Checking a users login details against a database

Jmz · 05-07-2008, 07:56 PM

I'm making a very simple login script, here's what I have so far:

Code:

<?
//Connect to the database
include("../config/connect.php");

//Get the data from the form
$UserName = $_POST['UserName'];
$Password = $_POST['Password'];

//Check the fields arent empty
if(empty($UserName)) {
	echo "Please Enter A Username";
}elseif(empty($Password)){
	echo "Please Enter A Password";
//Theyre all fine, lets continue
}else {	

//Get rid of any nasty inputs
$UserName = mysql_real_escape_string($UserName);
$Password = mysql_real_escape_string($Password);

$query = "SELECT * from tbl_users WHERE UserName = '$UserName' AND Password = '$Password'";

$result = mysql_query($query);

while ($row = mysql_fetch_assoc($result)) {
	echo $row['UserName'];
}
}
?>

It all works fine but I was wondering. What is the best way to see if the users details matched what was in the database or not?

I've tried putting the following in the while loop:

Code:

if(empty($row['UserName'])) {
echo "Not Logged In";
}else{
echo "Logged In";
}

But it doesn't seem to work

xenon · 05-07-2008, 08:55 PM

After this line:

PHP Code:


			
$result = mysql_query($query);

you don't need to go through the result (which, btw, should be only one). Instead, you can easily do this:

PHP Code:


			
if(mysql_num_rows($result) > 0)
{
    echo 'successfully logged in!';
}
else
{
    echo 'wrong username and/or password';
}

And an advice: don't store the password in clear text in your database. Instead, use a hashing algorithm like md5 or sha1.

Jmz · 05-07-2008, 09:11 PM

Thanks for that

Jmz · 05-07-2008, 09:36 PM

Ok, now I'm stuck with the next part.

Once the username and password are matched with one from the db I want to set the users username as a session variable. So I put:

PHP Code:


			
session_start();
$r=mysql_fetch_array($result);
$_session['UserName'] = $r['UserName'];
echo $_session['UserName'];
echo "<br />";
echo '<a href="2.php">Next</a>';

Then on the page 2.php I add:

PHP Code:


			
<?php
session_start();
echo $_session['UserName'];
?>

Should this not display the users username on the page?

delayedinsanity · 05-07-2008, 10:05 PM

$_SESSION is what you want to set, not $_session.
-m

Jmz · 05-08-2008, 06:42 AM

Great, thanks.

Now, does anybody have a link to a tutorial that will show me how to make sure my sessions are secure?

Jim · 05-08-2008, 10:47 AM

On the left of this page, Securing your PHP applications Part 1 has a piece of code to check the SESSION. Insert that in your script, you might also want to check IP for differences.