[php] login question

ringo747 · 11 Dec 2006 at 15:37

hi guys,

below is a snippet of code that i am using to implement a simple login system.

I was using this with a test database and now i have dumped it and have built up a new database,

the exact same script isnt working with the new db for some reason.

Could someone please check this script and see if it is correct?

login.php

Code:

<?php
include("database.php");

ob_start();

//specifies db table name
$table_name="users";

// Define $username and $password
$username=$_POST['MyUsername'];
$password=$_POST['MyPassword'];

//encrypt password to md5
$encrypted_password=md5($password);

$sql=("SELECT * FROM $table_name WHERE username='$username' AND password='$password'");
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

// Register $username, $password and redirect to file "login_success.php"
session_register("username");
session_register("password");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
header("location:try_login.php");
}

ob_end_flush();
?>

database.php

Code:

<?php
$dbhost="localhost"; // Host name
$dbusername="root"; // Mysql username
$dbpassword="******"; // Mysql password
$db_name="noticeboard"; // Database name

// Connect to server and select databse.
mysql_connect("$dbhost", "$dbusername", "$dbpassword")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

?>

When i enter a valid username and password it keeps redirecting me to the trylogin.php page.. this is just a repeat of the main login form which i used on the index page as seen below:

login form

Code:

		<form name="Logon" action="login.php" method="post">
		  <table border="0">
		  <tr>
			<td>User: </td>
			<td><input type="text" name="MyUsername" size="10"></td>
		  </tr>
		  <tr>
			<td>Password: </td>
			<td><input type="password" name="MyPassword" size="10"></td>
		  </tr>
		  </table>
		  	<input type="checkbox" name="remember" value="yes" checked="checked">Remember Me?</input><br /><br />
			<input type="submit" name="SubmitButton" value="Submit" />
			<input type="reset" name="ResetButton" value="Reset" />
		</form>

This is really baffling me.. any help would be useful. Im a PHP newbie and just trying to piece everything together now!

ringo747 · 11 Dec 2006 at 16:32

i got this solved by taking out the md5 encryption part... it must be something to do with my database end i think.

Does anyone know of any alternatives to using phpmyadmin for managing my database when using WAMP server?

Hector · 11 Dec 2006 at 22:49

try this..

Code:

$encrypted_password=md5($password);

$sql=("SELECT * FROM $table_name WHERE username='$username' AND password='$encrypted_password'");

the data in the db is in md5 so you need to check the encrypted password not the raw password.

robmiller · 12 Dec 2006 at 02:50

I'm so going to log into that with the username admin the password ' OR 1=1

SQL injection, people!

Hector · 12 Dec 2006 at 03:52

i have an excuse, i know next to nothing about php/sql

' OR 1=1

that so easy someone should have seen it before now.. on the plus side, lesson will be learn't fast without any harm. thanks for pointing that out rob.