frank_solo Posted April 12, 2013 Share Posted April 12, 2013 So I have been trying to figure out why my login page keeps logging me in with just the username. I can just type in the username without the password and it logs me in. I can type a non existing username and I get the "invalid" error. This is the code: <?php include("config.php"); session_start(); if($_SERVER["REQUEST_METHOD"] == "POST") // username and password sent from Form $myusername=mysql_real_escape_string($_POST['username']); $mypassword=mysql_real_escape_string($_POST['password']); $passcode=sha1(md5($mypassword)*(12)); // Encrypted Password $sql="SELECT id FROM user WHERE username='".$myusername."' and password='".$passcode."'"; $result=mysql_query($sql); $count=mysql_num_rows($result); // If result matched $username and $password, table row must be 1 row if($count==1) { $_SESSION['username']; $_SESSION['login_user']=$myusername; header("location: welcome.php"); } else { $error="Your Login Name or Password is invalid"; } ?> The Form: <form action="" method="post"> <p><input type="text" name="username" id="username" placeholder="Username" ></p> <p><input type="password" name="password" id="password" placeholder="Password" ></p> <p align="center" class="submit"><input type="submit" name="commit" value="Login"></p> </form> Quote Link to comment https://forums.phpfreaks.com/topic/276858-login-issues/ Share on other sites More sharing options...
wright67uk Posted April 12, 2013 Share Posted April 12, 2013 What do you return when you echo $passcode? Quote Link to comment https://forums.phpfreaks.com/topic/276858-login-issues/#findComment-1424322 Share on other sites More sharing options...
frank_solo Posted April 12, 2013 Author Share Posted April 12, 2013 Thanks wright67ukSorry for the delay. I echo the passcode and it shows the hashed password for the user on the first row. I can't figure it out. Thanks Quote Link to comment https://forums.phpfreaks.com/topic/276858-login-issues/#findComment-1424479 Share on other sites More sharing options...
mac_gyver Posted April 13, 2013 Share Posted April 13, 2013 you are multiplying $mypassword * 12. as long as $mypassword doesn't start with a number, that multiplication will produce a zero value as will an empty $mypassword and the hash of that will always be the same. if you used the same logic when you inserted the row in to the user table, the hash stored in the user table corresponds to a zero value and leaving the password field empty will match it. why are you multiplying a string by a number? Quote Link to comment https://forums.phpfreaks.com/topic/276858-login-issues/#findComment-1424514 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.