MySQL & PHP - login

FirebarUK · 14 Jan 2007 at 00:44

I'm busy creating a login script and now have the following;

Code:

$user_pass_check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'") or die(mysql_error());
	//Gives error if user dosen't exist
	$check_row = mysql_num_rows($user_pass_check);
	if ($check_row == 0) {
	die('That user does not exist <a href=register.php>Click Here to Register</a>');
	}
	
	while($info = mysql_fetch_array($user_pass_check))
	{
	$_POST['password'] = stripslashes($_POST['password']);
	$info['pass'] = stripslashes($info['pass']);
	$_POST['password'] = md5($_POST['password']);

	//gives error if the password is wrong
	if ($_POST['password'] != $info['pass']) {
		die('Incorrect password, please try again.');
	}

It detects the username and can match it without a worry but seems to have problems matching the password too. My password is put into the mysql field md5 encrypted. Can anyone see anything wrong with the code above?

Thanks.

robmiller · 14 Jan 2007 at 02:26

Before your `if... die`, echo both values and see if they're the same and if they're both being fetched correctly.

Also, fix your SQL injection problems.

punky_munky · 14 Jan 2007 at 11:45

Nothing to do with this is it?

$_POST['password'] = md5($_POST['password']);

Gman · 14 Jan 2007 at 12:04

also might be worth wrapping the two (username and password) in a trim() as with login system ypu usualy get users entering the details in correctly but adding a space by accident but they still submit and don't understand why it gets rejected. Could also be your problem with the password valiadion.

FirebarUK · 14 Jan 2007 at 13:43

Thanks. Doing that showed a very long encrypted password (naturally), turned out I hadn't left enough space in the field in the database. Whoops

I'll look into both of your suggestions. Now I just need to keep the user logged in with some kind of session management

FirebarUK · 15 Jan 2007 at 12:32

Righto, I have it all working apart from one very small part.

I have a link to click whereby I would like to POST the contents of a PHP session variable ($_SESSION['username'] in this context). Does anyone know how I can do this. I have a servlet which picks up the info from the POST and requires it for certain operations.

Is this possible without a form?