Apr 2003 02:41:48 +0000

I take it your password starts with md5

try add mysql_error() in the result check

if(!$result) { mysql_error(); ... }

the other thing to do is wrap the 'congrats your in' bit in an else statement from the !$result above

I tried the link you gave and got access denied, are you using cookies or anything that could be logging you in when you test it?

just a side note, i wouldn't add the bit about don't hack ... if someone was going to they would hide behind a proxy server so what you have would mean nothing, maybe just add a note stating 'your ip has been recorded' or something, or just do that if the name or p/w is wrong.
also take out the password value

nuk3 — Fri, 25 Apr 2003 01:33:00 +0000

I've just noticed that if I enter any combination of numbers in the login form it logs in even though that data doesn't exist in the database?!

nuk3 — Fri, 25 Apr 2003 01:29:50 +0000

Well for some reason it cant compare the username and password entered on the form with the ones in the database.. Even more strangely when I enter 1 for the password and username it logs in.

http://www.silonetwork.com/signup.php
http://www.silonetwork.com/accesscontrol.php

Busy — Thu, 24 Apr 2003 21:50:16 +0000

what errors are you getting (if any)

mysql_select_db("####",$db); doesn't need the ,$db bit as you've already opened the db by setting $db

the mysql_query (SELECT tag) doesn't need the end part either, this part );", $db you've already choosen the database opened and choosen the database