0

I have created a login system for my webpage, but when I enter the username and password, it fails to get past the first stage of the process. Does anyone have any ideas on what the problem may be? I have provided the code below.

if(!$_POST['client_username'] || !$_POST['client_password']) {
                    die('You did not fill in a required field.');
                }



                if (!get_magic_quotes_gpc()) {
                    $_POST['client_username'] = addslashes($_POST['client_username']);
                }

                $qry = "SELECT client_username, client_password FROM client WHERE client_username = '".$_POST['client_username']."'";
                $result = mysql_query($qry);

                if($result) {
                if(mysql_num_rows($result) == 1) {
                       die('That username does not exist in our database.');
                    }
                }


                // check passwords match

                $_POST['client_password'] = stripslashes($_POST['client_password']);
                $info['client_password'] = stripslashes($info['client_password']);
                $_POST['client_password'] = md5($_POST['client_password']);

                if ($_POST['client_password'] != $info['client_password']) {
                    die('Incorrect password, please try again.');
                }

                // if we get here username and password are correct, 
                //register session variables and set last login time.

                $client_last_access = 'now()';

                $qry = "UPDATE client SET client_last_access = '$client_last_access' WHERE client_username = '".$_POST['client_username']."'";
                if(!mysql_query($insert,$con)) {
                die('Error: ' . mysql_error());
                }

                else{

                $_POST['client_username'] = stripslashes($_POST['client_username']);
                $_SESSION['client_username'] = $_POST['client_username'];
                $_SESSION['client_password'] = $_POST['client_password'];


                echo '<script>alert("Welcome Back");</script>';
                echo '<meta http-equiv="Refresh" content="0;URL=pv.php">';
                }

When I fill in the username and password, it dies at the first stage and shows the message: You did not fill in a required field.

mayman212

2 Answers

3

You should use || instead of a simple |.

I'm in a good mood. Here's your code. It should work.

<?php

if( empty( $_POST['client_username'] ) || empty( $_POST['client_password'] ) ) {
    die('You did not fill in a required field.');
}

$qry = sprintf( "SELECT client_username, client_password FROM client WHERE client_username = '%s' LIMIT 1", mysql_real_escape_string( $_POST['client_username'] ) );
$result = mysql_query( $qry );

if( $result ) {
    if( mysql_num_rows( $result ) == 0 ) {
        die('That username does not exist in our database.');
    }
}

// where the f**k do you get your info? i added some.
$info = mysql_fetch_assoc( $result );

if( md5( $_POST['client_password'] ) != $info['client_password'] ) {
    die('Incorrect password, please try again.');
}

// if we get here username and password are correct, 
//register session variables and set last login time.
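// escape the value again before reusing it in SQL, even though it came from the database
$qry = sprintf( "UPDATE client SET client_last_access = NOW() WHERE client_username = '%s'", mysql_real_escape_string( $info['client_username'] ) );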
if( !mysql_query( $qry ) ) {
    die('Error: ' . mysql_error() );
} else {
    $_SESSION['client_username'] = $info['client_username'];
    $_SESSION['client_password'] = $info['client_password'];

    echo '<script>alert("Welcome Back");</script>';
    echo '<meta http-equiv="Refresh" content="0;URL=pv.php">';
}
riyuk
  • Thanks for that, but it's still coming up with the following error: Error: Query was empty – mayman212 Nov 29 '11 at 11:18
  • Sorry pal. if( !mysql_query( $insert ) ) { -- should be: if( !mysql_query( $qry ) ) { --- I updated the code. – riyuk Nov 29 '11 at 11:25
1

Your login code contains serious flaws which lead to security issues. In short: magic_quotes compatibility and SQL injection. I don't cover them. The problem you highlight in your question is the one | where you meant || in the first stage's if clause:

  if (!$_POST['client_username'] || !$_POST['client_password'])
                                 ^^

See Logical Operators (Docs). You've used a Bitwise Operator (Docs).

Community
hakre
  • As I wrote, you have got multiple flaws in your code; I didn't say that this one point fixes all your issues. You should consider writing the script step by step, with testing each time you add some functionality (e.g. a new `if`). Additionally, output the values you test before you test them so you can verify that your code does what you expect. – hakre Nov 29 '11 at 10:55
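
An added example, not part of the question or either answer: the same login check with the magic_quotes and SQL injection issues removed by using PDO bound parameters, and `password_verify()` in place of comparing `md5()` output. The `attempt_login()` helper, the in-memory SQLite database and the sample user are assumptions made for illustration; the table and column names are taken from the question.

```php
<?php
// Added example: hardened login check. Table and column names come from the
// question; the in-memory SQLite database and sample user are constructed.

function attempt_login(PDO $db, ?string $username, ?string $password): bool
{
    // Require both fields; comparing with '' avoids empty() rejecting the string "0".
    if ($username === null || $username === '' || $password === null || $password === '') {
        return false;
    }

    // Bound parameter: user input is never concatenated into the SQL text,
    // so no addslashes()/magic_quotes handling is needed.
    $stmt = $db->prepare(
        'SELECT client_username, client_password FROM client WHERE client_username = :u'
    );
    $stmt->execute([':u' => $username]);
    $info = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same return value for an unknown user and a wrong password, so the
    // caller cannot tell the visitor which usernames exist.
    if ($info === false || !password_verify($password, $info['client_password'])) {
        return false;
    }

    // The stored username is bound as a parameter too, never interpolated.
    $upd = $db->prepare(
        'UPDATE client SET client_last_access = CURRENT_TIMESTAMP WHERE client_username = :u'
    );
    $upd->execute([':u' => $info['client_username']]);
    return true;
}

// Constructed demo data (assumption: client_password holds password_hash() output).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE client (client_username TEXT PRIMARY KEY, client_password TEXT, client_last_access TEXT)');
$ins = $db->prepare('INSERT INTO client (client_username, client_password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(attempt_login($db, 'alice', 'correct horse'));  // valid credentials
var_dump(attempt_login($db, 'alice', 'wrong'));          // wrong password
var_dump(attempt_login($db, "alice' OR '1'='1", 'x'));   // quote characters stay inside the bound value
var_dump(attempt_login($db, 'alice', ''));               // missing field
```

On a successful login, call `session_regenerate_id(true)` and store only the username in `$_SESSION`, not the password hash.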