allyant Posted September 21, 2007 Share Posted September 21, 2007 Hey there, I am making a simple login script, the only problem is that I only need the username to login, if I enter any password but the correct username I can still log in using that username without knowing the password. Here is the script: <?PHP //convert the field values to simple variables //add slashes to the username and md5() the password $user = addslashes($_POST['username']); $pass = sha1($_POST['password']); //set the database connection variables $dbHost = "localhost"; $dbUser = "root"; $dbPass = "******"; $dbDatabase = "users"; //connet to the database $db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database."); mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database."); $result=mysql_query("select * from main where username='$user' AND password='$pass'", $db); //check that at least one row was returned $rowCheck = mysql_num_rows($result); if($rowCheck > 0){ while($row = mysql_fetch_array($result)){ //start the session and register a variable session_start(); session_register('username'); //successful login code will go here... echo 'Success!'; //we will redirect the user to another page where we will make sure they're logged in header( "Location: searchlogin.php" ); } } else { //if nothing is returned by the query, unsuccessful login code goes here... echo 'Incorrect login name or password. Please try again.'; } ?> Thanks for any assistance. Quote Link to comment Share on other sites More sharing options...
taith Posted September 21, 2007 Share Posted September 21, 2007 here... try this :-) <?PHP session_start(); $dbHost = "localhost"; $dbUser = "root"; $dbPass = "******"; $dbDatabase = "users"; $db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database."); mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database."); $user = addslashes($_POST['username']); $pass = sha1($_POST['password']); $result=mysql_query("select * from `main` where `username`='$user' AND `password`='$pass' LIMIT 1"); if(mysql_num_rows($result)==1){ $_SESSION[user]=mysql_fetch_assoc($query); echo 'Success!'; header( "Location: searchlogin.php" ); }else { echo 'Incorrect login name or password. Please try again.'; } ?> Quote Link to comment Share on other sites More sharing options...
allyant Posted September 21, 2007 Author Share Posted September 21, 2007 Thanks, I tried it but it still comes back as logged in(redirects me to "searchlogin.php") when I enter a correct username but a wrong password... Quote Link to comment Share on other sites More sharing options...
allyant Posted September 21, 2007 Author Share Posted September 21, 2007 Ok so I made a new database (ID, username, password) added a user to it, but now it just says that the password is incorrect... Here is the coad now: <?PHP session_start(); $dbHost = "localhost"; $dbUser = "root"; $dbPass = "*******"; $dbDatabase = "users"; $db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database."); mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database."); $user = addslashes($_POST['username']); $pass = sha1($_POST['password']); $result=mysql_query("SELECT * FROM `simple` WHERE `username`='$user' AND `password`='$pass' LIMIT 1"); if(mysql_num_rows($result)==1){ $_SESSION[user]=mysql_fetch_assoc($query); echo 'Success!'; header( "Location: searchlogin.php" ); }else { echo 'Incorrect login name or password. Please try again.'; } ?> Quote Link to comment Share on other sites More sharing options...
MadTechie Posted September 21, 2007 Share Posted September 21, 2007 this should display some useful data, <?PHP session_start(); $dbHost = "localhost"; $dbUser = "root"; $dbPass = "*******"; $dbDatabase = "users"; $db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database."); mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database."); $user = addslashes($_POST['username']); $pass = sha1($_POST['password']); echo "User: $user<br>Pass: $pass<br>"; //removed for debugging #$result=mysql_query("SELECT * FROM `simple` WHERE `username`='$user' AND `password`='$pass' LIMIT 1"); //debug $result=mysql_query("SELECT * FROM `simple` WHERE `username`='$user'"); echo "<pre>";print_r($result); die; if(mysql_num_rows($result)==1){ $_SESSION[user]=mysql_fetch_assoc($query); echo 'Success!'; header( "Location: searchlogin.php" ); }else { echo 'Incorrect login name or password. Please try again.'; } ?> also check both the database password and the encrypted the same way Quote Link to comment Share on other sites More sharing options...
allyant Posted September 21, 2007 Author Share Posted September 21, 2007 Ok this is the output: User: allyant Pass: 206c80413b9a96c1312cc346b7d2517b84463edd Resource id #3 The encryption matched the password field in the database(sha1, pass: testpass) Quote Link to comment Share on other sites More sharing options...
MmmVomit Posted September 21, 2007 Share Posted September 21, 2007 Change this: $result=mysql_query("SELECT * FROM `simple` WHERE `username`='$user'"); echo "<pre>";print_r($result); die; To this: $result=mysql_query("SELECT * FROM `simple` WHERE `username`='$user'"); $row = mysql_fetch_assoc($result); echo "<pre>";print_r($row); die; and try it again. Quote Link to comment Share on other sites More sharing options...
allyant Posted September 21, 2007 Author Share Posted September 21, 2007 Sure, output: User: allyant Pass: 206c80413b9a96c1312cc346b7d2517b84463edd Array ( [id] => 1 [username] => allyant [password] => 206c80413b9a96c1312cc346b7d2517b84463edd ) Quote Link to comment Share on other sites More sharing options...
MmmVomit Posted September 21, 2007 Share Posted September 21, 2007 Now try it with several different passwords to see how the hash changes. Quote Link to comment Share on other sites More sharing options...
allyant Posted September 21, 2007 Author Share Posted September 21, 2007 When I enter allyant and a password that is not correct the $username gets hashed but the database output stays the same, example: username: allyant password: 1234: User: allyant Pass: 7110eda4d09e062aa5e4a390b0a572ac0d2c0220 Array ( [id] => 1 [username] => allyant [password] => 206c80413b9a96c1312cc346b7d2517b84463edd ) When I change the username to aa and the password to aaa I get: User: aa Pass: 7e240de74fb1ed08fa08d38063f6a6a91462a815 (note that I only currently have one field on the database: Username: allyant Password: 206c80413b9a96c1312cc346b7d2517b84463edd ) Quote Link to comment Share on other sites More sharing options...
allyant Posted September 21, 2007 Author Share Posted September 21, 2007 Ok, finily got it working I have no idea what was wrong with it. Here was my final code: <?PHP $dbHost = "localhost"; $dbUser = "root"; $dbPass = "******"; $dbDatabase = "users"; $db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database."); mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database."); $user = addslashes($_POST['username']); $pass = sha1($_POST['password']); $result = mysql_query("SELECT * FROM `simple` WHERE `username` = '{$user}' AND `password`='{$pass}'"); if(mysql_num_rows($result)==1){ session_start(); session_register('username'); //successful login code will go here... echo 'Success!'; }else { echo 'Incorrect login name or password. Please try again.'; } ?> Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.