[drewby]

Hey Guys,

Go easy on me as I am new(ish) to PHP. I'm writing a register / login script for a CMS and the register functions as it should. The username, encrypted password, and email are stored in the database. When I run the query to select the match in the login script, I continuously get my echo statement ('Invalid login') which is set to echo only when the mysql_fetch_row variable comes up empty. Here is the script...

Code:

<?php
			
			// session start
			session_start();
			
			// includes
			include('./includes/config.php');

			if (isset($_POST['login']))
			{	
				// set up some variables to make this easier
				$username = $_POST['username'];
				$password = $_POST['password'];
				
				// let's deal with empty fields
				if (empty($username) || empty($password))
				{
					echo '<li>Please make sure to fill in all fields!</li>';
				} else
					{
						// they filled it all in and submitted
						// let's clean up the username and password
						$username = mysql_real_escape_string($_POST['username']);
						$password = md5($_POST['password']);
						
						// search for the combination
						$query = mysql_query("SELECT id FROM users WHERE username = '".$username."' AND password = '".$password."' ") or die(mysql_error());
						
						list($user_id) = mysql_fetch_row($query);
						
						if (empty($user_id))
						{
							echo '<li>Incorrect login!</li>';
						} else
							{
								// we found a match and we login them in
								// WITH a session
								$_SESSION['user_id'] = $user_id;
								
								echo '<meta http-equiv="Refresh" Content="0; URL=index.php">';	
							}
					}
			}

			?>

This is really basic. I'm going to add email validation, and only allow certain string lengths for the username and password. But, can someone help me figure out why it's not getting past the if(empty($user_id)) seeing as I fill in the correct log in information.

Also, I always have to use the meta http-equiv refresh as opposed to the header() function because it never runs. Is that dependable on anything?

Thanks,

[mab]

Second question first (also turning on error reporting might help with the first problem) - headers usually don't work because something is being output to the browser before the headers. The easiest way to troubleshoot this (and most other errors that php can detect) is to turn on full php error_reporting and set display_error on. On a development system, this is best done in the php.ini or a .htaccess file so that fatal parse errors are output as well. Turning on full php error reporting will also help you when learning php or anytime your are developing php code or debugging php code.

I'll assume this is on your own computer. In your php.ini set the following two values (stop and start your web server to get any changes made to php.ini to take effect) -

Code:

error_reporting  =  E_ALL | E_STRICT
display_errors = On

I included the E_STRICT setting in the above so that you will also be notified if you are using any depreciated functions that could be turned off or removed in future versions of php.

For the first problem - your query is apparently executing without error (the or die() statement is not being executed), so, echo what the actual query string is and then check directly in the database using your favorite database management tool to make sure the values match.

I recommend forming your query string in a variable so that you can echo it and then using that variable in the mysql_query() statement. Doing this will also help you as you write more sophisticated programs because you can then echo the query when an error occurs or log all queries to keep a record of who did what to your database.

[jstanden]

echo $query to the screen after you define it, and try running it against your database manually (in the console or phpMyAdmin/TOAD/etc).

Make sure you get the result you expect there first, then suspect the code.

[drewby]

I echoed the $query and got back a 'Resource id #4' about the 'Invalid Login' echo. I'm going to run the query in phpmyadmin and try and figure it out that way.

It's safe to say that the query is the problem seeing as the the die() doesn't run?

[mab]

Reread my post. In your code, the variable $query does not contain your query string. jstanden was just posting general information that was not specific to what your code is doing.

[drewby]

Code:

$query = "SELECT id FROM users WHERE username = '".$username."' AND password = '".$password."'";
						
$result = mysql_query($query) or die(mysql_error());
						
list($user_id) = mysql_fetch_row($result);

Is this what you were suggesting?

I echoed the $result and still got Resource Id #4

Also, with echoing $user_id....nothing echoes so it's empty and that is why the it returns the 'Invalid login'?

(Also, the database is called cms with a table called users consisting of four fields (id, username, password, and email) )

[jstanden]

Sorry about that, I didn't mean to be as confusing as I was.

You were right to split up the $query so it contains the "SELECT ..." string and not the result of mysql_query(). You should be doing that anyway.

Now that you have $query separate from the mysql_query() function, you can "echo $query;". You don't want to "echo $result;" -- that's why you're getting "resource id #4". The result of mysql_query() is a pointer to a non-PHP resource (managed by PHP's internals and the MySQL database driver).

The goal of "echo $query;" is to see what your SQL statement looks like with $username and $password injected in the WHERE. You then want to run that SQL statement against your database to reassure yourself the appropriate record is coming up.

If it does, suspect your code.
If it doesn't, suspect your DB/query.

I hope that's more clear.

[drewby]

Thanks Jstanden! That does make sense now. I did just that and took the query that was echoed and ran it in the phpmyadmin and it returned an empty result set. But, the username/password matched up perfectly to the ones that were inserted into the database. So, as you said, that would mean there is a problem with the DB/query? Everything matches up right and I'm still not sure what I'm doing wrong. I guess I'll keep playing with it.....not sure what else to do...

[drewby]

If anyone has any ideas as to the problem / needs any specific details let me know. I really need help. I've been trying to figure it out for like 4 hours and nothing's working. The query is getting no results in the database even though it is returning the right thing...

[drewby]

Nevermind....still working at it