phpSensei Posted July 14, 2007

I want to know how unsafe this login validation is...

<?php
/*We include our database connection file*/
include("connection.php");?>
<?php
/*We use the POST method to get the username and password from the form*/
$username=$_POST['username'];
$password=$_POST['password'];

//Once our Connection is good to go, we can use the SELECT query//
$sql= "SELECT * FROM members";

//Here we set our query to the Variable RESULT//
$result=mysql_query($sql);

//Then we pass it on to the ROW variable as an array//
$row=mysql_fetch_array($result);

if( $username != $row['username'] || $password != $row['password'] ){
    die("Error 2: That username/password does not exist in our Database <br> <br> <a href = errorlog.html>View all Error Logs</a>");
}
elseif(isset($_POST['username']) || isset($_POST['password'])){
    session_start();
    $_SESSION['username'] = $_POST['username'];
    session_register($username);
    header( 'Location: index.php' );
}
else
    die("Error 1: Could not log in with username and password provided, Please try again later <br> <br> <a href = errorlog.html>View all Error Logs</a>");
?>

pocobueno1388 Posted July 14, 2007

Here is a better code I wrote up for you:

<?php
/*We include our database connection file*/
include("connection.php");

/*We use the POST method to get the username and password from the form*/
$username=$_POST['username'];
$password=$_POST['password'];

//Once our Connection is good to go, we can use the SELECT query//
$sql= "SELECT * FROM members WHERE username='$username' AND password='$password'";

//Here we set our query to the Variable RESULT//
$result=mysql_query($sql);

if (mysql_num_rows($result) < 1){
    die("Error 2: That username/password does not exist in our Database"
        ."<br><br>"
        ."<a href = errorlog.html>View all Error Logs</a>");
} else {
    $_SESSION['username'] = $_POST['username'];
    header('Location: index.php');
}
?>

-You needed to change your query to check if there was a row with that username and password.
-If there was a match to the username and password, then you can log them in, else give an error.
-If your password isn't hashed, look into md5()
-You don't need to call session_start() to create a session. You will need to call session start on the rest of your pages that require a login to access.
-On this line "session_register($username);", that is the old way to register a session, plus you had already registered it with the new way.

phpSensei (Author) Posted July 14, 2007

Silly me, I took up too much coding, and yours looks much more simple but safer.. I will wait for the rest..

keeB Posted July 14, 2007

Remember to protect against SQL injection. Use mysql_escape_string, etc.

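The login check discussed in this thread, as an added example that is not code from any poster: the username is bound as a query parameter and the password is stored as a hash, using PDO and password_hash()/password_verify() in place of the thread's mysql_* calls and its md5() suggestion. The in-memory SQLite database, the sample members row and the function names check_login and handle_login are assumptions constructed so the block runs on its own.

```php
<?php
// Added example: in-memory SQLite database constructed so the block runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Constructed sample account; only the hash is stored, never the password.
$ins = $db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
$ins->execute(["o'neil", password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hypothetical helper: true only when the username exists and the password matches.
function check_login(PDO $db, $username, $password): bool
{
    // Reject missing or non-string input (username[]=x arrives as an array).
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    // The placeholder keeps the value out of the SQL text, so a quote in the
    // username is compared as data instead of changing the query.
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched.
    return is_string($hash) && password_verify($password, $hash);
}

// Hypothetical request handler; $post stands in for $_POST.
function handle_login(PDO $db, array $post): string
{
    if (!check_login($db, $post['username'] ?? null, $post['password'] ?? null)) {
        // Same message for an unknown user and a wrong password.
        return 'Error: invalid username or password';
    }
    if (PHP_SAPI !== 'cli') {            // session and redirect only under a web SAPI
        session_start();                 // must run before $_SESSION is written
        session_regenerate_id(true);     // issue a fresh session id after login
        $_SESSION['username'] = $post['username'];
        header('Location: index.php');
    }
    return 'ok';
}

// Constructed requests: valid login, wrong password, array-typed input.
var_dump(handle_login($db, ['username' => "o'neil", 'password' => 'correct horse']));
var_dump(handle_login($db, ['username' => "o'neil", 'password' => 'wrong']));
var_dump(handle_login($db, ['username' => ['x'], 'password' => 'y']));
```
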
This topic is now archived and is closed to further replies.