User login script error
Titan85
12-29-2006, 06:39 PM
I made a script for user login and registration, but when I try to register a new user it gives me the error that I need all fields to be filled in. I am pretty sure that I know what is causing the problem, but I don't know how to fix it. Here is my registration page script:
<?php
require("config.php");
if ($_POST['submit']) { //Check if form was submitted
$username = clean($_POST['$username']);
$password = clean($_POST['$password']);
$password2 = clean($_POST['$password2']); //Password confirmation
$email = clean($_POST['email']);
$ip = clean($_SERVER['REMOTE_ADDR']); //Get ip of user
$signup = time(); //Time of registration
if (!$username | !$password | !$password2 | !$email) { //If any fields are empty
echo'You must fill out every field! <a href="'.$_SERVER['REQUEST_URI'].'">Back</a>.';
}
else {
if ($password != !$password2) { //If passwords do not match
echo'The passwords did not match! <a href="'.$_SERVER['REQUEST_URI'].'">Back</a>.';
}
else { //Test to see if username is in use
$user_test = "SELECT * FROM `users` WHERE username = '$username'";
$user_test = mysql_query($user_test);
if (mysql_num_rows(username_test) == 1) { //If username is found
echo'The username is already in use. <a href="'.$_SERVER['REQUEST_URI'].'">Back</a>.';
}
else {
$md5pass = md5($password); //Encrypt password
//Query to add data to table
$add = "INSERT INTO `users VALUES ('', '$username', '$md5pass', '$email', '$ip', '$signup')";
mysql_query($add); //Run query
echo'You have successfully registered! <br />';
echo'Use this information to login: <br />';
echo'Username: '.$username.' <br />';
echo'Password: '.$password;
}
}
}
}
else {
require("register_form.php");
}
?>
I think the specific part is the part that checks for empty fields:
if (!$username | !$password | !$password2 | !$email) { //If any fields are empty
echo'You must fill out every field! <a href="'.$_SERVER['REQUEST_URI'].'">Back</a>.';
}
I checked over everything to make sure that all the fields were filled in and names matched, but found no error. The form code that submits to this page is:
<form method="post" action="<?=$_SERVER['REQUEST_URI']?>">
Username:
<br />
<input type="text" name="username">
<br />
Password:
<br />
<input type="password" name="password">
<br />
Confirm Password:
<br />
<input type="password" name="password2">
<br />
E-mail:
<br />
<input type="text" name="email">
<br />
<input type="submit" name="submit" value="Register">
</form>
The error displayed is the one I specified for if a field is not filled in. I would appreciate any ideas on what's going wrong. Thanks.
thetestingsite
12-29-2006, 11:12 PM
I think the specific part is the part that checks for empty fields:
if (!$username | !$password | !$password2 | !$email) { //If any fields are empty
echo'You must fill out every field! <a href="'.$_SERVER['REQUEST_URI'].'">Back</a>.';
}
You are right about this being the line that does the checks, and the problem is that you are not comparing anything. The above should actually look like any of the following variations:
if (!$username || !$password || !$password2 || !$email) { //If any fields are empty
echo'You must fill out every field! <a href="'.$_SERVER['REQUEST_URI'].'">Back</a>.';
}
or
if (!$username or !$password or !$password2 or !$email) { //If any fields are empty
echo'You must fill out every field! <a href="'.$_SERVER['REQUEST_URI'].'">Back</a>.';
}
That should fix the problem on that.
Hope this helps.
Titan85
12-30-2006, 06:28 AM
I tried both of those ways, but I still get the same error. Any more ideas?
nikhil.deshmukh
12-30-2006, 10:15 AM
Yes, this should help:
if (!$username || !$password || !$password2 || !$email) { //If any fields are empty
echo'You must fill out every field! <a href="'.$_SERVER['REQUEST_URI'].'">Back</a>.';
}
If not, check for:
if (empty($username)) ... go on...{
thetestingsite
12-30-2006, 05:24 PM
I have noticed this part in your code:
$username = clean($_POST['$username']);
Do you have a function in config.php named clean? If so, what does it do? Try taking that part off and just have the following:
$username = $_POST['$username'];
If it works like that, then you know that it is a problem with that function.
Hope this helps.
Titan85
12-31-2006, 02:51 AM
I took off the clean function and the error is still displayed. Anything else it could be?
thetestingsite
12-31-2006, 04:37 AM
Something else that I have not noticed before was the following in red:
$username = clean($_POST['$username']);
Notice that you are not calling upon a form field but a variable. That IS the reason why you are receiving this message. It's so subtle that everyone viewing/replying to this thread (including myself) has just overlooked it.
This is in the username, password, and password2 variables.
Hope this helps.
Titan85
12-31-2006, 05:11 AM
That was the error, fixed it and it works great :) . However, I ran into yet another issue. When I try to login, it just redisplays the login box and says/does nothing. I am really not sure what is causing it to do this, here is the code, hope someone knows:
<?php
require ("config.php");
if (empty($online['id'])){ //Check if already logged in
if ($_POST['login']) { //If form was submitted
$username = clean($_POST['username']);
$password = clean($_POST['password']);
if (!$username | !$password){ //If user or password is empty
echo 'You left a field empty. <a href="'.$_SERVER['REQUEST_URI'].'">Back</a>.';
}
else {
$pass = md5($pass); //Encrypt password
$query = "SELECT * FROM `users` WHERE username = '$username' AND password = '$password'";
$query = mysql_query($query) or die(mysql_error());
if (mysql_num_rows($query) == 1){ //If row exists
$expire = time() + (7*86400); //Cookie expire time
setcookie("username", $username, $expire); //Set username cookie
setcookie("password", $password, $expire); //Set password cookie
//Success
echo 'Success, you have been logged in!<br />';
echo '<a href="cpanel.php">Continue</a>...';
}
else { //User not found
echo 'Incorrect username and password. <a href="'.$_SERVER['REQUEST_URI'].'">Back</a>.';
}
}
}
else {
require("form.php");
}
}
else { //Already logged in
require("logged_in.php");
}
?>
Thanks for the help so far ;)
thetestingsite
12-31-2006, 05:14 AM
Could you post the code for form.php please. It could be just one little item not being submitted in the form that keeps causing it to redisplay the form, but to be sure we need the code.
Thanks.
EDIT: Actually, before you post the code, check to make sure you have a form field named "login" because that could be the problem.
Titan85
12-31-2006, 05:16 AM
Sure, here it is:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Login</title>
</head>
<body>
<form method="post" action="<?=$_SERVER['REQUEST_URI']?>">
Username:
<br />
<input name="username" type="text" id="username" />
<br />
Password:
<br />
<input name="password" type="text" id="password" />
<br /><br />
<input name="submit" type="submit" id="login" value="Login" />
</form>
</body>
</html>
thetestingsite
12-31-2006, 05:18 AM
As said in my edit:
EDIT: Actually, before you post the code, check to make sure you have a form field named "login" because that could be the problem.
Make sure there is a field named login, and in the above code you posted, there is NOT one.
Either add a hidden field for that or change the submit button name.
Titan85
12-31-2006, 05:35 AM
Ok, I changed the name and now that works (seems I am good at making stupid little errors), but now I find that the data is not being entered into the sql table from the register.php page, so I set it to display an error, and this is what I get: "Column count doesn't match value count at row 1". It comes from this line of code:
$add = "INSERT INTO `users` VALUES ('', '$username', '$md5pass', '$email', '$ip', '$signup')";
mysql_query($add) or die (mysql_error()); //Run query
I have never seen this error and have no idea what it means, anyone know? Could it be related to my SQL code?
blm126
12-31-2006, 11:34 PM
You need to include the column list or specify them exactly.
So it should look like this:
INSERT INTO `users`(column_name,column_name,column_name,column_name,column_name,column_name) VALUES ('', '$username', '$md5pass', '$email', '$ip', '$signup')
column_name needs to be changed to the correct columns (in the exact order).
Titan85
01-01-2007, 02:00 AM
Ok, I added what you said and now it adds the data to the table :). However, yet another problem: I still get the "incorrect username" when I try to login. Since I know the data is indeed in the sql database, it must be something with the login page. Here is the full code:
<?php
require('config.php');
if (empty($online['id'])){
if ($_POST['Login']) { //If loggin submitted
$username = clean($_POST['username']);
$password = clean($_POST['password']);
if (!$username || !$password){ //If fields are empty
echo 'You left a field empty. <a href="'.$_SERVER['REQUEST_URI'].'">Back</a>.';
}
else {
$password = md5($password);
$query = "SELECT * FROM `users` WHERE username = '$username' AND password = '$password'";
mysql_query($query) or die(mysql_error());
if (mysql_num_rows($query) == 1){ //Info found
$expire = time() + (7*86400);
setcookie("username", $user, $expire); //Set Username cookie
setcookie("password", $pass, $expire); //Set password cookie
//Success
echo 'Success, you have been logged in!<br />';
echo '<a href="cpanel.php">Continue</a>...';
}
else { //If no info found
echo 'Incorrect username and password. <a href="'.$_SERVER['REQUEST_URI'].'">Back</a>.';
}
}
}
else {
require('form.php');
}
}
else {
require('logged_in.php');
}
?>
I get the error:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/bntqann/public_html/testing/user_login/login.php on line 23.
I do not know why it says mysql_num_rows() is not valid result, anyone know?
thetestingsite
01-01-2007, 05:39 AM
It should be like this:
$query = "SELECT * FROM `users` WHERE username = '$username' AND password = '$password'";
$result = mysql_query($query) or die(mysql_error());
if (mysql_num_rows($result) == 1){ //Info found
Titan85
01-01-2007, 07:19 AM
Ok, I changed the mysql_num_rows() to what you showed me and it works good, but I still get the username incorrect error, anything else it could be?
thetestingsite
01-01-2007, 08:36 AM
Try echoing the variable $password after the following line in the above code.
$password = md5($password);
If it matches the SQL entry, then you may need to make a workaround for this, by calling upon different queries (ex: one for the user information, and one for the password itself [like the below example]).
$password = md5($password);
$query = "SELECT * FROM `users` WHERE username = '$username'";
$result = mysql_query($query) or die(mysql_error());
$q = mysql_fetch_array($result);
if ($password == $q['password']) {
echo 'Login Success!';
}
else {
echo 'Login Failed';
}
//edit to your liking of course
However, if the variable $password does not match that in the SQL entry, you may need to make it into a new variable. Like so:
$pwd = md5($password);
//sql query...
Hope this helps.
blm126
01-01-2007, 07:04 PM
Another trick I use when a query isn't working: echo out the final query (after the variables have been added) and run it manually (with the mysql command line tool, or maybe PhpMyAdmin). This will make sure you get the results you thought you would.
Titan85
01-02-2007, 12:48 AM
I tested echoing the password and it matches up with the database record of it. I am not sure how to make 2 different queries for the password and the username. In the code you gave before, what does this do:
if ($password == $q['password']) {
I don't know what the $q['password'] would do.
Another thing that I think may be the problem is my query code:
$query = "SELECT * FROM `users` WHERE username = '$user' AND password = '$password'";
$result = mysql_query($query) or die(mysql_error());
if (mysql_num_rows($result) == 1){ //Info found
Anything wrong in there?
Thanks for all the help so far, hope someone sees something in the code or has an idea on what's wrong :)
thetestingsite
01-02-2007, 01:41 AM
Ok, so here's something that you could do. Change the following:
$query = "SELECT * FROM `users` WHERE username = '$username' AND password = '$password'";
$result = mysql_query($query) or die(mysql_error());
to this:
$query = "SELECT * FROM `users` WHERE username = '$username'";
$result = mysql_query($query) or die(mysql_error());
Then, below that, add the following:
$q = mysql_fetch_array($result); //fetches the mysql array from the table.
if ($password == $q['password']) {
echo 'Login Success';
}
else {
echo 'Login Failed';
}
What the above does is assign a variable ($q) to the array in the sql data that was returned from the query. After that, it takes that same variable with the array name "password" ( $q['password'] ) and checks against the md5 encryption of that entered. If it matches, then the login was successful. Else, the login failed.
Hope this helps.
Titan85
01-02-2007, 03:22 AM
Ok, I changed the code to what you said, and I get the login success message, but now I am not sure how to check to see if the user is logged in on other pages (the protected ones). Also, I don't really understand how the password is being checked, and I would like to, seeing as I am doing this as a learning experience ;) . Any help and explanations would be greatly appreciated.
thetestingsite
01-02-2007, 03:34 AM
Now that you are getting the login success message, add what you tried to add before (the setcookie items.)
$expire = time() + (7*86400);
setcookie("username", $user, $expire); //Set Username cookie
setcookie("password", $pass, $expire); //Set password cookie
//Success
echo 'Success, you have been logged in!<br />';
echo '<a href="cpanel.php">Continue</a>...';
The above will go where the login success message is, and whatever you want to happen if they get the login failed message would go there.
I don't really understand how the password is being checked
In your first query (after you changed it to check only for rows with the matching username), you get the information from the only row with the username that you entered. After that, the following line kicks in:
$q = mysql_fetch_array($result);
That gets the table column names and puts them in an array. After that, we check against the db for a match with the entered password after its md5 encryption:
$password = md5($password);
if ($password == $q['password']) {
echo 'Login Success!';
}
else {
echo 'Login Failed';
}
In other words (for the above code), if the entered md5 password hash matches the one in the db, continue with login success. If it does not match, then the login failed.
Hope this helps.
blm126
01-03-2007, 03:06 AM
Now that you are getting the login success message, add what you tried to add before (the setcookie items.)
That may not be the best way to do it. I would use something along these lines.
Log them in
@session_start();//Start the session, Must be called before anything is sent to the browser
$_SESSION['user'] = $username;//Remember the username
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];//Remember the IP. Another line of defense against the session getting hijacked
and check the login
@session_start();//Must be called before anything is sent to the browser
if(!empty($_SESSION['user']) && !empty($_SESSION['ip']) && $_SESSION['ip'] == $_SERVER['REMOTE_ADDR']){
echo 'User is logged in';
}
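An added example, not part of the original thread or any poster's code: the same register, login and session flow written with PDO prepared statements, password_hash()/password_verify() in place of md5(), and a server-side session in place of username and password cookies (the mysql_* functions used in the thread were removed in PHP 7). The table layout, function names and sample account are constructed for illustration, and an in-memory SQLite database (the pdo_sqlite extension) stands in for MySQL so the script runs offline.

```php
<?php
// Added example: constructed schema and data; in-memory SQLite via PDO (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT UNIQUE NOT NULL, password TEXT NOT NULL, email TEXT NOT NULL)');

function registerUser(PDO $db, string $username, string $password, string $email): bool
{
    if ($username === '' || $password === '' || $email === '') {
        return false;                     // logical ||, not the bitwise | from the thread
    }
    // Salted, deliberately slow hash; the plaintext is never stored or echoed back.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Explicit column list and bound parameters instead of string-built SQL.
    $stmt = $db->prepare('INSERT INTO users (username, password, email) VALUES (?, ?, ?)');
    try {
        return $stmt->execute([$username, $hash, $email]);
    } catch (PDOException $e) {
        return false;                     // UNIQUE constraint: username already taken
    }
}

function verifyLogin(PDO $db, string $username, string $password): bool
{
    // Fetch the row by username, then compare, as in the thread's final approach.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() re-hashes with the stored salt and compares timing-safely.
    return $row !== false && password_verify($password, $row['password']);
}

function startUserSession(string $username): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();                  // must run before any output is sent
    }
    session_regenerate_id(true);          // fresh session ID at login
    $_SESSION['user'] = $username;        // identity is kept server-side
}

// Constructed sample account and inputs.
var_dump(registerUser($db, 'alice', 'correct horse', 'alice@example.test'));
var_dump(registerUser($db, 'alice', 'another pass', 'a2@example.test')); // duplicate username
var_dump(registerUser($db, 'bob', '', 'bob@example.test'));              // empty field
var_dump(verifyLogin($db, 'alice', 'correct horse'));
var_dump(verifyLogin($db, "o'brien", 'anything'));  // the quote is bound as data, not SQL
```

On a real login page, startUserSession() would be called only after verifyLogin() returns true, and protected pages would check $_SESSION['user'].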
thetestingsite
01-03-2007, 04:27 AM
Either way is fine, just a matter of opinion. I simply suggested adding the part (s)he already had in the original script due to the fact (s)he is currently learning, and if it was already in the original, that means it was already learned. Sessions are a good way to go about user authentication, but it is pretty much the same as a cookie (with the exception that it is not stored client side [browser]).