I'm creating an e-commerce website. I am working on an admin page that lets the "store manager" log in to do things like add or remove products. In my database, I created a table called admin, with these fields:

• id
• password
• time_last_logged_in

I inserted a row for my store manager, I can see the username and password so I know the person exists in the database, but when I try to log in it echoes out the error below.

admin_login.php

<?php 
    session_start();
    if (isset($_SESSION["manager"])) {
        header("location: index.php"); 
        exit();
    }
?>
<?php 
    if (isset($_POST["username"]) && isset($_POST["password"])) {
        $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]); // filter everything but numbers and letters
        $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password"]); // filter everything but numbers and letters
        // Connect to the MySQL database  
        include "../scripts/connect_to_mysql.php"; 
        $sql = mysql_query("SELECT id FROM admin WHERE username='$manager' AND password='$password' LIMIT 1"); // query the person
        // ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
        $existCount = mysql_num_rows($sql); // count the row nums
        if ($existCount == 1) { // evaluate the count
            while($row = mysql_fetch_array($sql)){ 
                $id = $row["id"];
            }
            $_SESSION["id"] = $id;
            $_SESSION["manager"] = $manager;
      开发者_JAVA百科      $_SESSION["password"] = $password;
            header("location: index.php");
            exit();
        } else {
            **echo 'That information is incorrect, try again <a href="index.php">Click Here</a>';**
            exit();
        }
    }
?>

I use a connect_test.php script to verify that it's connecting to the database and that there's no problem connecting.

index.php

<?php 
    session_start();
    if (!isset($_SESSION["manager"])) {
        header("location: admin_login.php"); 
        exit();
    }
    // Be sure to check that this manager SESSION value is in fact in the database
    $managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers and letters
    $manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters
    // Run mySQL query to be sure that this person is an admin and that their password session var equals the database information
    // Connect to the MySQL database  
    include "../scripts/connect_to_mysql.php"; 
    $sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1"); // query the person
    // ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
    $existCount = mysql_num_rows($sql); // count the row nums
    if ($existCount == 0) { // evaluate the count
        echo "Your login session data is not on record in the database.";
        exit();
    }
?>

Why might my code return That information is incorrect, try again <a href="index.php">Click Here</a>'; instead of a successful validation?

The Problem(s?)

The way I see it, there are several problems with your code. I'll try to address each one and tell you how to solve each issue.

Issue #1: You are using REGEX To strip your code.

There are much better alternatives, the best of which is prepared statements which you should obviously use. Sadly, mysql_* functions don't support it. Which get's me to the next issue:

Issue #2: You are using mysql_* functions.

You shouldn't be using functions like mysql_query() and mysql_num_rows(), instead, consider moving to a better and more secure alternative, such as MySQLi (Good) or PDO (Awesome).

Issue #2.5: You are not using prepared statements.

A Prepared statement is automatically escaped and any malicious code or characters is render useless, same goes for SQL injections. You should use a better database handler that supports it (See Issue #2).

Issue #3: You are testing specifically.

You seem to test only if the row count is equal to exactly one. But what if there are (by accident) 2? Instead of testing what should be, test for what should not be:

if ($existCount != 0) { ...

Issue #4: You are not selecting the correct fields.

You only select the id field in your query, where instead you should be selecting all of the relevant fields (like username and password), in order to receive information.

Issue #5: You are not using secure storing.

If someone were to steal your database, they would have easy access to all your passwords. Consider using an encrypting method like sha1().

Issue #6: You are not testing for errors.

Errors can and will occur, you should test for them, with mysql_query() you should probably do something like

mysql_query("SELECT....") or die(mysql_error());

In PDO that would be something like

if (!$stmt->execute()) { throw new Exception("Execution failed.` . var_export($stmt->errorInfo(), true)); }

Try to correct those, and tell us if your problem persists.

Good luck :)

Try doing:

$sql = mysql_query("SELECT ... LIMIT 1") or die(mysql_error());

Your code assumes the query succeeds, which is very bad form. Always check for error conditions. You may have failed to connect to the database. perhaps your DB is malformed and you've got 2 or more records with the same username/password combo, etc...

I'm new to PHP myself, but I noticed that your select statement in the first code sample above selects only the id. That might be the problem. You should change it to select * and see if that makes any difference.

Good luck