MySQLi Login User allowing login with blank fields! :(

12/17/2014 3:26 am | #1 Nathon Jones Web Design

We've set up and installed the MySQLi Log in User behaviour on the following page:
http://www.stranraermusictown.org.uk/smtadmin/index.php

We were using an e-mail address and password to log in, to test, and it worked fine so we didn't think any more of it.
Today however I happening to click on the Sign In button without entering any information and, to my horror, it logged us straight in!
I've double checked the behaviour and nothing seems out of place. Hope you can resolve this swiftly for us. Page attached.

Thank you
NJ

12/17/2014 9:33 am | #2 Jason ByrnesWebAssist

My first guess would be a blank record in the users table.

Does the registration form use validation?

Both the registration and login page should have server side validation in place to prevent submitting a blank email address or password.

to troubleshoot further than that, I'll need to troubleshoot directly, see the private message section.

9/17/2015 5:24 pm | #5 Dave W

Hi Jason,
I am having the same problem, only worse.
You can log in with a blank username and password, but you can also use a username and password that isn't in the database and it will still log you in.
Is there a bug in this MySQLi user authentication module?
I have attached the page for you to look at.

9/17/2015 5:32 pm | #6 Ray BorduinWebAssist

In the filter tab of the UI you should be filtering the username column with the value from the form... and you shouldn't have a recordset on the page at all.

You have a recordset returning the user information and then you are logging in with the field from that recordset, which of course is always valid since it is coming from the database directly.

Delete the recordset from the page.

Update the Authenticate Server behavior and on the filter tab filter the authenticate based on both the username and password columns, getting their values from the submitted form.

Did this help? Tips are appreciated...

9/17/2015 5:45 pm | #7 Dave W

Thanks Ray,
That worked. It's fine now.
As I was new to MySQLi I used Kate Ford's Tutorial to set this up, and if you read it it tells you to set up a recordset and then select your username etc from that, (see the section marked "General Tab" and the illustration that goes with it), I think it should be amended.
Anyway, thanks once again for your (very) quick help.

Email me with all replies to this thread

Title:

Public Message: (viewable by anyone reading this thread)
(do not cut and paste code into this field unless necessary, attach copies of your pages so they can be opened in Dreamweaver for debugging)

Quote message in reply?

Private Message: (viewable only by you, the person you are replying to, and WebAssist employees)
(only put truly private information in this area such as ftp details and phone numbers. Keep as much of your post public as possible)

These attachments are private (viewable only by you, the person you are replying to, and WebAssist employees)

Manage Attachments

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

MySQLi Login User allowing login with blank fields! :(

12/17/2014 3:26 am | #1 Nathon Jones Web Design