washingtonirvine

login code faulty


Can anyone help me figure out what's wrong in this code? It's not meant to do a lot, but it's giving me trouble. I have an admin database set up with one user, tom, pass abc, but I don't get the error message if it is incorrect.

```php
<?php
$username = $_POST['username'];
$password = $_POST['password'];

if ($username && $password) {
    // "or die" has to follow the call directly; a semicolon before it is a syntax error
    $connect = mysql_connect("localhost", "root", "") or die("couldnt connect");
    mysql_select_db("phplogin") or die("couldnt find db");

    // note: $username is placed straight into the SQL text (the replies in this thread discuss this)
    $query = mysql_query("SELECT * FROM users WHERE username='$username'");
    $numrows = mysql_num_rows($query);

    if ($numrows != 0) {
        while ($row = mysql_fetch_assoc($query)) {
            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }
        // check to see if they match!
        if ($username == $dbusername && $password == $dbpassword) {
            echo "you are logged in";
        } else {
            // this branch was missing, so a wrong password printed nothing
            echo "incorrect password";
        }
    } else {
        echo "that user doesn't exist";
    }
} else {
    die("please enter a username and password");
}
?>
```


Why don't you just select from the database checking both the username and password at once?

Why don't you just select from the database checking both the username and password at once?
I wondered that too. Some time ago I read that it was less secure to match on both the name and password (or something along those lines), but try as I might, I can't find the page that referenced this. It seemed like it made sense at the time when I read it, but for the life of me now I can't find the page where it was discussed. I've thought about it quite a bit, but I don't really see how looking for the name and password at the same time should be any less secure. If anyone knows something about this I'd be interested in hearing about it. I should have bookmarked that page... there was a certain logic to it, but it escapes me now.


If you select both at once, then you may want to be careful to observe the number of rows returned. If multiple rows were selected, that could be an indication someone has fiddled with the query (i.e. SQL injection) to grab something no matter what.

Of course, by the time the OP's application goes live he should have implemented data filtering / prepared statements / whatever to prevent SQL injection.


A SQL injection attack can be used if you're checking both the username and password at once. If you're only getting the username, and you check the password manually, a SQL injection attack won't work there. I prefer to check them individually so I can show a separate error for the username or password being wrong instead of an error that says either the username or password didn't match.

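The two replies above disagree about whether to look up the username alone or the username and password together; either way the real fix is the one the earlier reply names: a prepared statement, plus a row-count check. Below is an added example (not the original poster's code) that rewrites the login with mysqli, placeholder binding, a hashed password column and a single generic failure message. It assumes the `users` table's `password` column holds a `password_hash()` value and that mysqlnd is available for `get_result()`; the host, user and database name follow the thread.

```php
<?php
// Added example: the thread's login flow with a mysqli prepared statement.
// Assumes table `users` (username, password) where `password` stores a
// password_hash() result; "localhost"/"root"/"phplogin" follow the thread.

function authenticate(mysqli $db, string $username, string $password): bool
{
    // The username travels separately from the SQL text, so it cannot
    // change the structure of the query no matter what it contains.
    $stmt = $db->prepare(
        'SELECT username, password FROM users WHERE username = ? LIMIT 2'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $result = $stmt->get_result(); // requires mysqlnd

    // A unique username yields exactly one row; anything else is a failure
    // (and worth logging), as the earlier reply about row counts suggests.
    if ($result->num_rows !== 1) {
        return false;
    }
    $row = $result->fetch_assoc();

    // Compare against the stored hash, never a plaintext password column.
    return password_verify($password, $row['password']);
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if ($username === '' || $password === '') {
    die('please enter a username and password');
}

$db = new mysqli('localhost', 'root', '', 'phplogin');
if ($db->connect_error) {
    die('couldnt connect');
}

if (authenticate($db, $username, $password)) {
    echo 'you are logged in';
} else {
    // One generic message: reporting which field was wrong confirms to a
    // guesser whether a given username exists.
    echo 'incorrect username or password';
}
```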
