Jump to content

Member/Login scripts - argh

Mutley

By Mutley
in PHP Coding Help

Recommended Posts

JasonLewis Member

JasonLewis

Posted
Posted
if its md5 in the database then just select it from the database and compare it against the one from the form but use md5 on the one from the form.

[code=php:0]
$real_password = mysql_result(mysql_query("SELECT `password` FROM `users` WHERE `username`='{$username}'"),0);
$post_password = $_POST['password'];

if(md5($post_password) != $real_password){
echo "wrong password";
}else{
echo "logged in";
}
[/code]

is that what you are asking?
Mutley Advanced Member

Mutley

Posted
  • Author
Posted
That doesn't check the cookie though only the database.

When someone logs in it creates a "username" and "password" cookie. At the moment I can make a fake cookie with someones username in and view their information, the password I don't want entering every time with a login form, it needs to use the password cookie.
alpine Member

alpine

Posted
Posted
Look at this, an example using cookies
[code]

<?php

if(!empty($_COOKIE['user']) && !empty($_COOKIE['pass']))
{
  $user = htmlspecialchars($_COOKIE['user'], ENT_QUOTES);
  $pass = htmlspecialchars($_COOKIE['pass'], ENT_QUOTES);
 
  $check = mysql_query("SELECT * FROM users WHERE pass = '$pass' AND user = '$user'");
 
  if(mysql_num_rows($check) <> 1)
  {
    echo "No accsess granted with your current userdata";
    exit();
  }
  else
  {
    echo "Logged in as $user";
  }
}
else
{
  echo "You have to be logged in to visit this section";
  exit();
}

?>

[/code]
psychohagis Member

psychohagis

Posted
Posted
why are you using cookies? sessions are more secure? I have a script that works fine for me.

[b]Logging in:[/b]
[code]
$server = "YOUR SERVER"; // server to connect to.
$database = "DATABASE"; // the name of the database.
$db_user = "USERNAME"; // mysql username to access the database with.
$db_pass = "PASSWORD"; // mysql password to access the database with.
$table = "TABLE"; // the table that this script will set up and use.




// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

//selects from database using the password and username provided and pulls out verified and id
$match = "select id,verified,rank from $table where username = '".$_POST['username']."'
and password = '".$_POST['password']."';";


//send query
$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);

//turns id verified and rank in to variables
while ($idgrab = mysql_fetch_array($qry)) {
$userid= $idgrab['id'];
$verified= $idgrab['verified'];
$rank= $idgrab['rank'];
}

//checks that a record was found for the username. If not returns you to sign in with error
if ($num_rows <= 0) {
echo '<meta http-equiv=refresh content=0;URL=http://www.YOURSITE.com/signin.php?error=9>'; /*I have a seperate script for printing errors, you may want to do this differently*/
exit;
} else {
//checks whether thse users email is verified  (you may want to edit this out)
if ($verified!=1)
{
echo '<meta http-equiv=refresh content=0;URL=http://www.YOURSITE.com/signin.php?error=10>';
} else {

//sets session variables

session_start();
$_SESSION['userid'] = $userid;
$_SESSION['username'] = $_POST['username'];
$_SESSION['rank'] = $rank;

//send them to the nect page if everything is fine.

echo '<meta http-equiv=refresh content=0;URL=http://www.YOURSITE.com/index.php>';

}

}


[/code]


[b]Then to check whether someones logged in:[/b]
[code]

//start session
session_start();
//check for prescence of session variables
if (!isset($_SESSION['userid']) or $_SESSION['userid'] =='')
{
echo '<meta http-equiv=refresh content=0;URL=http://www.YOURSITE.com/signin.php?error=12>';  //ask you to sign in if you are not
}


[/code]
alpine Member

alpine

Posted
Posted
[quote author=psychohagis link=topic=121052.msg497564#msg497564 date=1168023521]
why are you using cookies? sessions are more secure?
[/quote]

was that supposed to be a question or a statement ? ...It really doesn't matter much if you do not validate user input from injecting your query, yours is wide open!
alpine Member

alpine

Posted
Posted
[quote author=Mutley link=topic=121052.msg497868#msg497868 date=1168048065]
I like yours Alpine but if my cookie is encrypted, does it read it normally or do I need some PHP to decode it?
[/quote]

You don't decrypt the cookie value, you simply compare encrypted value (like the cookie value) with another encrypted value (like the encrypted db-value) to see if they match. If they match, the values before encryption is in most cases identical. This is if the encryption methods are the same on both values ofcourse (md5() etc)
Mutley Advanced Member

Mutley

Posted
  • Author
Posted
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource on line 10

I've set it up all ok I'm sure, I get "No access granted with your current userdata" but the cookies are there?

[code]<?php

if(!empty($_COOKIE['id']) && !empty($_COOKIE['pass']))
{
  $id = htmlspecialchars($_COOKIE['id'], ENT_QUOTES);
  $pass = htmlspecialchars($_COOKIE['pass'], ENT_QUOTES);
include('secure/sec_con.php');
  $check = mysql_query("SELECT * FROM users WHERE pass = '$pass' AND id = '$id'");
 
  if(mysql_num_rows($check) <> 1)
  {
    echo "No accsess granted with your current userdata";
    exit();
  }
  else
  {
    echo "Logged in as $id";
  }
}
else
{
  echo "You have to be logged in to visit this section";
  exit();
}

?>[/code]

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.