-7

We have a form with a PHP POST redirecting communication to the database, and we'd like to know if there is an easy method to detect if failed logins were doubt to username no exists or password don't match. Say each error as a separate option.

```html
<form id="form1" action="doLogin.php" method="post">
    <div id="border2">
    <table class="table_text" cellpadding="2" cellspacing="0" border="0">
        <tr>
            <td>Username:</td>
            <td><input type="text" name="username" class="input" /></td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type="password" name="password" class="input" /></td>
        </tr>
        <tr>
            <td colspan="2" align="right"><a target="_new" href="register.php">Register</a><input id="login_button" type="submit" name="submit" value="Login" class="button" /></td>
        </tr>
    </table>
    </div>
</form>
```
7thkernel
  • 2
    Parse error: You have a syntax error near "...if failed logins were doubt to username no exists..." – JYelton Feb 14 '12 at 22:07
  • I return a JSON object from my login scripts detailing any error codes and messages. You can then use it with AJAX. Alternatively, you can simply redirect to the same page as this form, with an e=1 (where 1 is the error code). – crush Feb 14 '12 at 22:10
  • 2
    You probably don't want to display error messages in such detail for security reasons. Simply telling them the login failed because either the username / password is wrong should be plenty of information for the user to determine what went wrong. – Erik Feb 14 '12 at 22:15

1 Answer

-1

Try this

```php
function protect($string){
    $string = trim(strip_tags(addslashes($string)));
    return $string;
}

if(isset($_POST['submit'])){
    $username = protect($_POST['username']);
    $password = protect($_POST['password']);
    if(!$username || !$password){
        //if not, display an error message
        echo "<script> alert('No data entered') </script>";
        echo "<script type='text/javascript'>document.location.href='index.php';</script>";

    }else{
        //if they were, continue checking
        //select all rows from the table where the username matches the one entered by the user
        $res = mysql_query("SELECT * FROM `users` WHERE `username` = '".$username."'");
        $num = mysql_num_rows($res);
        //check if there was not a match
        if($num == 0){
            //if not, display an error message
            echo "<script> alert('User does not exist') </script>";
            echo "<script type='text/javascript'>document.location.href='index_spa.php';</script>";

        }else{
            //if there was a match, continue checking
            //select all rows where the username and password match the ones submitted by the user
            $res = mysql_query("SELECT * FROM `users` WHERE `username` = '".$username."' AND `password` = '".$password."'");
            $num = mysql_num_rows($res);
            //check if there was not a match
            if($num == 0){
                //if not, display an error message
                echo "<script> alert('Invalid Password') </script>";
                echo "<script type='text/javascript'>document.location.href='index.php';</script>";
            }else{
                //if there was, continue checking
                //split all fields from the correct row into an associative array
                $row = mysql_fetch_assoc($res);
                //check to see if the user has not activated their account yet
                if($row['active'] != 1){
                    //if not, display an error message
                    echo "<script> alert('Your account " . $username . " is not activated yet.') </script>";
                    echo "<script type='text/javascript'>document.location.href='index_spa.php';</script>";

                }else{
                    //if they have, log them in
                    //set the login session storing their id - we use this to see if they are logged in or not
                    $_SESSION['uid'] = $row['id'];
                    //redirect to the index page
                    echo "<script type='text/javascript'>document.location.href='index.php?u=" . $username . "';</script>";
                }
            }
        }
    }
}
```
Raphael D.G
  • -1, your code demonstrates a textbook [SQL injection vulnerability](http://en.wikipedia.org/wiki/SQL_injection) and a [cross-site scripting vulnerability](http://en.wikipedia.org/wiki/Cross-site_scripting). Please correct your code to use either proper database parameter escaping or parameterized queries and be sure to safely encode user input when returning it to the user. – Charles Feb 14 '12 at 23:18
  • Can you tell me how? I use a PHP function to protect input fields from being the chance to inject. But in this answer I don't write it at all. But -1 for this???? – Raphael D.G Feb 19 '12 at 11:01
  • I have already edited this. OK? – Raphael D.G Feb 19 '12 at 19:30
  • 1
    Yikes! No, your update actually *makes it worse*. You [shouldn't mix input sanitization and output sanitization](http://stackoverflow.com/a/3126175/168868). `addslashes` is *never* the right tool to use. A great tool to mitigate SQL injection is a parameterized query or [prepared statement](http://en.wikipedia.org/wiki/Prepared_statement). When working with MySQL in PHP, [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) are good choices, as they provide prepared statements with parameterized queries. – Charles Feb 19 '12 at 20:13
  • 1
    If you have *no other choice* but to work with the horrifying and decrepit mysql family of functions, then at least make sure to use [`mysql_real_escape_string`](http://php.net/mysql_real_escape_string) after [setting the correct connection character set](http://dev.mysql.com/doc/refman/5.0/en/charset-connection.html). – Charles Feb 19 '12 at 20:15
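
The points raised in the comments above (prepared statements, output encoding, and one generic failure message for the user), combined in an added example that is not code from the question or the answer. It assumes a hypothetical `users` table with a `password_hash` column and uses an in-memory SQLite database through PDO so it runs offline; the failure reason is still distinguished, but only in the server log.

```php
<?php
// Added example: constructed schema and data, in-memory SQLite so it runs offline.
// With MySQL, only the PDO DSN changes; the prepared statements stay the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT, active INTEGER)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash, active) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
$ins->execute(['bob', password_hash('hunter2-sample', PASSWORD_DEFAULT), 0]);

// Hash of a throwaway value, verified when the user is unknown so that both
// failure paths do comparable work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

/**
 * Returns [user id or null, internal reason]. The reason is for server-side
 * logs only; it is never sent to the browser.
 */
function checkLogin(PDO $pdo, string $username, string $password): array
{
    // The username is bound as a parameter, never concatenated into the SQL.
    $stmt = $pdo->prepare('SELECT id, password_hash, active FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, DUMMY_HASH);
        return [null, 'unknown_user'];
    }
    if (!password_verify($password, $row['password_hash'])) {
        return [null, 'bad_password'];
    }
    if ((int) $row['active'] !== 1) {
        return [null, 'inactive'];
    }
    return [(int) $row['id'], 'ok'];
}

// Constructed inputs, including one that would break a concatenated query.
$attempts = [['alice', 'correct horse'], ['alice', 'wrong'], ['nobody', 'x'], ["' OR '1'='1", 'x'], ['bob', 'hunter2-sample']];
foreach ($attempts as [$user, $pass]) {
    [$uid, $reason] = checkLogin($pdo, $user, $pass);
    error_log('login user=' . json_encode($user) . " result=$reason"); // detail stays in the log
    $shown = $uid !== null ? 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')
                           : 'Login failed: wrong username or password.';
    echo $shown, PHP_EOL;
}
```

Only the first attempt prints a welcome line; the other four print the same generic message, while the log records `bad_password`, `unknown_user`, `unknown_user` and `inactive` respectively.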