Jump to content

login system using roles from a MYSQL database error

seaturtleftw's Photo Asked by seaturtleftw
Posted Jan 22 2010 02:20 AM
3510 Views
hey everyone, i'm writting a log in system in which users can log in they'll have roles assignt to them manually in the database. Now the problem i'm having is i can't get the role value out of the database;
<?php
session_start();
?>
<!DOCTYPE html
public "-//W3C//DTD XHTML 1.0 strict //EN"
"http://www.w3.org/TR/xhtmll/DTD/xhtmll-strict.dtd">
<html>
<head>
<title> sending you back... </title>
</head>
<body>
<?php
include ("connect.php");
$password = ($_POST["password"]);
$query = "select * FROM docenten
WHERE usersname = '{$_POST['usersname']}'
AND password = '".$password."'";
$result = mysql_query($query, $db) or die('the query failed');
if (mysql_num_rows($result) > 0)
{
$rij = mysql_fetch_array($result, $query);
echo $rij['usersname'];
$_SESSION['usersname']= $_POST['usersname'];
$_SESSION['role'] = $_GET['role'];
$inlogegevens;
session_write_close();
header("location: index.php");
}
else
{
//shows a error box and sends us back
}
</body>
</html>

So the major issue here is that my role never gets a value.
and i've tried about everything i know to fix it ;(
Tags:
0 Subscribe


3 Replies

Comment by odewahn1 O'Reilly Author Answers Early Bird Blogger Foo Peacock  : Jan 22 2010 09:29 AM
I'd doublecheck that you're using "'usersname" as the input element name on the html form -- it needs to match what you use in the $_POST['usersname'].
Comment by seaturtleftw  : Jan 25 2010 12:37 AM
the usersname value seems to be in order displays perfectly it's just that the script just doesnt get the role value with it for some wierd reason
+ 1
  odewahn1's Photo Answered by odewahn1 O'Reilly Author Answers Early Bird Blogger Foo Peacock
Posted Jan 25 2010 04:41 AM
Without seeing the code in detail, it's hard to say anything in particular. But, this looks straightforward enough that it's probably some small mismatch somewhere or the other. Have you confirmed that the correct values for password and usersname are being passed to your script -- for debugging, just print them out on the page and make sure what you're entering in the form is getting passed to the script. Also, make sure you have "method=post" in the <form> tag.

One broader thing I'd point out -- executing unescaped user data directly against the database is a very bad idea. For example, someone can enter " ; delete from docenten;" into the password field and that will blow away your table. This is called a SQL injection attack and is a pretty common security vulnerability. You can read more about this here: http://bit.ly/8DnMv9

 
Sign up today to receive special discounts,
product alerts, and news from O'Reilly.
Privacy Policy >
View Sample Newsletter >