Old 05-18-2006, 06:52 AM   #1 (permalink)
Rudy

problem with PHP Login script

hey all,
I'm having a pretty big problem with a login script that I can't figure out.

The login page is here: www.areacodebook.com/login.php

Here's the issue: If you try to login to a personal account (first name & last name), the script works perfectly. If it is a valid login, where the names & passwords match up, the person logs in and goes to the control panel just fine. If it is invalid, the person is not able to get in.

Here's where it gets strange. If you try to login to a business account, if it is a valid login, then you are logged in just fine - BUT for some reason, you are directed to the personal control panel. (Actually, the business & personal control panel are on the same php script - I'm just using a lot of if/else statements to figure out what type of account the person is using).

If it is an INvalid login, the first time it fails. But if you try to login again with the same invalid login info, my script thinks that it is a valid login (and takes you to the personal control panel section of the script).

Of course, b/c it's an invalid login AND because it's taking you to the wrong section, when you try to login as a business, one of the tests that I'm running to try to narrow this down - outputting the User ID number - the ID is blank.

If this is confusing, maybe the following code will help you. I have copied the code for login.php as well as control.php.

Any help would be appreciated.

Thanks,
David

login.php:
PHP Code:
<?PHP
// ini_set('error_reporting', E_ALL);
// ini_set('display_errors', true);

require('library.php');
if (isset($_SESSION['fname']) && isset($_SESSION['bname'])) {
    unset($_SESSION['fname']);
    unset($_SESSION['bname']);
    $relogin = 'true';
}
else if (isset($_SESSION['fname']) || isset($_SESSION['bname'])) {
    header("Location: control.php");
    exit();
}
else {
    $verlogin = isset($_POST['login']) ? $_POST['login'] : "";

    if ($verlogin == 'submitted') {

        if ($_POST['fname'] && $_POST['bname']) {
            $duplicate = 'yes';
        }
        else {
            if (!empty($_POST['fname'])) {
                $fname = $_POST['fname'];
                $lname = $_POST['lname'];
                $password = $_POST['password'];
                $qType = 'per';
            }
            else if (!empty($_POST['bname'])) {
                $bname = $_POST['bname'];
                $password = $_POST['password'];
                $qType = 'bus';
            }
            else {
                echo '<br /><b><center>We are sorry, but there seems to have been an error. Please contact us for assistance';
            }
            if ($qType=='per') {
                $password = md5($password);
                $sql = mysql_query("SELECT * FROM user WHERE fname='$fname' AND lname='$lname' AND password='$password'");
                if (!$sql) {
                    echo 'Query failed. Error: ', mysql_error();
                    exit();
                }
            }
            else if ($qType=='bus') {
                $password = md5($password);
                $sql = mysql_query("SELECT * FROM buser WHERE name='$bname' AND password='$password'");
                if (!$sql) {
                    echo 'Query failed. Error: ', mysql_error();
                    exit();
                }
                $_SESSION['bname'] = $_POST['bname'];
            }
            else {
                echo '<br /><b><center>We are sorry, but there seems to have been an error. Please contact us for assistance';
                exit();
            }
            $login_check = mysql_num_rows($sql);
            if($login_check > 0){
                while($row = mysql_fetch_array($sql)) {
                    foreach($row AS $key => $val ) {
                        $$key = stripslashes( $val );
                    }
                    /* Testing purposes only
                    echo "$fname";
                    echo "$bname";
                    exit();
                    End Test */
                    $_SESSION['bname'] = $bname;
                    $_SESSION['fname'] = $fname;
                    $_SESSION['lname'] = $lname;
                    $_SESSION['email'] = $email;
                    $_SESSION['user_id'] = $user_id;
                    header("Location: control/control.php");
                    exit();
                }
            }
            else {
                echo '<center><br /><b>You were not able to be logged in. Please verify that all required fields are filled in. If you need assistance, please contact us.</b><br /><br />';
                echo '<hr></center>';
            }
        }
    }
}
?>
control.php
PHP Code:
<?PHP

// Testing Purposes Only
// echo $_SESSION['fname'];
// echo $_SESSION['bname'];
//

if (isset($_SESSION['fname'])) {
    echo '<center><h2><b><u>User Control Panel</u></h2></center>';
    echo 'Hello, '.$_SESSION['fname'].' '.$_SESSION['lname'].'! You are now logged in.<br /><br /><hr>';
    /* echo 'Your ID number is: '.$_SESSION['user_id'].'.<br />'; */
    echo 'Here you can do multiple actions, such as add a phone number. Just click on the links below!<hr><br /><br />';
    echo '<a class="class2" href="addphone.php">Add a phone number</a>&nbsp;•&nbsp;<a class="class2" href="addaddress.php">Add/Modify Mailing Address</a>
        <br /><br />
        <a class="class2" href="../logout.php">Logout of your control panel</a><br><br>';
}
else if (isset($_SESSION['bname'])) {
    echo '<center><h2><b><u>Business Control Panel</u></h2></center>';
    echo 'Hello, '.$_SESSION['bname'].'! You are now logged in.<br /><br /><hr>';
    // Testing
    echo 'Your ID number is: '.$_SESSION['user_id'].'.<br /><br /><hr>';
    // End Testing
    echo 'Here you can do multiple actions, such as add a phone number. Just click on the links below!<hr><br /><br />';
    echo '<a class="class2" href="addbizphone.php">Add a phone number</a>&nbsp;•&nbsp;<a class="class2" href="addbizaddress.php">Add/Modify Mailing Address</a>
        <br /><br />
        <a class="class2" href="../logout.php">Logout of your control panel</a><br><br>';
}
else {
    echo '<center><b>You currently are not logged in. Please <a class="class2" href="../login.php">login</a> now.<br></b></center>';
}

?>
Thanks,
David
Last edited by Rudy; 05-18-2006 at 07:13 AM.
Old 05-18-2006, 07:28 AM   #2 (permalink)
Eric

This _may_ work, if not... I blame it on my lack of sleep. May take another look later:

login.php
PHP Code:
<?PHP

// ini_set('error_reporting', E_ALL);
// ini_set('display_errors', true);

require('library.php');

if(isset($_SESSION['fname']) && isset($_SESSION['bname']))
{
  unset($_SESSION['fname'], $_SESSION['bname']);
  $relogin = 'true';
}
elseif(isset($_SESSION['fname']) || isset($_SESSION['bname']))
{
  header("Location: control.php");
  exit();
}
else
{
  $verlogin = isset($_POST['login']) ? $_POST['login'] : "";

  if($verlogin == 'submitted')
  {
    if($_POST['fname'] && $_POST['bname'])
    {
      $duplicate = 'yes';
    }
    else
    {
      if(!empty($_POST['fname']))
      {
        $fname = $_POST['fname'];
        $lname = $_POST['lname'];
        $password = $_POST['password'];
        $qType = 'per';
        $use_per = true;
      }
      elseif(!empty($_POST['bname']))
      {
        $bname = $_POST['bname'];
        $password = $_POST['password'];
        $qType = 'bus';
        $use_bus = true;
      }
      else
      {
        echo '<br /><b><center>We are sorry, but there seems to have been an error. Please contact us for assistance';
      }

      if($qType == 'per')
      {
        $password = md5($password);
        $sql = mysql_query("SELECT * FROM user WHERE fname='$fname' AND lname='$lname' AND password='$password'");

        if(!$sql)
        {
          echo 'Query failed. Error: ', mysql_error();
          exit();
        }
      }
      elseif($qType == 'bus')
      {
        $password = md5($password);
        $sql = mysql_query("SELECT * FROM buser WHERE name='$bname' AND password='$password'");

        if(!$sql)
        {
          echo 'Query failed. Error: ', mysql_error();
          exit();
        }
      }
      else
      {
        echo '<br /><b><center>We are sorry, but there seems to have been an error. Please contact us for assistance';
        exit();
      }

      $login_check = mysql_num_rows($sql);

      if($login_check > 0)
      {
        while($row = mysql_fetch_array($sql))
        {
          foreach($row AS $key => $val)
          {
            $$key = stripslashes($val);
          }
          /* Testing purposes only
          echo "$fname";
          echo "$bname";
          exit();
          End Test */

          if($use_per)
          {
            $_SESSION['fname'] = $fname;
            $_SESSION['lname'] = $lname;
          }
          else
          {
            $_SESSION['bname'] = $bname;
          }
          $_SESSION['email'] = $email;
          $_SESSION['user_id'] = $user_id;

          header("Location: control/control.php");
          exit();
        }
      }
      else
      {
        echo '<center><br /><b>You were not able to be logged in. Please verify that all required fields are filled in. If you need assistance, please contact us.</b><br /><br />';
        echo '<hr></center>';
      }
    }
  }
}
?>
control.php
PHP Code:
<?PHP

// Testing Purposes Only
// echo $_SESSION['fname'];
// echo $_SESSION['bname'];
//

if(isset($_SESSION['fname']))
{
  echo '<center><h2><b><u>User Control Panel</u></h2></center>';
  echo 'Hello, '.$_SESSION['fname'].' '.$_SESSION['lname'].'! You are now logged in.<br /><br /><hr>';
  /* echo 'Your ID number is: '.$_SESSION['user_id'].'.<br />'; */
  echo 'Here you can do multiple actions, such as add a phone number. Just click on the links below!<hr><br /><br />';
  echo '<a class="class2" href="addphone.php">Add a phone number</a>&nbsp;•&nbsp;<a class="class2" href="addaddress.php">Add/Modify Mailing Address</a><br /><br />
  <a class="class2" href="../logout.php">Logout of your control panel</a><br><br>';
}
elseif(isset($_SESSION['bname']))
{
  echo '<center><h2><b><u>Business Control Panel</u></h2></center>';
  echo 'Hello, '.$_SESSION['bname'].'! You are now logged in.<br /><br /><hr>';
  // Testing
  echo 'Your ID number is: '.$_SESSION['user_id'].'.<br /><br /><hr>';
  // End Testing
  echo 'Here you can do multiple actions, such as add a phone number. Just click on the links below!<hr><br /><br />';
  echo '<a class="class2" href="addbizphone.php">Add a phone number</a>&nbsp;•&nbsp;<a class="class2" href="addbizaddress.php">Add/Modify Mailing Address</a><br /><br />
  <a class="class2" href="../logout.php">Logout of your control panel</a><br><br>';
}
else
{
  echo '<center><b>You currently are not logged in. Please <a class="class2" href="../login.php">login</a> now.<br></b></center>';
}

?>
And just a note, I'd highly advise you validate any user input. Right now, you're open to SQL Injection, among other things.. esp, in login.php
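
Added example (not part of either poster's code): one way to do the lookup from login.php with bound parameters, so the submitted names are never spliced into the SQL text, and with the account type returned explicitly instead of being inferred from which name variable happens to be set. The `user`/`buser` tables and the `fname`, `lname`, `name`, `password` columns come from the thread's queries; the `email` and `user_id` columns, storage via `password_hash()` instead of `md5()`, the `authenticate()` helper and the in-memory SQLite sample rows are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. email/user_id columns and
// password_hash() storage are assumptions; authenticate() is a hypothetical helper.
function authenticate(PDO $db, array $post): ?array
{
    $fname = trim((string)($post['fname'] ?? ''));
    $lname = trim((string)($post['lname'] ?? ''));
    $bname = trim((string)($post['bname'] ?? ''));
    $password = (string)($post['password'] ?? '');
    // Exactly one account type may be submitted (the thread's "duplicate" case is rejected).
    if (($fname !== '') === ($bname !== '') || $password === '') {
        return null;
    }
    if ($fname !== '') {
        $type = 'per';
        $stmt = $db->prepare('SELECT user_id, email, password FROM user WHERE fname = ? AND lname = ?');
        $stmt->execute([$fname, $lname]);
    } else {
        $type = 'bus';
        $stmt = $db->prepare('SELECT user_id, email, password FROM buser WHERE name = ?');
        $stmt->execute([$bname]);
    }
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    // One explicit account type instead of testing which name key exists in the session.
    return ['type' => $type, 'user_id' => (int)$row['user_id'], 'email' => $row['email'],
            'name' => $type === 'per' ? "$fname $lname" : $bname];
}

// Constructed sample data in an in-memory SQLite database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, fname TEXT, lname TEXT, email TEXT, password TEXT)');
$db->exec('CREATE TABLE buser (user_id INTEGER PRIMARY KEY, name TEXT, email TEXT, password TEXT)');
$ins = $db->prepare('INSERT INTO buser (name, email, password) VALUES (?, ?, ?)');
$ins->execute(['Acme Phones', 'owner@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);
$ins->execute(["O'Neil Plumbing", 'office@example.test', password_hash('pipe dream', PASSWORD_DEFAULT)]);
$cases = [
    'valid business'     => ['bname' => 'Acme Phones', 'password' => 'correct horse'],
    'wrong password'     => ['bname' => 'Acme Phones', 'password' => 'nope'],
    'apostrophe in name' => ['bname' => "O'Neil Plumbing", 'password' => 'pipe dream'],
    'both names sent'    => ['fname' => 'A', 'bname' => 'Acme Phones', 'password' => 'correct horse'],
];
foreach ($cases as $label => $post) {
    $account = authenticate($db, $post);
    echo $label, ': ', $account ? "ok ({$account['type']}, id {$account['user_id']})" : 'rejected', "\n";
}
```

On success the caller would call `session_regenerate_id(true)` and store the returned array under a single session key, so control.php can branch on `type` rather than on `isset($_SESSION['fname'])`.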
Old 05-18-2006, 09:30 AM   #3 (permalink)
Rudy

I'm not sure what you did... don't tell me so I can study the code and look at it myself.

Thanks so much for the help. It looks like everything is working perfectly now.

I really appreciate it. I'll also look into the validating user input. I'm not too familiar with how to do that, so I'll see if I can read up on anything like it on the net and in a couple books I have.

- David
Old 05-18-2006, 05:16 PM   #4 (permalink)
Eric

'twas no problem. Glad I could help