AdRock Posted September 7, 2007

I have my login form which works perfectly if I don't try using mysql_real_escape_string. I have a function which is called on the login form to check the username etc. and returns a true or false value which will either log the user in or deny access. I have tried using this on the login form but it returns a false value even though I know the username and password are correct:

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$result = user_login($username, $password);

Here is the login form:

<?php
// Include init file
include 'init.php';

if (!isset($_POST['submit'])) {
    // Show the form
    include 'login_form.inc.php';
} else {
    // Try and login with the given username & pass
    $result = user_login($_POST['username'], $_POST['password']);

    if ($result != 'Correct') {
        // Reshow the form with the error
        $login_error = $result;
        include 'login_form.inc.php';
    } else {
        echo 'Thank you for logging in, <a href="index.php">click here</a> to go back.';
    }
}
?>

<?php if (isset($login_error)) { ?>
There was an error: <?php echo htmlspecialchars($login_error); ?>, please try again.
<?php } ?>
<form action="login.php" method="post">
<b>Username:</b> <input type="text" size="20" maxlength="20" name="username" <?php if (isset($_POST['username'])) { ?> value="<?php echo htmlspecialchars($_POST['username']); ?>" <?php } ?>/><br />
<b>Password:</b> <input type="password" size="20" maxlength="10" name="password" /><br />
<input type="submit" name="submit" value="Login" />
</form>

and here is the function that checks the username etc.:

function user_login($username, $password)
{
    // Try and get the salt from the database using the username
    $query = "select salt from user where username='$username' limit 1";
    $result = mysql_query($query);
    $user = mysql_fetch_array($result);

    // Using the salt, hash the given password to see if it
    // matches the one in the database
    $encrypted_pass = md5(md5($password).$user['salt']);

    // Try and get the user using the username & hashed pass
    $query = "select userid, username from user where username='$username' and password='$encrypted_pass'";
    $result = mysql_query($query);
    $user = mysql_fetch_array($result);
    $numrows = mysql_num_rows($result);

    if ($numrows == 1) {
        // Only store session data once the login has been verified.
        // Hash the id and name that go into the session as well
        $encrypted_id = md5($user['userid']);
        $encrypted_name = md5($user['username']);

        $_SESSION['userid'] = $user['userid'];
        $_SESSION['username'] = $user['username'];
        $_SESSION['encrypted_id'] = $encrypted_id;
        $_SESSION['encrypted_name'] = $encrypted_name;

        return 'Correct';
    } else {
        return false;
    }
}
xyn Posted September 7, 2007

Let me expand on that.

function user_login($username, $password)
{
    // Look the user up by username and hashed password in a single query
    $result = mysql_query("SELECT `username`, `userid` FROM `user` WHERE `username`='$username' and `password`='".md5($password)."'");

    if (mysql_num_rows($result)) {
        $row = mysql_fetch_assoc($result);
        // Store the data in the session
        $_SESSION['userid'] = $row['userid'];
        $_SESSION['username'] = $username;
        return "Correct";
    } else {
        return "Incorrect";
    }
}
AdRock Posted September 7, 2007

If I had validation that will only allow numbers and letters, will that stop SQL injection combined with a short maxlength on the input field? If they enter special characters it should return an error, and also set the maxlength of the input field to something short.
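Added example, not code from the thread: the login check from the first post rebuilt around a parameterized query, run against an in-memory SQLite database through PDO so it works offline. It bears on the question just above (alphanumeric validation plus a short maxlength): the HTML maxlength attribute is enforced only by the browser, a server-side whitelist on the username is a reasonable second layer, and the fix that actually removes the injection is to never splice input into the SQL text, which also sidesteps the "escape before you are connected" problem, since the driver binds values on the connection it already has. The md5(md5($password).$salt) scheme from the earlier posts is kept only so that both variants read the same table; password_hash()/password_verify() should replace it in real code. The table and column names, the sample account, its salt and the injected username are constructed for this example, and user_login_interpolated reproduces the interpolation pattern from the earlier post purely to show what the injected value does to it.

```php
<?php
// Added example, not from the thread. Demonstrates the injection in the
// interpolated query and the parameterized replacement, against SQLite via PDO.
declare(strict_types=1);

// Server-side whitelist for the username. The form's maxlength="20" is only
// a browser hint; a request posted directly to login.php ignores it, so the
// length and character rules have to be checked here. Whitelisting is a
// second layer; it is not what makes the query below safe.
function valid_username(string $username): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_]{1,20}\z/', $username);
}

// Constructed in-memory database with one account, using the thread's
// md5(md5($password).$salt) storage scheme so both login variants share it.
function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT UNIQUE, salt TEXT, password TEXT)');
    $salt = 'x7Qp2z';                                   // constructed sample salt
    $stmt = $db->prepare('INSERT INTO user (username, salt, password) VALUES (:u, :s, :p)');
    $stmt->execute([':u' => 'adrock', ':s' => $salt, ':p' => md5(md5('s3cret') . $salt)]);
    return $db;
}

// The pattern from the earlier post: the username is spliced into the SQL text.
// With $username = "adrock' -- " the second query becomes
//   SELECT ... WHERE username='adrock' -- ' AND password='...'
// so the password clause is a comment and the row matches with any password.
function user_login_interpolated(PDO $db, string $username, string $password): bool
{
    $row = $db->query("SELECT salt FROM user WHERE username='$username' LIMIT 1")->fetch(PDO::FETCH_ASSOC);
    $salt = is_array($row) ? $row['salt'] : '';
    $encrypted_pass = md5(md5($password) . $salt);

    $query = "SELECT userid, username FROM user WHERE username='$username' AND password='$encrypted_pass'";
    $rows = $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
    return count($rows) === 1;
}

// Parameterized version: the username travels as a bound value, never as SQL,
// so no escaping call (and no connection-ordering pitfall) is involved.
// The hash comparison moves into PHP, using a constant-time compare.
function user_login_safe(PDO $db, string $username, string $password): bool
{
    if (!valid_username($username)) {
        return false;
    }
    $stmt = $db->prepare('SELECT userid, username, salt, password FROM user WHERE username = :username LIMIT 1');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $encrypted_pass = md5(md5($password) . $row['salt']);
    return hash_equals($row['password'], $encrypted_pass);
}

// Run the real credentials and the injected username through both variants.
function demo(): array
{
    $db = open_db();
    $attack = "adrock' -- ";
    return [
        'legit_interpolated'  => user_login_interpolated($db, 'adrock', 's3cret'),
        'attack_interpolated' => user_login_interpolated($db, $attack, 'anything'),
        'legit_safe'          => user_login_safe($db, 'adrock', 's3cret'),
        'attack_safe'         => user_login_safe($db, $attack, 'anything'),
    ];
}

var_dump(demo());
```

Run with any PHP 7+ that has the pdo_sqlite extension. The interpolated variant accepts both the real password and the injected username, because the comment marker removes the password clause; the parameterized variant accepts only the real credentials. Removing the valid_username check from user_login_safe does not reopen the hole, since the bound value is looked up as a literal and no such user exists; the whitelist just rejects junk earlier and keeps log noise down.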
AdRock Posted September 7, 2007

I have been testing my function to see when I escape what's in the text field, it won't log me in. I used this function and login page to see what was being set and it returned what I expected. I saw the username, password, encrypted password and the salt in the database.

<?php
// Include init file
include 'init.php';

if (!isset($_POST['submit'])) {
    // Show the form
    include 'login_form.inc.php';
} else {
    $username = $_POST['username'];
    $password = $_POST['password'];

    // Try and login with the given username & pass
    $result = test($username, $password);
}
?>

function test($username, $password)
{
    // Try and get the salt from the database using the username
    $query = "select `salt` from `users` where `username`='$username' limit 1";
    $result = mysql_query($query);
    $user = mysql_fetch_array($result);

    // Using the salt, hash the given password to see if it
    // matches the one in the database
    $encrypted_pass = md5(md5($password).$user['salt']);

    echo "1 ".$username."<br>";
    echo "2 ".$password."<br>";
    echo "3 ".$encrypted_pass."<br>";
    echo "4 ".$user['salt']."<br>";
}

When I used this login page it displayed no username, password or salt but displayed the encrypted password:

<?php
// Include init file
include 'init.php';

if (!isset($_POST['submit'])) {
    // Show the form
    include 'login_form.inc.php';
} else {
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);

    // Try and login with the given username & pass
    $result = test($username, $password);
}
?>

Any ideas why this is happening?
effigy Posted September 7, 2007

You have to be connected to MySQL in order to use the function.
AdRock Posted September 7, 2007

I swear blind it was connected to the database because I put the database connection in the init.php. I put it in there again and now it works... thanks