The Web Design Group

... Making the Web accessible to all.

php login form: php login script not functioning correctly
belowHeights00
post Jun 13 2014, 04:35 PM
Post #1


Member

Group: Members
Posts: 67
Joined: 4-February 14
Member No.: 20,319



Hello. I am using a php script as follows:
<?php
include "includes/connection_db.php";

$username = $_POST['login_username'];
$password = $_POST['login_password'];
$login = $_GET['security_level'];

setcookie('user_name', '$username', time()+86400);

if ($login == 'yes'){
    $get = mysql_query("SELECT count(user_id) FROM registered_users WHERE user_name='$username' and password='$password'");
    $result = mysql_result($get, 0);

    if($result != 1){
        echo "Invalid login";
    }
    else
    {
        echo "Login Successful." . " Welcome back " . $_COOKIE['user_name'];
        $_SESSION['user_name'] = $username;
    }
}
?>
<?php
mysql_close();
?>

The form is here:
<form id="home_login" action="login.php?login=yes" Method="POST">
User Name: <input type="text" name="login_username" />
Password: <input type="password" name="login_password" />
<button type="submit" name="login_submit">Submit</button>
</form>

The problem is it keeps returning "invalid login" regardless of correct or incorrect credentials. Unknown user does work though so I assume that means the mysql statement is correct.
The included connection_db.php script is correct 'cuz it works on other pages.

Any ideas folks...I'm still looking closely at it but in the mean time hopefully y'all can help.

Oh and I do have entries for user_name and password as well as user_id for the primary key. Possibly that "count(user_id) part is missing something but idk.
belowHeights00
post Jun 13 2014, 05:53 PM
Post #2


Member

Group: Members
Posts: 67
Joined: 4-February 14
Member No.: 20,319



I have since created a table named "login" with user_name and password being populated from a registration form and performed a SELECT statement for that. But it didn't work, same problem.
Christian J
post Jun 13 2014, 06:05 PM
Post #3



Group: WDG Moderators
Posts: 9,678
Joined: 10-August 06
Member No.: 7



QUOTE(belowHeights00 @ Jun 13 2014, 11:35 PM)

$login = $_GET['security_level'];

Where does $_GET['security_level'] come from? The form's URL uses action="login.php?login=yes".

QUOTE
WHERE user_name='$username' and password='$password'"

Where's the form data sanitation? Don't apply security as an afterthought, it's better to focus on it from the very beginning.

QUOTE
if($result != 1){

Can't comment on the SQL, but according to http://php.net/manual/en/function.mysql-result.php the return value is
"The contents of one cell from a MySQL result set on success."

-- is that the same as "1"?

QUOTE
else
{echo "Login Successful." . " Welcome back " . $_COOKIE['user_name'];

Sidenote: what if the user has disabled or deleted cookies?

QUOTE
The problem is it keeps returning "invalid login" regardless of correct or incorrect credentials.

What does mysql_result() return? Print it out and check.

QUOTE
Unknown user does work though

When does "Unknown user" apply?

QUOTE
Possibly that "count(user_id) part is missing something but idk.

I'm no good at SQL, what is COUNT used for here? I don't see if it's necessary for anything, unless there's more than one DB row where user_name='$username' and password='$password' in the DB table -- and if so, is that a good way to organize a DB table? And what happens if someone has chosen a username or password that's the same as user_id, doesn't that result in an unintended match?
CharlesEF
post Jun 13 2014, 07:05 PM
Post #4


Programming Fanatic

Group: Members
Posts: 1,981
Joined: 27-April 13
From: Edinburg, Texas
Member No.: 19,088



To add to what Christian J says, you should not be using mysql anymore, it is deprecated and can be removed at any time. You should be using mysqli instead. Also, user data should be cleaned using mysqli_real_escape_string() and you should be using prepared statements (or PDO, depending on your PHP version) to help guard against SQL injection attacks. I see this line of code: $_SESSION['user_name'] = $username; but I do not see a session_start command anywhere. You need to issue the session_start command before you can access $_SESSION variables.

Assuming your column names are correct I really don't see any other problems, but it has been a long day for me.

PS: Many people suggest using PDO because it does a lot of the data cleaning for you. I use prepared statements because PDO requires a newer PHP version. But, I would still do my own data cleaning because I think it adds an extra layer of protection.

This post has been edited by CharlesEF: Jun 13 2014, 07:52 PM
belowHeights00
post Jun 13 2014, 09:25 PM
Post #5


Member

Group: Members
Posts: 67
Joined: 4-February 14
Member No.: 20,319



Well, according to the code, the value of mysql_result($get, 0) prints out as '0'. So according to that, it seems like the problem is the mysql statement, right? Charles...I hear all the time about mysqli and how I should only use it...can you tell me how to incorporate it --- is it as simple as adding an 'i' after it or...?

Christian...the 'security_level' is a field in my registered_users table to determine session (or that is the plan)...values are 0,1, or 2..
I have since changed the value of the form's action to "login.php?login=yes" [I just don't understand what it means].

Thanks for the cookie tip...I should use a fallback in case cookies are off...which I'm sure happens at least the majority of the time.
Also I'm always told about the sanitizing - I think I'll watch some youtube videos of it and start getting used to it:)

Thanks guys...to summarize...I'm guessing the mysql statement is a bit off just not sure how...or if that's even the reason...anyone wanna chime in?

And I added a session_start() function right under the 'import' at the top of the page.

This post has been edited by belowHeights00: Jun 13 2014, 09:32 PM
CharlesEF
post Jun 13 2014, 09:55 PM
Post #6


Programming Fanatic

Group: Members
Posts: 1,981
Joined: 27-April 13
From: Edinburg, Texas
Member No.: 19,088



Most, if not all, mysql commands have a corresponding mysqli command. mysqli supports 2 modes of programming, procedural and object oriented, and you should not mix the 2. I recommend the OO approach. Since I have never used mysql the format is a little different than what I'm used to.

I understand the count(user_id) should return 1 if only 1 record is found but what if you have duplicates? You should have a primary/unique key defined on the user_name column to ensure that duplicates do not happen and then you don't need the count() part of the query.

If 'security_level' is a column in your database then why are you trying to use it before the value is retrieved from the DB?
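As an added example of the approach recommended in posts #4 and #6 (this is not code from the thread or from the poster's site): the login script rewritten in mysqli object-oriented style with a prepared statement, session_start() as the first statement, a lookup by user_name alone (so COUNT() is unnecessary, assuming a UNIQUE key on that column), security_level read from the matched row, and the password checked with password_verify() against a stored password_hash() digest. The connection credentials are placeholders, and PHP 5.5 or later is assumed; the table and column names are the ones the thread mentions.

```php
<?php
// Added example, not code from the thread: login.php with mysqli (OO style)
// and a prepared statement. Assumes PHP 5.5+, a UNIQUE key on
// registered_users.user_name, and a `password` column holding a
// password_hash() digest rather than plain text.
session_start();   // first statement in the file, before any output

// Placeholder credentials; substitute the values from your connection_db.php.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    exit('Database connection failed');   // do not echo connect_error to visitors
}
$db->set_charset('utf8mb4');

$username = isset($_POST['login_username']) ? $_POST['login_username'] : '';
$password = isset($_POST['login_password']) ? $_POST['login_password'] : '';

// Look the user up by name only. The UNIQUE key means at most one row comes
// back, and the "?" placeholder keeps the submitted value out of the SQL
// text, which is what blocks injection.
$stmt = $db->prepare(
    'SELECT user_id, user_name, password, security_level
       FROM registered_users WHERE user_name = ?'
);
if ($stmt === false) {
    exit('Query failed');
}
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($userId, $dbUserName, $storedHash, $securityLevel);
$found = $stmt->fetch();   // true when a row was returned, null when none
$stmt->close();
$db->close();

if ($found !== true || !password_verify($password, $storedHash)) {
    // One message for "no such user" and "wrong password" alike, so the
    // response does not reveal which user names exist.
    echo 'Invalid login';
} else {
    session_regenerate_id(true);   // fresh session id once authenticated
    $_SESSION['user_id']        = $userId;
    $_SESSION['user_name']      = $dbUserName;
    $_SESSION['security_level'] = (int) $securityLevel;   // 0, 1 or 2 per post #5
    echo 'Login Successful. Welcome back '
       . htmlspecialchars($dbUserName, ENT_QUOTES, 'UTF-8');
}
```

With this version the form can post to plain "login.php"; the `?login=yes` switch in the original action is not needed because the script only reads the POST fields. The welcome message comes from the database row rather than from a cookie, so it works with cookies disabled and cannot be altered by editing the cookie value.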
belowHeights00
post Jun 13 2014, 10:07 PM
Post #7


Member

Group: Members
Posts: 67
Joined: 4-February 14
Member No.: 20,319



Well...the funny thing is I had it right a couple hours or so but didn't realize it...I was using the credentials only from my registered_users table and NOT the 'login' table which was the table used in the SELECT statement. Now it works it seems. Still learning sql tho...I love it though -- the possibilities...
belowHeights00
post Jun 14 2014, 12:19 AM
Post #8


Member

Group: Members
Posts: 67
Joined: 4-February 14
Member No.: 20,319



Ugghh, now I keep getting that stinkin' Warning: session_start(): Cannot send session cache limiter - headers already sent error. I'm working on showing an image to link to the register page if the session_start('username') is not found...and if it is found, it should show a logout button under the login form. btw -- the site can be found at:

www(dot)socialv1(dot)lifecoachkathleen(dot)(com)
CharlesEF
post Jun 14 2014, 01:19 AM
Post #9


Programming Fanatic

Group: Members
Posts: 1,981
Joined: 27-April 13
From: Edinburg, Texas
Member No.: 19,088



You can check the PHP online manual to be sure but I think session_start needs to be issued before any output from the server to your browser.
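An added example (not the poster's page) of the ordering post #9 describes: session_start() is the first statement in the file, ahead of the doctype, and the logout handling that needs header() also runs before any HTML. The conditional block then renders what post #8 asks for: a logout button when the session holds user_name, otherwise the login form and an image link to the registration page. The file names index.php, register.php and register.png are assumptions.

```php
<?php
// Added example, not code from the thread. session_start() must be the very
// first thing the file emits; even one blank line or a UTF-8 byte-order mark
// before this "<?php" counts as output and triggers the
// "Cannot send session cache limiter - headers already sent" warning.
session_start();

// Handle logout before any HTML so that header() can still set a redirect.
if (isset($_POST['logout'])) {
    $_SESSION = array();
    session_destroy();
    header('Location: index.php');   // assumed file name
    exit;   // nothing after a redirect should be rendered or executed
}
$loggedIn = isset($_SESSION['user_name']);
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Home</title></head>
<body>
<?php if ($loggedIn): ?>
    <p>Signed in as <?php echo htmlspecialchars($_SESSION['user_name'], ENT_QUOTES, 'UTF-8'); ?></p>
    <form method="post" action="index.php">
        <button type="submit" name="logout" value="1">Log out</button>
    </form>
<?php else: ?>
    <form id="home_login" action="login.php" method="post">
        User Name: <input type="text" name="login_username" />
        Password: <input type="password" name="login_password" />
        <button type="submit" name="login_submit">Submit</button>
    </form>
    <!-- register.php and register.png are assumed names -->
    <a href="register.php"><img src="register.png" alt="Register" /></a>
<?php endif; ?>
</body>
</html>
```

If the warning persists, the usual cause is a leading blank line or byte-order mark in an included file such as connection_db.php; calling headers_sent($file, $line) reports the file and line that produced the first output, which pinpoints it.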
CharlesEF
post Jun 14 2014, 12:04 PM
Post #10


Programming Fanatic

Group: Members
Posts: 1,981
Joined: 27-April 13
From: Edinburg, Texas
Member No.: 19,088



BTW, your URL does not help me because it does not show any PHP code (it has already been processed by the server).

Something I forgot to ask yesterday. How do you store user passwords? Based on your PHP code it looks like you are storing plain text passwords. Your passwords should be hashed before they are stored in the database. You might not think you need the security but hackers could break in to your website easier when you use plain text passwords.

This post has been edited by CharlesEF: Jun 14 2014, 12:10 PM
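An added example (not from the thread) of the registration side post #10 calls for: the password is run through password_hash() before the INSERT, so only a salted bcrypt digest reaches the table, and the UNIQUE key on user_name from post #6 is what rejects duplicate accounts. The form field names reg_username and reg_password, the placeholder credentials, a default security_level of 0, and a `password` column declared VARCHAR(255) are assumptions; PHP 5.5 or later is required for password_hash().

```php
<?php
// Added example, not code from the thread: register.php storing a
// password_hash() digest instead of plain text. Assumes PHP 5.5+, a
// registered_users table with a UNIQUE key on user_name, and a `password`
// column declared VARCHAR(255) so longer future hashes still fit.
session_start();

// Placeholder credentials; substitute the values from your connection_db.php.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    exit('Database connection failed');
}
$db->set_charset('utf8mb4');

function register_user(mysqli $db, $username, $password)
{
    if ($username === '' || strlen($password) < 8) {
        return 'A user name is required and the password must be at least 8 characters.';
    }
    // bcrypt via PASSWORD_DEFAULT; the random salt and cost factor are stored
    // inside the 60-character result, so no separate salt column is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // security_level defaults to 0 here (assumed meaning: ordinary user).
    $stmt = $db->prepare(
        'INSERT INTO registered_users (user_name, password, security_level) VALUES (?, ?, 0)'
    );
    if ($stmt === false) {
        return 'Registration failed.';
    }
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    // MySQL error 1062 (ER_DUP_ENTRY) is raised by the UNIQUE key on user_name.
    $duplicate = !$ok && $stmt->errno === 1062;
    $stmt->close();

    if ($duplicate) {
        return 'That user name is already taken.';
    }
    return $ok ? 'Registered. You can log in now.' : 'Registration failed.';
}

// Assumed form field names.
$username = isset($_POST['reg_username']) ? trim($_POST['reg_username']) : '';
$password = isset($_POST['reg_password']) ? $_POST['reg_password'] : '';
echo htmlspecialchars(register_user($db, $username, $password), ENT_QUOTES, 'UTF-8');
$db->close();
```

The stored value looks like `$2y$10$...` and is checked at login with password_verify(); the hashing happens in PHP, not in the SQL statement, and there is no way to recover the original password from the stored digest, which is the point of hashing it.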
belowHeights00
post Jun 15 2014, 09:02 AM
Post #11


Member

Group: Members
Posts: 67
Joined: 4-February 14
Member No.: 20,319



ahh, I assume sql has a built in hashing system...I appreciate the suggestions Charles! I'm getting closer to my final result...just not quite there yet.
DaisyOntas
post Jun 17 2014, 02:15 AM
Post #12





Group: Members
Posts: 4
Joined: 17-June 14
Member No.: 21,102



The code for PHP login is,

CODE
<?php
session_start();
$message = "";
if (count($_POST) > 0) {
    $conn = mysql_connect("localhost", "root", "");
    mysql_select_db("phppot_examples", $conn);
    // Escape the submitted values before placing them in the SQL text; the
    // original concatenated $_POST directly, which allows SQL injection.
    $user_name = mysql_real_escape_string($_POST["user_name"], $conn);
    $password = mysql_real_escape_string($_POST["password"], $conn);
    $result = mysql_query("SELECT * FROM users WHERE user_name='" . $user_name . "' and password = '" . $password . "'");
    $row = mysql_fetch_array($result);
    if (is_array($row)) {
        // Array keys must be quoted strings; a bare user_id is an undefined constant.
        $_SESSION["user_id"] = $row['user_id'];
        $_SESSION["user_name"] = $row['user_name'];
    } else {
        $message = "Invalid Username or Password!";
    }
}
if (isset($_SESSION["user_id"])) {
    header("Location: user_dashboard.php");
    exit; // stop execution after sending the redirect
}
?>

