nV News Forums



mkswalia 04-12-07 04:33 AM

Urgent help needed with PHP
Hey guys, I'm new to the nV News forums and I'm stuck with my coursework, which I have to get finished before the Easter hols; the teacher for PHP at uni is not that good.

I have to create a website where a critical bit is that users should be able to log in to a database and access some features.
Basically I can't get the login and password verification (form validation using PHP) bit working (and God knows I've tried). I'm very naive when it comes to PHP and need some help here. Here's the code for the login page (members.html):

<title>The Incredible Shoes Running Club - Member login</title>


<table border="0" cellspacing="0" width="600" height="100%" cellpadding="0">

<td align="left" width="200" height="100%" bgcolor="#C0C0C0" class="menucell" valign="top">

<br></br><a href="mainpage.html"><img src="home.bmp" title="Home" alt="Back to the Main Page" border=0></a>
<br></br><a href="aboutus.html"><img src="aboutus.bmp" title="Click here to know more about us" alt="About the club" border=0></a>
<br></br><a href="raceresults.html"><img src="raceresults.bmp" title="For latest results click here" alt="Race results" border=0></a>
<br></br><a href="latestpics.html"><img src="latestpics.bmp" title="Latest Pictures" alt="Latest Pictures" border=0></a>
<br></br><a href="organisers.html"><img src="organisers.bmp" title="Organisers enter here" alt="Organisers" border=0></a>

<td valign="top"> <table width="90%" border="0"> <tr>
<td valign="top"> <br> <p><font face="Century Gothic" color="#800000" size="4">
<br>The Incredible Shoes Running Club Members Login page</br></font><p>

<form method="post" name="LoginForm" action="loginform_validate.php"><input type="hidden" value="1"><table cellpadding="0">
<td class="label_cell"><font face="Century Gothic" color="#000000" size="3">E-Mail Address</td>
<td class="edit_cell"><input class="text_box" type="text" name="E-mail id" id="E-mail id" value=""></td>
<td align="left" valign="center"></td>

<td class="label_cell"><font face="Century Gothic" color="#000000" size="3">Password:</td>
<td class="edit_cell"><input type="password" id="Password" name="Password" value="" maxlength="20" size="15"></td>

<td class="label_cell"><font face="Century Gothic" color="#000000" size="3">Confirm Password:</td>
<td class="edit_cell"><input type="password" id="Password" name="Password" value="" maxlength="20" size="15"></td>

<td width="445"><p><font face="Century Gothic" color="#000000" size="3">Save my password on this computer<br>
<td width="39">
<input name="SavePassword" type="checkbox" value="1">
<input type="submit" class="Button" name="LoginSubmit" value="Login">

<i><font face="Verdana, Arial, Helvetica" color="#000000" size="1">
The Incredible Shoes Running Club 2006-2007</font></i>



And here's the code for loginform_validate.php:


<?php
$DBConnect = @mysql_connect("localhost", "root", "mitsubishi");

$dbselect = @mysql_select_db("runningclub");

$e = $_POST ['email'];
$p = $_POST['password'];
// Check that they've entered the right email address/password combination.
$query = "SELECT member_no FROM member WHERE (email='$e' AND password=SHA('$p') )";
if (mysql_num_rows == 1) { // Match was made.
echo "welcome to the website";
} else {
echo "you have entered incorrect data";
}

Could anyone also tell me how I check whether the user has entered the username in an email format? Any help/advice would be greatly appreciated!

P.S. I have attached the whole project as a rar file if anyone needs it. Thank you.

radekhulan 04-12-07 07:41 AM

Re: Urgent help needed with PHP
mysql_num_rows is a function, and should be called with a resource parameter, in your case mysql_num_rows($query). There may be more bugs, but this one was standing out ;)

There is also a security bug with not escaping $_POST data used in MySQL query, which can lead to XSS.

In your HTML, you have two "password" inputs with the same name (wrong!), and there is name="E-mail id" input, while in PHP you refer to $_POST ['email'], not "E-mail id".

Frankly, you should get back to school and learn the basics, your code is something utterly horrible.. ;)
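
Added example, not part of the thread and not the poster's code: the query in loginform_validate.php interpolates $_POST values straight into the SQL string, which lets the input alter the query itself (SQL injection). The sketch below does the same login check with a bound placeholder, plus the email-format check asked about in the first post. It assumes PDO with an in-memory SQLite table standing in for the MySQL `member` table, form fields renamed to "email" and "password", and password_hash()/password_verify() swapped in for SHA(); the sample row and submissions are constructed.

```php
<?php
// Added example, not the poster's code. Assumed: PDO is available, an in-memory
// SQLite table stands in for the MySQL `member` table, and the form fields are
// named "email" and "password" so they match the keys read from $_POST.

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE member (member_no INTEGER PRIMARY KEY,
                                    email TEXT UNIQUE, password TEXT)');
    // Constructed sample row; password_hash() is swapped in for the post's SHA().
    $ins = $db->prepare('INSERT INTO member (email, password) VALUES (?, ?)');
    $ins->execute(["o'brien@example.com",
                   password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the member_no on a successful login, or null on any failure.
function check_login(PDO $db, array $post): ?int {
    $email = trim((string)($post['email'] ?? ''));
    $pass  = (string)($post['password'] ?? '');
    // Format check: reject input that is not shaped like an email address.
    if ($pass === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The placeholder keeps the value out of the SQL text, so a quote
    // character in the address is stored and compared as plain data.
    $stmt = $db->prepare('SELECT member_no, password FROM member WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;
    }
    return (int)$row['member_no'];
}

$db = open_demo_db();
$cases = [  // constructed form submissions
    'valid login'        => ['email' => "o'brien@example.com", 'password' => 'correct horse'],
    'wrong password'     => ['email' => "o'brien@example.com", 'password' => 'guess'],
    'not an email'       => ['email' => 'obrien', 'password' => 'correct horse'],
    'missing form field' => ['password' => 'correct horse'],
];
foreach ($cases as $label => $post) {
    $id = check_login($db, $post);
    echo $label, ': ', $id === null ? 'rejected' : "member_no $id", PHP_EOL;
}
```

Against MySQL the same check_login() works unchanged once the PDO object is opened with a mysql: DSN and a dedicated low-privilege account rather than root.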
