PHP login help!

stoke1863 · 21 Apr 2011 at 16:45

Ok basically i have adapted some code from tutorials for a protoype but i cannot for the life of me get this login form to work.

i get this error

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/futuret7/public_html/breakdownapp.co.uk/checklogin.php on line 26

Here is my login .php

Code:

<!DOCTYPE html>
<html>
    <head>
    <title>RSA Breakdown Assistance</title>
    <link rel="stylesheet" href="http://code.jquery.com/mobile/1.0a4.1/jquery.mobile-1.0a4.1.min.css" />
<script src="http://code.jquery.com/jquery-1.5.2.min.js"></script>
<script src="http://code.jquery.com/mobile/1.0a4.1/jquery.mobile-1.0a4.1.min.js"></script>
<style>.ui-page { z-index: 1}
.ui-header { z-index: 10 }
.ui-header * { z-index: 20 }
</style>
</head>

<body>

<div data-role="page" id="login">

<div data-role="header" data-position="fixed" data-theme="b"> 
	<h1>RSA Location Finder Login</h1> 
		<a href="" data-icon="refresh" data-theme="a" data-iconpos="notext" class="ui-btn-right"></a> 
  </div><!-- /header --> 
  
  <div data-role="content" data-theme="b">
 <form action="checklogin.php" method="post"  data-ajax="false" > <div data-role="fieldcontain"  >
    <label for="myusername">Membership Number:</label>
    <input type="text" name="myusername" id="myusername" value=""  />
</div>	
<div data-role="fieldcontain">
    <label for="mypassword">Password Input:</label>
    <input type="password" name="mypassword" id="mypassword" value="" />

<input id="Submit1" type="submit" value="Login" data-role="button" data-inline="true" />
</form>
</div>	
  
</div>
 
  
<div data-role="footer" data-theme="b" data-position="fixed"><a href="#bar"data-rel="dialog" data-transition="slideup" data-role="button" data-icon="arrow-u">Help</a>
    </div><!-- /footer --><!-- /page -->

</body>
</html>

and here is my checklogin.php

Code:

<?php
$host="localhost"; // Host name 
$username="XXXXXr"; // Mysql username 
$password="XXXXX"; // Mysql password 
$db_name="XXXX"; // Database name 
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword"); 
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

tntcoder · 21 Apr 2011 at 16:55

Change

Code:

$result=mysql_query($sql);

to

Code:

$result=mysql_query($sql) or die('Query Error: ' . mysql_error() . "<br />\n$sql");

And post the error.

FabienO · 21 Apr 2011 at 16:58

Code:

  function CheckUserAuthentication($username, $password)  {
    $con = InitializeNewsDatabaseConnection();
    $retValue = null;

    if ($con) { 
      $user = mysql_real_escape_string($username);
      $pass = md5($password);

      $result = mysql_query("SELECT id, name FROM user WHERE name = '$user' AND password = '$pass'");     

      if(mysql_num_rows($result) == 1) {
         $retValue = mysql_fetch_assoc($result);
      }
    }
    return $retValue;
  }

There's some old login code I used to use. It helped me when I was first getting to grips with a login.

InitializeNewsDatabaseConnection(); is a function that connects to my DB

This works so you can:

Code:

  if(isset($_POST['username']) && isset($_POST['password'])) 
  {  
    $user = CheckUserAuthentication($_POST['username'], $_POST['password']);
      if($user != null) 
      { 
        //success
      } 
      else 
      { 
        // Wrong password or username 
      }
  }

It's not the best thing in the world, but it was a good starting point for me.

stoke1863 · 21 Apr 2011 at 17:02

tntcoder said:
Change

Code:

$result=mysql_query($sql);

to

Code:

$result=mysql_query($sql) or die('Query Error: ' . mysql_error() . "<br />\n$sql");

And post the error.

Thanks for looking.

Me being stupid didnt have the right colum in the table! it was asking for username and i had userid

DOH!

now im putting in the correct username and password and it directing me to a successful login page but now i have this warning

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/futuret7/public_html/breakdownapp.co.uk/login_success.php:3) in /home/futuret7/public_html/breakdownapp.co.uk/login_success.php on line 4

thanks for looking much appreciated

when i put in incorrect detials that works fine

tntcoder · 21 Apr 2011 at 17:12

That will be an issue in login_success.php, you'll need to post the code up for that

Off the top of my head, check to make sure session_start(); is right at the top of that file.

stoke1863 · 21 Apr 2011 at 17:14

tntcoder said:
That will be an issue in login_success.php, you'll need to post the code up for that

Off the top of my head, check to make sure session_start(); is right at the top of that file.

yup fixed it now i think it was to do with some white space

thanks a lot

tntcoder · 21 Apr 2011 at 17:21

Ok cool

Btw, if you're doing this for a business app you should consider notching the security up a bit, rather than storing and transmitting plaintext passwords in the database it's good practice to store hashes of them and then use some javascript to calculate the hash on your login page. Maybe worry about that later though

stoke1863 · 21 Apr 2011 at 17:45

tntcoder said:
Ok cool

Btw, if you're doing this for a business app you should consider notching the security up a bit, rather than storing and transmitting plaintext passwords in the database it's good practice to store hashes of them and then use some javascript to calculate the hash on your login page. Maybe worry about that later though

Its not a business (thank god id probably kill something)

its just a prototype web app for uni

visibleman · 21 Apr 2011 at 22:37

tntcoder said:
Ok cool

Btw, if you're doing this for a business app you should consider notching the security up a bit, rather than storing and transmitting plaintext passwords in the database it's good practice to store hashes of them and then use some javascript to calculate the hash on your login page. Maybe worry about that later though

Sorry to hijack the thread, but can I ask why you would do this? Seems a bit odd to me as all it's doing is masking values rather than adding any security to the app i.e.: hashes could be reverse using the javascript (minifying would make it a bit more tricky I suppose).

osc89er · 21 Apr 2011 at 22:53

Java hashes (possibly similar to Javascript ones) are for fancy storage of data/objects/variables.

Security hashes are one way algorithms. You store the hash, then a user types a password. Hash the password, and compare it to the stored one. Only the user ever sees the password then.

visibleman · 21 Apr 2011 at 23:06

osc89er said:
Java hashes (possibly similar to Javascript ones) are for fancy storage of data/objects/variables.

Security hashes are one way algorithms. You store the hash, then a user types a password. Hash the password, and compare it to the stored one. Only the user ever sees the password then.

Don't take offense I know about hashing, specifically of passwords; rule numero uno is not store plain text passwords etc. It was using JS to hash the password prior to sending it server-side, rather than plaintext, that I don't quite understand as it would simply be masking the password value. Certainly wouldn't prevent a MITM attack as the JS (and any random challenge value you use to hash with) would be viewable, unless i'm missing something which is probably the case

.

tntcoder · 22 Apr 2011 at 00:49

You're correct, hashing alone wouldn't prevent a MITM. It's purpose would be to prevent the password being sniffed or replayed by a passive mitm. In order to prevent an active MITM you have to have a secure and tamper proof channel i.e SSL.

If you just used a simple javascript MD5/SHA function you can chuck in a salt and a cryptographic nonce from the server which would prevent sniffing on the wire, replay attacks and rainbow table cracking with little overhead and effort. The hash would not be reversible.

So your login function would transmit: (username, client_random, hash(nonce, client_random, password)) and the server would confirm a match. This is what this forum does for an example, because it doesn't use SSL and it doesn't trasmit the password in the clear, it uses a JS MD5 function.

Obviously the best way is to wrap it all in SSL, but securing it on multiple layers is always nice.