2

I'm currently doing a site that needs an admin panel and I have a PHP problem: on inserting the values of the username and password correctly, it doesn't seem to be getting the row count. Here is the PHP code:

admin_login.php

<?php 
session_start();
if (isset($_SESSION["manager"])) {
    header("location:index.php"); 
    exit();
}
?>
<?php 
if (isset($_POST["username"]) && isset($_POST["password"])) {
    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]); 
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password"]); 
    // Connect to the MySQL database  
    include "../storescripts/connect_to_mysql.php"; 
    $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1"); // query the person
    $existCount = mysql_num_rows($sql); // count the row nums
    if ($existCount == 1) { // evaluate the count
         while($row = mysql_fetch_array($sql)){ 
             $id = $row["id"];
         }
         $_SESSION["id"] = $id;
         $_SESSION["manager"] = $manager;
         $_SESSION["password"] = $password;
         header("location: index.php");
         exit();
    } else {
        echo 'That information is incorrect, try again <a href="index.php">Click Here</a>';
        exit();
    }
}

The connection to the SQL DB works fine, and I did an echo to make sure it works.

Here is the index.php php code:

<?php 
session_start();
if (!isset($_SESSION["manager"])) {
    header("location: admin_login.php"); 
    exit();
}

?>
<?php 
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); 
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); 
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); 
include "../storescripts/connect_to_mysql.php"; 
$sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1");
$existCount = mysql_num_rows($sql);
 if(!$existCount == 0){
     echo "Your login session data is not on record in the database.";
     exit();
}
?>

I do believe it is an error in the $existCount and it's not getting the count?

Cheers

  • 1) You're wide open to SQL Injection attacks. *At least* use `mysql_real_escape_string`. 2) You're storing passwords in plain text. **Never do that.** 3) You're modifying the password before storing it, why exactly? 4) You're using `mysql_*` libraries which are woefully out of date. *At least* switch to `mysqli_*` instead. – David Jul 10 '13 at 23:04
  • Does $existCount return 0? Or something else? – Pete Scott Jul 10 '13 at 23:05
  • Returns as 0, Pete. David, thanks, will try to fix what you have said. I am just doing the basics to make it work before I go back and secure it even more; will try to get to grips with mysqli. – user2570469 Jul 10 '13 at 23:09

2 Answers

0

Your problem is probably with the final if statement. Change:

if(!$existCount == 0){
     echo "Your login session data is not on record in the database.";
     exit();
}

to:

if($existCount == 0){
     echo "Your login session data is not on record in the database.";
     exit();
}

Note the missing !, which negates the expression in a way you don't want.

Alfie
  • Hello, cheers for that :) However, I don't get to that point yet. I can't get off the admin login; I get the 'That information is incorrect, try again click here' echo – user2570469 Jul 10 '13 at 23:10
  • after `$sql = mysql_query(...` try putting: `if (!$sql) print(mysql_error());`, it will at least tell you if there is an error in your SQL. – Alfie Jul 10 '13 at 23:12
  • Just tried it and nothing came up – user2570469 Jul 10 '13 at 23:15
  • ok, try `print()`ing `$manager`, `$managerID` and `$password` after your regex filters, and compare them directly with the database values, just to be sure that they do actually match. – Alfie Jul 10 '13 at 23:16
  • The `if (!$sql) print(mysql_error());` code, it didn't upload. Just re-uploaded and it came back with this: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin' WHERE username='Guest' AND password='********!' LIMIT 1' at line 1 Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /home/content/56/11391856/html/storeadmin/admin_login.php on line 21 – user2570469 Jul 10 '13 at 23:20
  • It's not getting the password I entered in the password box, it's getting the server password instead? – user2570469 Jul 10 '13 at 23:22
  • Yeah, I just realised, cheers mate. It would appear there is an error with getting the password; I'll try changing the $password to $user_password! – user2570469 Jul 10 '13 at 23:24
  • ok, I hope you have it sorted, although from the sounds of it I wouldn't be surprised if your error persists. It appears that your SQL is wrong, and as it looks syntactically correct, I would assume it was either that: a) your table name is incorrect, b) your field name(s) are incorrect or c) badly escaped parameters are causing syntax errors – Alfie Jul 10 '13 at 23:27
  • OK, cheers mate, yeah, think I see the error now! Cheers mate, you have helped one heck of a lot :D – user2570469 Jul 10 '13 at 23:28
  • Yeah, changed the syntax a bit and I'm in and it works! Cheers for your help – user2570469 Jul 10 '13 at 23:29
  • brilliant :) could you include the solution in your question for others? and ofc feel free to accept/upvote this answer if you found it helpful ;) – Alfie Jul 10 '13 at 23:30
  • I managed to get the admin as 'admin' in the $sql causing the error, and also the $password was taking the $password from the connect_to_mysql.php file: `$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]); $user_password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password"]); // Connect to the MySQL database include "../storescripts/connect_to_mysql.php"; $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$user_password' LIMIT 1");` – user2570469 Jul 10 '13 at 23:41
  • Won't let me upvote :( Although now I have an error on the header part: `header("location: index.php");` it comes up with Cannot modify header information - headers already sent by (output started at /home/content/56/11391856/html/storescripts/connect_to_mysql.php:1) in /home/content/56/11391856/html/storeadmin/admin_login.php on line 26 – user2570469 Jul 10 '13 at 23:43
  • Make sure nothing is being output/printed to the browser before calling `header()`. This includes any whitespace (characters / new lines). And you should be able to accept the answer, if not upvote? – Alfie Jul 10 '13 at 23:45
  • Found a solution = changed the header to an echo to a URL. Here's the snippet of code finished - `if ($existCount == 1) { // evaluate the count while($row = mysql_fetch_array($sql)){ $id = $row["id"]; } $_SESSION["id"] = $id; $_SESSION["manager"] = $manager; $_SESSION["password"] = $user_password; echo' '; exit(); } else { echo 'That information is incorrect, try again Click Here'; exit();` – user2570469 Jul 10 '13 at 23:49
  • be careful that any files you `include()` don't call `header()` when the file which included it has already written to the browser – Alfie Jul 10 '13 at 23:49
  • that sounds ok, but a bit of a work around ;) consider using output buffering if you can't find a better way to fix it (which you should :p) http://stackoverflow.com/questions/4401949/whats-the-use-ob-start-in-php – Alfie Jul 10 '13 at 23:51
  • Will look into it :P Been pulling my hair out over the login for the past 3 days, haha. Will look into it when I go into securing it a lot more :) Cheers bud – user2570469 Jul 10 '13 at 23:54
  • haha yes, one thing at a time, I get it. but make a note of it for the future if nothing else - it's useful :) – Alfie Jul 10 '13 at 23:55
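
The "headers already sent" error above names line 1 of the include as the place output started. As an added example (not part of the thread), this checks PHP source text for bytes emitted before the opening tag or after the final closing tag. The function name `stray_output()` and the sample file contents are constructed for illustration, and an `echo` inside the file is outside what it detects.

```php
<?php
/* Added example; stray_output() and the sample files are hypothetical. */

function stray_output(string $source): array {
    $open = strpos($source, '<?php');
    if ($open === false) {
        return ['no opening tag: the whole file is sent as output'];
    }
    $problems = [];
    $lead = substr($source, 0, $open);
    if (strncmp($lead, "\xEF\xBB\xBF", 3) === 0) {
        $problems[] = 'UTF-8 byte order mark before the opening tag';
        $lead = (string) substr($lead, 3);
    }
    if ($lead !== '') {
        $problems[] = strlen($lead) . ' byte(s) before the opening tag';
    }
    $close = strrpos($source, '?>');
    if ($close !== false) {
        $tail = (string) substr($source, $close + 2);
        // If PHP mode is reopened after the last closing tag, the file ends in code.
        if (strpos($tail, '<?php') === false) {
            // PHP discards one newline directly after a closing tag; the rest is output.
            $tail = preg_replace('/^\r?\n/', '', $tail, 1);
            if ($tail !== '') {
                $problems[] = strlen($tail) . ' byte(s) after the final closing tag';
            }
        }
    }
    return $problems;
}

// Constructed stand-ins for an include such as connect_to_mysql.php.
$samples = [
    'clean.php'    => "<?php\ndefine('DB_READY', 1);\n",
    'bom.php'      => "\xEF\xBB\xBF<?php\ndefine('DB_READY', 1);\n",
    'leading.php'  => "\n<?php\ndefine('DB_READY', 1);\n",
    'trailing.php' => "<?php\ndefine('DB_READY', 1);\n?>\n\n",
];
foreach ($samples as $name => $source) {
    $found = stray_output($source);
    echo $name, ': ', $found ? implode('; ', $found) : 'no stray output', "\n";
}
```

Omitting the final closing tag in include-only files removes the trailing-whitespace case entirely.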
0

I believe you are taking the code from developphp. With the above code, if your password has some characters that are not alphanumeric, the filter can remove them, so it no longer matches the database and $existCount is returned as zero.
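
An added example (not code from any post on this page) of the login check with the points from David's comment applied: a parameterized query and a stored password hash, which also makes the character-stripping filter discussed in the answer above unnecessary. It uses PDO with an in-memory SQLite database as a stand-in for the page's MySQL so it runs on its own; the `password_hash` column, the function names and the sample account are assumptions.

```php
<?php
// Added example: constructed schema and account, not the asker's database.
// For MySQL only the PDO DSN and credentials inside open_db() change.

function open_db(): PDO {
    // Connection settings stay local to this function, so a connect script
    // can no longer overwrite a $password variable in the login page.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY,
                username TEXT UNIQUE, password_hash TEXT)');
    return $pdo;
}

function create_admin(PDO $pdo, string $username, string $password): void {
    // Store a salted hash only, never the password itself.
    $stmt = $pdo->prepare('INSERT INTO admin (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(PDO $pdo, string $username, string $password): ?int {
    // Bound parameters: input never becomes part of the SQL text,
    // so no character stripping or manual escaping is needed.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM admin WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same answer for unknown user and wrong password
    }
    return (int) $row['id'];
}

$pdo = open_db();
create_admin($pdo, 'Guest', 'S3cret!pass');            // constructed sample account

var_dump(check_login($pdo, 'Guest', 'S3cret!pass'));   // password exactly as typed
var_dump(check_login($pdo, 'Guest', 'S3cretpass'));    // as the regex filter would alter it
var_dump(check_login($pdo, "Guest' --", 'x'));         // quote characters stay data

// In the login page, on success and before any output is sent:
//   session_regenerate_id(true);
//   $_SESSION['id'] = $id; $_SESSION['manager'] = $username;  (no password in the session)
//   header('Location: index.php'); exit();
```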