Re: [PHP-DB] Need Help in the below script

2009-09-04 Thread nagendra prasad
Hey Patrick,

Thanks so much. It's really working. You have saved my life.

Best,


Re: [PHP-DB] Need Help in the below script

2009-09-04 Thread Patrick Price
It appears that you had a missing bracket or two and you had misspelled
'WHERE' in the query.

In your code you were checking if the username and password were correct
outside of the while loop.  Even though it can be uncommon, if you have
multiple users with the same username then you would only be checking the
last result, not each row.

I changed the query to make it simpler. If you check for the username and
password to match in the query, then you only have to check for the returned
rows to see if the correct username and password were used.

I added a second query to check if the username exists but the password was
wrong.  For security purposes when a login attempt fails, you should not
tell a user whether the username or password was correct. Once they know
that one of their parameters was correct, it is much easier for them to hack
the other parameter.

You also need to be concerned about SQL injection attacks; you should always
escape any data being used in a query.
http://us.php.net/manual/en/security.database.sql-injection.php



Hope this helps.

Thanks,

patrick



On Fri, Sep 4, 2009 at 5:07 AM, nagendra prasad wrote:

> Hi all,
>
> I am working on my project. I have to create a user registration page and a
> login page. I am done with registration page but when I tried to code the
> login page it's not working. Below is the code. Please take a look at script
> and let me know where am I going wrong.
>
>
> 
> $username=$_POST['username'];
> $password=$_POST['password'];
>
> if($username&&$password)
> {
>
> $connect= mysql_connect("localhost","root","") or die("couldn't connect");
>
> mysql_select_db("phplogin") or die("no db in the list");
>
> $query = mysql_query("SELECT * FROM users WHEER username='$username'");
>
> $numrows = mysql_num_rows($query);
>
>
> if ($numrows!=0)
> {
> echo "user dosen't exist";
> while ($row = mysql_fetch_assoc($query))
> {
> $dbusername = $row['username'];
> $dbpassword = $row['password'];
> }
>
> if ($username==$dbusername && $password==$dbpassword)
> {
> echo "you are in";
> }
> else
> echo "incorrent username and password";
>
>
> else
> die("user dosent exitst");
>
> }
>
> else
>
> die("please enter a username and a password");
> }
>
>
> ?>
>
>
>
> --
> Guru Prasad
> Ubuntu Voice GTK+ Forum
>
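
Added example, not part of the thread and not Patrick's corrected script (which this archive does not include): one way to apply the points in the reply above, namely a single failure message for any bad login and no user input spliced into the SQL text. It goes beyond the reply by using PDO bound parameters instead of escaping and password_hash()/password_verify() instead of plaintext comparison. The `users` table and its columns follow the quoted script; the in-memory SQLite DSN, the UNIQUE constraint and the sample rows are assumptions made so the example runs offline.

```php
<?php
// Added example (not from the thread). Assumptions: a `users` table with
// `username` and `password` columns as in the quoted script, where `password`
// holds a password_hash() value; in-memory SQLite stands in for MySQL.

function check_login(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the username is bound as data and never becomes
    // part of the SQL text, so quotes in it cannot change the query.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no row matched

    if ($hash === false) {
        // Unknown user: still verify against a dummy hash so the response
        // time does not reveal whether the username exists.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('constructed-dummy', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $hash);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// UNIQUE removes the duplicate-username case discussed in the reply.
$db->exec('CREATE TABLE users (username TEXT UNIQUE NOT NULL, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed attempts: valid login, wrong password, unknown user, and a
// username containing quotes, which is treated as a plain string here.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ['nobody', 'x'],
    ["' OR '1'='1", 'x'],
];
foreach ($attempts as [$u, $p]) {
    // One message for every failure, so the caller cannot tell which of
    // the two fields was wrong.
    echo check_login($db, $u, $p) ? "you are in\n" : "incorrect username or password\n";
}
```

With MySQL, only the DSN and credentials passed to `new PDO(...)` change; `check_login()` stays the same.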


[PHP-DB] Need Help in the below script

2009-09-04 Thread nagendra prasad
Hi all,

I am working on my project. I have to create a user registration page and a
login page. I am done with registration page but when I tried to code the
login page it's not working. Below is the code. Please take a look at script
and let me know where am I going wrong.






-- 
Guru Prasad
Ubuntu Voice GTK+ Forum