
password retrieval with php+mysql


3 replies to this topic

#1 cerin

cerin
  • Members
  • Member
  • 16 posts

Posted 26 February 2006 - 06:41 AM

I'm trying to get a password from a mysql database and compare it to the user's input, but I can't figure out what to use to put the returned password in a variable or something so that it is actually comparable to the user's input. This is what I have so far:
<?php
include 'config.php';
mysql_select_db($usersdb);
$pquery="SELECT password WHERE userid={$_POST['username']} FROM userinfo";
$result=mysql_query($pquery);
$pass=mysql_fetch_array($result,MYSQL_ASSOC);
echo $pass['password'];
?>
<form method="Post">
<p> Username: <input type='text' name='username' />
<input type='submit' />
</p>
</form>

<form method='Post'>
<p>Password: <input type='text' name='password' />
<input type='submit' />
</p>
</form>
I tried a couple things, but I don't know how any of them really work.
With this code I get the error:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in C:\AppServ\www\forum\login.php on line 6


#2 yarnold

yarnold
  • Members
  • Advanced Member
  • 67 posts
  • Location: Worcester, England

Posted 26 February 2006 - 11:24 AM

First of all you need to read up on SQL Injection.

Escape all input, escape all output.

Edward Yarnold
PHP/MySQL/Javascript Programmer
http://www.twixcoding.com

#3 hitman6003

hitman6003
  • Members
  • Advanced Member
  • 1,807 posts

Posted 26 February 2006 - 01:51 PM

<?php
if (isset($_POST)) {
    //connect to your db
    include 'config.php';
    mysql_select_db($usersdb);
    
    //get and escape your two user inputs
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);
    
    //rather than trying to retrieve the password, then check to see if they match in php,
    //use the following query and let SQL do that work for you.
    $pquery = "SELECT username FROM userinfo WHERE userid = '$username' AND password = '$password'";
    $result = mysql_query($pquery) or die("Could not query: " . mysql_error());
    
    //if one row was returned, then the username/password combo was found
    if (mysql_num_rows($result) == 1) {
        echo "User Authenticated";
    } else if (mysql_num_rows($result) == 0) { //if no rows are returned, then the user was not in the db
        echo "User not found";
    } else {  //you may have more than one entry for the same person...which is bad.
        echo "Error occurred during verification";
    }
    
    //header("Location: nextpage.php");
    exit;
}
?>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<p> Username: <input type='text' name='username' />
</p>
<p>Password: <input type='text' name='password' /><br />
<input type='submit' name="submit" value="Submit"/>
</p>
</form>


#4 cerin

cerin
  • Members
  • Member
  • 16 posts

Posted 28 February 2006 - 11:46 PM

Your script displays "User not found" and exits before post is set.
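
An added example, not part of any post in this thread: the same login check written with a PDO prepared statement and password_hash()/password_verify(), so the submitted username never becomes part of the SQL text and no plaintext password is stored or compared in the query. Assumptions: the `password` column holds a password_hash() value, and an in-memory SQLite database with a constructed account stands in for the MySQL server so the script runs offline; the table and column names are the thread's.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension is
// enabled; against MySQL only the DSN passed to new PDO() changes.

function authenticate(PDO $pdo, string $userid, string $password): bool
{
    // Hash of a throwaway value, checked when the user does not exist so that
    // both failure paths do a comparable amount of work.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }

    // The placeholder keeps $userid out of the SQL text, so quotes in the
    // input cannot change the structure of the query.
    $stmt = $pdo->prepare('SELECT password FROM userinfo WHERE userid = :userid');
    $stmt->execute([':userid' => $userid]);
    $hash = $stmt->fetchColumn();

    if (!is_string($hash)) {
        password_verify($password, $dummy);
        return false;
    }
    // The comparison happens in PHP against the stored hash, not in SQL.
    return password_verify($password, $hash);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE userinfo (userid TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample account: only the hash is stored.
$insert = $pdo->prepare('INSERT INTO userinfo (userid, password) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed inputs. In a web page these come from $_POST['username'] and
// $_POST['password'], read only when $_SERVER['REQUEST_METHOD'] === 'POST'.
$attempts = [
    ['alice', 'correct horse'],        // valid credentials
    ['alice', 'wrong'],                // wrong password
    ["alice' OR '1'='1", 'anything'],  // quote characters are treated as data
    ['nobody', 'correct horse'],       // unknown user
];
foreach ($attempts as [$userid, $password]) {
    $ok = authenticate($pdo, $userid, $password);
    printf("%-20s %s\n", $userid, $ok ? 'authenticated' : 'rejected');
}
```

The mysql_* functions used in the posts above were removed in PHP 7.0, so current PHP needs PDO or mysqli in any case.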



