PHP login script - Object not found!

They have: 5 posts

Joined: Dec 2011

Hi there, please could someone tell me what is wrong with my code, I have checked it quite a few times now, and I am unable to find anything out of place.

The main script:

<?php
session_start();
switch (@$_POST['Button'])
{
  case "Login":
    include("dbstuff.php");   // defines $host, $user, $passwd, $dbname
    $cxn = mysqli_connect($host,$user,$passwd,$dbname)
             or die("Query died: connect");
    // The submitted user name is interpolated directly into the SQL text
    $sql = "SELECT username FROM storemembers 
              WHERE username='$_POST[fusername]'";
    $result = mysqli_query($cxn,$sql)
                or die("Query died: fusername");
    $num = mysqli_num_rows($result);

    if($num > 0)   // login name was found
    {
      include("functions.php");   // provides secure_pass()
      $password = secure_pass($_POST['fpassword']);
      $username = $_POST['fusername'];

      $sql = "SELECT username FROM storemembers 
              WHERE username='$username'
              AND password='$password'";
      $result2 = mysqli_query($cxn,$sql)
                   or die("Query died: $password");
      $num2 = mysqli_num_rows($result2);

      if($num2 > 0)   // password matches
      {
        $_SESSION['auth']="yes";
        $_SESSION['logname'] = $username;
        header("Location: SecretPage.php");
      }
      else   // password does not match
      {
        $message_1="The Login Name, '$_POST[fusername]'
                exists, but you have not entered the 
                correct password! Please try again.";
        $fusername = strip_tags(trim($_POST['fusername']));
        include("form_login_reg.inc");
      }
    } // end if $num > 0
    elseif($num == 0)   // login name not found
    {
      $message_1 = "The User Name you entered does not 
                    exist! Please try again.";
      include("form_login_reg.inc");
    }
  break;

  case "Register":
    /* Check for blanks */
    foreach($_POST as $field => $value)
    {
      if ($field != "fax")
      {
        if ($value == "")
        {
          $blanks[] = $field;
        }
        else
        {
          $good_data[$field] = strip_tags(trim($value));
        }
      }
    } // end foreach POST

    if(isset($blanks))
    {
      $message_2 = "The following fields are blank. 
            Please enter the required information:  ";
      foreach($blanks as $value)
      {
        $message_2 .="$value, ";
      }
      extract($good_data);
      include("form_login_reg.inc");
      exit();
    } // end if blanks found

    // Copy every POST field into a local variable of the same name
    foreach($_POST as $field => $value)
    {
      $$field = strip_tags(trim($value));
    }
    if(@is_array($errors))
    {
      $message_2 = "";
      foreach($errors as $value)
      {
        $message_2 .= $value." Please try again<br />";
      }
      include("form_login_reg.inc");
      exit();
    } // end if errors are found

    /* check to see if user name already exists */
    include("dbstuff.php");
    $cxn = mysqli_connect($host,$user,$passwd,$dbname)
             or die("Couldn't connect to server");
    $sql = "SELECT username FROM storemembers 
                WHERE username='$username'";
    $result = mysqli_query($cxn,$sql)
                or die("Query died: username.");
    $num = mysqli_num_rows($result);
    if($num > 0)
    {
      $message_2 = "$username already used. Select another
                       User Name.";
      include("form_login_reg.inc");
      exit();
    } // end if user name already exists
    else
    {
      include("functions.php");
      $password = secure_pass($_POST['password']);

      $today = date("Y-m-d");
      $sql = "INSERT INTO storemembers (username,createdate,
                password,firstname,lastname,email,house_name_no,street,city,
                state,zip,telephone) VALUES
              ('$username','$today', '$password',
               '$firstname', '$lastname', '$email','$house_name_no','$street','$city',
               '$state','$zip','$telephone')";
      mysqli_query($cxn,$sql);
      $_SESSION['auth']="yes";
      $_SESSION['logname'] = $username;

      /* send email to new Customer */
      $emess = "You have successfully registered. ";
      $emess .= "Your new user name and password are: ";
      $emess .= "\n\n\t$username\n\t";
      $emess .= "$password\n\n";
      $emess .= "We appreciate your interest. \n\n";
      $emess .= "If you have any questions or problems,";
      $emess .= " email [email protected]";
      $subj = "Your new customer registration";
      #$mailsend=mail("$email","$subj","$emess");

      header("Location: SecretPage.php");
    } // end else no errors found
  break;

  default:
    include("form_login_reg.inc");
} // end switch
?>


Greg K

He has: 2,145 posts

Joined: Nov 2003

There is a lot wrong with the code compared to how I would do it, for example, your code as is is wide open to SQL injections.

So can you narrow it down to what problems you are experiencing that makes you think something needs changed? Are you getting specific error messages?

-Greg
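The SQL injection exposure raised in the reply above, as an added example that is not part of the original thread: the script's pattern of pasting the submitted user name into the query text, next to a parameterized login check. Assumptions: PDO with a constructed in-memory SQLite table stands in for the thread's MySQL `storemembers` table, and PHP's `password_hash()`/`password_verify()` replace the poster's `secure_pass()`, whose code is not shown; with mysqli the same pattern uses `mysqli_prepare()` and `mysqli_stmt_bind_param()`.

```php
<?php
// Constructed stand-in for the storemembers table (in memory, no server needed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE storemembers (username TEXT PRIMARY KEY, password TEXT)");
$ins = $db->prepare("INSERT INTO storemembers (username, password) VALUES (?, ?)");
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Pattern used in the posted script: the input becomes part of the SQL text,
// so quote characters in it change the structure of the WHERE clause.
function user_exists_concat(PDO $db, string $name): bool
{
    $sql = "SELECT username FROM storemembers WHERE username='$name'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened form: the SQL text is fixed and the value travels as a bound
// parameter, so it is only ever compared as data.
function check_login(PDO $db, string $name, string $pass): bool
{
    $stmt = $db->prepare("SELECT password FROM storemembers WHERE username = ?");
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    // Unknown user and wrong password are reported identically, which also
    // avoids the user-name enumeration in the script's two error messages.
    return is_string($hash) && password_verify($pass, $hash);
}

// Constructed input: not a registered user name, but it contains quotes.
$crafted = "nobody' OR '1'='1";

echo "concatenated query, crafted name: ";
var_dump(user_exists_concat($db, $crafted));

echo "bound parameter, crafted name:    ";
var_dump(check_login($db, $crafted, 'anything'));

echo "bound parameter, valid login:     ";
var_dump(check_login($db, 'alice', 'correct horse'));

echo "bound parameter, wrong password:  ";
var_dump(check_login($db, 'alice', 'wrong'));
```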

They have: 26 posts

Joined: May 2012

It is going to be difficult without any more information. Whereabouts are you getting that error? Also, this code is very insecure. You can't use this safely in a production environment.

Greg K

He has: 2,145 posts

Joined: Nov 2003

This thread is now closed due to inactivity by OP on this thread.
