Ex1t Posted August 7, 2015 Share Posted August 7, 2015 (edited) What is wrong in this code? $username = htmlspecialchars($_POST['username']); $password = md5($_POST['password']); $sql = "SELECT * FROM users WHERE username='$username' AND password='$password' "; if($conn->query($sql) === TRUE) { $_SESSION['username'] = $username; header('Location: panel.php'); } else { echo 'Wrong username or passsword!'.mysqli_error($conn); } I fixed it..This is my code now: $username = htmlspecialchars($_POST['username']); $password = md5($_POST['password']); $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'"; $query = mysqli_fetch_assoc($conn, $sql); $run_query = mysqli_query($conn, $sql); if(!$run_query) { echo 'Wrong username or password!'; } else { $_SESSION['username'] = $username; header('Location: panel.php'); } Edited August 7, 2015 by Ex1t Quote Link to comment https://forums.phpfreaks.com/topic/297684-login-script/ Share on other sites More sharing options...
Tom8001 Posted August 7, 2015 Share Posted August 7, 2015 (edited) Don't use md5 for hashing your password it is very easy to crack use this instead $enc_pass = hash('ripemd320', $password); and in your sql query replace $password with $enc_pass Edited August 7, 2015 by Tom8001 Quote Link to comment https://forums.phpfreaks.com/topic/297684-login-script/#findComment-1518230 Share on other sites More sharing options...
scootstah Posted August 8, 2015 Share Posted August 8, 2015 Don't use md5 for hashing your password it is very easy to crack use this instead No. Use this instead. 1 Quote Link to comment https://forums.phpfreaks.com/topic/297684-login-script/#findComment-1518240 Share on other sites More sharing options...
Ex1t Posted August 8, 2015 Author Share Posted August 8, 2015 Im using md5 only for my projects on localhost..For Everything else im using bcrypt Quote Link to comment https://forums.phpfreaks.com/topic/297684-login-script/#findComment-1518249 Share on other sites More sharing options...
Ch0cu3r Posted August 8, 2015 Share Posted August 8, 2015 Your login code is still broken. Anyone can login using any username or password that does or does not exist. That is because your code only checks to see if the query executed. mysqli_query only returns TRUE when the query executed and FALSE if a MySQL error occured. You need to check the query did return a row in order to authenticate the user $result = mysqli_query($conn, $sql); // check mysqli_query return TRUE, meaning query executed without error (returns FALSE otherwise) if($result) { // check the query did return a row, where the username and password hash used matched if(mysqli_num_rows($result) !== 0) { // can now authenticate the user $_SESSION['username'] = $username; header('Location: panel.php'); exit; // use exit/die to terminate the script after using header redirect to prevent remaining PHP code from being executed } // the query did not return a row, incorrect login credentials used else { echo 'Wrong username or password!'; } } // mysqli_query returned FALSE, else { // query did not execute due to an error. Lets find out trigger_error('Login Query Error: ' . mysqli_error($conn)); } Im using md5 only for my projects on localhost..For Everything else im using bcrypt Why? If you are going to use bcrypt when the project is finished then use it at the beginning. 1 Quote Link to comment https://forums.phpfreaks.com/topic/297684-login-script/#findComment-1518261 Share on other sites More sharing options...
Ex1t Posted August 10, 2015 Author Share Posted August 10, 2015 Thanks for helpI work on this project as exercise Quote Link to comment https://forums.phpfreaks.com/topic/297684-login-script/#findComment-1518380 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.