difficulty in login in one attempt

 
Ranch Hand
Posts: 1102
3
Hello everyone, I created a login page, but I am facing some difficulties with it.
My login page is working, but only in two attempts. I mean, when I try to log in, it does not log me in and gives me the login page again, but when I try to log in a second time with the same username and password, it logs in/works.
Can anyone tell me the problem? Here is my code:

index.php




Page which appear after login:





core.inc.php



connect.inc.php

 
Sheriff
Posts: 6601
1253
Where is your login form located? Is it in index.php or in some other file?

Side note: Your code looks vulnerable to SQL injection.
 
Punit Jain
Ranch Hand
Posts: 1102
3
Yes, it's index.php. And why is it vulnerable to SQL injection? Can you explain, please?
 
Sheriff
Posts: 21926
106
If I post username ' OR '1'='1, your query becomes SELECT `id` FROM `users` WHERE `username`= '' OR '1' = '1' AND `password`= 'whatever here'. As a result (the OR taking precedence if I recall correctly), all records will be returned and I will definitely be able to login. That's just a "harmless" use. With the right input you can delete records, or even drop entire tables. Use mysql_real_escape_string or casting to numbers on every single value you use in any query.
 
Punit Jain
Ranch Hand
Posts: 1102
3
Thank you for this explanation. As you said, I replaced the code like this:


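<?php
// Note: $_SESSION values persist only if session_start() has run before
// this point; this snippet does not show it.
include("connect.inc.php");

if (isset($_POST['username']) && isset($_POST['password']))
{
    // Escape both values before they are placed inside the quoted SQL strings.
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);

    if (!empty($username) && !empty($password))
    {
        $query = "SELECT `id` FROM `users` WHERE `username`= '$username' AND `password`= '$password'";
        if ($query_run = mysql_query($query))
        {
            $num_row = mysql_num_rows($query_run);
            if ($num_row == 0)
            {
                echo 'Invalid username and password.';
            }
            else
            {
                // Credentials matched: remember the user and redirect.
                $user_id = mysql_result($query_run, 0, 'id');
                $_SESSION['user_id'] = $user_id;
                $_SESSION['username'] = $username;
                header("Location: loggedin.php");
                exit; // stop the script so nothing else runs after the redirect
            }
        }
        else
        {
            // Query failed; the original code does nothing here.
        }
    }
    else
    {
        echo 'fill username and password.';
    }
}
?>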



Is it OK?
And please let me know if I should make any other updates to make my login page more secure.
Thank you...
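
An added example, not part of the original thread or any poster's code: one way to write the login check with a PDO prepared statement and hashed passwords, instead of escaping values into the query string. The `authenticate` function, the `password_hash` column and the in-memory SQLite table (standing in for the MySQL database) are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns the user's id on success, null on failure.
// User input is only ever passed as a bound parameter, so quotes in it
// cannot change the structure of the SQL statement.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown, so both paths
    // do a comparable amount of hashing work.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $hash = $row ? $row['password_hash'] : $dummy;

    if (password_verify($password, $hash) && $row) {
        return (int) $row['id'];
    }
    return null;
}

// Constructed sample data: the table stores a password hash, never the password.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
    ->execute(['alice', password_hash('s3cret-Example', PASSWORD_DEFAULT)]);

var_dump(authenticate($pdo, 'alice', 's3cret-Example'));      // valid credentials
var_dump(authenticate($pdo, "' OR '1'='1", 'whatever here')); // input quoted in the thread, treated as a literal username
var_dump(authenticate($pdo, 'alice', 'wrong'));               // wrong password

// In index.php the caller would then do, after session_start():
//   session_regenerate_id(true);   // issue a fresh session id on login
//   $_SESSION['user_id'] = $id;
//   header('Location: loggedin.php');
//   exit;
```

With a MySQL connection the same function works unchanged; only the PDO DSN differs, and setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the driver use server-side prepared statements.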
 