PHP Coding
 
February 14th, 2013, 06:00 AM
ariesgelera
syntax error - Login multi users

Can someone please help me to fix my login code?

<form action="#" method="POST">
<fieldset>
<legend>NewsLetter</legend>
<input type="text" name="studnumber" value="Username;" onfocus="this.value=(this.value=='Username;')? '' : this.value ;" />
<input type="text" name="password" value="Password;" onfocus="this.value=(this.value=='Password;')? '' : this.value ;" />
<input name="userlevel" type="hidden" value="1" />
<input type="submit" name="login" id="news_go" value="Login" />
</fieldset>

<?php
session_start();
if(isset($_POST['login']))
{
    // username and password sent from form
    $studnumber=$_POST['studnumber'];
    $password=$_POST['password'];
    $userlevel=$_POST['userlevel'];

    $studnumber = stripslashes($studnumber);
    $password = stripslashes($password);
    $studnumber = mysql_real_escape_string($studnumber);
    $password = mysql_real_escape_string($password);

    $sql="SELECT userlevel FROM user WHERE studnumber='$studnumber' AND password='$password' AND userlevel='$userlevel'";
    $result=mysql_query($sql);

    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);

    if ($count == 1)
    {
        if ($userlevel == 'student')
        {
            $_SESSION['studnumber'] = $studnumber;
            $_SESSION['password'] = $password;
            header("location:student/student.php");
        }
        else if ($userlevel == 2)
        {
            $_SESSION['studnumber'] = $studnumber;
            $_SESSION['password'] = $password;
            header("location:teacher/teacher.php");
        }
    }
    else
    {
        echo "Wrong Username or Password";
    }
}
?>

</form>

February 14th, 2013, 06:43 AM
DavidMR
Uh, what's not working? A description of the problem would actually be helpful.
__________________
When I die, I want to go peacefully like my Grandfather did, in his sleep -- not screaming, like the passengers in his car.

February 14th, 2013, 01:23 PM
IAmALlama
Yeah, an error or output would be helpful. But to try to help: echo out the SQL and make sure it looks correct. Then try to run the query somewhere like phpMyAdmin or whatever MySQL manager you use, just to check if there are any rows coming back. If you see a row, call mysql_fetch_assoc on your $result and then print_r/var_dump that to see what you are getting back. Perhaps also, when you query, check if $result === false and if so echo mysql_error().

Some tips:

- Don't use the mysql_* functions. They are deprecated and will be removed from PHP in a future version. Use mysqli (MySQL Improved) or PDO. Both do the same thing and are infinitely better than mysql_*. Use mysqli or PDO with bound parameters. It is simple to switch and easy to get the hang of.

- With the code the way it is, you will need to escape $userlevel also. Just because a form input is hidden doesn't mean it can't be changed. Currently your code is open to SQL injection. Seeing that query, if I know someone else's student number I could log in as them. For example, if I wanted to log in as student number 123, I could just change user level to:
Code:
' or studnumber=123

Of course, this could all be fixed if you would just use mysqli/pdo with bind.

- Don't store passwords in the database without hashing them first. Just please don't. You should be using a hashing function to one-way hash the password. This means that if you hash the password, you get a seemingly random string. Every time you hash the same password, you get the same string, and given the hashed string, you can't get the original password. You can store this string in the database and, when checking the password, hash what the user typed in and compare these hashed strings. This ensures that if someone dumps the data in your database, usually through SQL injection, you don't show them the password of every user.

Last edited by IAmALlama : February 14th, 2013 at 01:34 PM.
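
The advice in the reply above (bound parameters, hashed passwords, not trusting the hidden userlevel field) put together as an added example; it is not code from the thread. It assumes PHP 5.5+ with pdo_sqlite; the in-memory database, the sample users and the level-to-page mapping (1 = student, 2 = teacher) are constructed, and it uses password_hash()/password_verify(), which salt each hash, rather than comparing two hash strings directly.

```php
<?php
// Added example, not the poster's code. Table and column names follow the
// thread; the in-memory SQLite database and both sample users are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (studnumber TEXT PRIMARY KEY, password TEXT, userlevel INTEGER)');

// Store only a salted one-way hash, never the password itself.
$ins = $pdo->prepare('INSERT INTO user (studnumber, password, userlevel) VALUES (?, ?, ?)');
$ins->execute(array('123', password_hash('sample-student-pw', PASSWORD_DEFAULT), 1));
$ins->execute(array('900', password_hash('sample-teacher-pw', PASSWORD_DEFAULT), 2));

// Returns the user level stored in the database, or null if the login fails.
// The level is never read from the request, so the hidden field is not needed.
function check_login(PDO $pdo, $studnumber, $password)
{
    // Bound parameter: the value travels separately from the SQL text, so
    // quotes inside it cannot change the structure of the query.
    $stmt = $pdo->prepare('SELECT password, userlevel FROM user WHERE studnumber = :studnumber');
    $stmt->execute(array(':studnumber' => $studnumber));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['userlevel'];
}

// Assumed mapping (1 = student, 2 = teacher); unknown levels get no page.
function landing_page($level)
{
    $pages = array(1 => 'student/student.php', 2 => 'teacher/teacher.php');
    return isset($pages[$level]) ? $pages[$level] : null;
}

// Constructed inputs: two valid logins, a wrong password, and the
// quote-bearing string from the reply submitted as the student number.
$attempts = array(
    array('123', 'sample-student-pw'),
    array('900', 'sample-teacher-pw'),
    array('123', 'wrong'),
    array("' or studnumber=123", 'anything'),
);
foreach ($attempts as $a) {
    $level = check_login($pdo, $a[0], $a[1]);
    echo str_pad($a[0], 22), $level === null ? 'rejected' : landing_page($level), "\n";
}
```

In a real page, call session_start() and header() before any HTML is sent, and keep only the student number in $_SESSION after a successful check, not the password.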
