Username + Password Check

[Ken2k7]

Okay so I have a registered name and password - a hashed one - stored in the database table called member.

 

First, when someone submit the form for a login, how do I match the name the person typed with the name in the database, case-insensitive and how to I check whether the 2 passwords match since one is hashed, which is the one in the database.

 

BTW, for the forms, I'm using $_SESSION to store the $_POST values.

[hostfreak]

What type of hashing? Assuming md5():

 

<?php

//Change $_POST values to your field names
$Name = $_POST['Username'];
$Password = md5($_POST['Password']);

//SQL validate statment
$SQL_Validate = "SELECT * FROM member WHERE name = '$Name' AND password = '$Password'";

//Query statement
$Result = mysql_query($SQL_Validate);

//Fetch number of rows returned
$Returned_Rows = mysql_num_rows($Result);

//If query was valid & Returned_Rows is greater than 0
if ($Result && ($Returned_Rows > 0))
{
    //Store retrieved information to session
    while ($Row = mysql_fetch_assoc($Result))
    {
        $_SESSION['Name'] = $Row['Name'];
    }
}
else
{
    echo 'No matches!';
}

?>

 

[corillo181]

what did you hash the password with ?

 

a good easy code since you a newbie

 

<?php
if($_POST['Submit']){

// give the password and username a variable
$username=$_POST['username'];
$password=$_POST['password'];

// check to see if anything was left empty
if(empty($username)||empty($password)){
$empty="Please fill up all of the fields";

echo $empty;

}else{


// search the database for the information is too to check if the user activated the account
$get=mysql_query("SELECT * FROM table WHERE username='$email' AND password='$password' AND activated='y'")or die(mysql_error());

// check to see if anything was found
$rows=mysql_num_rows($get);
$row=mysql_fetch_array($get);

// test to see if any record was found 
if($rows>0){

// if it was give some variable as $_SESSION 
$_SESSION['user_id']=$row['user_id'];
header('Location:../home.php');
}else{ 

// if nothing give the error
$notFound='Your name was not found, make sure your Email is activated and password is correct.';
echo $notFound
}
  }
}else{

// if they try to check the page with out submitting anything
header('Location:'.$_SERVER['DOCUMENT_ROOT'].'/home.php');
}
?>

[Ken2k7]

I did that but in a login, a username DOESN'T have to be case-sensitive. I think that's the problem.

[corillo181]

them don't put anything to check if is case sensitive..

 

just to make sure your form is working it, make a test page and test the values of what the $_post or $_get method are outputting

[Ken2k7]

Right but see if the user registers with the name Ken2k7 and then log in with ken2k7, it should pass through; but with $sql = "SELECT * FROM member WHERE name='$username' AND password='$password'"; won't match the name since Ken2k7 != ken2k7.

[hostfreak]

$sql = "SELECT * FROM member WHERE name LIKE '$username' AND password='$password'";

[MadTechie]

NO NO

By default, MySQL searches are not case sensitive , so

 

$sql = "SELECT * FROM member WHERE name='Test'

$sql = "SELECT * FROM member WHERE name='test'

$sql = "SELECT * FROM member WHERE name='TEST'

 

will all find the same thing

 

EDIT: worst case,

 

$sql = "SELECT * FROM member WHERE LCASE(name)=LCASE('tEst')

[hostfreak]

Too bad I didn't go with my initial instinct. I had thought they weren't case sensitive, but wasn't 100%, so I recommended LIKE. Although, I didn't think it would be that bad to use?