PDA

View Full Version : Urgent help needed with PHP


mkswalia
04-12-07, 04:33 AM
Hey guys im new to nvnews forums and im stuck with my coursework i have to get finished before the easter holls, the teacher for php at uni is not that good.

I have to create a website wherein a critical bit is wherein users should be able to login to a database and access some features.
Basically i cant get the login and password verification (form validation using php) bit working (and god knows iv tried) , im very naive when it comes to php and need some help here.. heres the code for the login page (members.html):
<html>
<head>

<title>The Incredible Shoes Running Club - Member login</title>


</head>

<body>
<table border="0" cellspacing="0" width="600" height="100%" cellpadding="0">

<tr>
<td align="left" width="200" height="100%" bgcolor="#C0C0C0" class="menucell" valign="top">


<br></br><a href="mainpage.html"><img src="home.bmp" title="Home" alt="Back to the Main Page" border=0></a>
<br></br><a href="aboutus.html"><img src="aboutus.bmp" title="Click here to know more about us" alt="About the club" border=0></a>
<br></br><a href="raceresults.html"><img src="raceresults.bmp" title="For latest results click here" alt="Race results" border=0></a>
<br></br><a href="latestpics.html"><img src="latestpics.bmp" title="Latest Pictures" alt="Latest Pictures" border=0></a>
<br></br><a href="organisers.html"><img src="organisers.bmp" title="Organisers enter here" alt="Organisers" border=0></a>
</td>

<td valign="top"> <table width="90%" border="0"> <tr>
<td valign="top"> <br> <p><font face="Century Gothic" color="#800000" size="4">
<br>The Incredible Shoes Running Club Members Login page</br></font><p>

<form method="post" name="LoginForm" action="loginform_validate.php"><input type="hidden" value="1"><table cellpadding="0">
<tr>
<td class="label_cell"><font face="Century Gothic" color="#000000" size="3">E-Mail Address</td>
<td class="edit_cell"><input class="text_box" type="text" name="E-mail id" id="E-mail id" value=""></td>
<td align="left" valign="center"></td>
</tr>

<tr>
<td class="label_cell"><font face="Century Gothic" color="#000000" size="3">Password:</td>
<td class="edit_cell"><input type="password" id="Password" name="Password" value="" maxlength="20" size="15"></td>
</tr>

<tr>
<td class="label_cell"><font face="Century Gothic" color="#000000" size="3">Confirm Password:</td>
<td class="edit_cell"><input type="password" id="Password" name="Password" value="" maxlength="20" size="15"></td>
</tr>


<tr>
<td width="445"><p><font face="Century Gothic" color="#000000" size="3">Save my password on this computer<br>
</br></p>
</td>
<td width="39">
<p>
<input name="SavePassword" type="checkbox" value="1">
</p>
<p>
<input type="submit" class="Button" name="LoginSubmit" value="Login">
</p>
</td>
</tr>
</form>

</tr>
</table>
<i><font face="Verdana, Arial, Helvetica" color="#000000" size="1">
The Incredible Shoes Running Club 2006-2007</font></i>






</body>
</html>


---------------------------------------------------------------------------

And heres the code for lginfor_validate.php

<?php

$DBConnect = @mysql_connect("localhost", "root", "mitsubishi");

$dbselect = @mysql_select_db("runningclub");

$e = $_POST ['email'];
$p = $_POST['password'];
// Check that they've entered the right email address/password combination.
$query = "SELECT member_no FROM member WHERE (email='$e' AND password=SHA('$p') )";
if (mysql_num_rows == 1) { // Match was made.
echo "welcome to the website";
} else {
echo "you have entered incorrect data";
}


?>
---------------
could anyone also tell me howi check wether the user has entered the username in a email format? any help/advise would be greatly appreciated!


P.S i have attatched the whole project as a rar file if anyone needs it , thank you.

radekhulan
04-12-07, 07:41 AM
mysql_num_rows is a function, and should be called with resource parameter, in your case mysql_num_rows($query). There may be more bugs, but this one was standing out ;)

There is also a security bug with not escaping $_POST data used in MySQL query, which can lead to XSS.

In your HTML, you have two "password" inputs with the same name (wrong!), and there is name="E-mail id" input, while in PHP you refer to $_POST ['email'], not "E-mail id".

Frankly, you should get back to school and learn basics, you code is something utterly horrible.. ;)