0
<?php
include 'session.php';
?>

<html>
<head>
<link href="css/adminOpmaak.css" rel="stylesheet" type="text/css"/>
<?php
        mysql_connect("localhost", "admin", "") or die(mysql_error());
        mysql_select_db("test") or die(mysql_error());
?>

</head>

<body>
<div class = "header">

<a href="index.php"><img src="home-icon.png" width="25" height ="25"></a>

</div> <!--header-->

<div class = "menu">

</div> <!--menu-->

<div class ="content">
<form action="Login.php" method="POST">

<input type="text" align="center" name="Account"  value="<?php echo isset     ($_POST['Account'])?$_POST['Account']:"";?>"/> <br />
<input type="text" align="center" name="Password" value="<?php echo isset    ($_POST['Password'])?$_POST['Password']:"";?>" /><br />    
<input type="submit" name="Login" value="Login"/><br />
<?php 
if(isset ($_POST ['Login']))
{
    $querystring ="SELECT Account FROM Admins WHERE Account ='".$_POST['Account']."';";
    $result = mysql_query($querystring);

    mysql_query($querystring)or die (mysql_error());

    if (empty($_POST['Account']) || empty($_POST['Password'])) 
    {
        echo "niet alles is ingevoerd"; 

    }
    elseif (mysql_num_rows($result) == 1) 
    {
        $user = mysql_fetch_assoc($result); 
    } 
    else 
    {
        echo "dit account bestaat niet";
    }

    if(md5($_POST['Password']) != $user['Password'])
    {
        echo "wachtwoord is niet correct";?><br/> <?php
        echo "Het account is:".$user['Account'];?><br/> <?php
        echo "het wachtwoord is: ".$user['Password'];?><br/> <?php
        echo mysql_fetch_assoc($result);
    }
}   
?>  
</form>
</div>

</body>
</html>

It's kinda strange since he does recognize the $user['Account']; and he doesnt recognize the password version.

My database has the right values. This is what he echo's:

wachtwoord is niet correct
Het account is:Probeersel
het wachtwoord is:

So I dont know why he DOES recognize the account but he doesn't recognize wachtwoord. Why is that?

Jim
  • 22,354
  • 6
  • 52
  • 80
Bart
  • 717
  • 1
  • 9
  • 28
  • 5
    Your SELECT statement is `SELECT Account FROM ...` - you're not selecting Password at all. – andrewsi Aug 23 '13 at 14:57
  • $querystring ="SELECT Account FROM Admins WHERE Account ='".$_POST['Account']."'; remove last quotes. – Mihai Aug 23 '13 at 14:58
  • 3
    Also you're prone to SQL injection. Scripts like yours is a reason why we say you should use a different database client library that supports prepared statements so that you write more stable code. - Recommended reading: [How can I prevent SQL injection in PHP?](http://stackoverflow.com/q/60174/367456) – hakre Aug 23 '13 at 14:58
  • `wachtwoord is niet correct Het account is:Probeersel het wachtwoord is:` is that another language or bad typing? – amaster Aug 23 '13 at 14:58
  • 2
    This question appears to be off-topic because it is about a typo in a SQL query. – hakre Aug 23 '13 at 15:01
  • @amaster507: it's swedish, or something similar-ish. – Marc B Aug 23 '13 at 15:02
  • 1
    Lots of problems here: `mysql` is deprecated. don't use it: use `mysqli` or `PDO` instead. You're not escaping your $_POST variables so your code is susceptible to SQL injection. You're using MD5 to hash stored passwords: MD5 is cryptographically broken. Use SHA256 or SHA512 instead, and hash more than once. –  Aug 23 '13 at 15:02
  • @MarcB It's Dutch. "wachtwoord" = password in English. – Sumurai8 Aug 23 '13 at 15:08
  • `echo "...";?>
    ";`     – zessx Aug 23 '13 at 15:08
  • @zessx thats because I want the value on the same line with the text, that's why I used the ?>
    – Bart Aug 26 '13 at 06:54
  • @andrewsi Thats because I want to retrieve the password via my account. Not getting it out of the DB. Thats why I use the fetch. – Bart Aug 26 '13 at 06:55
  • @hakre it's not a typo. the query works else It would die and I would recognize the error. – Bart Aug 26 '13 at 06:57
  • Well forgetting a word is also a typo. Your concrete problem is that you don't troubleshoot this well. E.g. inspect what the database returns before running wild assumptions on it. That helps you to find errors early. Another one is to not stuff so much together over multiple levels of nesting because it makes things complicated. You want to keep things simple to reduce errors. – hakre Aug 26 '13 at 08:23
  • @Bart - your query is "SELECT Account FROM..."; you pass that into `mysql_query`, and assign the result to `$result`; you use `mysql_fetch_assoc($result)` to add a row into `$user`. The only field that's going to be in `$user` is Account. You can't check `$user['Password']` because it's null. Does that make it clearer? – andrewsi Aug 26 '13 at 10:59
  • @hakre Yeah I noticed that big mistake. Forgetting a word is also a typo, you're right. But I tested? I used the echo's to see the values in my database. If it shows '' I know he can't find my value. Maybe I shouldn't get the fetch right after it since it won't work. I just started programming with PHP I like it but there are still some hard parts in it for me :). Anyways thanks for the answers. – Bart Aug 26 '13 at 13:04
  • @Bart: PHP gives warnings on undefined indexes and variables and properties. But you must want to take care to read them: http://stackoverflow.com/questions/845021/how-to-get-useful-error-messages-in-php – hakre Aug 27 '13 at 06:56

1 Answers1

0

There are a few problems.

First, your mysql statement is wrong.

Change this:

$querystring ="SELECT Account FROM Admins WHERE Account ='".$_POST['Account']."';";

To this:

$querystring ="SELECT * FROM Admins WHERE Account ='" .$_POST['Account']. "'";

Next, for one test, echo out the account name and password that you get from the db query, just so you can make sure you are getting what you expect (perhaps the capitalization is wrong for the field name or something like that).

$user = mysql_fetch_assoc($result);
echo 'Got this username: ' .$user['Account']. '<br />';
echo 'Got this password: ' .$user['Password']. '<br />';

Once you have confidence that you are getting the correct data, then you can finish your script.

This:

if(md5($_POST['Password']) != $user['Password'])
{
    echo "wachtwoord is niet correct";?><br/> <?php
    echo "Het account is:".$user['Account'];?><br/> <?php
    echo "het wachtwoord is: ".$user['Password'];?><br/> <?php
    echo mysql_fetch_assoc($result);
}

Can be re-written as:

if(md5($_POST['Password']) != $user['Password'])
{
    echo "wachtwoord is niet correct<br />";
    echo "Het account is: " .$user['Account']. "<br />";
    echo "het wachtwoord is: " .$user['Password']. "<br />";
}
cssyphus
  • 37,875
  • 18
  • 96
  • 111
  • I beg to disagree with the `SELECT *` bit... What if the table has 100's of rows even though unlikely. What should be is just select the rows that are needed. In this scenario it probably should be `SELECT \`Account\`,\`Password\`` and the OP should use the `mysqli_` functions instead of `mysql_` – amaster Aug 23 '13 at 15:19
  • Thanks for the tips @ the "
    " I'm just a beginner and just trying some stuff out.     – Bart Aug 26 '13 at 06:57
  • Please upvote any posts that are helpful to you, and also select a correct answer when done (to close the question). – cssyphus Sep 10 '13 at 16:27