jQuery / PHP Ajax登录系统

Question

I'm setting up a blog type page for my business. Brand new to MySQL and PHP. Set up this login system. For some reason have no idea why the login is dropping. Suppose to check for errors then return 'good' through php if the email and password is right. If php returns good then it's suppose to redirect to the blog page.

Been dealing with this for a few months need desperate help please. Thank you. Here is the php code that goes along with the jquery.

Link to test site is here. test.toddprod.com/login Would really appreciated the help. Thanks

<?php
#fake mysql connection first
DEFINE ('DB_USER','usernamegoeshere');
DEFINE ('DB_PASSWORD','passwordhere');
DEFINE ('DB_HOST','hostnamehere');
DEFINE ('DB_NAME','andtheotherthinghere');

$dbc = mysql_connect (DB_HOST, DB_USER, DB_PASSWORD) or die ('Could not connect to MySQL');

$db = mysql_select_db(DB_NAME, $dbc) or die('Could not select database.'.mysql_error());


$e = $_POST['email'];
$pass = $_POST['pass'];
$q = 'SELECT user_id from toddprod where email="'.$e.'" and pass= SHA1("'.$pass.'")';
$r = mysql_query($db, $q);
if( mysql_num_rows($r)==1 ){
    setcookie ( 'user_id', $r);
    setcookie ( 'email', '$e');
    setcookie ( 'logged-in', 'true');
    echo 'good';
    }
else if (mysql_num_rows($r)==0) {
    echo 'Your '.$e.' with password '.$pass;
};
mysql_close ($db);
?>

Answer 1

Umm there's a number of things I see wrong here...

First of all your query should be sanitized...

$email = mysql_real_escape_string ($_POST['email']); // escape the email
$pass = SHA1(mysql_real_escape_string ($_POST['pass'])); // escape and encrypt the pass

// now you can put it into the query safely
$query = "SELECT user_id from toddprod where email = '$email' and pass = '$pass' ";

Next you're executing the query wrong, the mysql_query function takes two arguments, the query and the database connection. You're passing the wrong arguments, you're passing the query and the result of the mysql_select_db function which is just a boolean value. So you have to $dbc not $db into that query, and even then you're passing the arguments in the wrong order. The query goes first, than the connection. So it should be...

$result = mysql_query($query, $dbc);

Next you're trying to set the return value from the mysql_query function as your cookie but that value is a resource, not the userid that you need. You have to actually read the value from the resource like this.

$row = mysql_fetch_array($result);
$userid = $row["user_id"];
setcookie('user_id', $userid);

Moving on... when you're setting the email cookie, you have the variable in single quotes, so the cookie will actually contain $e and not the actual email because single quotes store strings litterly (without parsing the variables). So you should either use double quotes, or no quotes at all. So either one of the following is fine...

setcookie('email', "$e");
setcookie('email', $e);

Last but not least, you should not have the semicolon at the end of your if-statement, and you again you need to pass the connection not the database-selection result into the mysql_close function, so it should be

mysql_close($dbc);

There, hope this gets you somewhere, try out these changes and if the problem persists i'd be happy to help you further.

Here are links that will help you out:

http://www.php.net/manual/en/function.mysql-query.php

http://www.php.net/manual/en/function.mysql-fetch-array.php

http://www.php.net/manual/en/function.mysql-real-escape-string.php

Edit:

Here, I have fixed the code according to the problems I found. Try it out, I could not test it so it might have some small syntax errors here and there, but it should give you something to compare with. Also for the future, I would suggest that you name your variables semantically/properly so it's easier for others to pickup and it will also keep you from getting confused like you were passing $db instead of $dbc into a few of your functions.

<?php
    // keep the function names in lowercase, no reason, just looks better to me
define('DB_USER', 'usernamegoeshere');
define('DB_PASSWORD', 'passwordhere');
define('DB_HOST', 'hostnamehere');
define('DB_NAME', 'andtheotherthinghere');

    // connect to the mysql server
$conn = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD) or die ('Could not connect to MySQL');
    // select the database, you don't need to store the result, it just returns true or false
mysql_select_db(DB_NAME, $conn) or die('Could not select database.' .mysql_error());

    // escape the input
$email = mysql_real_escape_string($_POST['email']);
$pass = sha1(mysql_real_escape_string($_POST['pass']));

    // create the query
$query = "SELECT user_id FROM toddprod WHERE email = '$email' AND pass = '$pass'";

    // execute the query
$result = mysql_query($query, $conn);
$usercount = mysql_num_rows($result);

if($usercount == 1){
    // read the results and get the user_id
    $row = mysql_fetch_array($result);
    $userid = $row['user_id'];

    // set the cookies
    setcookie('user_id', $userid);
    setcookie('email', $email);
    setcookie('logged-in', 'true');

    // echo success message
    echo 'good';
}elseif($usercount == 0) {
    echo "You're $email with password $pass";
}
mysql_close($conn);
?>

Answer 2

First things first, you MUST sanitise user input with mysql_real_escape_string() :

$e = mysql_real_escape_string ($_POST['email']);
$pass = mysql_real_escape_string ($_POST['pass']);

Read up a bit on SQL injection , you'll be very glad you did.

As for the main problem, could you provide a bit more context? How are you checking to see if the user is logged in?