
login code faulty


washingtonirvine


Can anyone help me figure out what's wrong in this code? It's not meant to do a lot, but it's giving me trouble. I have an admin database set up with one user, tom, pass abc, but I don't get the error message if it is incorrect.

<?php
// Note: the mysql_* functions were removed in PHP 7.0; on current PHP this
// would need mysqli or PDO instead.
$username = $_POST['username'];
$password = $_POST['password'];

if ($username && $password) {
    // "or die" follows the call directly; a semicolon before "or" is a syntax error
    $connect = mysql_connect("localhost", "root", "") or die("couldnt connect");
    mysql_select_db("phplogin") or die("couldnt find db");

    // $username is interpolated straight into the SQL (see the replies below on SQL injection)
    $query = mysql_query("SELECT * FROM users WHERE username='$username'");
    $numrows = mysql_num_rows($query);

    if ($numrows != 0) {
        while ($row = mysql_fetch_assoc($query)) {
            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }
        // check to see if they match!
        if ($username == $dbusername && $password == $dbpassword) {
            echo "You're in!";
        } else {
            echo "Incorrect password!";
        }
    } else {
        die("That user doesn't exist!");
    }
} else {
    die("please enter a username and password");
}
?>


Why don't you just select from the database checking both the username and password at once?


Why don't you just select from the database checking both the username and password at once?
I wondered that too. Some time ago I read that it was less secure to match on both the name and password (or something along those lines) but, try as I might, I can't find the page that referenced this. It seemed like it made sense at the time when I read it, but for the life of me now I can't find the page where it was discussed. I've thought about it quite a bit, but I don't really see how looking for the name and password at the same time should be any less secure. If anyone knows something about this I'd be interested in hearing about it. I should have bookmarked that page... there was a certain logic to it, but it escapes me now.

If you select both at once, then you may want to be careful to observe the number of rows returned: if multiple rows were selected, that could be an indication someone has fiddled with the query (i.e. SQL injection) to grab something no matter what. Of course, by the time the OP's application goes live he should have implemented data filtering / prepared statements / whatever to prevent SQL injection.


A SQL injection attack can be used if you're checking both the username and password at once. If you're only getting the username, and you check the password manually, a SQL injection attack won't work there. I prefer to check them individually so I can show a separate error for the username or password being wrong instead of an error that says either the username or password didn't match.

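An added example, not code from the original post or from any of the replies: the same login check written with a PDO prepared statement, the row-count check suggested above, and a hashed password. It assumes the pdo_sqlite extension and builds an in-memory SQLite table constructed to match the thread's single user tom / abc, with the table and column names taken from the OP's query. Two caveats worth keeping in mind: with `WHERE username='$username'` built by string interpolation, the input `' OR '1'='1` returns every row whether the query checks one column or two, which is exactly what the row-count check catches, and a bound parameter removes the problem altogether; and separate "no such user" / "wrong password" messages let an attacker enumerate valid usernames, so this version returns a single yes/no.

```php
<?php
// Added example (not the original poster's code): the thread's login check
// rewritten with a prepared statement, a row-count check and a hashed password.
// Assumes the pdo_sqlite extension; the table, user "tom" and password "abc"
// are constructed here to match the thread.
declare(strict_types=1);

function buildDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

    // Store a password hash, never the plaintext password.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => 'tom', ':p' => password_hash('abc', PASSWORD_DEFAULT)]);
    return $db;
}

/**
 * Returns true only for a correct username/password pair.
 * The username is bound as a parameter, so attacker input is always treated
 * as data and cannot change the query's structure; the password is verified
 * in PHP against the stored hash.
 */
function login(PDO $db, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;
    }

    $stmt = $db->prepare('SELECT username, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // A lookup by a unique username must return exactly one row. Zero rows is
    // an unknown user; more than one would mean something is badly wrong with
    // the query or the data. Both are treated as a failed login.
    if (count($rows) !== 1) {
        return false;
    }

    return password_verify($password, $rows[0]['password']);
}

$db = buildDb();

// Constructed test inputs, including two classic injection payloads that
// would alter an interpolated query but are harmless as bound parameters.
$cases = [
    ['tom', 'abc'],                      // correct credentials
    ['tom', 'wrong'],                    // right user, wrong password
    ['nobody', 'abc'],                   // unknown user
    ["tom' OR '1'='1", 'abc'],           // would match every row if interpolated
    ["' UNION SELECT 'tom','x' -- ", 'x'], // would add an attacker-controlled row if interpolated
];

foreach ($cases as [$u, $p]) {
    printf("%-34s %-6s => %s\n", $u, $p, login($db, $u, $p) ? 'OK' : 'denied');
}
```

Only the first case should print OK; every other case, including both payloads, is denied because the bound parameter is compared as a literal username that does not exist.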

Archived

This topic is now archived and is closed to further replies.
