greg — Tue, 24 Jul 2007 13:15:37 +0000

so now what happens is if either field was blank it assigns a variable to the word "true" else variable is "false"

then, if var is false (that is neither field was blank) it connects to the DB and checks the users input
else, it goes to the login retry page informing user he didnt input anything and this also means it doesnt unnecessarily access and check the DB

The whole script now seems a little sloppy and bloated to me, but it works, and I dont like fixing things that work

My problem now is it ALWAYS sets the $_SESSION['loginerror'] to the number 3

this is because of my sql query line
SELECT * FROM tablename WHERE username='$username' and password='$password'

So it will only retireve data if BOTH match
so when my following script determines which input was incorrect, i.e. the username OR password, both will be, always

because even if the user inputted the correct username OR password, it wont match the DB as the DB data will be blank because BOTH didnt match in the DB querey

how do I get it to select ANY of password and username when they match without having 2 seperate sql queries?

the updated script...

<?php
session_start();
require_once('mysql.php');

if (!$_POST['username'] || !$_POST['password']) {
$blank_login = "true";
$_SESSION['loginerror'] = 4;
} else {
$blank_login = "false";
}

if ($blank_login == "false") {
mysql_select_db("DBNAME") or die(mysql_error());

$username=$_POST['username'];
$password=$_POST['password'];

$sql="SELECT * FROM tablename WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

if ($username == $result['username'] && $password == $result['password']) {
$_SESSION['user']=$username;
header("Location: /members/memindex.php"); 
} else {

if ($username != $result['username'] && $password != $result['password']) {
$_SESSION['loginerror']=3;
} elseif ($username == $result['username']) {
$_SESSION['loginerror']=1;
} elseif ($password == $result['password']) {
$_SESSION['loginerror']=2;
}
}
}
header("Location: loginerr.php"); 


?>

greg — Tue, 24 Jul 2007 12:12:40 +0000

RATHER THAN edit this entire post(incase someone is reading/replying to it) I have solved this problem...see next post for script changes
but still have another problem (next post)

I tried it and made no difference, but I did discover something

the original script sets a value to a session then redirects the user with the header code

I changed it to just echo some text and it worked fine??

if (!$_POST['username'] || !$_POST['password']) {
echo "blank";
}

so there is something wrong with the header redirect within an if statement? I have seen people use a variable within the clause

if (!$_POST['username'] || !$_POST['password']) {
$blank_login = 'true';
}

then later have IF $blank_login == 'true' then do whatever

It seems to me that header("Location: loginerr.php"); isnt working correctly for some reason. because its in within the if statement?

To be honest, it might be fine, but I am not happy with the script that checks the users inputs to the data from the DB checks....
if($username == $result['username'] && $password == $result['password']) {'

$username is assigned to $_POST['username']
and of course $result['username'] is the data from the DB

but if the users left the fields blank, they wont match anything in the DB, so the DB data will be blank
and so is the users input
so that above code is returned as TRUE

and therefore logs in the user. there must be a better way to check if the info the user puts in a form matches anything in the DB

teammatt3 — Tue, 24 Jul 2007 00:09:39 +0000

You only have one pipe bar in your first logical OR.

if (!$_POST['username'] | !$_POST['password']) {

needs to be

if (!$_POST['username'] || !$_POST['password']) {

I don't know if that's the only problem, but try it and see if it works.