
issues with login script


4 replies to this topic

#1 tomfmason

  • Staff Alumni
  • Advanced Member
  • 1,696 posts
  • Location: stealing your wifi

Posted 08 July 2006 - 01:05 PM

I have tried everything that I can think of. Here is the login script that I am currently working on.

<?php 
include ('includes/db.php');
array_pop($_POST); 
if ( get_magic_quotes_gpc() ) { 
    $_POST= array_map('stripslashes', $_POST); 
} 

$username= mysql_real_escape_string(trim($_POST['username'])); 
$password= mysql_real_escape_string(trim($_POST['password'])); 

$sql= sprintf("SELECT COUNT(*) AS login_match FROM `users` WHERE `username` = '%s' AND `password`= '%s'", $username, $password); 
$res= mysql_query($sql) or die(mysql_error()); 
$login_match= mysql_result($res, 0, 'login_match'); 

if ( $login_match == 1 ) { 
    echo "this test worked";
} else { 
    print_r ($login_match);
	// not logged in 
}
?>



I have tried several things; everything that I try prints the same thing: 0. I thought that maybe it was because the password is encrypted. So I tried this.



<?php 
include ('includes/db.php');
array_pop($_POST); 
if ( get_magic_quotes_gpc() ) { 
    $_POST= array_map('stripslashes', $_POST); 
} 

$mdpwd= md5($password);
$username= mysql_real_escape_string(trim($_POST['username'])); 
$mdpwd= mysql_real_escape_string(trim($_POST['mdpwd'])); 

$sql= sprintf("SELECT COUNT(*) AS login_match FROM `users` WHERE `username` = '%s' AND `password`= '%s'", $username, $mdpwd); 
$res= mysql_query($sql) or die(mysql_error()); 
$login_match= mysql_result($res, 0, 'login_match'); 

if ( $login_match == 1 ) { 
    echo "this test worked";
} else { 
    print_r ($login_match);
	// not logged in 
}
?>




This did not work either. It outputs the same thing: 0.
I am not sure if this is relevant or not but username is on row 0 and password is on row 1 in the users table.
Any suggestions would be great.

Traveling East in search of instruction, and West to propagate the knowledge I have had gained.

current projects: pokersource

My Blog | My Pastebin | PHP Validation class | Backtrack linux


#2 tomfmason


Posted 08 July 2006 - 01:30 PM

I just tried this and still the same thing:

<?php 
include ('includes/db.php');
array_pop($_POST); 
if ( get_magic_quotes_gpc() ) { 
    $_POST= array_map('stripslashes', $_POST); 
} 

$username= mysql_real_escape_string(trim($_POST['username'])); 
$mdpwd= mysql_real_escape_string(trim($_POST['password'])); 

$sql= sprintf("SELECT COUNT(*) AS login_match FROM `users` WHERE `username` = '%s' AND `password`= '%s'", $username, $mdpwd); 
$res= mysql_query($sql) or die(mysql_error()); 
$login_match= mysql_result($res, 0, 'login_match'); 

if ( $login_match == 1 ) { 
    echo "this test worked";
} else { 
    print_r ($login_match);
	// not logged in 
}
?>



#3 Kurt

  • Members
  • Advanced Member
  • 42 posts
  • Location: New York

Posted 08 July 2006 - 02:12 PM

Try using mysql_num_rows($res); rather than mysql_result(). That's what I do for login systems.

#4 tomfmason


Posted 08 July 2006 - 02:28 PM

I tried that, but with SELECT COUNT(*) it will always return 1; it never gets to the WHERE. I was reading somewhere that SELECT COUNT(*) was a faster and better way to do this, but so far it hasn't. The way I have it now should work but it doesn't..lol.



#5 tomfmason


Posted 08 July 2006 - 09:25 PM

I got it to work just fine.

The Fix:

I had it a little mixed up, lol. A simple fix.

From

$mdpwd= md5($password);
$username= mysql_real_escape_string(trim($_POST['username'])); 
$mdpwd= mysql_real_escape_string(trim($_POST['mdpwd']));


To:


$username= mysql_real_escape_string(trim($_POST['username'])); 
$password= mysql_real_escape_string(trim($_POST['password']));
$mdpwd= md5($password);



As you can see, this is a simple fix. I just had to md5 hash the password at the end. I have posted the working script below. Now I am off to find a better way for sessions, not $_SESSION['username']. Any suggestions on hashing session variables would be great, or maybe using something like a time stamp?


The working login code:


<?php 
include ('includes/db.php');
array_pop($_POST); 
if ( get_magic_quotes_gpc() ) { 
    $_POST= array_map('stripslashes', $_POST); 
} 
$username= mysql_real_escape_string(trim($_POST['username'])); 
$password= mysql_real_escape_string(trim($_POST['password']));
$mdpwd= md5($password); 

$sql= sprintf("SELECT COUNT(*) AS login_match FROM `users` WHERE `username` = '%s' AND `password`= '%s'", $username, $mdpwd); 
$res= mysql_query($sql) or die(mysql_error()); 
$login_match= mysql_result($res, 0, 'login_match'); 

if ( $login_match == 1 ) { 
    echo "this test worked";
} else { 
    print_r ($login_match);
	// not logged in 
}
?>

Thanks.

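Added example (not part of the original thread and not the poster's code): the same username/password check against a `users` table, written with a prepared statement and PHP's password_hash()/password_verify() in place of escaping plus md5(). The in-memory SQLite database, the account and the function names register() and login() are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the thread. Table contents, account name and
// passwords are constructed; an in-memory SQLite database keeps it offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Registration (hypothetical helper): store a salted, slow hash of the raw password.
function register(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login (hypothetical helper): fetch the stored hash by username, compare in PHP.
// The password is never escaped, trimmed or placed in the SQL text, so the
// bytes that get hashed are exactly the bytes the user typed.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();              // false when no such user
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // Upgrade the stored hash when the default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed sample account; the password contains quotes and a backslash,
// the characters an escape-before-hash sequence would alter.
$secret = "it's a \"quoted\" pass\\word";
register($pdo, 'alice', $secret);

var_dump(login($pdo, 'alice', $secret));   // correct password
var_dump(login($pdo, 'alice', 'wrong'));   // wrong password
var_dump(login($pdo, "o'brien", 'x'));     // unknown user, quote in the name
```

In a web request, a successful login() would be followed by session_regenerate_id(true), storing only the user's identifier in $_SESSION.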




