#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2017
    Posts
    100
    Rep Power
    1

    What Is Wrong With Number Of Rows Count Function?


    Guys & My Ladies,

    This LOGIN.php was working last night and so I don't know why not now.

    The ELSE at 53 gets triggered even though I have typed the right password!

    What do you think of line 16 ? ...

    if($numrows >1)

    I tried the following but no luck:

    if($numrows)

    if($numrows !=0)

    if($numrows ==2)



    In the past, they worked, though. What is wrong, do you reckon ?



    PHP Code:

    <?php
    session_start();
    require "conn.php";
    require "site_details.php";

    if(isset($_POST["member_login_submit"]))
    {
        if(!empty($_POST["member_login_username_or_email"]) && !empty($_POST["member_login_password"]))
        {
            $member_login_username_or_email = trim(strip_tags(strtolower(mysqli_real_escape_string($conn,$_POST["member_login_username_or_email"]))));
            $member_login_password = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_login_password"])));
            
            $sql = "SELECT * FROM users WHERE usernames='".$member_login_username_or_email."' OR emails='".$member_login_username_or_email."' AND passwords='".$member_login_password."'";
            $result = mysqli_query($conn,$sql);
            $numrows = mysqli_num_rows($result);
            if($numrows >1)
            {
                while ($row = mysqli_fetch_assoc($result))
                {
                    $db_username = $row["usernames"];
                    $db_password = $row["passwords"];
                    $db_email = $row["emails"];

                    if ($member_login_username_or_email == $db_username && $member_login_password == $db_password || $member_login_username_or_email == $db_email && $member_login_password == $db_password)
                    {
                        $_SESSION["user"] = $member_login_username_or_email;
                        if(!empty($_POST["member_login_remember"]))
                        {
                            setcookie("member_login_username_or_email", $member_login_username_or_email, time() + (10 * 365 * 24 * 60 * 60));
                            setcookie("member_login_password", $member_login_password, time() + (10 * 365 * 24 * 60 * 60));
                        }
                        else
                        {
                            if(isset($_COOKIE["member_login_username_or_email"]))
                            {
                                setcookie("member_login_username_or_email", "", time() - 3600); // expire the cookie
                            }
                            if(isset($_COOKIE["member_login_password"]))
                            {
                                setcookie("member_login_password", "", time() - 3600); // expire the cookie
                            }
                        }
                        header("location:home.php");
                    }
                    else
                    {
                        $message = "Invalid login!";
                    }
                }
            }
            else
            {
                $message = "Something is wrong! Try again later!";
            }
        }
        else
        {
            $message = "You must input your Username and Password!";
        }
    }


    ?>
    <!DOCTYPE html>
    <html>
    <head>
    <title><?php echo $site_name; ?> Member Login Page</title>
      <meta charset="utf-8">
    </head>
    <body>
    <div class = "container">
    <form method="post" action="">
    <center><h3><?php echo $site_name; ?> Member Login Form</h3></center>
    <div class="text-danger">
    <?php
    if(isset($message))
    {
        echo $message;
    }
    ?>
    </div>
    <div class="form-group">
    <center><label>Username/Email:</label>
    <input type="text" placeholder="Enter Username or Email" name="member_login_username_or_email" value="<?php if(isset($_COOKIE["member_login_username_or_email"])) echo $_COOKIE["member_login_username_or_email"]; ?>"></center>
    </div>
    <div class="form-group">
    <center><label>Password:</label>
    <input type="password" placeholder="Enter password" name="member_login_password" value="<?php if(isset($_COOKIE["member_login_password"])) echo $_COOKIE["member_login_password"]; ?>"></center>
    </div>
    <div class="form-group">
    <center><label>Remember Login Details:</label>
    <input type="checkbox" name="member_login_remember" /></center>
    </div>
    <div class="form-group">
    <center><input type="submit" name="member_login_submit" value="Login" class="button button-success" /></center>
    </div>
    <div class="form-group">
    <center><font color="red" size="3"><b>Forgot your password ?</b><br><a href="member_login_password_reset.php">Reset it here!</a></font></center>
    <center><font color="red" size="3"><b>Not registered ?</b><br><a href="member_register.php">Register here!</a></font></center>
    </div>
    </form>
    </div>
    </body>
    </html>
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jul 2003
    Posts
    4,262
    Rep Power
    602
    Did you echo all those values to make sure they contain what you expect?
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2017
    Posts
    100
    Rep Power
    1
    Echoed in the past when testing on my site. Didn't echo recently when testing on xampp.

    Looking for one user per each user login attempt. His username match and his password match. That makes 2 of his inputs matches I'm looking for. All the YouTube tuts showed to code like this. Are you saying, my code will check the Username column and Password column and if it finds any matches at all regardless of how many users then the code will log the user in ? I tested like that but it didn't log me in and so I thought my code was safe. Eg. I inputted 2 users like so in mysql "users" tbl:

    1st_user_username
    1st_user_password

    2nd_user_username
    2nd_user_password

    I tried logging in using the 1st_user_username and 2nd_user_password but it didn't log me in. Hence, I thought my code was correct. What is your conclusion now to all this ?
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2017
    Posts
    100
    Rep Power
    1
    Folks,

    Have you seen on gmail or yahoomail or something you can either enter your username or email and then the password and it would log you in ? Trying to build like that so user gets a choice to either use his username or email to login. Script should log user in as long as "either the username or email" is a match in the username column and the password is a match too that is relevant to the username/email.
    So, db is like this:

    Username|Email|Pass

    If the username is a match on row position 5 then the password should be a match on row position 5 too.
    Or,
    If the email is a match on row position 5 then the password should be a match on row position 5 too.

    I think you understand. Pretty basic, really. Nothing complicated.
  8. #5
  9. Code Monkey V. 0.9
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Mar 2005
    Location
    A Land Down Under
    Posts
    2,268
    Rep Power
    2039
    Your SQL is wrong. Close, but wrong.

    You need to take very careful notice of the precedence of the conditions. In your request:

    Code:
    $sql = "SELECT * FROM users WHERE usernames='".$member_login_username_or_email."' OR emails='".$member_login_username_or_email."' AND passwords='".$member_login_password."'";
    You're asking "If username = X or (email = Y and password = Z)" so if there's a username that matches, it will return a record without checking the password - which is obviously very bad!

    What you need is to check that there is a username OR email, and then that the password matches, like this:

    Code:
    $sql = "SELECT * FROM users WHERE (usernames='".$member_login_username."' OR emails='".$member_login_email."') AND passwords='".$member_login_password."'";
    Oh, and just as a note, storing passwords in plain-text is a very very bad thing to do. You should look into hashing the passwords before you store them so that they won't be quite as vulnerable if anyone from outside of yourself gets access to your database.
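
Added example, not code from any poster in this thread: it runs the question's WHERE clause and the grouped one from the reply above against the same constructed rows, then shows a login check that uses bound parameters and `password_hash()`/`password_verify()` instead of comparing plain-text passwords in SQL. Assumptions: PDO with an in-memory SQLite database so it runs without a server (the thread uses mysqli and MySQL), constructed sample rows, and the hypothetical helper names `countMatches` and `authenticate`.

```php
<?php
// Added example. Constructed rows; in-memory SQLite through PDO is an assumption
// made so this runs without a server (the thread's code uses mysqli and MySQL).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (usernames TEXT UNIQUE, emails TEXT UNIQUE, passwords TEXT)');

$insert = $pdo->prepare('INSERT INTO users (usernames, emails, passwords) VALUES (?, ?, ?)');
// The passwords column holds password_hash() output, never the plain text.
$insert->execute(['droopy', 'droopy@example.test', password_hash('your-pass', PASSWORD_DEFAULT)]);
$insert->execute(['ui man', 'uiman@example.test', password_hash('my-pass', PASSWORD_DEFAULT)]);

const UNGROUPED = 'usernames = ? OR emails = ? AND passwords = ?';   // shape in the question
const GROUPED   = '(usernames = ? OR emails = ?) AND passwords = ?'; // shape in the answer

// Counts rows for one WHERE shape. AND binds tighter than OR, so UNGROUPED is
// read as: usernames = ? OR (emails = ? AND passwords = ?).
function countMatches(PDO $pdo, string $where, string $login, string $password): int
{
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE $where");
    $stmt->execute([$login, $login, $password]);
    return (int) $stmt->fetchColumn();
}

// Looks the account up by identifier only, with bound parameters, then checks
// the submitted password against the stored hash in PHP.
function authenticate(PDO $pdo, string $login, string $password): ?string
{
    $login = strtolower(trim($login));
    $stmt = $pdo->prepare('SELECT usernames, passwords FROM users WHERE usernames = ? OR emails = ?');
    $stmt->execute([$login, $login]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    // Exactly one row must match; zero or several is a failed login.
    if (count($rows) !== 1 || !password_verify($password, $rows[0]['passwords'])) {
        return null;
    }
    return $rows[0]['usernames'];
}

// Username matches, password does not: compare the two WHERE shapes.
var_dump(countMatches($pdo, UNGROUPED, 'droopy', 'not-the-password'));
var_dump(countMatches($pdo, GROUPED, 'droopy', 'not-the-password'));
// One user's name with the other user's password, then a correct email login.
var_dump(authenticate($pdo, 'droopy', 'my-pass'));
var_dump(authenticate($pdo, 'Droopy@Example.test', 'your-pass'));
```

With mysqli, the same statements go through `mysqli_prepare()`, `mysqli_stmt_bind_param()` and `mysqli_stmt_execute()`.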
  10. #6
  11. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2017
    Posts
    100
    Rep Power
    1

    Originally Posted by Catacaustic
    Your SQL is wrong. Close, but wrong.

    You need to take very careful notice of the precedence of the conditions. In your request:

    Code:
    $sql = "SELECT * FROM users WHERE usernames='".$member_login_username_or_email."' OR emails='".$member_login_username_or_email."' AND passwords='".$member_login_password."'";
    You're asking "If username = X or (email = Y and password = Z)" so if there's a username that matches, it will return a record without checking the password - which is obviously very bad!

    What you need is to check that there is a username OR email, and then that the password matches, like this:

    Code:
    $sql = "SELECT * FROM users WHERE (usernames='".$member_login_username."' OR emails='".$member_login_email."') AND passwords='".$member_login_password."'";
    Oh, and just as a note, storing passwords in plain-text is a very very bad thing to do. You should look into hashing the passwords before you store them so that they won't be quite as vulnerable if anyone from outside of yourself gets access to your database.

    Thanks for thinking deep into this matter and spotting my error which no-one so far has spotted. Others have spotted other mistakes but not this one.
    My thinking logic was like this ...

    The Login form asks for 2 inputs (username or email which are being counted as 1 input) & password (which is being counted as the 2nd input). So, 2 inputs here from the user.
    Now, the 2 inputs must match with data in mysql. First input must match with a username in the Username column or it must match with an email from the Email column. When a match is found in either column then that is one row match.
    Then when a password is matched in the password column then that is the 2nd row match. So, here 2 rows are being matched. So, I thought. I see my error now. It is not 2 rows match but 2 columns match with 1 row match. Correct ?
    I got my wires crossed here. I was looking for 2 column matches but writing the code to search for 2 rows match instead. Anyway, is there a way to get the script to check for 2 column matches ? Care to show an example ? And, would it do the job ? Do you suggest I get the script to do it like that (check for 2 column matches) ?
    5 secs later, I'm now thinking it would be a bad idea to get the script search for 2 column matches.

    User|Pass
    Droopy|your-pass
    UI Man|my-pass

    If you input the following then it would log you in:

    User|Pass
    Droopy|my-pass

    It would log Droopy in with UI man's pass. I guess best stick to row matches over column. No wonder programmers never search for column matches.
    So, I guess, you now gonna say to get the script to log the user in based on any of these conditions:

    Greater Than: 0
    Not Equal To: 0
    Equal To: 1

    Right ?

    Maybe, I stick to the 1st one even though all the following are valid:

    if($numrows)

    if($numrows >0)

    if($numrows !=0)

    if($numrows ==1)

    What do you say ? How do you do things ?
  12. #7
  13. Code Monkey V. 0.9
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Mar 2005
    Location
    A Land Down Under
    Posts
    2,268
    Rep Power
    2039
    Originally Posted by UniqueIdeaMan
    I got my wires crossed here. I was looking for 2 column matches but writing the code to search for 2 rows match instead. Anyway, is there a way to get the script to check for 2 column matches ? Care to show an example ? And, would it do the job ? Do you suggest I get the script to do it like that (check for 2 column matches) ?
    That's correct. You need to match a single row on a matching username or email, and then ensure that the password matches on the same row.

    The example is exactly what I wrote above. That query will do what you need it to - but again thanks to your code being full of security holes it's not something that I'd want to use in production anywhere.

    Originally Posted by UniqueIdeaMan
    5 secs later, I'm now thinking it would be a bad idea to get the script search for 2 column matches.
    No, that's wrong. Matching on two columns is exactly what you need. In your case the only difference is that one of those matches could be in one of two columns, so you're searching a possible total of three columns to find what you're looking for.

    Originally Posted by UniqueIdeaMan
    User|Pass
    Droopy|your-pass
    UI Man|my-pass

    If you input the following then it would log you in:

    User|Pass
    Droopy|my-pass

    It would log Droopy in with UI man's pass. I guess best stick to row matches over column. No wonder programmers never search for column matches.
    So, I guess, you now gonna say to get the script to log the user in based on any of these conditions:

    Greater Than: 0
    Not Equal To: 0
    Equal To: 1
    I'm not sure how your logic is working here. If you're matching against a single record you must match the username/email as well as the password - not one or the other. The only time that you could get multiples is if you have your database indexing and system set up to allow the same username or email address, and that's a very bad idea.

    Originally Posted by UniqueIdeaMan
    What do you say ? How do you do things ?
    It sounds like you need a lot more work on your logic along with your programming, and that's not a bad thing. We all have to start somewhere.

    At this point I'd advise you to look at something like this:

    https://github.com/PHPAuth

    That is pretty much a "default standard" that takes care of everything that you are trying to do, and does it in a much more secure and manageable way than you are trying to do it.
  14. #8
  15. Banned (not really)
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 1999
    Location
    Caro, Michigan
    Posts
    14,665
    Rep Power
    4495
    Your database query is going to return one row if the criteria is met and ZERO rows if the criteria is not met. The criteria being [ (username OR email) AND password ].

    The query & results are your test to see if anything matches. You do not need to go on from there and compare the values again in PHP.
    -- Cigars, whiskey and wild, wild women. --
  16. #9
  17. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2017
    Posts
    100
    Rep Power
    1
    Originally Posted by Catacaustic
    That's correct. You need to match a single row on a matching username or email, and then ensure that the password matches on the same row.

    The example is exactly what I wrote above. That query will do what you need it to - but again thanks to your code being full of security holes it's not something that I'd want to use in production anywhere.



    No, that's wrong. Matching on two columns is exactly what you need. In your case the only difference is that one of those matches could be in one of two columns, so you're searching a possible total of three columns to find what you're looking for.



    I'm not sure how your logic is working here. If you're matching against a single record you must match the username/email as well as the password - not one or the other. The only time that you could get multiples is if you have your database indexing and system set up to allow the same username or email address, and that's a very bad idea.



    It sounds like you need a lot more work on your logic along with your programming, and that's not a bad thing. We all have to start somewhere.

    At this point I'd advise you to look at something like this:

    https://github.com/PHPAuth

    That is pretty much a "default standard" that takes care of everything that you are trying to do, and does it in a much more secure and manageable way than you are trying to do it.
    Thank you very much for that link! It will be handy when I start learning PDO. Right now, struggling with mysqli. Nevertheless, I saved your suggested link and thank you very much for it.
