I have a website that I need users to be able to login to. It is currently on a different server from the company's actual website. I would like to have a single login form that checks for a username and password in multiple databases on the same server.

Here's the setup.

One database has 2 different tables that I need to check for username and password. The other database has 1 table that I need to check.

I will have a checkbox for 1 of the tables in the first database. So the form will have 3 fields (Username, Password, and an "I am a reporter" checkbox).

I believe that it has something to do with the UNION sql command.

I don't know a LOT about sql but I am trying to learn as I go...

Here is the code so far.. also, I hope someone will tell me whether the information will be passed securely or not.

<?php
session_start(); // Starting Session
$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
    if (empty($_POST['uname']) || empty($_POST['pswd'])) {
        $error = "Username or Password is invalid";
    }
    else
    {
        // Define $username and $password
        $uname=$_POST['uname'];
        $pswd=$_POST['pswd'];
        // Establishing Connection with Server by passing server_name, user_id and password as a parameter
        $con = mysql_connect("10.0.0.3", "webaccess", "ccrweb");
        // To protect MySQL injection for Security purpose
        $username = stripslashes($username);
        $password = stripslashes($password);
        $username = mysql_real_escape_string($username);
        $password = mysql_real_escape_string($password);
        // Selecting Database
        $db = mysql_select_db("company", $connection);
        // SQL query to fetch information of registerd users and finds user match.

        $query = mysql_query("select * from dbo.contacts where WebPwd='$password' AND WebAcctName='$username'", $connection);

        $rows = mysql_num_rows($query);

        if ($rows == 1) {
            $_SESSION['login_user']=$username; // Initializing Session
            header("location: "); // Redirecting To Other Page
        } else {
            $error = "Username or Password is invalid";
        }
        mysql_close($connection); // Closing Connection
    }
}
?>

It is not all complete yet and I am still researching but I am also trying to do this as quick as possible.

Any help will be greatly appreciated!

RiggsFolly
DomCan
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Aug 24 '15 at 18:20
  • you don't want a union. possibly a join, if the data in the two dbs/tables are related. – Marc B Aug 24 '15 at 18:20
  • If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Aug 24 '15 at 18:20
  • You really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Aug 24 '15 at 18:20
  • I think your issues are related to _but I am also trying to do this as quick as possible_. It looks to me like this script has been built with a few copy/pastes and all you need to do is add some proper code indentation and then actually read what you have written. Lots of little mistakes due to copy/paste. – RiggsFolly Aug 24 '15 at 18:27
  • Does he really... just save the passwords plaintext? Also `$uname=$_POST['uname'];` and `$pswd=$_POST['pswd'];` should be `$username = $_POST['uname'];` and `$password = $_POST['pswd'];`. – Charlotte Dunois Aug 24 '15 at 18:52
  • I have been trying to find an explanation of how to not save the passwords in plain text I am very new to server scripting. I have used HTML but never really messed with php and especially not sql. I did not know that mysql functions are deprecated. I have been researching and looking at different tutorials. I will research more about mysqli and PDO as stated below. – DomCan Aug 24 '15 at 19:27
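The comments above recommend PDO with prepared statements and PHP's `password_hash()` / `password_verify()` instead of plaintext columns. The following is an added example written for this page, not code from the question or from any commenter: it shows how the `contacts` table from the question would be written to and checked with hashed passwords, plus a one-off routine that hashes an existing plaintext column in place. The DSN, the credentials placeholder and the `contacts` / `WebAcctName` / `WebPwd` names are assumptions taken from the question's query; host `10.0.0.3` and database `company` are the values the question uses.

```php
<?php
// Added example, not code from the question or its commenters: the
// password_hash()/password_verify() workflow the comments recommend, over PDO
// prepared statements. The DSN, the credentials placeholder and the contacts
// table/column names are assumptions; only host "10.0.0.3" and database
// "company" come from the question.
declare(strict_types=1);

function connectCompanyDb(): PDO
{
    return new PDO(
        'mysql:host=10.0.0.3;dbname=company;charset=utf8mb4',
        'webaccess',
        'REPLACE_WITH_REAL_PASSWORD',   // placeholder; never commit real credentials
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
        ]
    );
}

// Registration / password change: store only the hash, never the plaintext.
function setPassword(PDO $pdo, string $username, string $plaintext): void
{
    $hash = password_hash($plaintext, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE contacts SET WebPwd = :hash WHERE WebAcctName = :user');
    $stmt->execute([':hash' => $hash, ':user' => $username]);
}

// Login: select by username only, then compare the hash in PHP. The password
// never appears in the SQL text, so there is nothing for it to inject into.
function checkPassword(PDO $pdo, string $username, string $plaintext): bool
{
    $stmt = $pdo->prepare('SELECT WebPwd FROM contacts WHERE WebAcctName = :user');
    $stmt->execute([':user' => $username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($plaintext, (string) $hash)) {
        return false;
    }
    // Transparently upgrade old hashes when PHP's default cost/algorithm moves on.
    if (password_needs_rehash((string) $hash, PASSWORD_DEFAULT)) {
        setPassword($pdo, $username, $plaintext);
    }
    return true;
}

// One-off migration for a table that currently holds plaintext passwords:
// hash each row in place, skipping rows that are already password_hash() output.
function migratePlaintextPasswords(PDO $pdo): int
{
    $rows = $pdo->query('SELECT WebAcctName, WebPwd FROM contacts')
                ->fetchAll(PDO::FETCH_ASSOC);
    $migrated = 0;
    foreach ($rows as $row) {
        if (password_get_info($row['WebPwd'])['algoName'] !== 'unknown') {
            continue;   // already hashed
        }
        setPassword($pdo, $row['WebAcctName'], $row['WebPwd']);
        $migrated++;
    }
    return $migrated;
}

// Usage (runs only when this file is executed directly from the command line):
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $pdo = connectCompanyDb();
    printf("migrated %d rows\n", migratePlaintextPasswords($pdo));
    var_dump(checkPassword($pdo, 'alice', 'correct horse battery staple'));
}
```

Run the migration once, during a maintenance window, before switching the login form over to `checkPassword()`; after that every row is a hash and the plaintext is gone. Two caveats: `migratePlaintextPasswords()` loads the whole table into memory, which is fine for a contacts list but should be batched for a large user base, and bcrypt (the current `PASSWORD_DEFAULT`) only looks at the first 72 bytes of the password, so very long plaintext values are compared on that prefix only.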

2 Answers


It appears you make a connection declaring one name and then a different connection object name later.

$con = mysql_connect("10.0.0.3", "webaccess", "ccrweb");

$db = mysql_select_db("company", $connection);

I believe the latter should use the same name $con and also at the end mysql_close($con);

Professor Abronsius

First, you should use the mysqli_ or PDO API instead of mysql statements

If you need to use mysql, here is what to do:

$QueryReporter = mysql_query("SELECT * FROM $ReporterTable WHERE Username = '$Username' AND Password = '$Password'");
$QueryOthers = mysql_query("SELECT * FROM $UserTable WHERE Username ='$Username' AND Password = '$Password'");

if(mysql_num_rows($QueryReporter)==1){
//It's a reporter
}

else if(mysql_num_rows($QueryOthers)==1){
//It's not a reporter, but a user
}

else{
//It's no user or reporter, show error :)
}

EDIT:

If you are thinking about two different DB servers, you can use a function, then close the connection after the full query and return the result:

function CheckIfReporter($Username, $Password){

//DATABASE CONNECTION TO REPORTER DB

$Query = mysql_query("SELECT * FROM MyTable WHERE Username = '$Username' AND Password = '$Password'");

//Exactly one matching row means it is a reporter, otherwise no result:
$IsReporter = (mysql_num_rows($Query)==1);

//Close mysqlconnection before returning (a return statement would skip anything after it):
mysql_close();

return $IsReporter;
}

Now, make a similar function for the user check:

if(CheckIfReporter($UsernameInput, $PasswordInput)==TRUE){
//It's a reporter
}

else if(CheckIfUser($UsernameInput, $PasswordInput)==TRUE){
//It's a user
}

else{
//It's none
}
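The answer's structure (one lookup per table, reporter table first, then the user tables, one generic error when nothing matches) rebuilt the way the comments on the question recommend: PDO prepared statements, `password_verify()` against stored hashes, and the "I am a reporter" checkbox from the question choosing which tables are consulted. This is an added example, not MrK's or the asker's code. The question names only host `10.0.0.3`, database `company` and the `contacts` columns `WebAcctName` / `WebPwd`; the second database name (`members`), the `reporters` and `users` tables, their column names, the credentials placeholder and the `/home.php` landing page are assumptions.

```php
<?php
// Added example, not part of MrK's answer: the answer's "check the reporter
// table, then the user table(s)" flow rebuilt with PDO prepared statements and
// password_verify(). Database names, DSNs, credentials, table and column names
// are assumptions; the question only names host 10.0.0.3, database "company",
// and the contacts columns WebAcctName / WebPwd.
declare(strict_types=1);

// Table and column names cannot be bound as prepared-statement parameters, so
// they come only from this fixed map, never from the request.
const LOGIN_SOURCES = [
    'reporter' => [
        'dsn' => 'mysql:host=10.0.0.3;dbname=company;charset=utf8mb4',
        'table' => 'reporters', 'user' => 'Username', 'pwd' => 'PasswordHash',
    ],
    'contact' => [
        'dsn' => 'mysql:host=10.0.0.3;dbname=company;charset=utf8mb4',
        'table' => 'contacts', 'user' => 'WebAcctName', 'pwd' => 'WebPwd',
    ],
    'member' => [
        'dsn' => 'mysql:host=10.0.0.3;dbname=members;charset=utf8mb4',
        'table' => 'users', 'user' => 'Username', 'pwd' => 'PasswordHash',
    ],
];

function connectTo(string $dsn): PDO
{
    return new PDO($dsn, 'webaccess', 'REPLACE_WITH_REAL_PASSWORD', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Returns the stored hash when exactly one row matches the username (the same
// "num_rows == 1" rule the original code used), otherwise null. LIMIT 2 is
// enough to tell "exactly one" from "more than one".
function lookupHash(array $src, string $username): ?string
{
    $pdo = connectTo($src['dsn']);
    $sql = sprintf(
        'SELECT `%s` FROM `%s` WHERE `%s` = :user LIMIT 2',
        $src['pwd'], $src['table'], $src['user']
    );
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':user' => $username]);
    $hashes = $stmt->fetchAll(PDO::FETCH_COLUMN);
    return count($hashes) === 1 ? (string) $hashes[0] : null;
}

// Returns the role name that authenticated, or null. The "I am a reporter"
// checkbox only chooses which tables are consulted; the password check is the
// same for every table.
function authenticate(string $username, string $password, bool $isReporterBox): ?string
{
    $roles = $isReporterBox ? ['reporter'] : ['contact', 'member'];
    foreach ($roles as $role) {
        $hash = lookupHash(LOGIN_SOURCES[$role], $username);
        if ($hash !== null && password_verify($password, $hash)) {
            return $role;
        }
    }
    return null;
}

// Form handler, mirroring the question's $_POST field names.
session_start();
$error = '';
if (isset($_POST['submit'])) {
    $username = (string) ($_POST['uname'] ?? '');
    $password = (string) ($_POST['pswd'] ?? '');
    $role = ($username === '' || $password === '')
        ? null
        : authenticate($username, $password, isset($_POST['reporter']));

    if ($role === null) {
        // One generic message for every failure: it does not reveal whether the
        // username exists or which table was consulted.
        $error = 'Username or Password is invalid';
    } else {
        session_regenerate_id(true);          // fresh session id on privilege change
        $_SESSION['login_user'] = $username;
        $_SESSION['role']       = $role;
        header('Location: /home.php');        // assumed landing page
        exit;
    }
}
```

Two points worth noting about the design. The identifiers in `LOGIN_SOURCES` are the only values ever interpolated into SQL text, and they are compile-time constants, so the query is safe even though table names cannot be bound; everything that comes from the browser goes through `:user` or through `password_verify()`. And because each table is checked with the same routine, adding a fourth source later is a matter of one more entry in the map rather than a fourth copy of the query.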
MrK