[PHP-DB] Need Help in the below script

2009-09-04 Thread nagendra prasad
Hi all,

I am working on my project. I have to create a user registration page and a
login page. I am done with the registration page, but when I tried to code the
login page it's not working. Below is the code. Please take a look at the script
and let me know where I am going wrong.


<?php

$username=$_POST['username'];
$password=$_POST['password'];

if($username&&$password)
{

$connect= mysql_connect("localhost","root","") or die("couldn't connect");

mysql_select_db("phplogin") or die("no db in the list");

$query = mysql_query("SELECT * FROM users WHEER username='$username'");

$numrows = mysql_num_rows($query);


if ($numrows!=0)
{
echo "user dosen't exist";
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}

if ($username==$dbusername && $password==$dbpassword)
{
echo "you are in";
}
else
echo "incorrent username and password";


else
die("user dosent exitst");

}

else

die("please enter a username and a password");
}


?>



-- 
Guru Prasad
Ubuntu Voice GTK+ Forum


Re: [PHP-DB] Need Help in the below script

2009-09-04 Thread Patrick Price
It appears that you had a missing bracket or two and you had misspelled
'WHERE' in the query.

In your code you were checking if the username and password were correct
outside of the while loop.  Even though it can be uncommon, if you have
multiple users with the same username then you would only be checking the
last result, not each row.

I changed the query to make it simpler: if you check for the username and
password to match in the query, then you only have to check for the returned
rows to see if the correct username and password were used.

I added a second query to check if the username exists but the password was
wrong.  For security purposes, when a login attempt fails you should not
tell a user whether the username or password was correct; once they know
that one of their parameters was correct, it is much easier for them to hack
the other parameter.

You also need to be concerned about SQL injection attacks; you should always
escape any data being used in a query.
http://us.php.net/manual/en/security.database.sql-injection.php


<?php
$username = $_POST['username'];
$password = $_POST['password'];
if ($username && $password)
{
    $connect = mysql_connect("localhost", "root", "") or die("couldn't connect");
    mysql_select_db("phplogin") or die("no db in the list");
    // escape data to prevent SQL injection attacks
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    // a row comes back only when both username and password match
    $query = mysql_query("SELECT * FROM users WHERE username='$username' AND password = '$password';");
    $numrows = mysql_num_rows($query);
    if ($numrows == 1)
        echo "you are in";
    else
    {
        // second query: does the username exist at all?
        $username_result = mysql_query("SELECT * FROM users WHERE username = '$username';");
        if (mysql_num_rows($username_result) == 0)
            echo "user does not exist";
        else
            echo "incorrect username and password";
    }
}
else
    die("please enter a username and a password");
?>

Hope this helps.

Thanks,

patrick
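
The same login check written for current PHP, as an added example that is not part of the thread: the mysql_* functions used above were removed in PHP 7.0, so it uses PDO with a bound parameter, password_hash()/password_verify(), and one failure message for both an unknown user and a wrong password. Assumptions: an in-memory SQLite database stands in for the MySQL phplogin database, and the password_hash column, the check_login() helper and the sample account are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumption: PDO with an in-memory
// SQLite database stands in for the MySQL "phplogin" database, and the users
// table stores a password_hash() value in a hypothetical password_hash column.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Constructed sample account; the password is stored only as a salted hash.
$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

function check_login(PDO $pdo, string $username, string $password): bool
{
    // Hash verified when the user is unknown, so both failure paths do similar work.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }

    // Bound parameter: the submitted value is never spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();   // false when no row matches

    $matches = password_verify($password, $stored === false ? $dummy : $stored);
    return $matches && $stored !== false;
}

// Constructed login attempts.
$attempts = [
    ['alice', 'correct horse'],   // existing user, right password
    ['alice', 'wrong'],           // existing user, wrong password
    ['nobody', 'placeholder'],    // unknown user
    ["o'brien", 'x'],             // quote in the input is handled as plain data
];
foreach ($attempts as [$user, $pass]) {
    // Same message for every failure, so the response does not reveal which field was wrong.
    echo check_login($pdo, $user, $pass) ? "you are in\n" : "incorrect username or password\n";
}
```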






Re: [PHP-DB] Need Help in the below script

2009-09-04 Thread nagendra prasad
Hey Patrick,

Thanks so much. It's really working. You have saved my life.

Best,