Akenatehm Posted November 29, 2008 Share Posted November 29, 2008 Hey Guys, Well I have tried on my own to produce this script that validates inputted text with a login database on my server. Could you please look over it and tell me what I need to change/fix? <?PHP include "connect.php"; $username=$_POST['user']; $password=$_POST['pass']; $usernamecheck = mysql_query"SELECT from `users` where 'username' = $username"; if $username=='username'{ $correct_user; } else { print "Username/Password is Incorrect"; } $usernamecheck = mysql_query"SELECT from `users` where 'password' = $password"; if $password=='password'{ $correct_pass; } else { print "Username/Password is Incorrect"; } // SET THE CORRECT USERNAME AND PASSWORD $correct_user = "($usernamecheck)"; $correct_pass = "($passwordcheck)"; // Checkif the username is correct if ($user==$correct_user){ //IF the username is correct, check the password if ($pass==$correct_pass){ //If the password is correct, return "ok" $response="Password Correct. Logging In...."; } else { //Else the password is wrong $response="Wrong Username/Password"; } //Return the response to Flash print "&response=".$response."&"; ?> Quote Link to comment Share on other sites More sharing options...
trq Posted November 29, 2008 Share Posted November 29, 2008 Your over complicating things. A simple example. <?php include "connect.php"; if (isset($_POST['submit'])) { $username = mysql_real_escape_string($_POST['user']); $password = md5(mysql_real_escape_string($_POST['pass'])); if ($result = mysql_query("SELECT username FROM users WHERE username = '$username' && userpass = '$password'")) { if (mysql_num_rows($result)) { echo "User is valid"; } else { echo "User not valid"; } } } ?> Quote Link to comment Share on other sites More sharing options...
Akenatehm Posted November 29, 2008 Author Share Posted November 29, 2008 I am adjusting from a tutorial. We are using it to validate a login in Flash. The script was originally just storing a username and password and checking it off with the one that the user inputted but I changed it to validate it from a database. Do I still need the extra script. Oh, and will my version still work? If not, and if its required could you please tell me what needs fixing. Thanks Akenatehm Quote Link to comment Share on other sites More sharing options...
trq Posted November 29, 2008 Share Posted November 29, 2008 No your script won't work. A few reasons, mainly errors. Firstly, mysql_query is a function, therefore its arguments need to be surrouned by quotes. Secondly, your sql query itself is malformed. Thirdly, though this will still work, there is absolutelly no need to execute two seperate queries to validate against both username and password. Quote Link to comment Share on other sites More sharing options...
trq Posted November 29, 2008 Share Posted November 29, 2008 Actually, looking at your code again there are more, in fact numerous errors. It needs a complete rewrite. Id suggest you look over my example. Quote Link to comment Share on other sites More sharing options...
Akenatehm Posted November 29, 2008 Author Share Posted November 29, 2008 Hmm ok. Is there a way to alter this script to get data from a mysql table: // SET THE CORRECT USERNAME AND PASSWORD $correct_user = "flash"; $correct_pass = "vista"; // Checkif the username is correct if ($user==$correct_user){ //IF the username is correct, check the password if ($pass==$correct_pass){ //If the password is correct, return "ok" $response="ok"; } else { //Else the password is wrong $response="Wrong password"; } } else { //If the username is wrong $response="Wrong username"; } //Return the response to Flash print "&response=".$response."&"; There also needs to be validation and anti-sql injection Quote Link to comment Share on other sites More sharing options...
Prismatic Posted November 29, 2008 Share Posted November 29, 2008 <?php $sql = mysql_query("SELECT * FROM users WHERE username = '". mysql_real_escape_string($username) ."' AND password = '". mysql_real_escape_string($password) ."'"); if(mysql_fetch_row($sql)) { $response = "ok"; } else { $response = "invalid details"; } print "&response=".$response."&"; ?> This is assuming you have a users table with a username and password field Quote Link to comment Share on other sites More sharing options...
Akenatehm Posted November 29, 2008 Author Share Posted November 29, 2008 Yes I do. Can you please explain what is happening at each stage of the script? and why there is a lot less than there is in the other script? Quote Link to comment Share on other sites More sharing options...
Prismatic Posted November 29, 2008 Share Posted November 29, 2008 <?php /** * Run the MySQL query selecting only the rows with $usernamd and $password * mysql_real_escape_string escapes special characters to prevent SQL injection */ $sql = mysql_query("SELECT * FROM users WHERE username = '". mysql_real_escape_string($username) ."' AND password = '". mysql_real_escape_string($password) ."'"); /** * mysql_fetch_row will return the row as an array or FALSE if no row is * found in the query we ran above */ if(mysql_fetch_row($sql)) { // A row was returned so the user data is valid $response = "ok"; } else { // No row was returned so the user data was NOT valid $response = "invalid details"; } print "&response=".$response."&"; ?> In the code above you can swap out mysql_fetch_row with mysql_num_rows as they perform the same function in these circumstances. It's not generally the best idea to tell someone either the username or password was incorrect. You should simply tell the user the information they provided was incorrect. Reason being a potential attacker trying to brute force their way in wouldn't know if they had a valid username or not if you just returned incorrect information. Quote Link to comment Share on other sites More sharing options...
Akenatehm Posted November 29, 2008 Author Share Posted November 29, 2008 Ok cool that made it alot easier for me. Could you please explain the last line print "&response=".$response."&"; I have no idea what that means. Quote Link to comment Share on other sites More sharing options...
ShiloVir Posted November 29, 2008 Share Posted November 29, 2008 print and echo are same things. But Print is a function. So it can be used in things like" <?php if(file_exists("require/blablabla.php")){ include("require/blablabla.php") or print ("Zomg00sh. I Screwed up. The file isnt here!"); } ?> while on the other hand. Echo wouldnt work because it isnt a function. The following code will not work: <?php if(file_exists("require/blablabla.php")){ include("require/blablabla.php") or echo "Zomg00sh. I Screwed up. The file isnt here!"; } ?> Quote Link to comment Share on other sites More sharing options...
Akenatehm Posted November 29, 2008 Author Share Posted November 29, 2008 Yeah i understand that but I dont understand what all the other characters are in the print fuction. Quote Link to comment Share on other sites More sharing options...
trq Posted November 29, 2008 Share Posted November 29, 2008 Those other chars are there because flash expects a string simular to that found in urls. eg; foo=a&bar=b This would set the variables foo and bar within flash to equal a and b respectively. Quote Link to comment Share on other sites More sharing options...
Akenatehm Posted November 29, 2008 Author Share Posted November 29, 2008 Oh sweet, thanks heaps thorpe and everyone else for your help on this topic. Quote Link to comment Share on other sites More sharing options...
Akenatehm Posted November 29, 2008 Author Share Posted November 29, 2008 I still need this script to validate against data that is inputted in a form in Flash, which works the same way as HTML forms I believe. Quote Link to comment Share on other sites More sharing options...
Akenatehm Posted November 29, 2008 Author Share Posted November 29, 2008 Dont worry. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.