nightkarnation Posted July 2, 2008

Hey... I'm trying to do an authentication login page, but for some reason on the password code... if I type a username and password that's already saved on my database... I still keep on getting wrong password.

Here's the MySQL code:

    CREATE TABLE tbl_auth_user (
        user_id VARCHAR(10) NOT NULL,
        user_password CHAR(32) NOT NULL,
        PRIMARY KEY (user_id)
    );

    INSERT INTO tbl_auth_user (user_id, user_password) VALUES ('theadmin', PASSWORD('chumbawamba'));
    INSERT INTO tbl_auth_user (user_id, user_password) VALUES ('webmaster', PASSWORD('webmistress'));

Here's the login.php code:

    <?php
    session_start();

    $errorMessage = '';
    if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {
        include 'library/config.php';
        include 'library/opendb.php';

        $userId = $_POST['txtUserId'];
        $password = $_POST['txtPassword'];

        // check if the user id and password combination exist in database
        $sql = "SELECT user_id
                FROM tbl_auth_user
                WHERE user_id = '$userId'
                AND user_password = PASSWORD('$password')";

        $result = mysql_query($sql) or die('Query failed. ' . mysql_error());

        if (mysql_num_rows($result) == 1) {
            // the user id and password match,
            // set the session
            $_SESSION['db_is_logged_in'] = true;

            // after login move to the main page
            header('Location: main.php');
            exit;
        } else {
            $errorMessage = 'Sorry, wrong user id / password';
        }

        include 'library/closedb.php';
    }
    ?>

Any ideas?? Thanks for your time!

LooieENG Posted July 2, 2008

    "SELECT user_password FROM tbl_auth_user WHERE user_id = '$userId'"

And then check $password against $MySQLpassResult

lemmin Posted July 2, 2008

The result password will be hashed and the one from $_POST won't be. I think you would actually have to insert $password into the database in order to compare it to the one that is already in there. Unless there is a way for PHP to do that MySQL password hash, but I don't know how.

LooieENG Posted July 2, 2008

It's better to md5() the pass before inserting it into the database when making an account, and then using it to compare passwords. That way it stops MySQL injection, so unless you already have a load of accounts created, use md5($password)

jelly Posted July 2, 2008

You should add 'filtering' to your $userId and $password variables.

    <?php
    $userId = mysql_real_escape_string($_POST['txtUserId']);
    $password = mysql_real_escape_string($_POST['txtPassword']);
    ?>

Try typing as user name: ' or 1=1-- ;-)

-- jelly
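
The login check discussed in this thread, as an added example that is not code from any of the posters: it uses PDO bound parameters and PHP's password_hash()/password_verify() in place of the thread's mysql_* calls, PASSWORD() and md5(). It assumes the pdo_sqlite extension and an in-memory SQLite database so it runs without a MySQL server; the function names createUser and checkLogin and the DUMMY_HASH constant are made up for the example.

```php
<?php
// Added example (not from the thread). Runs offline on in-memory SQLite; assumes pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The column must hold the complete hash (bcrypt output is 60 characters).
// A column shorter than the hash either rejects the insert or silently
// truncates it, and a truncated hash never matches.
$db->exec('CREATE TABLE tbl_auth_user (
    user_id       VARCHAR(10)  NOT NULL PRIMARY KEY,
    user_password VARCHAR(255) NOT NULL
)');

// Hash of a throwaway value, verified against when the user id is unknown.
define('DUMMY_HASH', password_hash('unused', PASSWORD_DEFAULT));

function createUser(PDO $db, string $userId, string $password): void
{
    $stmt = $db->prepare('INSERT INTO tbl_auth_user (user_id, user_password) VALUES (?, ?)');
    $stmt->execute([$userId, password_hash($password, PASSWORD_DEFAULT)]);
}

function checkLogin(PDO $db, string $userId, string $password): bool
{
    // Bound parameter: the input travels as data and is never parsed as SQL.
    $stmt = $db->prepare('SELECT user_password FROM tbl_auth_user WHERE user_id = ?');
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn();

    // The comparison happens in PHP against the stored salted hash. An unknown
    // user still costs one verification, so both paths take similar time.
    $known = is_string($hash);
    $ok = password_verify($password, $known ? $hash : DUMMY_HASH);
    return $known && $ok;
}

// Constructed account, reusing the sample credentials from the first post.
createUser($db, 'theadmin', 'chumbawamba');

$attempts = [
    ['theadmin', 'chumbawamba'],   // valid credentials
    ['theadmin', 'webmistress'],   // wrong password
    ["' or 1=1-- ", 'anything'],   // user name suggested in the thread
];
foreach ($attempts as [$userId, $password]) {
    $verdict = checkLogin($db, $userId, $password) ? 'accepted' : 'rejected';
    printf("%-14s %s\n", $userId, $verdict);
}
```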

nightkarnation Posted July 2, 2008

Thanks LooieENG!! It works great now