I have a simple HTML form with username and password boxes. When they click the submit button, it fires a login script, which contains this line:

[code=php]$query = mysql_query("select * from user where name = '$Name' and password = '$Password'");[/code]

The problem is, a user can log in with another user's password, i.e.

id     ¦ pwd
user 1 ¦ pwd1
user 2 ¦ pwd2
user 3 ¦ pwd3

What happens is that user 1 can log in with user 2's or user 3's password, and vice versa.

Any way around this, or a more secure statement?

@pyro Jul 31.2003 — When I did it, I used this to query the DB:

[code=php]$query = "SELECT * FROM password WHERE username='$username'";[/code]

$username equaled the username that was input into the form.

Then, I checked if the password in the DB for that row was the same as what the users had entered in the password box on the form. This will keep people from being able to enter their username with other passwords. It also has the advantage of being able to let users know if they entered their username or password incorrectly, as you can detect which of the two did not match up...
@finetuner Jul 31.2003 — Well, I did use similar code and I could only get in with the proper password. Check your code again with different values.

Arup Bhanja

Need a CMS? It's here: http://arupbhanja.com
@moondance (author) Jul 31.2003 — Does that mean you have a DB called password?
@pyroJul 31.2003 — No, actually, password is the tablename.
@moondance (author) Jul 31.2003 — I don't know if this is related, but are you supposed to declare all the variables in the PHP script at the top, the same as you would do with VB?

For every single variable in my PHP script I've declared it at the top as $var = $_POST['var'];

Is this relevant, because it's still not working?
@pyroJul 31.2003 — Yes, in the situation you posted, it is necessary, because not all servers have global variables enabled. If you post some code, perhaps someone will be able to notice an error that would keep it from working.
@moondance (author) Jul 31.2003 —

[code=php]<html>
<head>
<title>User Log in</title>
</head>
<body>
<h2>Log in results</h2>
<?php
// only Name and Password are actually sent by the form; the other three are
// overwritten further down
$Name = $_POST['Name'];
$query = $_POST['query'];
$Password = $_POST['Password'];
$dbcnx = $_POST['dbcnx'];
$db = $_POST['db'];

// removes the backslashes magic_quotes_gpc adds, so the values go into the
// SQL below exactly as typed
$Name = stripslashes($Name);
$Password = stripslashes($Password);

if ((!$Name) || (!$Password))
{
    echo "You did not submit the following information: <br>";
    if (!$Name) {
        echo "You need to enter a User ID <br>";
    }
    if (!$Password) {
        echo "You need to enter a password <br>";
    }
    // show the login form again
    include "dave.html";
    exit();
}

// connect to database server
@ $dbcnx = mysql_connect("localhost", "root");
if (!$dbcnx)
{
    echo ("Error: Could not connect to server");
}

// select database
$db = mysql_select_db("userdb", $dbcnx);
if (!$db)
{
    echo ("Could not connect to database");
    exit;
}

// login
$query = mysql_query("select * from users where name= '$Name' and password = '$Password'");

// mysql_query() returns a result resource even when no row matches, so this
// test is only false when the query itself fails to run
if (!$query)
{
    echo ("incorrect user name");
    exit();
}
else
{
    echo ("<BR><BR><BR><BR>");
    echo ("logged on! Welcome " . $Name);
    // (this else block is never closed)
?>
</body>
</html>[/code]
@Da_Warriah Jul 31.2003 — Well, just one thing that I noticed quickly glancing through your script (since I don't have much experience with MySQL) is that you forgot to close your else brackets right at the very end... other than that, I'm staying out of this thread, lol...
@moondance (author) Aug 01.2003 — I solved this problem.

Here's what I added:

A check underneath the login to see if any rows were retrieved. If no rows are retrieved, then the login must be invalid, therefore display an invalid login message.

So the login part looks like this now:

[code=php]// login
$query = mysql_query("select * from users where name= '$Name' and password = '$Password'");

// a query that runs but matches nothing returns an empty result set, so test
// the row count rather than the result resource
if (mysql_num_rows($query) > 0)
{
    echo ("Logged In!");
}
else
{
    echo ("Invalid login Information");
    exit();
}[/code]
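The three checks from this thread side by side, as an added example that is not code from any of the posters: the original test that only asks whether the query ran, the row-count fix in the post above, and the approach pyro described earlier (select the row by username, then compare the password in PHP) written the way it should be done now, with a bound parameter and a stored password hash. It assumes PHP 7.1 or later with the pdo_sqlite extension and uses an in-memory SQLite database in place of the thread's MySQL server, since the `mysql_*` functions no longer exist; the `users` table, the accounts `user1`..`user3` with passwords `pwd1`..`pwd3`, and the attacker input `' OR '1'='1` are all constructed sample data. The plaintext `password` column exists only so the first two functions behave exactly as the posted code did.

```php
<?php
// Added example, not from the thread. PDO + in-memory SQLite stand in for the
// original mysql_* calls; all data below is constructed for the demonstration.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same shape as the thread's users table, plus a hash column for the safe version.
    $pdo->exec("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT, password_hash TEXT)");
    $ins = $pdo->prepare("INSERT INTO users VALUES (:n, :p, :h)");
    foreach (['user1' => 'pwd1', 'user2' => 'pwd2', 'user3' => 'pwd3'] as $n => $p) {
        $ins->execute([':n' => $n, ':p' => $p, ':h' => password_hash($p, PASSWORD_DEFAULT)]);
    }
    return $pdo;
}

// 1. The original check: only tests whether the query *ran*. A SELECT that
//    matches zero rows still returns a statement object, so this accepts any
//    password; the only thing that makes it false is a SQL error.
function loginOriginal(PDO $pdo, string $name, string $password): bool {
    $stmt = $pdo->query("SELECT * FROM users WHERE name = '$name' AND password = '$password'");
    return $stmt !== false;
}

// 2. The fix from the thread: count the rows. Rejects a wrong password, but the
//    input is still pasted into the SQL, so a crafted password turns the WHERE
//    clause into "... AND password = '' OR '1'='1'" and matches every row.
function loginRowCount(PDO $pdo, string $name, string $password): bool {
    $stmt = $pdo->query("SELECT * FROM users WHERE name = '$name' AND password = '$password'");
    return count($stmt->fetchAll()) > 0;
}

// 3. pyro's approach done safely: fetch the row by username through a bound
//    parameter (no string building, so quotes in the input cannot change the
//    query), then verify the password in PHP against a stored hash. The same
//    generic false is returned for "no such user" and "wrong password", so the
//    response does not tell an attacker which usernames exist.
function loginSafe(PDO $pdo, string $name, string $password): bool {
    $stmt = $pdo->prepare("SELECT password_hash FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

$pdo = makeDb();
$injected = "' OR '1'='1";   // constructed attacker input, typed into the password box

$attempts = [
    ['user1', 'pwd1'],      // correct password
    ['user1', 'pwd2'],      // another user's password (the thread's symptom)
    ['user1', $injected],   // injection through the password field
];
foreach ($attempts as [$n, $p]) {
    printf("%-6s %-12s original=%d rowcount=%d safe=%d\n",
        $n, $p,
        loginOriginal($pdo, $n, $p), loginRowCount($pdo, $n, $p), loginSafe($pdo, $n, $p));
}
```

Run with `php login_checks.php` (the file name is arbitrary). The first function accepts all three attempts, which is exactly the behaviour the opening post describes. The row-count version rejects `pwd2` but still accepts the injected string, because the row count test fixes the logic error and nothing else. Only the prepared-statement version accepts the correct password alone. The remaining problems visible in the posted script, connecting as MySQL `root` with no password and storing passwords in the clear, are not fixed by any login check and need to be addressed in the schema and the account used for the connection.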