Eiolon Posted December 23, 2006

Basically, my script is letting anything authenticate, regardless if it is in the database or not. I am not trying to do anything special besides using SHA1 for hashing.

This is my first PHP script so pay no mind to my excessive commenting.

[code]
<?php # login.php

// Connect to the MySQL server and database.
require_once ('mysql_connect.php');

// Start the script when submitted.
if (isset($_POST['submit'])) {

    // Verify that all required fields are completed.
    if (!$_POST['username'] | !$_POST['password']) {
        die ('You must enter a username and password.');
    }

    // Query the database for user information.
    $auth = "SELECT username, password FROM users WHERE username=('".$_POST['username']."') AND password=sha1('".$_POST['password']."')";
    $result = mysql_query ($auth) OR die ('Cannot execute the query.');

    // If authentication is successful...
    if ($auth) {
        echo 'You are now logged in.';
        exit();
    }

    // Close the connection to the server and database.
    mysql_close();

// End of script.
}
?>
[/code]

Jessica Posted December 23, 2006

So you're saying that even if they are not in the database, it echoes the "you are now logged in" message?

Orio Posted December 23, 2006

You never defined $auth. Try this:

[code]
<?php # login.php

// Connect to the MySQL server and database.
require_once ('mysql_connect.php');

// Start the script when submitted.
if (isset($_POST['submit'])) {

    // Verify that all required fields are completed.
    if (!$_POST['username'] || !$_POST['password']) {
        die ('You must enter a username and password.');
    }

    // Query the database for user information.
    $auth = "SELECT username, password FROM users WHERE username=('".$_POST['username']."') AND password=sha1('".$_POST['password']."')";
    $result = mysql_query ($auth) OR die ('Cannot execute the query.');
    $auth = mysql_num_rows($result);

    // If authentication is successful...
    if ($auth) {
        echo 'You are now logged in.';
        exit();
    }

    // Close the connection to the server and database.
    mysql_close();

// End of script.
}
?>
[/code]

I also fixed another problem- the sign for "OR" in if's is || and not a single |.

Btw, you should read about SQL-injections, your script is not secure.

Orio.

Eiolon Posted December 23, 2006

Okay, that seems to make it work. Thanks for the help.

Yes, I know my script is not secure - as I said, this is my first script so I realize I have lots of work to do on it to make it secure.
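
An added example, not part of any post in this thread: the same login check with the two weaknesses discussed above closed, deciding on the fetched row rather than the query string and binding the username as a parameter instead of concatenating it into the SQL. It assumes PHP 7.1 or later with the PDO SQLite driver, swaps the unsalted SHA1 comparison for `password_hash()`/`password_verify()`, and uses a constructed in-memory `users` table (with a hypothetical `password_hash` column) in place of the thread's MySQL database.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with the PDO SQLite
// driver; the in-memory table and its one user are constructed sample data.

// Hash checked when the username is unknown, so both paths do the same work.
define('DUMMY_HASH', password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT));

function authenticate(PDO $db, string $username, string $password): bool
{
    // The username is bound as a parameter and never concatenated into SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    // Decide on the fetched row, not on the query string: fetchColumn()
    // returns false when no user matched.
    if ($hash === false) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    return password_verify($password, $hash);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed login attempts: [username, password].
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong password'],
    ['nobody', 'anything'],
    ["alice' OR '1'='1", 'anything'], // quote characters stay literal data
];

foreach ($attempts as [$user, $pass]) {
    $ok = authenticate($db, $user, $pass);
    printf("%-20s %s\n", $user, $ok ? 'You are now logged in.' : 'Login failed.');
}
```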