
EDIT. If I echo $row_count, it comes back as 1, so it works up to that point. But still I get the invalid login details statement back.

I set up a login page that leads to the admin area of my site for the client to log in and add text/images etc.

The login page has worked from day one whilst testing on Apache/XAMPP, but the site went live today, and for some reason it is now impossible to log in. I am using PDO to connect on the other pages, but this page was written before I moved to PDO. Would this make a difference?

The outcome I get is "Invalid login details". There are no errors. And I have double-checked all DB host details and made sure I am using a valid username and password!

Any help would be much appreciated. Thanks.

```php
$db=new mysqli ("hostname.db.1and1.com", "myusername", "mypasswd", "dbname");

if($db->connect_errno > 0){
   die('Unable to connect to database [' . $db->connect_error . ']');
}

$username=mysqli_real_escape_string($db, $_POST['username']);
$password=mysqli_real_escape_string($db, $_POST['password']);

if ($result = $mysqli->query("SELECT firstname from admin 
where username='$username' and     password='$password'")) {
   $row_count = $result->num_rows;
}

$accepted = false ;

if ($row_count ==1) {
   $accepted=setcookie("cookie", "value", time()+18000);
}

if ($accepted==1) {
   header ("location:admin_home.php");
} else {
   echo "<p class=\"center\">Invalid Login details, 
   please <a href=\"login.php\">Try  again</a></p>";
}
```
DJC
  • Begin your troubleshooting by logging the credentials you're getting from the web page, and comparing those with the credentials in the database to see if they match. – Robert Harvey Mar 03 '14 at 18:09
  • Surprised it ever worked. You're using `mysql_real_escape_string` with `mysqli`. You ***cannot*** mix `mysql_*` functions with `mysqli_*` functions. – War10ck Mar 03 '14 at 18:10
  • @War10ck: I did wonder about that. – Robert Harvey Mar 03 '14 at 18:10
  • Yeah, I just noticed that too. Like you say, no idea why it worked before. Will alter and see if that was the problem. Thanks – DJC Mar 03 '14 at 18:10
  • If the rest of your site is now in PDO, spend the 5 mins to rewrite this in PDO. – Kami Mar 03 '14 at 18:12
  • Change `$username=mysql_real_escape_string($_POST['username']);` to `$username=mysqli_real_escape_string($db,$_POST['username']);` and do the same for the other one. Plus don't store passwords in plain text, use [`crypt()`](http://php.net/crypt) or PHP's `password()` function if your PHP version is 5.5 - [`crypt()`](http://php.net/crypt) works for older versions of PHP and salts the password for you. @user2933231 Also, what you're using now is not PDO, it's `mysqli_*` – Funk Forty Niner Mar 03 '14 at 18:16
  • Yeah, I've just done this, still doesn't work, though it seems to take a long time to tell me now. No, I know, I just said I was using PDO on other pages, not this one. Strange, still won't log in – DJC Mar 03 '14 at 18:23
  • I think I know why. Change `if ($result = $mysqli->query(` to `if ($result = $db->query(` @user2933231 Wrong variable name. – Funk Forty Niner Mar 03 '14 at 18:24
  • Ah, sorry, that was just a typo from changing the names to post online. Still no luck – DJC Mar 03 '14 at 18:27
  • If you want a PDO method using the `crypt()` function, [`consult an answer`](http://stackoverflow.com/a/22152805/) I gave someone earlier today. @user2933231 If you like it, upvote it. It's safer. – Funk Forty Niner Mar 03 '14 at 18:29
  • I just checked the query and this seems to be the error. Though I can't see what is wrong with it! – DJC Mar 03 '14 at 18:33
  • Then try `SELECT firstname, password from admin...` @user2933231 – Funk Forty Niner Mar 03 '14 at 18:35
  • This is a live site, and you're storing passwords in plaintext? Bravo! – The Blue Dog Mar 03 '14 at 18:44
  • Other than the `$db` typo mentioned above, your code looks correct. Have you tried manually running the `SELECT` statement in whatever SQL manager you are using (command line, phpMyAdmin, etc.) with the variables replaced by the actual parameters you're passing in? The SQL statement looks right; however, it very well could be that there is a typo in the table name or column name and that's why you're not getting any rows back. I would suggest that you run the statement directly in the database and see what you get back. That will narrow down if the PHP is wrong, or if the SQL is wrong. – War10ck Mar 03 '14 at 19:11
  • I'm using phpMyAdmin on the 1&1 website; it looks very different to the nice version I was running on my memory stick but seems to do the same thing. What exactly would I type in? I have noticed some other pages are now inserting blank fields into the database, all pages that worked perfectly when running on Apache/XAMPP on my memory stick – DJC Mar 03 '14 at 19:26
  • OK, worked it out. The result is being shown, so does that mean the query is correct? If I echo $accepted or count the rows, it always returns 1, even if I manually insert identical matching rows into the admin table, so confusing! – DJC Mar 03 '14 at 19:29
  • There was an error in my error checking for the query, so the query is actually running fine. Absolutely at my wits' end with this! – DJC Mar 03 '14 at 19:39
  • Anyone have any other suggestions? – DJC Mar 03 '14 at 20:18
  • So the passwords are in plain text? Or do you hash somewhere?.. ah, you get the correct from that (due to count).. – craniumonempty Mar 04 '14 at 14:58
  • Hmm, how many pages are being called? Is there any whitespace that may be outputting before the call to setcookie()? – craniumonempty Mar 04 '14 at 15:06
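
The comments above suggest moving this page to PDO, hashing the stored passwords, and checking for output sent before `setcookie()`. The following is an added example, not code from the question or from any commenter, that combines the three; the `password_hash` column, the in-memory SQLite database and the sample account are assumptions made so that it runs stand-alone.

```php
<?php
declare(strict_types=1);
// Added example: schema, sample account and in-memory SQLite are constructed.

/** Return the admin's first name when the credentials match, otherwise null. */
function check_login(PDO $db, string $username, string $password): ?string
{
    // Bound parameter: the submitted name is sent as data, never as SQL text.
    $stmt = $db->prepare('SELECT firstname, password_hash FROM admin WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Only a hash is stored; password_verify() re-derives and compares it.
    if ($row !== false && password_verify($password, $row['password_hash'])) {
        return $row['firstname'];
    }
    return null;
}

/** Open the logged-in session and redirect, or log where output started. */
function start_admin_session(string $firstname): bool
{
    // Cookies and redirects are HTTP headers: they fail once any byte of
    // output (even whitespace before the opening PHP tag) has been sent.
    if (headers_sent($file, $line)) {
        error_log("Cannot log in: output already started at $file:$line");
        return false;
    }
    session_start();
    session_regenerate_id(true); // fresh session id for the logged-in user
    $_SESSION['admin'] = $firstname;
    header('Location: admin_home.php');
    return true;
}

// Stand-alone demo. On the live site the DSN would be a mysql: one instead.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, firstname TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO admin VALUES (?, ?, ?)')
   ->execute(['demo_admin', 'Dana', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(check_login($db, 'demo_admin', 'correct horse')); // right password
var_dump(check_login($db, 'demo_admin', 'wrong guess'));   // wrong password
var_dump(check_login($db, 'no_such_user', 'anything'));    // unknown user
```

In a web request, call `start_admin_session()` only when `check_login()` returns a name, and `exit` immediately after it returns `true`.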
