-
PHP Yet Again...
PHP Code:
<?php
session_start();
// Connects to the database
$test = mysql_connect("localhost", "root", "mypass") or die(mysql_error());
mysql_select_db("php", $test) or die(mysql_error());
// Someone wants to log in
if (isset($_POST['login'])) {
    // Looking for the user/pass in the database
    $query = mysql_query("SELECT * FROM php WHERE user='" . $_POST['user'] . "' AND password='" . $_POST['pass'] . "'") or die(mysql_error());
    print mysql_error();
    if (mysql_num_rows($query) == 1) {
        // If the user and pass are valid
        $_SESSION['login'] = "true";
        $_SESSION["user"] = $_POST["user"];
        echo 'Welcome ' . htmlspecialchars($_SESSION["user"]) . ', you are logged in!';
    } else {
        // If it's wrong
        die("Wrong login info.");
    }
}
// Someone wants to log out
if (isset($_GET['action']) && $_GET['action'] == 'logout' && isset($_SESSION['login'])) {
    unset($_SESSION['login']);
    session_destroy();
    header("Location: ../index.php");
    exit; // stop here so nothing below runs after the redirect
}
// Someone is a member
if (isset($_GET['action']) && $_GET['action'] == 'member') {
    echo "Welcome member";
}
if (isset($_SESSION['login']) && $_SESSION['login'] == "true") {
    // This is shown if you are logged in!
    header("Location: ../index.php");
} else {
    // This will show if you aren't logged in.
?>
<html>
<body bgcolor="#666666" text="#ffffff">
<table width="200" border="0" cellspacing="5" cellpadding="0" align="center" valign="middle">
<tr>
<td style="border: 1px solid #333333;" bgcolor="#777777">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td bgcolor="#333333"><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><b><font color="#ffffff">»</font><font color="#ffffff">Log in
</font></b></font></td>
</tr>
<tr>
<td bgcolor="silver"><font size="1" face="Verdana, Arial, Helvetica, sans-serif" color="#ffffff">
<center>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<b>Username:</b>
<input type="text" name="user">
<b>Password:</b>
<input type="password" name="pass">
<input type="submit" name="login" value="Login">
</form>
</center>
</font>
</td>
</tr>
</table>
</td>
</tr>
</table>
</body>
</html>
<?php
}
?>
Ok, this login page is supposed to take variables from a form on another page and log in the user; instead it redirects back to the main page without logging in.... Any ideas?
-
Maybe $HTTP_POST_VARS["user"] might work better, for getting the input from a form field.
-
<form method="post" action="reg/login.php">
<p align="center">Username:
<input name="user" size="17">
<input type="hidden" name="login">
Password: <input type="password" name="pass" size="17">
<input type="submit" value="Login"></p>
</td>
</tr>
<tr>
<td>
<font size="1"><center>Not Registered? <a href="reg/signup.php">Sign
Up!</a></center></font>
</form>
-
Several things:
1. Important security issue: You should escape strings from the user before incorporating them into an SQL string. The MySQL module has a function for doing this.
2. I consider it best practice to select the password and manually compare it rather than using "WHERE" - because different databases sometimes consider strings which aren't exactly equal to be equal in the SQL sense (Think, MSSQL's default case-insensitivity etc, but also other cases). This reduces the keyspace by allowing attackers to get in by using something similar but not quite identical to the password. (For instance in German ü and ue might be considered equal)
3. Consider encrypting the password in the db with MD5 or similar (see MySQL manual for hints to do this)
4. Instead of using select(*) only get the columns you want. That way there will be no nasty surprises if someone subsequently adds a massive binary file in a BLOB column.
Happy coding
Slarty
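Slarty's four points turned into working code, as an added example that is not code from this thread: it uses PDO prepared statements and password_hash()/password_verify() in place of the mysql_* extension, which is a swap on my part. The `$db` connection, the `login_user()`/`register_user()` names, and the assumption that the `php` table's `password` column holds password_hash() output are this example's own.

```php
<?php
// Added example, not the thread's code. Assumes: a `php` table with columns
// `user` and `password`, where `password` stores password_hash() output;
// the function names login_user()/register_user() are this example's own.

function register_user(PDO $db, string $user, string $pass): void
{
    // Point 3: store a salted bcrypt hash, never the cleartext password.
    $stmt = $db->prepare('INSERT INTO php (user, password) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

function login_user(PDO $db, string $user, string $pass): bool
{
    // Point 1: the username is bound as a parameter, so it reaches MySQL as
    // data and cannot alter the SQL text, whatever quotes it contains.
    // Point 4: select only the column that is needed, not SELECT *.
    $stmt = $db->prepare('SELECT password FROM php WHERE user = ? LIMIT 1');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                      // unknown user
    }
    // Point 2: the password is not part of the WHERE clause at all; the stored
    // hash is fetched and checked in PHP with a constant-time comparison, so
    // the database's collation (case folding, ü vs. ue) cannot widen the match.
    return password_verify($pass, $row['password']);
}

// How the login branch of the original page would use it.
session_start();
if (isset($_POST['login'], $_POST['user'], $_POST['pass'])) {
    $db = new PDO('mysql:host=localhost;dbname=php;charset=utf8mb4', 'root', 'mypass',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    if (login_user($db, $_POST['user'], $_POST['pass'])) {
        session_regenerate_id(true);       // fresh session id once authenticated
        $_SESSION['login'] = 'true';
        $_SESSION['user'] = $_POST['user'];
        echo 'Welcome ' . htmlspecialchars($_SESSION['user']) . ', you are logged in!';
    } else {
        die('Wrong login info.');          // same message for bad user and bad password
    }
}
```

With ERRMODE_EXCEPTION, a database error surfaces as an exception instead of being printed with mysql_error(), so raw SQL error text never reaches the browser.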
-
I think you have to fetch the array 'query' before you count the rows in that array, like this:
PHP Code:
$query = mysql_query("SELECT * FROM php
WHERE user='" . $_POST['user'] . "' AND password='" . $_POST['pass'] . "'")
or die(mysql_error());
print mysql_error();
$query = mysql_fetch_array($query);
if (mysql_num_rows($query) == 1) {
And please, use some hard enters if you choose to quote some long lines of code. I'm on 1152x864 and I still have to scroll to the right... I wonder what horrors 800x600 people see :)
-
Yeah, it sucks on that, lol. I'm not that bad with PHP, so PM me if ya need help. I need help with Visual Basic.